
posted by martyb on Wednesday July 25 2018, @06:07AM
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advance warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/


  • (Score: 5, Informative) by Anonymous Coward on Wednesday July 25 2018, @06:53AM (53 children)

    by Anonymous Coward on Wednesday July 25 2018, @06:53AM (#712206)

    The majority of the world's static web sites don't need https and it's silly to suggest they do.

    • (Score: 5, Insightful) by c0lo on Wednesday July 25 2018, @07:07AM (9 children)

      by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @07:07AM (#712208) Journal

      The majority of the world's static web sites don't need https and it's silly to suggest they do.

      Engineering point of view? You are of course, right.

      Real-world point of view? Let everything go encrypted, even if it doesn't need to.
      Let the "copy all traffic" be an expensive proposition for NSA and their ilk.
      Let the "encrypted communication" be the norm rather than the exception that triggers those letter-agencies' suspicion.
      Let "HTTPS everywhere" be a step in regaining the privacy for all.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by epitaxial on Wednesday July 25 2018, @12:31PM (4 children)

        by epitaxial (3165) on Wednesday July 25 2018, @12:31PM (#712286)

        I'm pretty sure the feds hold all the SSL keys to begin with.

        • (Score: 2) by c0lo on Wednesday July 25 2018, @12:58PM (3 children)

          by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @12:58PM (#712297) Journal

          Unless the hosting entity shares the private key with the feds, this cannot happen - correctly done, the private key should never leave the server.
          The private/public key pair is generated on the server, then the public key goes with the Certificate Signing Request to the CA but the private key should (ideally) never leave the server that would host the Web Server.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:16PM (1 child)

            by Anonymous Coward on Wednesday July 25 2018, @02:16PM (#712347)

            I thought this was all about Google maintaining better control of data via the fact it doesn't matter if it's encrypted if they host it, and second, it's good PR to pretend they care.

            People lost control a long time ago, so this at least is like a politician being 'tough on crime' by doing nothing much themselves aside from providing severe punishment that doesn't fit the crime.

            • (Score: 2) by c0lo on Wednesday July 25 2018, @02:35PM

              by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @02:35PM (#712365) Journal

              I thought this was all about Google maintaining better control of data via the fact it doesn't matter if it's encrypted if they host it

              Speaking of which... What exactly is the malfeasance Google is accused of if Chrome signals to the user a site using plain HTTP is insecure? It's not like they are lying, is it?

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:40PM

            by Anonymous Coward on Wednesday July 25 2018, @08:40PM (#712664)

            The Feds can decrypt SSL traffic no problem. It would give them a slightly higher overhead but not crazy. The real safety comes from making it hard for non-gov criminals to find the desired traffic. The problem you are having is assuming the crypto and the hardware it runs on doesn't have flaws. They don't even have to be full backdoors since some small flaw in the encryption routine can make it much simpler to crack the encryption if you know what pattern to look for.

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @04:15PM

        by Anonymous Coward on Wednesday July 25 2018, @04:15PM (#712447)

        Let the "copy all traffic" be an expensive proposition for NSA and their ilk.

        Exactly this. If the many governments weren't intent on hoarding all communication for future analysis, leaving unimportant stuff in the clear would be fine, but because they insist on unwarranted data collection of everything, let's make it as expensive as possible. Bury your banking and online buying habits and your innocuous-today-but-potentially-seditious-by-future-interpretation chats in mundane encrypted cat videos and discussions about that cute guy/gal in third period math class.

      • (Score: 4, Insightful) by Grishnakh on Wednesday July 25 2018, @04:55PM (2 children)

        by Grishnakh (2831) on Wednesday July 25 2018, @04:55PM (#712473)

        The problem with this is that it imposes a real-world cost on anyone who wants to create their own little website. Certificates are not free, unless you get one from Let's Encrypt, but LE certs don't work on most of the lowest-cost hosting providers. So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive. Great job for democratization, guys.

        • (Score: 2) by c0lo on Wednesday July 25 2018, @10:58PM

          by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @10:58PM (#712770) Journal

          So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive.

          I'm hosting with Bluehost for a couple of hobby websites. In light of "HTTPS everywhere" they offered SSL certificates with no modifications in the price of hosting - see for yourself [bluehost.com]: all their plans have "SSL certificate included".
          I have no doubts that Bluehost is not the only hosting service to do it.

          Great job for democratization, guys.

          I'm repeating my question: what has Google done wrong in signalling that the connection to a site is insecure?
          They don't lie about it, just notify the visitors. The access to the site is not blocked.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by urza9814 on Thursday July 26 2018, @04:03PM

          by urza9814 (3954) on Thursday July 26 2018, @04:03PM (#713179) Journal

          The problem with this is that it imposes a real-world cost on anyone who wants to create their own little website. Certificates are not free, unless you get one from Let's Encrypt, but LE certs don't work on most of the lowest-cost hosting providers. So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive. Great job for democratization, guys.

          What exactly do you mean that LE certs won't work on low cost hosting providers? You can get a .key and .crt file from LE and deploy those exactly the same way you'd deploy any other SSL cert. There might be some truly bottom end hosts that don't support HTTPS in any way, but that's hardly something to blame on LE alone. And there's plenty of cheap or even free hosting options that do support SSL. Might take a bit of time to get it set up, but that should be expected on a bottom tier host. EVERYTHING is going to take a bit of time to get set up on one of those services. And if you really have NO IDEA what you're doing, you should be using a more basic service like Wordpress.com -- it's free, they set up SSL automatically, and they won't let you disable it even if you wanted to.

          I can understand that not every single site necessarily needs to be secure, and not every webmaster is going to want to spend the time to set that up...and if that's the case, if they intentionally want their site to be insecure, then that's fine. But let the users know so people aren't putting their credit cards or other sensitive information into that site. But "I can't afford it" or "my host doesn't support it" really isn't a valid excuse anymore.

    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:24AM (8 children)

      by Anonymous Coward on Wednesday July 25 2018, @07:24AM (#712210)

      I hope you'll like ISPs' ads and bitcoin miners on your static pages that need no protection.

      • (Score: 4, Insightful) by jmorris on Wednesday July 25 2018, @07:34AM (7 children)

        by jmorris (4844) on Wednesday July 25 2018, @07:34AM (#712213)

        So https magically makes webmasters stop embedding ads and scripts from criminals? At least some of them pay, seen legit ad impression rates lately? It is fucking retards like you that are responsible for this mad dash to encrypt even the ads.

        You know what https everywhere is going to end up doing? Make the web less secure. Everybody who has a captive portal or web filter is now under pressure to break https, especially people like me under federal mandates demanding me to "implement a technical measure" to control access to smut. Before, almost all https was stuff that needed to be private so it could pass unmolested. Now it is only a matter of time before I have to gimp the browser certificates to allow filtering again. Both on lab PCs and come up with some sort of app to gimp devices when connected to our WiFi. For now I'm working on simply IP blocking any address known to have naughty bits but with shared IP virtual hosting being such a big thing that ain't gonna hold long.

        • (Score: 5, Interesting) by c0lo on Wednesday July 25 2018, @07:49AM (1 child)

          by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @07:49AM (#712218) Journal

          So https magically makes webmasters stop embedding ads and scripts from criminals?

          Webmasters? No.
          The ISP injecting their content (read: ads) inside your traffic? Yes.
          Generally speaking: any MITM becomes harder and will be easier to detect.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by curunir_wolf on Wednesday July 25 2018, @08:33PM

            by curunir_wolf (4772) on Wednesday July 25 2018, @08:33PM (#712655)

            Webmasters? No. The ISP injecting their content (read: ads) inside your traffic? Yes.

            Which is exactly why Google is doing this: to protect their ad revenue. It does the same thing in other, insidious ways. How many websites have Google Analytics? Yeah, so Google can track all that traffic, right back to the user, and target ads.

            It's all about Google trying to protect their business model. And causing additional expense for anyone hosting web pages. It's evil folks. Evil for the sake of money.

            --
            I am a crackpot
        • (Score: 1, Informative) by Anonymous Coward on Wednesday July 25 2018, @07:54AM (4 children)

          by Anonymous Coward on Wednesday July 25 2018, @07:54AM (#712220)

          especially people like me under federal mandates demanding me to "implement a technical measure" to control access to smut

          That's... quite informative. You sure you wanted to post it?
          In any case, now it is in the open! Welcome out of the closet and into the light, jmorris.

          • (Score: 3, Interesting) by jmorris on Wednesday July 25 2018, @05:02PM (3 children)

            by jmorris (4844) on Wednesday July 25 2018, @05:02PM (#712480)

            I'm not an anonymous coward, people who have been here for a while probably already know. I am a librarian in the United States where we have something called CIPA (Children's Internet Protection Act) and it requires anyone receiving Federal Funds (as in the Schools and Libraries Corporation funded from your phone bill's Universal Service Fund line entry) to "implement a technical measure to control access" to smut by children. Breaking the shit out of https is now a matter of time. All of the major vendors of commercial products to industry already offer the feature. In some industries with a captive fleet of PCs it is quickly becoming a "best practice", apparently it is being pushed hard where there are mandates for records retention too.

            The crypto weenies hosed us again. They believed they could be absolutists on privacy since their precious unbreakable crypto would force the world to give it to them. Nope, The System is quickly adopting a form of rubber hose cryptanalysis to demand the system be allowed to continue snooping. In the end the crypto will still be unbreakable but firmly in the control of The System.

            • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:53PM (1 child)

              by Anonymous Coward on Wednesday July 25 2018, @07:53PM (#712620)

              why don't you use a whitelist for kids' internet?
              I honestly don't see any other reasonable option.
              and obviously no search engine access, since they can google/bing for porn, and the images are displayed right there in the search results.

              • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @09:17PM

                by Anonymous Coward on Wednesday July 25 2018, @09:17PM (#712697)

                Try Bing Video. You can play the videos right in your browser and get past all the content blocks. We ended up blocking Bing completely for a while where I work, took ages for someone on staff to actually notice and complain.

            • (Score: 2) by urza9814 on Thursday July 26 2018, @04:11PM

              by urza9814 (3954) on Thursday July 26 2018, @04:11PM (#713184) Journal

              Breaking HTTPS on computers under your own control should not be difficult. Never was. And if you aren't doing it already, it would seem that you're already violating that law, you just haven't been caught yet. Plenty of corporations have been doing this for decades already. More people doing it or knowing about it doesn't make anything less secure -- if anything it improves security by increasing awareness of "attacks" which have been possible since the beginning of HTTPS. But not really, because that's not really an "attack" since you're MITM-ing your own traffic. Sure, you can alter the traffic being seen by your clients, but you could also do that through a browser plugin or a system virus or a number of other methods because you already have full control over both the PCs and network! Calling that "insecure" is like saying my PC is insecure because it lets me install Linux. That's not a security flaw, that's me being in control of my own devices.

              You make the PCs connect through a proxy, and the proxy decrypts, checks, and re-encrypts with its own certs. You control the endpoints, so you can force them to trust the proxy's certs. Where's the problem exactly?

    • (Score: 5, Informative) by bradley13 on Wednesday July 25 2018, @07:40AM (18 children)

      by bradley13 (3053) on Wednesday July 25 2018, @07:40AM (#712214) Homepage Journal

      TFA explains quite well that even static content needs to be encrypted. Just as one example: with unencrypted content, it is trivially easy for someone to play MITM, and redirect you to a look-alike site that contains malware.

      On top of that, more encryption provides more cover for the data that does need encryption. Why make life easy for abusive 3-letter agencies, or for oppressive governments?

      --
      Everyone is somebody else's weirdo.
      • (Score: 4, Insightful) by Anonymous Coward on Wednesday July 25 2018, @08:52AM (9 children)

        by Anonymous Coward on Wednesday July 25 2018, @08:52AM (#712228)

        On top of that, more encryption provides more cover for the data that does need encryption.

        In times where a lot of web pages (including web pages most people use all the time) have logins (even if optional), and thus need encryption anyway, I don't buy this argument. You'll get a lot of encrypted traffic even if you don't encrypt any static web page.

        A reasonable middle ground would be if the browser only warns for HTTP pages that contain any of the following:

        • Input fields.
        • Active content, in particular (but not restricted to) JavaScript.
        • Cookies.

        Note that for 99.9% of all existing web sites that would not make a difference (mostly because of JavaScript). But it still would allow users to serve simple static HTML pages without the encryption overhead.
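        As an added illustration of the heuristic proposed in this comment (this is not code from any commenter or from the article), the Go program below classifies a raw cleartext HTTP response by the three listed triggers: form controls, active content, and cookies. Function names, the regexes, and the constructed sample responses are mine; the regexes are a deliberately coarse textual approximation of what a browser would decide after parsing the DOM.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// WarnReasons records which of the three proposed triggers a cleartext HTTP
// response hits; a browser following the proposal would warn if any is set.
type WarnReasons struct {
	InputFields   bool // <form>, <input>, <textarea>, <select>
	ActiveContent bool // <script>, plugin elements, inline handlers, javascript: URLs
	Cookies       bool // any Set-Cookie header
}

// ShouldWarn reports whether the proposed "Not secure" warning applies.
func (w WarnReasons) ShouldWarn() bool {
	return w.InputFields || w.ActiveContent || w.Cookies
}

var (
	// Elements a user could type into or submit.
	inputRe = regexp.MustCompile(`(?i)<\s*(form|input|textarea|select)\b`)
	// Script and plugin elements, a few common inline event handlers and
	// javascript: URLs. A coarse textual approximation: a real browser would
	// decide after parsing the DOM, and "active content" covers more than this.
	activeRe = regexp.MustCompile(`(?i)(<\s*(script|object|embed|applet)\b|\son(load|click|error|submit|mouseover|focus|change)\s*=|javascript:)`)
)

// Classify parses a raw HTTP/1.x response (status line, headers, body) and
// reports which triggers apply. Only text/html bodies are inspected.
func Classify(raw string) (WarnReasons, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return WarnReasons{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return WarnReasons{}, err
	}
	var r WarnReasons
	r.Cookies = len(resp.Header.Values("Set-Cookie")) > 0
	if strings.HasPrefix(strings.ToLower(resp.Header.Get("Content-Type")), "text/html") {
		r.InputFields = inputRe.Match(body)
		r.ActiveContent = activeRe.Match(body)
	}
	return r, nil
}

// BuildResponse assembles a constructed HTTP/1.1 200 response for testing; the
// Content-Length header lets http.ReadResponse find the end of the body.
func BuildResponse(extraHeaders []string, body string) string {
	var b strings.Builder
	b.WriteString("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n")
	fmt.Fprintf(&b, "Content-Length: %d\r\n", len(body))
	for _, h := range extraHeaders {
		b.WriteString(h + "\r\n")
	}
	b.WriteString("\r\n" + body)
	return b.String()
}

func main() {
	// Constructed samples: a plain page, a login form, the same plain page with a
	// script tag added in transit, and a plain page that sets a cookie.
	samples := []struct{ name, raw string }{
		{"plain static page", BuildResponse(nil, "<html><body><h1>Hello</h1><p>No forms, no scripts.</p></body></html>")},
		{"login form", BuildResponse(nil, `<form action="/login"><input type="password" name="pw"></form>`)},
		{"static page with injected script", BuildResponse(nil, `<h1>Hello</h1><script src="http://example.invalid/x.js"></script>`)},
		{"static page setting a cookie", BuildResponse([]string{"Set-Cookie: sid=abc123; Path=/"}, "<h1>Hello</h1>")},
	}
	for _, s := range samples {
		r, err := Classify(s.raw)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%-34s warn=%-5v %+v\n", s.name, r.ShouldWarn(), r)
	}
}
```

The third sample is the case raised later in the thread: a static page into which a script tag has been inserted on the wire no longer counts as plain static content, so the warning would fire.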

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @09:50AM (6 children)

          by Anonymous Coward on Wednesday July 25 2018, @09:50AM (#712238)

          But it still would allow users to serve simple static HTML pages without the encryption overhead.

          Enlighten me, what is so bad about encrypting content that you want us to throw the benefits of encrypted traffic out of the window?
          Are you working for a federal agency too [soylentnews.org]?

          • (Score: 4, Interesting) by Pino P on Wednesday July 25 2018, @01:24PM (5 children)

            by Pino P (4721) on Wednesday July 25 2018, @01:24PM (#712310) Journal

            what is so bad about encrypting content that you want us to throw the benefits of encrypted traffic out of the window?

            For sites on the public Internet, what's so bad about HTTPS is that there exists no signing-only cipher suite that allows intermediate caching while precluding tampering. If you're serving the same document to a plurality of users, such as serving an encyclopedia article to a classroom full of devices in a school in sub-Saharan Africa with a harshly metered 128 kbps connection, you want a replay attack to be possible. Otherwise, what's the benefit of the HTTP header Cache-Control: public in an HTTPS environment?

            • Cleartext HTTP: Polipo proxy retrieves document once on viewers' behalf and serves it to all 25 viewers.
            • Hypothetical signing-only protocol: Same is possible.
            • HTTPS: Proxy can only process the CONNECT method to make a tunnel through which the same document is retrieved 25 times, once by each viewer's device.

            Sites on a private home network have a different problem with HTTPS. In order to qualify for a certificate, you need a domain name. Let's Encrypt will not issue a certificate if any of the following are true:

            • The certificate is for a private IP address in RFC 1918 space (10/8, 172.16/12, or 192.168/16) or its IPv6 counterpart
            • The certificate is for a hostname within a private top-level domain such as .local or .internal
            • The hostname is within a domain that is not on the Public Suffix List, and 20 other users who have subdomains under the same domain have obtained a certificate in the past week
            • The domain does not support TXT records for the dns-01 challenge, and the host does not accept incoming connections from the public Internet for the http-01 challenge

            So if you can't find a dynamic DNS provider that both is on the PSL and supports TXT records, you end up having to buy a domain name and continuing to pay for its renewal.

            • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:08PM (1 child)

              by Anonymous Coward on Wednesday July 25 2018, @08:08PM (#712630)

              Non-encrypted signing only thing allows for surveillance and data mining.

              • (Score: 2) by Pino P on Thursday July 26 2018, @04:41PM

                by Pino P (4721) on Thursday July 26 2018, @04:41PM (#713210) Journal

                In parts of the world where all Internet connections are very slow and very harshly capped, people are likely to consider "surveillance and data mining" an acceptable tradeoff.

            • (Score: 2) by urza9814 on Thursday July 26 2018, @05:00PM (2 children)

              by urza9814 (3954) on Thursday July 26 2018, @05:00PM (#713225) Journal

              If you're serving the same document to a plurality of users, such as serving an encyclopedia article to a classroom full of devices in a school in sub-Saharan Africa with a harshly metered 128 kbps connection, you want a replay attack to be possible.

              Take one of those laptops and turn it into a caching proxy that drops the encryption. For bonus points, re-encrypt using a self-signed cert that you've already installed as trusted on the remaining laptops.

              Sites on a private home network have a different problem with HTTPS. In order to qualify for a certificate, you need a domain name. Let's Encrypt will not issue a certificate if any of the following are true:

              Why do you need a cert that's trusted on the global Internet for your private home network? Use self-signed certs and install them manually on whatever devices need it. That's a hell of a lot easier than getting a cert from Let's Encrypt or any other CA anyway. I *think* you could also use Let's Encrypt on a free domain like .tk if you configure the redirects properly, but I'm not 100% certain on that.

              • (Score: 3, Interesting) by Pino P on Thursday July 26 2018, @06:13PM (1 child)

                by Pino P (4721) on Thursday July 26 2018, @06:13PM (#713273) Journal

                Take one of those laptops and turn it into a caching proxy that drops the encryption. For bonus points, re-encrypt using a self-signed cert that you've already installed as trusted on the remaining laptops.

                The installation I'm referring to is currently using Polipo software, and Polipo's manual states that it tunnels all HTTPS connections using the CONNECT method. This means we'll have to use something other than Polipo. Which caching proxy software stack do you recommend for terminating HTTPS by issuing a temporary certificate from a private CA and using that to re-encrypt the cached resource?

                Why do you need a cert that's trusted on the global Internet for your private home network?

                Because operating systems for non-PC devices make it painful to install and trust a private CA certificate. A user-installed certificate on Android, for example, won't work in applications designed for Android 7 or later unless the app's developer opts in to trusting user CAs (search keywords: Network Security Config), and it may require changing the lock screen. Some set-top box operating systems offer no way to trust a private CA certificate at all.

                • (Score: 3, Informative) by urza9814 on Thursday July 26 2018, @07:25PM

                  by urza9814 (3954) on Thursday July 26 2018, @07:25PM (#713325) Journal

                  The installation I'm referring to is currently using Polipo software, and Polipo's manual states that it tunnels all HTTPS connections using the CONNECT method. This means we'll have to use something other than Polipo. Which caching proxy software stack do you recommend for terminating HTTPS by issuing a temporary certificate from a private CA and using that to re-encrypt the cached resource?

                  Squidguard can proxy and filter HTTPS traffic so that would probably work...pretty sure you can configure caching on that too although I'm not 100% sure on that point. Looks like Privoxy with Stunnel would also work although that seems a bit more difficult to configure...

        • (Score: 4, Interesting) by MichaelDavidCrawford on Wednesday July 25 2018, @11:45AM (1 child)

          by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday July 25 2018, @11:45AM (#712272) Homepage Journal

          If your site serves only cleartext _static_ content, it would be trivial for Charlie to serve that very same static content, but with the addition of some Javascript that the end-user never sees is there, that then sends them some malware.

          In addition, I know of at least one exploit that resulted from specially-crafted images. My entire company disconnected from The Tubes until we were able to install Microsoft's patch.

          --
          Yes I Have No Bananas. [gofundme.com]
          • (Score: 4, Interesting) by maxwell demon on Wednesday July 25 2018, @10:28PM

            by maxwell demon (1608) on Wednesday July 25 2018, @10:28PM (#712750) Journal

            If your site serves only cleartext _static_ content, it would be trivial for Charlie to serve that very same static content, but with the addition of some Javascript that the end-user never sees is there, that then sends them some malware.

            Not with the restrictions in the parent post: The web page the browser receives would contain JavaScript, and therefore the browser would alert you.

            --
            The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @09:44AM (7 children)

        by Anonymous Coward on Wednesday July 25 2018, @09:44AM (#712236)

        TFA explains quite well that even static content needs to be encrypted. Just as one example: with unencrypted content, it is trivially easy for someone to play MITM, and redirect you to a look-alike site that contains malware.

        How is that a HTTP level problem?

        On top of that, more encryption provides more cover for the data that does need encryption. Why make life easy for abusive 3-letter agencies, or for oppressive governments?

        It also increases bandwidth costs by around 1/3 along with an increase in power consumption. If the problem is 3-letter agencies, fix the 3-letter agencies. If the problem is oppressive government, fix oppressive government. If the problem is leftists redefining "oppression", exile them to a socialist country so they better understand the word.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @11:11AM (6 children)

          by Anonymous Coward on Wednesday July 25 2018, @11:11AM (#712262)

          It also increases bandwidth costs by around 1/3 along with an increase in power consumption.

          Are you in a shortage of those?

          If the problem is 3-letter agencies, fix the 3-letter agencies. If the problem is oppressive government, fix oppressive government

          How about you come up with a realistic plan on how to stop the NSA spying on everybody, US citizens included?
          Until you do, I'll stick with HTTPS-everywhere, thank you.

          If the problem is leftists redefining "oppression", exile them to a socialist country so they better understand the word.

          Listen to him, just listen.
          He's saying: "anyone who doesn't like the NSA spying on the Internet is redefining oppression. Actually the NSA intercepting all traffic is freedom, or at least not-oppression".

          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @12:32PM (4 children)

            by Anonymous Coward on Wednesday July 25 2018, @12:32PM (#712287)

            Are you in a shortage of those?

            Personally, no. Multiply it by the number of unnecessary SSL web sites.

            How about you come up with a realistic plan on how to stop the NSA spying on everybody, US citizens included?

            More power to the house oversight committee and strict limitations on offshoring intelligence gathering when it targets US citizens.

            anyone who doesn't like the NSA spying on the Internet is redefining oppression. Actually the NSA intercepting all traffic is freedom, or at least not-oppression

            Legislative overreach, weaponization of government [forbes.com] and politicization of the 3 letter agencies [newsmax.com] are the problems. Criminals and terrorists don't get to play the oppression card.

            • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @01:28PM (3 children)

              by Anonymous Coward on Wednesday July 25 2018, @01:28PM (#712314)

              Criminals and terrorists don't get to play the oppression card.

              Yeah, the non-US citizens are all criminals and terrorists. Way to go, brah.

              • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:01PM (2 children)

                by Anonymous Coward on Wednesday July 25 2018, @02:01PM (#712336)

                Yeah, the non-US citizens are all criminals and terrorists. Way to go, brah.

                Non-citizens are not under US constitutional protection. Try again!

                • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:55PM

                  by Anonymous Coward on Wednesday July 25 2018, @02:55PM (#712390)

                  The fourth amendment doesn't actually say any such thing.

                • (Score: 2) by maxwell demon on Wednesday July 25 2018, @10:38PM

                  by maxwell demon (1608) on Wednesday July 25 2018, @10:38PM (#712757) Journal

                  The US constitution puts limits on what the US government may do. Unless that limit explicitly is restricted to the case that US citizens are targeted, the limitations are valid no matter who is targeted.

                  --
                  The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by Pino P on Thursday July 26 2018, @06:17PM

            by Pino P (4721) on Thursday July 26 2018, @06:17PM (#713279) Journal

            It also increases bandwidth costs by around 1/3 along with an increase in power consumption.

            Are you in a shortage of those?

            I personally currently am not. The administrator of a school in a remote area whose Internet uplink is 128 kbps and harshly metered is.

    • (Score: 4, Informative) by Anonymous Coward on Wednesday July 25 2018, @08:39AM (6 children)

      by Anonymous Coward on Wednesday July 25 2018, @08:39AM (#712226)

      The problem is that there's no protocol available for just signing your content. For public, static HTML pages that would be perfect: On one hand, cryptographic signatures would make sure that the content is not modified during transmission, while on the other hand the static content (and thus also static signature) not being encrypted by a session key would allow caching.

      So:

      • Completely unprotected transfer (HTTP): Bad.
      • Signed unencrypted transfer: Perfect for public, static content, but not available.
      • Encrypted transfer (HTTPS): Required for anything containing private/sensible information. In principle overkill for public, static content, but since the only available alternative is unacceptable, it's the best you can do.
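The "signed unencrypted transfer" option the post describes has no standard protocol behind it, but the mechanism itself is easy to model. The following Go program is an added example, not code from the thread or from any project mentioned in it: a publisher signs a static document once with an Ed25519 key and attaches a detached signature; any cache can store and replay the body and header unchanged; the client verifies against the publisher's public key and rejects a body that was modified on the way. The header name `X-Content-Signature`, the `Response` struct and the sample page are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// sigHeader is a hypothetical header carrying the detached signature over
// the response body (assumption for this example; no standard defines it).
const sigHeader = "X-Content-Signature"

// Response is a minimal stand-in for a cacheable HTTP response.
type Response struct {
	Headers map[string]string
	Body    []byte
}

// NewPublisherKey generates the publisher's long-term signing key pair.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish signs a static document at publication time. The signature covers
// only the body, so it is as static as the content and can be cached with it.
func Publish(priv ed25519.PrivateKey, body []byte) Response {
	sig := ed25519.Sign(priv, body)
	return Response{
		Headers: map[string]string{
			"Content-Type": "text/html; charset=utf-8",
			sigHeader:      base64.StdEncoding.EncodeToString(sig),
		},
		Body: append([]byte(nil), body...),
	}
}

// Verify is the client-side check: a missing, malformed or non-matching
// signature all return false, which is how an on-path modification shows up.
func Verify(pub ed25519.PublicKey, resp Response) bool {
	sigB64, ok := resp.Headers[sigHeader]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, resp.Body, sig)
}

// Tamper models an intermediary that rewrites the body but forwards the
// headers, including the original signature, untouched.
func Tamper(resp Response, newBody []byte) Response {
	out := Response{Headers: map[string]string{}, Body: newBody}
	for k, v := range resp.Headers {
		out.Headers[k] = v
	}
	return out
}

func main() {
	pub, priv := NewPublisherKey()
	// Constructed sample document.
	page := []byte("<html><body><h1>Static page</h1></body></html>")
	resp := Publish(priv, page)
	fmt.Println("original verifies:", Verify(pub, resp))
	modified := Tamper(resp, append(page, []byte("<!-- inserted in transit -->")...))
	fmt.Println("modified verifies:", Verify(pub, modified))
}
```

The point the example makes is the one the post makes: confidentiality and integrity are separable, and a signature over static bytes survives caching in a way a TLS session cannot. What it does not solve is key distribution: the client still has to learn the publisher's public key from somewhere it trusts, which is the role the CA system plays for HTTPS.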
      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @10:19AM (5 children)

        by Anonymous Coward on Wednesday July 25 2018, @10:19AM (#712243)

        so browsers should allow me to completely forbid javascript whenever pure http is used.
        does that solve the problems you're talking about?
        or is it still possible for the man in the middle to replace the text of the website?

        • (Score: 2) by Pino P on Wednesday July 25 2018, @01:31PM (4 children)

          by Pino P (4721) on Wednesday July 25 2018, @01:31PM (#712317) Journal

          so browsers should allow me to completely forbid javascript whenever pure http is used.
          does that solve the problems you're talking about?

          Let's say you set up a network attached storage (NAS) device on your home LAN, and it offers a web interface for a user to browse the files stored on the device. Some of the more advanced features of this web interface, such as audio visualization and video playback in the full screen, use JavaScript. But in your proposal, websites on cleartext HTTP cannot use JavaScript. So what certificate should this NAS device use for HTTPS?

          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:20PM (3 children)

            by Anonymous Coward on Wednesday July 25 2018, @02:20PM (#712350)

            nothing, because it's pretty dumb to enforce such requirements on local network devices and appliances like that.

            hackers may read what you are doing on your home network and your IoTs might search it for midget porn, but i can take the risk if someone would at least let me make the decisions for myself.

            probably i wouldn't administrate anything with chrome anyway if the device is that old. i'd be using a dedicated old browser like an ancient esr of firefox or something like that, just for that purpose. provided there's no fat client or cli anyway

            i wish html wasn't used to dumbify stuff, since it just causes problems like this that shouldn't need solving.

            yeah someone will enable http admin access over the internet or something after giving a web managed device a public ip address or due to convenience because dumb, but i can't be held responsible for stupid unless it's my stupid.

            • (Score: 2) by Pino P on Wednesday July 25 2018, @02:47PM (2 children)

              by Pino P (4721) on Wednesday July 25 2018, @02:47PM (#712379) Journal

              nothing, because it's pretty dumb to enforce such requirements on local network devices and appliances like that.

              Yet the Secure Contexts spec [w3.org] does exactly that, on grounds that your web browser can't always tell the difference between a (relatively safe) home network and a (far more dangerous) public hotspot in a coffee shop. The only hostname exempt from the policy is localhost.

              probably i wouldn't administrate anything with chrome anyway if the device is that old.

              Even a brand new device would still need a certificate, which in turn needs a domain name. Should the manufacturer of a web-managed device be responsible for provisioning TLS certificates on the devices it ships? If so, that would encourage the manufacturer to terminate CA service for a device the day the warranty runs out, creating planned obsolescence and increasing the e-waste load. It would also exclude homemade IoT devices, such as a gateway modded to run DD-WRT or a device built around a Raspberry Pi single-board computer.

              provided there's no fat client or cli anyway

              i wish html wasn't used to dumbify stuff, since it just causes problems like this that shouldn't need solving.

              Other than a web application, what administration means would you prefer for a device on a home network? SSH? VNC-over-SSH? RDP? If so, you'd still need some way for the client to verify the device's server key fingerprint. You mention "fat client" as an alternative, but good luck running a binary-only, Windows-only fat client in any rational computing environment built on free software.
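The Secure Contexts rule the reply refers to, that only loopback addresses and "localhost" names are exempt from the secure-scheme requirement, can be written down as a small classifier. The Go function below is an added example, not the thread's or the W3C's code; it follows the published "potentially trustworthy origin" algorithm as I understand it (secure schemes, the `file` scheme, `localhost` and `*.localhost`, and loopback IP literals pass; everything else, private LAN addresses included, fails) and leaves out the browser-specific schemes such as extension URLs that the spec lets each user agent add. The sample URLs in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// PotentiallyTrustworthy reports whether a browser following the Secure
// Contexts algorithm would treat the URL's origin as a secure context.
// Private addresses such as 192.168.0.1 are deliberately NOT trusted: on a
// foreign network anyone can own them, and the browser cannot tell a home
// LAN from a coffee-shop hotspot.
func PotentiallyTrustworthy(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "https", "wss", "file":
		return true
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return true
	}
	if ip := net.ParseIP(host); ip != nil {
		return ip.IsLoopback() // 127.0.0.0/8 and ::1 only
	}
	// Browser-specific trusted schemes (extension pages etc.) are omitted.
	return false
}

func main() {
	// Constructed sample origins, including the router address from the thread.
	for _, u := range []string{
		"https://example.com/",
		"http://localhost:8080/",
		"http://127.0.0.1/",
		"http://[::1]:8443/",
		"http://192.168.0.1/",
		"http://nas.example/",
	} {
		fmt.Printf("%-26s secure context: %v\n", u, PotentiallyTrustworthy(u))
	}
}
```

Running it shows why the NAS in the earlier reply cannot get a secure context without a real hostname and certificate: its only route to "trustworthy" is the scheme, and that needs a certificate the browser already trusts.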

              • (Score: 2) by urza9814 on Thursday July 26 2018, @05:37PM (1 child)

                by urza9814 (3954) on Thursday July 26 2018, @05:37PM (#713242) Journal

                These devices *already* use HTTPS with self-signed certs. The ones I use won't even allow a non-secure connection. Sure, it's potentially not quite as secure as an "official" CA-issued cert, but it's still better than unsecured HTTP. It's not like the devices can't handle the overhead -- they already do. It's not like the companies can't find a way to set that up -- they've been doing it for years. I don't see the problem here...

                • (Score: 2) by Pino P on Thursday July 26 2018, @06:19PM

                  by Pino P (4721) on Thursday July 26 2018, @06:19PM (#713280) Journal

                  These devices *already* use HTTPS with self-signed certs. The ones I use won't even allow a non-secure connection.

                  You must be using different brands of device from the brands I have used. The brands I have used default to cleartext HTTP precisely because current browsers provide a scarier warning for HTTPS using a certificate from an unknown issuer than for cleartext HTTP.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @09:11AM (1 child)

      by Anonymous Coward on Wednesday July 25 2018, @09:11AM (#712231)

      Exactly. My site has no logins or databases. I don't need httpS. In fact over the past 10 days several websites I go to daily have been inaccessible due to mucked up certificates - and Firefox refuses to go there. Long rule HTTP!

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @10:21AM

        by Anonymous Coward on Wednesday July 25 2018, @10:21AM (#712244)

        It ain't about you but your visitors, honey.

    • (Score: 3, Insightful) by Anonymous Coward on Wednesday July 25 2018, @10:18AM (5 children)

      by Anonymous Coward on Wednesday July 25 2018, @10:18AM (#712241)

      But the modern Internet is phasing out static sites. See, the static site sits there on the server, is sometimes updated, and serves as a source of information all the time. The knowledge exchange here cannot be easily monetized.
      In the modern Internet, human contact became a commodity too. And this is a step towards eliminating static sites and going back to the "oral history", but this time paid per post.
      And really, don't tell me that adding a cert from Let's Encrypt is free - it just isn't, most cheap hosting providers require more money for it than going with a VPS and hiring a geek to take care of it.

      • (Score: 2) by c0lo on Wednesday July 25 2018, @11:11PM (4 children)

        by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @11:11PM (#712773) Journal

        And really, don't tell me that adding a cert from Let's Encrypt is free - it just isn't, most cheap hosting providers require more money for it than going with a VPS and hiring a geek to take care of it.

        Bluehost [bluehost.com] - all plans with SSL included
        hostgator [hostgator.com] - all plans with free SSL included
        siteground [siteground.com] - all plans with "All essential features" including free SSL/HTTPS
        a2hosting [a2hosting.com] - all plans with free SSL

        Oh, fuck it: visit this [hostingfacts.com] - the first non-ad link that popped into a Google-search for "hosting providers" - the above are the first 4 entries in that list. Continue browsing the list, I'm willing to bet all of them will offer free SSL with their plans.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by rob_on_earth on Thursday July 26 2018, @09:22AM (1 child)

          by rob_on_earth (5485) on Thursday July 26 2018, @09:22AM (#712984) Homepage

          Sadly, usually one free SSL per account, not per Domain.

          • (Score: 3, Interesting) by c0lo on Thursday July 26 2018, @12:04PM

            by c0lo (156) Subscriber Badge on Thursday July 26 2018, @12:04PM (#713028) Journal

            Hint: you can create one account per each domain/site you want to host.
            Incidentally, this is how my sites are registered/hosted - the login name is usually derived from the domain name rather than your chosen username/email.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @09:51AM (1 child)

          by Anonymous Coward on Thursday July 26 2018, @09:51AM (#712992)

          In my conditions and for a static site your proposals are in this "more expensive" category, reserved usually for regional e-shops and small corporate sites.
          Usually in such situations static sites are hosted at providers charging 1/4 of Bluehost's simplest plan price. Seriously, there are small services with a domain, a few GBs, one database usually not used, and some server-side scripting. No shell, no ability to run your own programs, no Java on the server, just plain hosting with a quota.

          • (Score: 2) by c0lo on Thursday July 26 2018, @11:57AM

            by c0lo (156) Subscriber Badge on Thursday July 26 2018, @11:57AM (#713025) Journal

            In my conditions and for a static site your proposals are in this "more expensive" category, reserved usually for regional e-shops and small corporate sites.

            You'll have to ask yourself the question: is it your site or the site of your readers? Don't worry, your choice, I'm not interested in your answer, much less interested in judging your choice.

            If it is your site, why do you need to make it public?

            If it is your readers' why do you feel you can take the decision in their name to keep them unprotected against an ISP (Comcast [infoworld.com]) so willing [netgate.com] to inject ads and trackers [thehackernews.com] in their traffic or to hijack their searches [eff.org] or redirect typoed domain names [wikipedia.org]?

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Informative) by c0lo on Wednesday July 25 2018, @07:11AM (7 children)

    by c0lo (156) Subscriber Badge on Wednesday July 25 2018, @07:11AM (#712209) Journal

    EE UK [wikipedia.org] a mobile comms provider.

    Their idea of protecting the kids [ee.co.uk]:

    Strict – The safe setting for children under 12. It filters 18-rated content but also content the BBFC rates higher than 'PG', as well as other content not suitable for younger children including chat, dating and unmoderated social networking sites.
    ...
    Please note: We’re now blocking secure sites for Strict users (sites showing HTTPS in the URL). This means that some webpages you may have been previously able to access will now show as ‘Timed out’ or ‘No response’.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @07:41AM (1 child)

      by Anonymous Coward on Wednesday July 25 2018, @07:41AM (#712215)

      This shows that HTTPS is, at least on the mass-deployment scale, secure enough to prevent "them" from reading and modifying your web traffic. Not the NSA's secret-agent type, but the casual, everyday "I'll trample everybody's privacy simply because I damn well can".

      Now just imagine: what would happen to those save-the-children snake-oil peddlers if the whole web were indeed on HTTPS?

      :-o

      • (Score: 2) by jmorris on Wednesday July 25 2018, @05:04PM

        by jmorris (4844) on Wednesday July 25 2018, @05:04PM (#712484)

        They would direct you to a captive portal offering you their "app" to permit access. It would gimp your browser's certificate store to let them see your traffic. And since people want the access they would install it. Game over.

    • (Score: 2) by MostCynical on Wednesday July 25 2018, @07:44AM (1 child)

      by MostCynical (2589) on Wednesday July 25 2018, @07:44AM (#712216) Journal

      Important to protect children from homework..

      https://www.spellingcity.com [spellingcity.com]

      https://www.education.vic.gov.au/languagesonline/french/french.htm [vic.gov.au]

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @11:06AM

        by Anonymous Coward on Wednesday July 25 2018, @11:06AM (#712259)

        Dude, WTF is wrong with you? I mean really? Once kids know how to spell "sex" they're half way to finding out about it.

    • (Score: 2, Informative) by MichaelDavidCrawford on Wednesday July 25 2018, @10:44AM (2 children)

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday July 25 2018, @10:44AM (#712247) Homepage Journal

      I Am Absolutely Serious:

      It happens that Michael Patrick Dumble-Smythe's stage name is Michael Crawford.

      Dumble-Smythe starred as the phantom in the London stage production of The Phantom Of The Opera.

      In no way have any of my websites ever suggested that I had ever been an actor.

      Despite that, there were a few years that I _regularly_ received love letters from nine year old girls. I _always_ replied:

      "Do your parents know that you're eMailing adult men who are complete strangers to you?"

      I got lots of offers for sexual affairs from middle-aged married women as well.

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 3, Funny) by Whoever on Wednesday July 25 2018, @03:17PM (1 child)

        by Whoever (4524) on Wednesday July 25 2018, @03:17PM (#712407) Journal

        I got lots of offers for sexual affairs from middle-aged married women as well.

        How many are called Betty?

        • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @03:13AM

          by Anonymous Coward on Thursday July 26 2018, @03:13AM (#712892)

          This list?
              https://en.wikipedia.org/wiki/Betty [wikipedia.org]

          Or is there something in pop culture that I've missed?

  • (Score: 0, Insightful) by Anonymous Coward on Wednesday July 25 2018, @09:49AM (4 children)

    by Anonymous Coward on Wednesday July 25 2018, @09:49AM (#712237)

    They know their ad business is going to tank eventually so they're poised to become the CA to end all CA's. To accomplish this they must first become arbiters of what is secure which is accomplished by spreading FUD on one end and by bullying smaller players out of the market (which they've already experimented with, aided by their butt-buddies at Mozilla).

    • (Score: -1, Offtopic) by Anonymous Coward on Wednesday July 25 2018, @09:56AM (3 children)

      by Anonymous Coward on Wednesday July 25 2018, @09:56AM (#712240)

      You really believe us technical illiterates? Or are you just shilling for a spook agency?

      • (Score: -1, Offtopic) by Anonymous Coward on Wednesday July 25 2018, @12:11PM (2 children)

        by Anonymous Coward on Wednesday July 25 2018, @12:11PM (#712281)

        You appear to be butthurt.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @12:15PM (1 child)

          by Anonymous Coward on Wednesday July 25 2018, @12:15PM (#712284)

          That never would have happened if he had used https.

          • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:03PM

            by Anonymous Coward on Wednesday July 25 2018, @02:03PM (#712339)

            Or lubricant.

  • (Score: 2) by MichaelDavidCrawford on Wednesday July 25 2018, @10:41AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday July 25 2018, @10:41AM (#712246) Homepage Journal

    I have a lot of really good reasons to believe that a substantial portion of my various websites' users visit my sites from library computers, a great many of which still run Windows 95.

    I Am Absolutely Serious.

    For the last week I've been having a knock-down-drag-out Flame War with a professional web designer as well as a truly-knowledgeable former IBM Mainframe salesman.

    They repeatedly insist that I implement CSS and JS to the very edge of the Earth.

    To which I reply:

    "Does your design work on XP? How about Windows CE?"

    Finally I grew weary of arguing, so every time they mail me their repetitious insistence that my site REALLY DOES LOOK LIKE 1995 BECAUSE I REALLY _DO_ SUPPORT WINDOWS 95:

    "I'll leave that decision to the web designer that I ALREADY told you I would hire after the Branding Consultant I retained a few days ago is done with Soggy Jobs' new logo".

    BUT I AM ABSOLUTELY SERIOUS:

    That web designer will be required to support Windows XP with no service packs - yes, IE - Mac OS X 10.4 - the initial release of Tiger - as well as whatever version of Windows CE's IE was in use at the time that Tiger and XP were around.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by MichaelDavidCrawford on Wednesday July 25 2018, @11:41AM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday July 25 2018, @11:41AM (#712269) Homepage Journal

      - rest of them.

      That one HTTPS site is internal use only.

      I'm going to support non-redirected SSL for all my websites. I've already purchased their certs, I just need to configure them.

      For Soggy Jobs and for Warp Life, I'm also going to set up Tor Hidden Services.

      --
      Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by toddestan on Thursday July 26 2018, @03:04AM

      by toddestan (4982) on Thursday July 26 2018, @03:04AM (#712888)

      I can't imagine trying to use the modern internet on Windows 95. The first challenge will be trying to find a browser that would render modern websites that also runs on Windows 95. Even if you managed to find one, the amount of Javascript and other bloat on any website one might want to visit would absolutely bring the machine to its knees. Ditto for even running the browser, most of which nowadays have RAM footprints in sizes used to measure hard drives back when Windows 95 was new. Keep in mind a high-end Windows 95 machine is probably 300 MHz with 256 MB of RAM. Installing on anything much newer and you'll run into all kinds of driver problems, and even if you manage to cram more RAM into the machine Windows 95 won't know what to do with it (same goes for a second CPU). The hardware would easily be 20 years old.

      Maybe some libraries might still have Windows 95 running an old electronic card catalog (the 1990's style that was a dedicated application before they went web-based), but as a general internet browsing machine? No way.

      Though if you do make websites for Windows 95, maybe you do see a decent amount of visitors because you probably got the market cornered :)

  • (Score: 2) by Bot on Wednesday July 25 2018, @11:54AM

    by Bot (3902) on Wednesday July 25 2018, @11:54AM (#712274) Journal

    is location addressed data vs content addressed data.

    location addressed data implies encryption implies authentication and DoS protection, no caching or MITM done at ISP level.
    content addressed data helps even when no encryption is necessary, makes caching trivial and DoS and tracking difficult to impossible.

    All we're discussing here are stopgap measures that will help the web limp along for a while, nothing more. Given the amount of hitlers around, it's a matter of time before the internet balkanizes.

    --
    Account abandoned.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @12:32PM (2 children)

    by Anonymous Coward on Wednesday July 25 2018, @12:32PM (#712288)

    https is overrated, in my opinion, because it provides a false sense of security. There is no way I would connect to anything important without it, but it isn't the solution to all of the internet's security woes. There is a better way to do away with plain http than shaming.

    They are taking the wrong approach. Instead of shaming http, https should be the default protocol if not specified in the address bar. Defaulting to http leaves the user susceptible to a MiTM 301ing them to an interception proxy on a domain they control. If the domain the proxy is on uses https, they will get the green lock and everything. It will still be the real site. It will still function as normal. Is the average user going to notice this?

    https won't prevent social engineering.

    DNS and router logs can reveal what you connected to.

    https won't protect you from bugs in your browser or web applications. Languages with anal retentive type systems, like Haskell and Ada, can prevent a lot of bugs and still produce fast, native code. They aren't a magic bullet either, but a step in the right direction. Mucking around with the UI on the browser and server side instead of the core logic certainly doesn't help. I actually liked the way things looked in the early/mid 2000s better than today.

    malware downloaded from the "clean your pc" ads over https just means you know you are getting the real malware.

    https is a pain to proxy. If you have as many machines as I do, there is no way you wouldn't proxy linux package repositories. I have to disseminate a local CA cert and use squid's ssl-bump feature to cache https repos. I don't want to modify the .list and .repo files because I want to get the latest version through the package that created them.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @01:29PM

      by Anonymous Coward on Wednesday July 25 2018, @01:29PM (#712316)

      I tend to agree.

      While https may increase resistance to MITM, it also makes reverse engineering web site and browser functionality vastly more difficult. Which is to say fixing security problems above TCP gets harder. And it would seem quite a coincidence that reverse engineering Google's vast client side surveillance drag net gets harder about the same time they get spanked for billions of dollars of privacy violations.

      More importantly MITM attacks violate existing computer intrusion laws in many states. So this is a technical solution, that gives up a freedom (the freedom to reverse engineer) to combat an act that is already a crime. So you ask: "Why doesn't Google file charges on behalf of their customers?"

      The answer is of course self evident.

      Overall, SSL everywhere drives up administrative complexity (and costs) for the WWW, and correspondingly drives up the costs of free speech. If the related criminal statutes were enforced at the ISP level it wouldn't be necessary. But clearly they aren't. So this really works for the ISP view that the web is really just a fancy broadcast cable TV network, and that full duplex digital interpersonal communications are just a fad.

      What happens after is predictable. The big software vendors, the social media sites, and the ISPs will merge, and then they will proprietarize http itself. Breaking the whole Internet. If existing laws were enforced against corporations, as they are enforced against individuals, this wouldn't happen. Thanks SCOTUS for that.

      Clearly the liquidation of NN has already had a huge effect. When Google loads faster on TOR transmitted across transoceanic boundaries than it does over clearnet, obviously the carrier is selectively throttling competitors. So the "going dark" complaint by the FBI, can be largely said to have been caused by the FCC killing NN. By failing to defend the civil rights of everyone, the state has compelled the tech sector to defend itself.

      I think SSL everywhere is a defensive move on Google's part. And it wouldn't be necessary if NN and related Constitutional rights were actually defended by the states when it comes to ISP interference with third party interpersonal communications. What SSL everywhere prevents is already a crime. It just isn't prosecuted against corporations. If the state won't protect the public, then the public has the right to protect itself.

      One thing that should be noted by the shorts, is that there is a LOT of equipment in the networks of certain ISPs that becomes redundant if SSL everywhere becomes highly adopted. Which is to say that there are some switch companies that specialize in this kind of product, that will likely fail. And the companies that buy those products will also have to endure a great deal of expense at reengineering their networks, to remove all of the dirtbag surveillanceware that no longer works.

      So there will be at least one good thing that comes out of this.

    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:14PM

      by Anonymous Coward on Wednesday July 25 2018, @08:14PM (#712634)

      Any security provides false sense of security because it isn't 100% secure. Therefore we shouldn't do anything. Wait a minute here…

  • (Score: 2) by DavePolaschek on Wednesday July 25 2018, @01:59PM (13 children)

    by DavePolaschek (6129) on Wednesday July 25 2018, @01:59PM (#712334) Homepage Journal

    I have a website. Went online in the mid-90s. But due to ISP buyouts and transfers and such, plus me not having updated the site for five years, setting up https would be a major bit of work. Hell, I don't even know who to contact to update my DNS without consulting whois at this point. And transferring the domain to another registrar is something I'm dreading.

    So I'm faced with a decision. Update a site that costs me $40/month just to keep online (because I use more than the 10MB included hosting space that comes for $10/month) and spend weeks corresponding with various people to get the server configured correctly, or just pull the plug. Which do you think I'll go with?

    • (Score: 2) by DrkShadow on Wednesday July 25 2018, @02:26PM (9 children)

      by DrkShadow (1404) on Wednesday July 25 2018, @02:26PM (#712355)

      Option C: Ignore the abuses of large corporations.

      Everyone here is talking about one privacy-violating, intrusive browser. There are a handful of others. Ignore the one.

      • (Score: 2) by Pino P on Wednesday July 25 2018, @02:56PM (8 children)

        by Pino P (4721) on Wednesday July 25 2018, @02:56PM (#712392) Journal

        To which of the "handful of others" will you be switching? Firefox already shows a "not secure" warning if you try to fill in a form on a cleartext website. Go sign up for a commenting account on Explosm.net (home of the webcomic Cyanide & Happiness) to see this in action.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:01PM

          by Anonymous Coward on Wednesday July 25 2018, @05:01PM (#712479)

          Try Slimjet, a chromium with all the phone-home stuff removed. I use mostly Pale Moon, a firefox derivative with the same. Or Qupzilla, or Vivaldi, or TorBrowser. Install & use multiple browsers. Confuse the advertising AI. Promote honest alternatives. Don't dedicate yourself to a single point of failure, however you define it. Or to a single corporation.

        • (Score: 2) by jmorris on Wednesday July 25 2018, @05:18PM (5 children)

          by jmorris (4844) on Wednesday July 25 2018, @05:18PM (#712492)

          Oh it gets better than that. The morons at Moz corp repost that warning dialog with every keystroke, and because they are morons it eats random keystrokes (dunno about Windows but it does on both Devuan and CentOS) in the process. Try configuring a piece of network gear with that nonsense going on with password entry boxes. And no it isn't "insecure", the damned thing is on my desk being initially configured and if anyone thinks every piece of network gear is going to ship with a unique name and a real certificate in the system just to avoid that initial connect to http://192.168.0.1 [192.168.0.1] to configure it without a browser bitching they are insane in the brain. If Moz still had competent people they would at least trap the reserved internal ips and suppress the warning for those.

          • (Score: 2) by Pino P on Wednesday July 25 2018, @05:48PM (2 children)

            by Pino P (4721) on Wednesday July 25 2018, @05:48PM (#712515) Journal

            If Moz still had competent people they would at least trap the reserved internal ips and suppress the warning for those.

            An attacker on a public hotspot in a coffee shop controls "the reserved internal ips" on that network. If you have some reliable way of distinguishing a private home WLAN from a coffee shop WLAN, I'd like to hear about it.

            • (Score: 2) by jmorris on Wednesday July 25 2018, @05:58PM (1 child)

              by jmorris (4844) on Wednesday July 25 2018, @05:58PM (#712528)

              If you can come up with a viable attack against http://192.168.x.x, http://10.x.x.x, etc. addresses that would actually work in the real world, let's hear it. If they allowed anything that resolved to a 192.168.0.0/16 THAT might have possibilities, but since a random WiFi controls DNS and can trap any unencrypted traffic they already have a lot of ways to attack.

              • (Score: 2) by toddestan on Thursday July 26 2018, @03:15AM

                by toddestan (4982) on Thursday July 26 2018, @03:15AM (#712893)

                Easy. You log onto someone else's wi-fi. They set up their DNS so ebay.com or facebook.com or soylentnews.org or whatever points to a server they control with a 192.168.x.x or 10.x.x.x address. Granted, if you were paying attention you might notice that it's not https, but if you don't and put in your username and password then you've been pwned.

                I agree though that in the case where it's my own network and I don't need to worry about an attack like that, it's a pain in the ass.
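The scenario in the reply above, a hotspot's resolver answering for public names with addresses from a private range, leaves a simple footprint that a client or a home router can check for. The Go program below is an added example written for this thread, not code from any of the posters; it reads constructed resolver-log lines of the form `<name> <A|AAAA> <address>` (a format assumed for the example, not any real resolver's) and flags answers where a name that is not a LAN name resolves to a private, loopback or link-local address. The list of internal name suffixes is likewise an assumption; a real deployment would use its own.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Finding records one DNS answer that mapped a non-LAN hostname to a
// non-public address.
type Finding struct {
	Name string
	Addr netip.Addr
}

// isInternalName returns true for names expected to live on the LAN and
// therefore legitimately resolve to private addresses. Single-label names,
// "localhost" and a few conventional suffixes are treated as internal; the
// suffix list is an assumption for this example.
func isInternalName(name string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if name == "localhost" || !strings.Contains(name, ".") {
		return true
	}
	for _, sfx := range []string{".local", ".lan", ".home.arpa", ".localhost"} {
		if strings.HasSuffix(name, sfx) {
			return true
		}
	}
	return false
}

// Suspicious reports whether an A/AAAA answer for a public-looking hostname
// points at an address that no public site would have: RFC 1918 / ULA,
// loopback, link-local or unspecified.
func Suspicious(name string, addr netip.Addr) bool {
	if isInternalName(name) {
		return false
	}
	addr = addr.Unmap() // treat ::ffff:192.168.0.5 like 192.168.0.5
	return addr.IsPrivate() || addr.IsLoopback() ||
		addr.IsLinkLocalUnicast() || addr.IsUnspecified()
}

// ScanLog parses "<name> <A|AAAA> <address>" lines and returns the answers
// that Suspicious flags. Malformed lines and other record types are skipped.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || (f[1] != "A" && f[1] != "AAAA") {
			continue
		}
		addr, err := netip.ParseAddr(f[2])
		if err != nil {
			continue
		}
		if Suspicious(f[0], addr) {
			out = append(out, Finding{Name: f[0], Addr: addr})
		}
	}
	return out
}

// sampleLog is a constructed resolver log: two legitimate LAN names, one
// public name with a documentation-range (public-looking) address, and
// three public names answered with private or link-local addresses.
const sampleLog = `router.lan A 192.168.0.1
printer.local A 192.168.0.20
example.com A 203.0.113.10
ebay.com A 192.168.0.5
facebook.com AAAA fe80::1
soylentnews.org A 10.0.0.7
`

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("suspicious: %s -> %s\n", f.Name, f.Addr)
	}
}
```

Against the sample it reports the last three names and nothing else. The check is cheap enough to run on every answer, but it only catches the variant where the rogue server sits on the hotspot's own subnet; a resolver that points victims at a public address controlled by the attacker passes it, which is why the reply's real defence, the site being HTTPS and the browser warning when it is not, remains the one that matters.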

          • (Score: 2) by NewNic on Wednesday July 25 2018, @06:12PM (1 child)

            by NewNic (6420) on Wednesday July 25 2018, @06:12PM (#712541) Journal

            Oh it gets better than that. The morons at Moz corp repost that warning dialog with every keystroke, and because they are morons it eats random keystrokes (dunno about Windows but it does on both Devuan and CentOS) in the process.

            Just tried it. Firefox on CentOS 7. I didn't get missing keystrokes.

            --
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory

            • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:48PM

              by Anonymous Coward on Wednesday July 25 2018, @08:48PM (#712672)

              Well it is jmorris, he's probably heavily infected with NSA malware building up a dossier for the day when he finally snaps.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:21PM

          by Anonymous Coward on Wednesday July 25 2018, @05:21PM (#712496)

          Ditto

The only one that I can think of that has ongoing developer support, where the product is intended to be secure out of the box, is TOR browser. Every browser in the top 10 can be regarded as institutionally compromised.

    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:39PM (1 child)

      by Anonymous Coward on Wednesday July 25 2018, @02:39PM (#712373)

      I am assuming it is a small personal site.

$40/month is a lot for a small site. I pay about $13/month for shared hosting. That is after the cheap intro. That includes SSL and email, and unlimited storage (within reason). You are giving up a nice weekend getaway every year or two for no reason. Check out current shared hosting prices.

      Your pay for moving to a new hosting provider would be HUNDREDS of dollars an hour.

      • (Score: 2) by DavePolaschek on Thursday July 26 2018, @01:13PM

        by DavePolaschek (6129) on Thursday July 26 2018, @01:13PM (#713066) Homepage Journal

        Transferring the domain is more headache than I want at this point, let alone moving the site. More likely, I'll just pull the plug.

    • (Score: 2) by Pino P on Wednesday July 25 2018, @02:50PM

      by Pino P (4721) on Wednesday July 25 2018, @02:50PM (#712384) Journal

      Set up the transfer to Gandi or Namecheap already. Then you can sign up for hosting at any of several virtual private server (VPS) providers at $10 per month or less. Even a VPS on Amazon Elastic Compute Cloud (EC2) is cheaper than that, and you can use an S3 bucket for large static resources such as images and video.

  • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:36PM (1 child)

    by Anonymous Coward on Wednesday July 25 2018, @02:36PM (#712366)

HTTPS is cool, but the only thing sending insecure HTTP redirects to HTTPS does is make your site less interoperable for no actual security benefit.

    While most UAs support HTTPS to some description, HTTPS has a lot of different modes and most of them are completely broken from a security perspective. In many cases such modes have to be disabled on the server side. This means HTTPS won't work in anything but the latest browsers, so you need to leave HTTP working.

    Browsers should just change it so when you type 'mycoolsite.example.org' in the address bar it connects with HTTPS by default. But maybe even this doesn't matter because most people don't enter domain names directly and just type 'mycoolsite' into a web search.
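Added example (editor's code, not from this commenter or from the Why No HTTPS? project): whether a site "redirects insecure traffic to the secure scheme" is decided by following the redirect chain and looking at the scheme of the final 200 response, which is how a tool like whynohttps.com has to classify sites. The responses below are a constructed table standing in for live HTTP fetches, so the block runs offline; the hostnames are made up.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed responses: url -> (status, headers). Stand-in for real fetches.
RESPONSES = {
    # Clean: one hop straight to HTTPS.
    "http://good.example/":      (301, {"Location": "https://good.example/"}),
    "https://good.example/":     (200, {}),
    # Bare domain goes to www over HTTP first, then www goes to HTTPS.
    "http://bare.example/":      (301, {"Location": "http://www.bare.example/"}),
    "http://www.bare.example/":  (301, {"Location": "https://www.bare.example/"}),
    "https://www.bare.example/": (200, {}),
    # Scheme-relative Location keeps the insecure scheme: redirects to itself.
    "http://sloppy.example/":    (302, {"Location": "//sloppy.example/"}),
    # Serves the page over HTTP and never redirects.
    "http://plain.example/":     (200, {}),
}


def follow_redirects(start_url, responses, max_hops=10):
    """Walk the redirect chain starting at start_url.
    Returns (chain, verdict) where verdict is one of
    'https', 'http', 'unreachable', 'error' or 'loop'."""
    url = start_url
    chain = [url]
    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        if status is None:
            return chain, "unreachable"
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            # urljoin resolves relative and scheme-relative targets the way a
            # browser does; "//host/" inherits the current (insecure) scheme.
            url = urljoin(url, location)
            chain.append(url)
            continue
        if status == 200:
            return chain, "https" if urlsplit(url).scheme == "https" else "http"
        return chain, "error"
    return chain, "loop"


def check_site(domain, responses=RESPONSES):
    """Check both the bare name and the www. form, as the article's data does."""
    return {
        name: follow_redirects(f"http://{name}/", responses)[1]
        for name in (domain, "www." + domain)
    }


if __name__ == "__main__":
    for name in ("good.example", "bare.example", "sloppy.example", "plain.example"):
        print(name, follow_redirects(f"http://{name}/", RESPONSES))
```

The sloppy.example case is the one worth remembering: a `Location: //host/` header looks like a redirect in the server config but, issued from an HTTP page, it stays on HTTP, so a checker that only looks for a 3xx status would wrongly count it as fixed.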

    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:17PM

      by Anonymous Coward on Wednesday July 25 2018, @08:17PM (#712640)

      "Anything but the latest browsers" is an invitation to some fullscreen goatse screensaver anyway. And that's best case scenario.

  • (Score: 5, Interesting) by Knowledge Troll on Wednesday July 25 2018, @02:38PM (6 children)

    by Knowledge Troll (5948) on Wednesday July 25 2018, @02:38PM (#712368) Homepage Journal

    I've been watching the change over to an all TLS Internet with a careful eye when I wear my ham radio operator hat. On ham radio it is legal to use digital modes for communication but it is illegal to obfuscate the communication in any way including cryptography. There is exactly no privacy at all on ham radio yet we still use authentication and we can even pass TCP/IP itself over the radio using AX.25 (the ham radio version of X.25).

    Back in the 90s not only did I have 2 public routable IPs in a netblock reserved just for ham radio (44.0.0.0/8 called AMPRNet) but they were static! And back then there was a chance you could actually access machines on the Internet over ham radio since nearly nothing used SSL yet. Technically you can still route TCP/IP over ham radio but trying to talk to the Internet means you'll likely just break the rules.

    I don't personally believe that crypto belongs on ham radio so my sole concern is that the browsers and other programs that communicate with the Internet will go encrypted only and then it won't even be possible to use them on networks that stay entirely inside ham radio and never access the Internet itself. That would be really unfortunate.

    Also I can't believe hams still hold on to AMPRNet - that's 16 million IPs that are almost entirely unused.

    For the curious I did TCP/IP over packet radio in the 90s and that isn't very common anymore. The current technique is to modify the firmware of consumer plastic piece of shit routers and run them in a mesh. Ham radio license holders are explicitly allowed to do something like modify a Linksys router while a non-license holder is not (yes, seriously, this is why we test and get a license).

    Packet can do 1200 baud on 2 meters but those hacked WiFi routers run at their native speed.


    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:33PM (5 children)

      by Anonymous Coward on Wednesday July 25 2018, @05:33PM (#712501)

      "I don't personally believe that crypto belongs on ham radio"

      I can see crypto over ham radio bands from a safety standpoint. For example giving commands to a robotic combine harvester that is a mile away in the wheat field for example.

      • (Score: 2) by jmorris on Wednesday July 25 2018, @05:59PM

        by jmorris (4844) on Wednesday July 25 2018, @05:59PM (#712530)

        That would be commercial activity and is forbidden. My license is long expired but I remember the rules.

      • (Score: 2) by Knowledge Troll on Wednesday July 25 2018, @08:17PM (3 children)

        by Knowledge Troll (5948) on Wednesday July 25 2018, @08:17PM (#712639) Homepage Journal

        > I can see crypto over ham radio bands from a safety standpoint. For example giving commands to a robotic combine harvester that is a mile away in the wheat field for example.

        Privacy and integrity are two entirely different things and integrity does not require encryption which itself is obfuscation. You can send all the signed messages you want to remote equipment, sending along a signature for a message obfuscates nothing and still provides perfectly serviceable integrity and authenticity guarantees.

        The exact reason obfuscation of content on ham radio is not allowed is so that all the hams can observe what is going on and if we see inappropriate activity we can deal with it because we mostly self police - the FCC won't really help us.

        The argument people try to make that crypto needs to be allowed on ham radio only works for privacy and that's a tough sell - the instances I've seen that make any sense at all (and not much sense) are that during a disaster using crypto to secure health records when sending them around the world because that is the last functioning communication infrastructure is needed or it would violate HIPAA.

        That argument fails for many reasons: Part 97 says exactly that during emergency communications the operator is to do anything needed to communicate even if that means exceeding privileges and regulations. As well in a true disaster HIPAA concerns are entirely secondary. On top of that what good is patient information going to do 3,000 miles away from the patient itself?

        No one has been able to provide a compelling reason that privacy is actually needed instead of integrity and authenticity.
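Added example (editor's code, not Knowledge Troll's): the "authenticate but don't obfuscate" design above, as a cleartext command frame carrying a sequence number and a MAC. It uses HMAC with a shared key from the Python standard library as a stand-in for a signature; a public-key signature would let any listening station verify the frames too, which is an assumption outside this block. The key, the frame layout and the command strings are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demo; each real link would hold its own.
KEY = b"constructed-demo-key-not-for-real-use"
SEQ_LEN = 4    # 32-bit big-endian sequence number
MAC_LEN = 16   # HMAC-SHA256 tag truncated to 128 bits


def seal(seq: int, message: bytes, key: bytes = KEY) -> bytes:
    """Build a frame: seq | message | mac. The message is sent in the clear;
    the MAC covers the sequence number so replays are detectable."""
    body = struct.pack(">I", seq) + message
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def readable(frame: bytes) -> bytes:
    """What any listener without the key can read: the message itself."""
    return frame[SEQ_LEN:-MAC_LEN]


class Receiver:
    """Verifies frames and rejects tampered or replayed ones."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def open(self, frame: bytes):
        """Return (True, message) on success, (False, reason) otherwise."""
        if len(frame) < SEQ_LEN + MAC_LEN:
            return (False, "short")
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison so a forger cannot time-guess the tag.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad mac")
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return (False, "replay")
        self.last_seq = seq
        return (True, body[SEQ_LEN:])


if __name__ == "__main__":
    rx = Receiver()
    frame = seal(1, b"HARVESTER STOP")
    print("on the air:", readable(frame))      # anyone can read it
    print("receiver  :", rx.open(frame))       # accepted
    print("replayed  :", rx.open(frame))       # rejected
```

The two checks are independent: the MAC stops anyone without the key from forging or altering a command, and the monotonic sequence number stops a recorded valid frame from being played back later. Neither hides anything, which is the whole point being made above.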

        • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @03:39AM (1 child)

          by Anonymous Coward on Thursday July 26 2018, @03:39AM (#712901)

          > On top of that what good is patient information going to do 3,000 miles away from the patient itself?

          Not arguing with you in general, but in this case there is a possibility that:
          The patient that was dug out of the earthquake rubble in LA was on a business trip from NYC (i.e., 3000 miles from home). It would be helpful if their home medical records were available to the emergency room that is near the disaster site...and the NYC provider is not going to be anxious to open themselves to a HIPAA violation.

          • (Score: 2) by Knowledge Troll on Thursday July 26 2018, @03:59AM

            by Knowledge Troll (5948) on Thursday July 26 2018, @03:59AM (#712913) Homepage Journal

            If all the rest of the communication infrastructure is not operating I don't think the hams are going to have the time to worry about that kind of stuff for one person who might be dying considering everyone is going to be dying. That's just not going to be a priority.

            In fact if the shit hits the fan I'm not sure that ham radio is going to be good for much more than delivering casualty reports until the operator starves to death themselves.

        • (Score: 2) by hendrikboom on Thursday July 26 2018, @12:50PM

          by hendrikboom (1125) Subscriber Badge on Thursday July 26 2018, @12:50PM (#713056) Homepage Journal

          > On top of that what good is patient information going to do 3,000 miles away from the patient itself?

          Maybe the reverse -- obtaining patient information when the patient is 3000 miles from her regular doctor?

          -- hendrik
