
SoylentNews is people

posted by martyb on Wednesday July 25 2018, @06:07AM
from the wasn't-worth-the-work...-until-now? dept.

Submitted via IRC for AndyTheAbsurd

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:

The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW

— Cloudflare (@Cloudflare) July 23, 2018

Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:

The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.

Source: https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/
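The check the summary describes (does a plain-HTTP request end up on HTTPS, and does the bare domain behave like the "www." name?) can be sketched as below. This is an added example, not code from the article or from WhyNoHTTPS; the `.example` hosts and canned responses are constructed so it runs offline, and the verdict strings are hypothetical labels.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed response heads keyed by request URL (not real sites).
CANNED = {
    "http://bare.example/":
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "http://www.bare.example/":
        b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.bare.example/\r\n\r\n",
    "http://hop.example/":
        b"HTTP/1.1 302 Found\r\nlocation: http://www.hop.example/\r\n\r\n",
    "http://www.hop.example/":
        b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.hop.example/\r\n\r\n",
    "http://rel.example/":
        b"HTTP/1.1 301 Moved Permanently\r\nLocation: /home\r\n\r\n",
    "http://rel.example/home":
        b"HTTP/1.1 200 OK\r\n\r\n",
}

def parse_head(raw: bytes):
    """Return (status, headers) from a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return status, headers

def follow(url: str, canned: dict, max_hops: int = 5):
    """Walk redirects from an http:// URL; return (verdict, list of URLs visited)."""
    hops = [url]
    while urlsplit(url).scheme != "https":
        if len(hops) > max_hops:
            return "too-many-redirects", hops
        status, headers = parse_head(canned[url])
        location = headers.get("location")
        if status not in REDIRECTS or not location:
            return "served-over-http", hops  # content delivered insecurely
        url = urljoin(url, location)  # a relative Location keeps the http scheme
        hops.append(url)
    return "redirects-to-https", hops

if __name__ == "__main__":
    for start in ("http://bare.example/", "http://www.bare.example/",
                  "http://hop.example/", "http://rel.example/"):
        print(start, *follow(start, CANNED))
```

The bare and "www." names are checked separately because, as in the constructed data, one can redirect while the other serves content over HTTP.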


  • (Score: 5, Interesting) by Knowledge Troll on Wednesday July 25 2018, @02:38PM (6 children)

    by Knowledge Troll (5948) on Wednesday July 25 2018, @02:38PM (#712368)

    I've been watching the change over to an all TLS Internet with a careful eye when I wear my ham radio operator hat. On ham radio it is legal to use digital modes for communication but it is illegal to obfuscate the communication in any way including cryptography. There is exactly no privacy at all on ham radio yet we still use authentication and we can even pass TCP/IP itself over the radio using AX.25 (the ham radio version of X.25).

    Back in the 90s not only did I have 2 public routable IPs in a netblock reserved just for ham radio (44.0.0.0/8 called AMPRNet) but they were static! And back then there was a chance you could actually access machines on the Internet over ham radio since nearly nothing used SSL yet. Technically you can still route TCP/IP over ham radio but trying to talk to the Internet means you'll likely just break the rules.

    I don't personally believe that crypto belongs on ham radio so my sole concern is that the browsers and other programs that communicate with the Internet will go encrypted only and then it won't even be possible to use them on networks that stay entirely inside ham radio and never access the Internet itself. That would be really unfortunate.

    Also I can't believe hams still hold on to AMPRNet - that's 16 million IPs that are almost entirely unused.

    For the curious I did TCP/IP over packet radio in the 90s and that isn't very common anymore. The current technique is to modify the firmware of consumer plastic piece of shit routers and run them in a mesh. Ham radio license holders are explicitly allowed to do something like modify a Linksys router while a non-license holder is not (yes, seriously, this is why we test and get a license).

    Packet can do 1200 baud on 2 meters but those hacked WiFi routers run at their native speed.

  • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:33PM (5 children)

    by Anonymous Coward on Wednesday July 25 2018, @05:33PM (#712501)

    "I don't personally believe that crypto belongs on ham radio"

    I can see crypto over ham radio bands from a safety standpoint. For example giving commands to a robotic combine harvester that is a mile away in the wheat field for example.

    • (Score: 2) by jmorris on Wednesday July 25 2018, @05:59PM

      by jmorris (4844) on Wednesday July 25 2018, @05:59PM (#712530)

      That would be commercial activity and is forbidden. My license is long expired but I remember the rules.

    • (Score: 2) by Knowledge Troll on Wednesday July 25 2018, @08:17PM (3 children)

      by Knowledge Troll (5948) on Wednesday July 25 2018, @08:17PM (#712639)

      > I can see crypto over ham radio bands from a safety standpoint. For example giving commands to a robotic combine harvester that is a mile away in the wheat field for example.

      Privacy and integrity are two entirely different things and integrity does not require encryption which itself is obfuscation. You can send all the signed messages you want to remote equipment, sending along a signature for a message obfuscates nothing and still provides perfectly serviceable integrity and authenticity guarantees.

      The exact reason obfuscation of content on ham radio is not allowed is so that all the hams can observe what is going on and if we see inappropriate activity we can deal with it because we mostly self police - the FCC won't really help us.

      The argument people try to make that crypto needs to be allowed on ham radio only works for privacy and that's a tough sell - the instances I've seen that make any sense at all (and not much sense) is that during a disaster using crypto to secure health records when sending them around the world because that is the last functioning communication infrastructure is needed or it would violate HIPAA.

      That argument fails for many reasons: Part 97 says exactly that during emergency communications the operator is to do anything needed to communicate even if that means exceeding privileges and regulations. As well in a true disaster HIPAA concerns are entirely secondary. On top of that what good is patient information going to do 3,000 miles away from the patient itself?

      No one has been able to provide a compelling reason that privacy is actually needed instead of integrity and authenticity.
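The distinction drawn in the comment above, authenticity without hiding the content, as an added example that is not part of the original comment: each command travels in cleartext with an HMAC-SHA256 tag and a sequence number. HMAC with a shared key stands in for a public-key signature so the block needs only the standard library; the frame layout, key and command strings are constructed for illustration.

```python
import hashlib
import hmac
import json

def sign(key: bytes, seq: int, command: str) -> bytes:
    """Build a cleartext frame: readable JSON body, '|', hex HMAC-SHA256 tag."""
    body = json.dumps({"cmd": command, "seq": seq}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Accepts a command only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        body, sep, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; a frame with no separator is rejected too.
        if not sep or not hmac.compare_digest(tag, expected):
            return None  # altered in transit or sent without the key
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return None  # replay of an earlier, validly tagged frame
        self.last_seq = msg["seq"]
        return msg["cmd"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, not a real secret
    rx = Receiver(key)
    frame = sign(key, 1, "HEADER UP")
    print(frame.decode())  # any listener can read the command itself
    print(rx.accept(frame))  # accepted once
    print(rx.accept(frame))  # None: replay
    print(rx.accept(frame.replace(b"UP", b"DOWN")))  # None: tag no longer matches
```

Anyone monitoring the channel can read every frame, but only a holder of the key can produce one the receiver will act on.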

      • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @03:39AM (1 child)

        by Anonymous Coward on Thursday July 26 2018, @03:39AM (#712901)

        > On top of that what good is patient information going to do 3,000 miles away from the patient itself?

        Not arguing with you in general, but in this case there is a possibility that:
        The patient that was dug out of the earthquake rubble in LA was on a business trip from NYC (i.e., 3000 miles from home). It would be helpful if their home medical records were available to the emergency room that is near the disaster site...and the NYC provider is not going to be anxious to open themselves to a HIPAA violation.

        • (Score: 2) by Knowledge Troll on Thursday July 26 2018, @03:59AM

          by Knowledge Troll (5948) on Thursday July 26 2018, @03:59AM (#712913)

          If all the rest of the communication infrastructure is not operating I don't think the hams are going to have the time to worry about that kind of stuff for one person who might be dying considering everyone is going to be dying. That's just not going to be a priority.

          In fact if the shit hits the fan I'm not sure that ham radio is going to be good for much more than delivering casualty reports until the operator starves to death themselves.

      • (Score: 2) by hendrikboom on Thursday July 26 2018, @12:50PM

        by hendrikboom (1125) on Thursday July 26 2018, @12:50PM (#713056)

        > On top of that what good is patient information going to do 3,000 miles away from the patient itself?

        Maybe the reverse -- obtaining patient information when the patient is 3000 miles from her regular doctor?

        -- hendrik