SoylentNews is people

posted by takyon on Sunday April 19 2015, @01:04AM
from the secure-until-retaliation dept.

From PC World:

More than two dozen U.S. government websites should be urgently upgraded to use encryption, as whistleblowers are potentially at risk, according to the American Civil Liberties Union.

At least 29 websites that can be used for reporting abuse and fraud don't use encryption, the ACLU said in a letter sent on Tuesday to the U.S.'s top technology chief, CIO Tony Scott.

There has been a broad push recently to move websites to using SSL/TLS (secure sockets layer/transport security layer) encryption. Most e-commerce sites use SSL/TLS, but the case has grown stronger for its broader adoption because of a surge in state-sponsored espionage and cybercriminal activity.

The government plans to upgrade all of its websites within two years to use encryption, signified by "https" in a browser's URL bar. It prevents data that is exchanged between a computer and a website from being read if it is intercepted or tampered with during a man-in-the-middle attack.

The ACLU said that the timeline "is not soon enough for some sensitive sites," which it said included the Justice Department, Treasury Department and the Department of Homeland Security.

 
  • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @02:47AM (#172693)

    Based on the summary, it seems that "whistleblowers" here refers to people reporting TO the government, not ON the government. Think Enron, not Snowden. In which case HTTPS/SSL/TLS/etc. would offer at least some protection against a business from seeing what data was being sent to the regulatory agencies.

  • (Score: 3, Insightful) by Grishnakh (2831) on Sunday April 19 2015, @03:42AM (#172709)

    I'm no security expert, but I seem to remember reading that it's commonplace for companies to have a system in place so they can readily decrypt all HTTPS traffic that originates in their internal network.

    • (Score: 1, Insightful) by Anonymous Coward on Sunday April 19 2015, @07:29AM (#172753)

      If, as a whistleblower, you will leak information directly from the network housing the material you leak, then you'll be caught anyway, regardless of HTTPS status. Heck, you may as well e-mail the thing to your personal e-mail account and leave traces that way.
      First step is always to separate the material and sanitize it. Then move to a cleanskin location which you can 'burn' and leak from there.

    • (Score: 2) by kaszz (4211) on Sunday April 19 2015, @09:34AM (#172778)

      That means the corporation you are at has added THEIR self-signed CA to your browser's list of approved CAs. And then added a proxy mode setup unless they have on-the-fly TCP replacement. So use USB, download your own browser from a secure source, rewire the network cable, etc.

      Memo: Always sanitize the list of approved CAs in your browser.
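
Added example (not part of the thread or of any commenter's post): the proxy setup kaszz describes still passes normal certificate validation, because the added CA is trusted locally, but the issuer and fingerprint of the presented certificate change. This Python sketch compares what `ssl`'s `getpeercert()` returns against values recorded out of band; the CA names, DER bytes and pin are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl

def issuer_fields(cert):
    """Flatten the issuer RDN tuples of an ssl getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def interception_findings(cert, der, expected_issuer_org, pinned_sha256):
    """List the ways a presented certificate differs from the recorded one."""
    findings = []
    org = issuer_fields(cert).get("organizationName")
    if org != expected_issuer_org:
        findings.append(f"issuer is {org!r}, expected {expected_issuer_org!r}")
    if hashlib.sha256(der).hexdigest() != pinned_sha256:
        findings.append("certificate SHA-256 differs from the pinned value")
    return findings

def fetch_certificate(host, port=443):
    """Return (parsed dict, DER bytes) for the leaf certificate a host presents."""
    context = ssl.create_default_context()  # validates against the local trust store
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# Constructed sample data (placeholders, not real certificates).
DIRECT_DER = b"constructed-der-bytes-direct"
PROXY_DER = b"constructed-der-bytes-reissued-by-proxy"
PIN = hashlib.sha256(DIRECT_DER).hexdigest()  # assumed recorded on a clean network
DIRECT_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
PROXY_CERT = {"issuer": ((("organizationName", "Example Corp Internal CA"),),
                         (("commonName", "Example Corp TLS Proxy"),))}

if __name__ == "__main__":
    for label, cert, der in (("direct", DIRECT_CERT, DIRECT_DER),
                             ("via proxy", PROXY_CERT, PROXY_DER)):
        problems = interception_findings(cert, der, "Example Public CA", PIN)
        print(label, "->", problems or "matches the recorded certificate")
```

A leaf fingerprint also changes when the site renews its certificate, so re-record the pin from a clean network before treating a fingerprint mismatch alone as interception.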

    • (Score: 2) by maxwell demon (1608) on Sunday April 19 2015, @10:46AM (#172793)

      Is there a particular reason to send it over the company's network instead of simply transporting it outside and sending it from there? Especially in the times of BYOD you should have all the necessary means to do that.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Grishnakh (2831) on Monday April 20 2015, @02:37PM (#173137)

        Not every company is BYOD, in fact I've never seen that myself anywhere.

        Doing internet stuff on a cellphone is a PITA; it's a lot easier to use a real computer. The only computer people usually have at work is the work-owned computer. If it's a laptop, it might be possible to use it with your cellphone and avoid going through the company network, but now you're using your cellular data allotment, and getting slower speed, plus it's a PITA to switch back and forth.

        • (Score: 2) by maxwell demon (1608) on Monday April 20 2015, @06:01PM (#173208)

          If I had the choice between inconvenient and dangerous, I'd choose inconvenient any day.

          --
          The Tao of math: The numbers you can count are not the real numbers.