Submitted via IRC for AndyTheAbsurd
As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely:
The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW
— Cloudflare (@Cloudflare) July 23, 2018
Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out which is why today, in conjunction with Scott Helme, we're launching Why No HTTPS? You can find it over at WhyNoHTTPS.com (served over HTTPS, of course), and it's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme:
The article continues with a list of "The World's Most Popular Websites Loaded Insecurely", tools and techniques used to gather the data, different responses based on the version of curl, differences accessing the bare domain name versus with the "www." prefix, and asks for any corrections. One can also access the aforementioned website set up specifically for tracking these results: https://whynohttps.com/.
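The check the summary describes (does http:// on the bare domain and on the www. host end up on https:// once Location headers are followed) can be scripted. This is example code added here, not the WhyNoHTTPS project's tooling; every sample response is constructed, and `live_fetch` is an assumed helper for auditing hosts you administer.

```python
"""Audit whether a host redirects cleartext HTTP to HTTPS, for both the bare
domain and its "www." variant, following Location headers by hand so every
hop is visible. Example code, not the WhyNoHTTPS project's tooling."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup (servers send Location or location)."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def follow(url: str, fetch: Callable[[str], Optional[Response]],
           max_hops: int = 10) -> Tuple[str, List[str], str]:
    """Walk the redirect chain starting at a cleartext URL.

    Stops as soon as the chain reaches an https:// URL (outcome "https"),
    at the first non-redirect answer (outcome "http": served in the clear,
    which is what Chrome 68 flags), or on loop / error / missing Location.
    Returns (last_url, urls_visited, outcome)."""
    visited: List[str] = []
    while len(visited) < max_hops:
        if urlsplit(url).scheme == "https":
            return url, visited, "https"
        if url in visited:
            return url, visited, "loop"
        visited.append(url)
        resp = fetch(url)
        if resp is None:
            return url, visited, "error"
        if resp.status in REDIRECT_STATUSES:
            location = header(resp, "Location")
            if not location:
                return url, visited, "redirect-without-location"
            url = urljoin(url, location)  # a relative Location stays on http
            continue
        return url, visited, "http"
    return url, visited, "too-many-hops"


def classify(host: str, fetch: Callable[[str], Optional[Response]]) -> Dict[str, str]:
    """Outcome for the bare host and for www.host; the article's point is
    that the two often differ, so both must be checked."""
    return {v: follow(f"http://{v}/", fetch)[2] for v in (host, "www." + host)}


# Constructed sample responses standing in for live fetches.
SAMPLE_SITES: Dict[str, Response] = {
    "http://good.example/": Response(301, {"Location": "https://good.example/"}),
    "http://www.good.example/": Response(301, {"location": "https://www.good.example/"}),
    # Bare domain served in the clear; only the www host redirects.
    "http://www-only.example/": Response(200, {"Content-Type": "text/html"}),
    "http://www.www-only.example/": Response(302, {"Location": "https://www.www-only.example/"}),
    # Bare and www bounce to each other without ever reaching https.
    "http://loop.example/": Response(302, {"Location": "http://www.loop.example/"}),
    "http://www.loop.example/": Response(302, {"Location": "http://loop.example/"}),
    # Relative Location: the redirect never leaves the http scheme.
    "http://relative.example/": Response(301, {"Location": "/start"}),
    "http://relative.example/start": Response(200),
}


def sample_fetch(url: str) -> Optional[Response]:
    return SAMPLE_SITES.get(url)


def live_fetch(url: str, user_agent: str = "https-audit/0.1",
               timeout: float = 10.0) -> Optional[Response]:
    """Assumed helper for hosts you administer: one cleartext GET without
    redirect following. User-Agent is a parameter because, as the article
    notes, some sites answer different clients differently."""
    import http.client
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", target, headers={"User-Agent": user_agent})
        r = conn.getresponse()
        return Response(r.status, dict(r.getheaders()))
    except OSError:
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    for host in ("good.example", "www-only.example", "loop.example", "relative.example"):
        print(host, classify(host, sample_fetch))
```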
(Score: 5, Informative) by Anonymous Coward on Wednesday July 25 2018, @06:53AM (53 children)
The majority of the world's static web sites don't need https and it's silly to suggest they do.
(Score: 5, Insightful) by c0lo on Wednesday July 25 2018, @07:07AM (9 children)
Engineering point of view? You are, of course, right.
Real-world point of view? Let everything go encrypted, even if it doesn't need to.
Let the "copy all traffic" be an expensive proposition for NSA and their ilk.
Let the "encrypted communication" be the norm rather than the exception that triggers those letter-agencies' suspicion.
Let "HTTPS everywhere" be a step in regaining the privacy for all.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by epitaxial on Wednesday July 25 2018, @12:31PM (4 children)
I'm pretty sure the feds hold all the SSL keys to begin with.
(Score: 2) by c0lo on Wednesday July 25 2018, @12:58PM (3 children)
Unless the hosting entity shares the private key with the feds, this cannot happen - correctly done, the private key should never leave the server.
The private/public key pair is generated on the server, then the public key goes with the Certificate Signing Request to the CA but the private key should (ideally) never leave the server that would host the Web Server.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:16PM (1 child)
I thought this was all about Google maintaining better control of data via the fact it doesn't matter if it's encrypted if they host it, and second, it's good PR to pretend they care.
People lost control a long time ago, so this at least is like a politician being 'tough on crime' by doing nothing much themselves aside from providing severe punishment that doesn't fit the crime.
(Score: 2) by c0lo on Wednesday July 25 2018, @02:35PM
Speaking of which... What exactly is the malfeasance Google is accused of if Chrome signals to the user a site using plain HTTP is insecure? It's not like they are lying, is it?
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:40PM
The Feds can decrypt SSL traffic no problem. It would give them a slightly higher overhead but not crazy. The real safety comes from making it hard for non-gov criminals to find the desired traffic. The problem you are having is assuming the crypto and the hardware it runs on doesn't have flaws. They don't even have to be full backdoors since some small flaw in the encryption routine can make it much simpler to crack the encryption if you know what pattern to look for.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @04:15PM
Exactly this. If the many governments weren't intent on hoarding all communication for future analysis, leaving unimportant stuff in the clear would be fine, but because they insist on unwarranted data collection of everything, let's make it as expensive as possible. Bury your banking and online buying habits and your innocuous-today-but-potentially-seditious-by-future-interpretation chats in mundane encrypted cat videos and discussions about that cute guy/gal in third period math class.
(Score: 4, Insightful) by Grishnakh on Wednesday July 25 2018, @04:55PM (2 children)
The problem with this is that it imposes a real-world cost on anyone who wants to create their own little website. Certificates are not free, unless you get one from Let's Encrypt, but LE certs don't work on most of the lowest-cost hosting providers. So basically, this whole "let's go HTTPS everywhere!" trend is simply making it so that small-time website operators are going to disappear and it'll make having a website more expensive. Great job for democratization, guys.
(Score: 2) by c0lo on Wednesday July 25 2018, @10:58PM
I'm hosting with Bluehost for a couple of hobby websites. In light of "HTTPS everywhere" they offered SSL certificates with no change in the price of hosting - see for yourself [bluehost.com], all their plans have "SSL certificate included".
I have no doubts that Bluehost is not the only hosting service to do it.
I'm repeating my question: what has Google done wrong in signalling that the connection to a site is insecure?
They don't lie about it, just notify the visitors. The access to the site is not blocked.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by urza9814 on Thursday July 26 2018, @04:03PM
What exactly do you mean that LE certs won't work on low cost hosting providers? You can get a .key and .crt file from LE and deploy those exactly the same way you'd deploy any other SSL cert. There might be some truly bottom end hosts that don't support HTTPS in any way, but that's hardly something to blame on LE alone. And there's plenty of cheap or even free hosting options that do support SSL. Might take a bit of time to get it set up, but that should be expected on a bottom tier host. EVERYTHING is going to take a bit of time to get set up on one of those services. And if you really have NO IDEA what you're doing, you should be using a more basic service like Wordpress.com -- it's free, they set up SSL automatically, and they won't let you disable it even if you wanted to.
I can understand that not every single site necessarily needs to be secure, and not every webmaster is going to want to spend the time to set that up...and if that's the case, if they intentionally want their site to be insecure, then that's fine. But let the users know so people aren't putting their credit cards or other sensitive information into that site. But "I can't afford it" or "my host doesn't support it" really isn't a valid excuse anymore.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:24AM (8 children)
I hope you'll like ISPs' ads and bitcoin miners on your static pages that need no protection.
(Score: 4, Insightful) by jmorris on Wednesday July 25 2018, @07:34AM (7 children)
So https magically makes webmasters stop embedding ads and scripts from criminals? At least some of them pay, seen legit ad impression rates lately? It is fucking retards like you that are responsible for this mad dash to encrypt even the ads.
You know what https everywhere is going to end up doing? Make the web less secure. Everybody who has a captive portal or web filter is now under pressure to break https, especially people like me under federal mandates demanding me to "implement a technical measure" to control access to smut. Before, almost all https was stuff that needed to be private so it could pass unmolested. Now it is only a matter of time before I have to gimp the browser certificates to allow filtering again, both on lab PCs, and come up with some sort of app to gimp devices when connected to our WiFi. For now I'm working on simply IP blocking any address known to have naughty bits, but with shared IP virtual hosting being such a big thing that ain't gonna hold long.
(Score: 5, Interesting) by c0lo on Wednesday July 25 2018, @07:49AM (1 child)
Webmasters? No.
The ISP injecting their content (read: ads) inside your traffic? Yes.
Generally speaking: any MITM becomes harder and will be easier to detect.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by curunir_wolf on Wednesday July 25 2018, @08:33PM
Which is exactly why Google is doing this: to protect their ad revenue. It does the same thing in other, insidious ways. How many websites have Google Analytics? Yeah, so Google can track all that traffic, right back to the user, and target ads.
It's all about Google trying to protect their business model. And causing additional expense for anyone hosting web pages. It's evil, folks. Evil for the sake of money.
I am a crackpot
(Score: 1, Informative) by Anonymous Coward on Wednesday July 25 2018, @07:54AM (4 children)
That's... quite informative. You sure you wanted to post it?
In any case, now it is in the open! Welcome out of the closet and into the light, jmorris.
(Score: 3, Interesting) by jmorris on Wednesday July 25 2018, @05:02PM (3 children)
I'm not an anonymous coward, people who have been here for a while probably already know. I am a librarian in the United States where we have something called CIPA (Children's Internet Protection Act) and it requires anyone receiving Federal Funds (as in the Schools and Libraries Corporation funded from your phone bill's Universal Service Fund line entry) to "implement a technical measure to control access" to smut by children. Breaking the shit out of https is now only a matter of time. All of the major vendors of commercial products to industry already offer the feature. In some industries with a captive fleet of PCs it is quickly becoming a "best practice", apparently it is being pushed hard where there are mandates for records retention too.
The crypto weenies hosed us again. They believed they could be absolutists on privacy since their precious unbreakable crypto would force the world to give it to them. Nope, The System is quickly adopting a form of rubber hose cryptanalysis to demand the system be allowed to continue snooping. In the end the crypto will still be unbreakable but firmly in the control of The System.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:53PM (1 child)
Why don't you use a whitelist for kids' internet?
I honestly don't see any other reasonable option.
And obviously no search engine access, since they can Google/Bing for porn, and the images are displayed right there in the search results.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @09:17PM
Try Bing Video. You can play the videos right in your browser and get past all the content blocks. We ended up blocking Bing completely for a while where I work; it took ages for someone on staff to actually notice and complain.
(Score: 2) by urza9814 on Thursday July 26 2018, @04:11PM
Breaking HTTPS on computers under your own control should not be difficult. Never was. And if you aren't doing it already, it would seem that you're already violating that law, you just haven't been caught yet. Plenty of corporations have been doing this for decades already. More people doing it or knowing about it doesn't make anything less secure -- if anything it improves security by increasing awareness of "attacks" which have been possible since the beginning of HTTPS. But not really, because that's not really an "attack" since you're MITM-ing your own traffic. Sure, you can alter the traffic being seen by your clients, but you could also do that through a browser plugin or a system virus or a number of other methods because you already have full control over both the PCs and network! Calling that "insecure" is like saying my PC is insecure because it lets me install Linux. That's not a security flaw, that's me being in control of my own devices.
You make the PCs connect through a proxy, and the proxy decrypts, checks, and re-encrypts with its own certs. You control the endpoints, so you can force them to trust the proxy's certs. Where's the problem exactly?
(Score: 5, Informative) by bradley13 on Wednesday July 25 2018, @07:40AM (18 children)
TFA explains quite well that even static content needs to be encrypted. Just as one example: with unencrypted content, it is trivially easy for someone to play MITM, and redirect you to a look-alike site that contains malware.
On top of that, more encryption provides more cover for the data that does need encrypting. Why make life easy for abusive 3-letter agencies, or for oppressive governments?
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by Anonymous Coward on Wednesday July 25 2018, @08:52AM (9 children)
In times where a lot of web pages (including web pages most people use all the time) have logins (even if optional), and thus need encryption anyway, I don't buy this argument. You'll get a lot of encrypted traffic even if you don't encrypt any static web page.
A reasonable middle ground would be if the browser only warns for HTTP pages that contain any of the following:
Note that for 99.9% of all existing web sites that would not make a difference (mostly because of JavaScript). But it still would allow users to serve simple static HTML pages without the encryption overhead.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @09:50AM (6 children)
Enlighten me, what is so bad about encrypting content that you want us to throw the benefits of encrypted traffic out of the window?
Are you working for a federal agency too [soylentnews.org]?
(Score: 4, Interesting) by Pino P on Wednesday July 25 2018, @01:24PM (5 children)
For sites on the public Internet, what's so bad about HTTPS is that there exists no signing-only cipher suite that allows intermediate caching while precluding tampering. If you're serving the same document to a plurality of users, such as serving an encyclopedia article to a classroom full of devices in a school in sub-Saharan Africa with a harshly metered 128 kbps connection, you want a replay attack to be possible. Otherwise, what's the benefit of the HTTP header Cache-Control: public in an HTTPS environment?
Sites on a private home network have a different problem with HTTPS. In order to qualify for a certificate, you need a domain name. Let's Encrypt will not issue a certificate if any of the following are true:
So if you can't find a dynamic DNS provider that both is on the PSL and supports TXT records, you end up having to buy a domain name and continue paying for its renewal.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:08PM (1 child)
A non-encrypted, signing-only thing allows for surveillance and data mining.
(Score: 2) by Pino P on Thursday July 26 2018, @04:41PM
In parts of the world where all Internet connections are very slow and very harshly capped, people are likely to consider "surveillance and data mining" an acceptable tradeoff.
(Score: 2) by urza9814 on Thursday July 26 2018, @05:00PM (2 children)
Take one of those laptops and turn it into a caching proxy that drops the encryption. For bonus points, re-encrypt using a self-signed cert that you've already installed as trusted on the remaining laptops.
Why do you need a cert that's trusted on the global Internet for your private home network? Use self-signed certs and install them manually on whatever devices need it. That's a hell of a lot easier than getting a cert from Let's Encrypt or any other CA anyway. I *think* you could also use Let's Encrypt on a free domain like .tk if you configure the redirects properly, but I'm not 100% certain on that.
(Score: 3, Interesting) by Pino P on Thursday July 26 2018, @06:13PM (1 child)
The installation I'm referring to is currently using Polipo software, and Polipo's manual states that it tunnels all HTTPS connections using the CONNECT method. This means we'll have to use something other than Polipo. Which caching proxy software stack do you recommend for terminating HTTPS by issuing a temporary certificate from a private CA and using that to re-encrypt the cached resource?
Because operating systems for non-PC devices make it painful to install and trust a private CA certificate. A user-installed certificate on Android, for example, won't work in applications designed for Android 7 or later unless the app's developer opts in to trusting user CAs (search keywords: Network Security Config), and it may require changing the lock screen. Some set-top box operating systems offer no way to trust a private CA certificate at all.
(Score: 3, Informative) by urza9814 on Thursday July 26 2018, @07:25PM
Squidguard can proxy and filter HTTPS traffic so that would probably work...pretty sure you can configure caching on that too although I'm not 100% sure on that point. Looks like Privoxy with Stunnel would also work although that seems a bit more difficult to configure...
(Score: 4, Interesting) by MichaelDavidCrawford on Wednesday July 25 2018, @11:45AM (1 child)
If your site serves only cleartext _static_ content, it would be trivial for Charlie to serve that very same static content, but with the addition of some JavaScript that the end-user never sees is there, that then sends them some malware.
In addition, I know of at least one exploit that resulted from specially-crafted images. My entire company disconnected from The Tubes until we were able to install Microsoft's patch.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Interesting) by maxwell demon on Wednesday July 25 2018, @10:28PM
Not with the restrictions in the parent post: The web page the browser receives would contain JavaScript, and therefore the browser would alert you.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @09:44AM (7 children)
How is that a HTTP level problem?
It also increases bandwidth costs by around 1/3 along with an increase in power consumption. If the problem is 3-letter agencies, fix the 3-letter agencies. If the problem is oppressive government, fix oppressive government. If the problem is leftists redefining "oppression", exile them to a socialist country so they better understand the word.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @11:11AM (6 children)
Are you in a shortage of those?
How about you come with a realistic plan on how to stop NSA spying on everybody, US citizens included?
Until you do, I'll stick with HTTPS-everywhere, thank you.
Listen to him, just listen.
He's saying: "anyone who doesn't like the NSA spying on the Internet is redefining oppression. Actually the NSA intercepting all traffic is freedom, or at least not-oppression".
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @12:32PM (4 children)
Personally, no. Multiply it by the number of unnecessary SSL web sites.
More power to the house oversight committee and strict limitations on offshoring intelligence gathering when it targets US citizens.
Legislative overreach, weaponization of government [forbes.com] and politicization of the 3 letter agencies [newsmax.com] are the problems. Criminals and terrorists don't get to play the oppression card.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @01:28PM (3 children)
Yeah, the non-US citizens are all criminals and terrorists. Way to go, brah.
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:01PM (2 children)
Non-citizens are not under US constitutional protection. Try again!
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:55PM
The fourth amendment doesn't actually say any such thing.
(Score: 2) by maxwell demon on Wednesday July 25 2018, @10:38PM
The US constitution puts limits on what the US government may do. Unless that limit is explicitly restricted to the case that US citizens are targeted, the limitations are valid no matter who is targeted.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Pino P on Thursday July 26 2018, @06:17PM
I personally currently am not. The administrator of a school in a remote area whose Internet uplink is 128 kbps and harshly metered is.
(Score: 4, Informative) by Anonymous Coward on Wednesday July 25 2018, @08:39AM (6 children)
The problem is that there's no protocol available for just signing your content. For public, static HTML pages that would be perfect: On one hand, cryptographic signatures would make sure that the content is not modified during transmission, while on the other hand the static content (and thus also static signature) not being encrypted by a session key would allow caching.
So:
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @10:19AM (5 children)
So browsers should allow me to completely forbid JavaScript whenever pure HTTP is used.
Does that solve the problems you're talking about?
Or is it still possible for the man in the middle to replace the text of the website?
(Score: 2) by Pino P on Wednesday July 25 2018, @01:31PM (4 children)
Let's say you set up a network attached storage (NAS) device on your home LAN, and it offers a web interface for a user to browse the files stored on the device. Some of the more advanced features of this web interface, such as audio visualization and video playback in the full screen, use JavaScript. But in your proposal, websites on cleartext HTTP cannot use JavaScript. So what certificate should this NAS device use for HTTPS?
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @02:20PM (3 children)
Nothing, because it's pretty dumb to enforce such requirements on local network devices and appliances like that.
Hackers may read what you are doing on your home network and your IoTs might search it for midget porn, but I can take the risk if someone would at least let me make the decisions for myself.
Probably I wouldn't administrate anything with Chrome anyway if the device is that old. I'd be using a dedicated old browser like an ancient ESR of Firefox or something like that, just for that purpose. Provided there's no fat client or CLI anyway.
I wish HTML wasn't used to dumbify stuff, since it just causes problems like this that shouldn't need solving.
Yeah, someone will enable HTTP admin access over the internet or something after giving a web managed device a public IP address, or due to convenience because dumb, but I can't be held responsible for stupid unless it's my stupid.
(Score: 2) by Pino P on Wednesday July 25 2018, @02:47PM (2 children)
Yet the Secure Contexts spec [w3.org] does exactly that, on grounds that your web browser can't always tell the difference between a (relatively safe) home network and a (far more dangerous) public hotspot in a coffee shop. The only hostname exempt from the policy is localhost.
Even a brand new device would still need a certificate, which in turn needs a domain name. Should the manufacturer of a web-managed device be responsible for provisioning TLS certificates on the devices it ships? If so, that would encourage the manufacturer to terminate CA service for a device the day the warranty runs out, creating planned obsolescence and increasing the e-waste load. It would also exclude homemade IoT devices, such as a gateway modded to run DD-WRT or a device built around a Raspberry Pi single-board computer.
Other than a web application, what administration means would you prefer for a device on a home network? SSH? VNC-over-SSH? RDP? If so, you'd still need some way for the client to verify the device's server key fingerprint. You mention "fat client" as an alternative, but good luck running a binary-only, Windows-only fat client in any rational computing environment built on free software.
(Score: 2) by urza9814 on Thursday July 26 2018, @05:37PM (1 child)
These devices *already* use HTTPS with self-signed certs. The ones I use won't even allow a non-secure connection. Sure, it's potentially not quite as secure as an "official" CA-issued cert, but it's still better than unsecured HTTP. It's not like the devices can't handle the overhead -- they already do. It's not like the companies can't find a way to set that up -- they've been doing it for years. I don't see the problem here...
(Score: 2) by Pino P on Thursday July 26 2018, @06:19PM
You must be using different brands of device from the brands I have used. The brands I have used default to cleartext HTTP precisely because current browsers provide a scarier warning for HTTPS using a certificate from an unknown issuer than for cleartext HTTP.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 25 2018, @09:11AM (1 child)
Exactly. My site has no logins or databases. I don't need httpS. In fact over the past 10 days several websites I go to daily have been inaccessible due to mucked up certificates - and Firefox refuses to go there. Long rule HTTP!
(Score: 0) by Anonymous Coward on Wednesday July 25 2018, @10:21AM
It ain't about you but your visitors, honey.
(Score: 3, Insightful) by Anonymous Coward on Wednesday July 25 2018, @10:18AM (5 children)
But the modern Internet is phasing out static sites. See, the static site sits there on the server, is sometimes updated, and serves as a source of information all the time. The knowledge exchange here cannot be easily monetized.
On the modern Internet, human contact became a commodity too. And this is a step towards eliminating static sites and going back to the "oral history", but this time paid per post.
And really, don't tell me that adding a cert from Let's Encrypt is free - it just isn't, most cheap hosting providers require more money for it than going with a VPS and hiring a geek to take care of it.
(Score: 2) by c0lo on Wednesday July 25 2018, @11:11PM (4 children)
Bluehost [bluehost.com] - all plans with SSL included
hostgator [hostgator.com] - all plans with free SSL included
siteground [siteground.com] - all plans with "All essential features" including free SSL/HTTPS
a2hosting [a2hosting.com] - all plans with free SSL
Oh, fuck it: visit this [hostingfacts.com] - the first non-ad link that popped into a Google-search for "hosting providers" - the above are the first 4 entries in that list. Continue browsing the list, I'm willing to bet all of them will offer free SSL with their plans.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by rob_on_earth on Thursday July 26 2018, @09:22AM (1 child)
Sadly, usually one free SSL per account, not per domain.
(Score: 3, Interesting) by c0lo on Thursday July 26 2018, @12:04PM
Hint: you can create one account per each domain/site you want to host.
Incidentally, this is how my sites are registered/hosted - the login name is usually derived from the domain name rather than your chosen username/email.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 0) by Anonymous Coward on Thursday July 26 2018, @09:51AM (1 child)
In my conditions, and for a static site, your proposals are in this "more expensive" category, usually reserved for regional e-shops and small corporate sites.
Usually in such situations static sites are hosted at providers for 1/4 of Bluehost's simplest plan price. Seriously, there are small services with a domain, a few GBs, one database usually not used, and some server side scripting. No shell, no ability to run your own programs, no Java on the server, just plain hosting with a quota.
(Score: 2) by c0lo on Thursday July 26 2018, @11:57AM
You'll have to ask yourself the question: is it your site or the site of your readers? Don't worry, your choice, I'm not interested in your answer, much less interested in judging your choice.
If it is your site, why do you need to make it public?
If it is your readers' why do you feel you can take the decision in their name to keep them unprotected against an ISP (Comcast [infoworld.com]) so willing [netgate.com] to inject ads and trackers [thehackernews.com] in their traffic or to hijack their searches [eff.org] or redirect typoed domain names [wikipedia.org]?
https://www.youtube.com/watch?v=aoFiw2jMy-0