Paul Schreiber blogs about the tech behind the websites of presidential candidates. "So, you want to run a country. Can you hire someone who can run a website? ...Here's how the (declared) candidates' sites fare." There's a table comparing 4 candidates' sites based on HTTPS, URL permutations, IPv6, SSL rating, and other related qualities. Schreiber mentions that he will "update this as more candidates declare or sites change."
From the blog comments
HillaryClinton.com was using IIS (and no https) until Sunday morning, when they switched over.
What's wrong with WordPress?
What isn't wrong with wordpress? I can crack any wordpress 6 ways to Sunday, it's written in PHP (and so are all of its themes and plugins) and the coding is atrocious. The developers are asshats and don't like it when you tell them they're wrong. They have a huge case of "not invented here" syndrome and so they remain bug ridden and insecure as fuck -- Typical of nearly any PHP project. The same goes for phpBB, et. al.
> don't like it when you tell them they're wrong.
Because everybody else just loves that!
hey, I think you just broke the fourth wall there. That was very much out of your character compared to your regular posting personality.
What's wrong with using IIS? Modern versions are very capable and robust.
Are you trying to be funny?
No, he tries to show that operating systems from Microsoft puts the user in impossible situations and generally causes problems than need not to be. So one should not use it.
You've been Poe'd. Read the last sentence again.
Once upon a midnight dreary,while I pondered, weak and weary,Over many a quaint and curious volume of forgotten lore,While I nodded, nearly napping,suddenly there came a tapping,As of some one gently rapping,rapping at my chamber door.Quoth Ethanol-fueled,"Suck my rock hard cock you dirty skanky whore!"
The article declares that all sites should be built over https. Why? We can still use ftp to download Linux kernels and other such things for the very good reason that it is broadcasting to the public, and there is no private communication involved. Saying all websites should use https is like saying all sources of radio signals, from cell phones to radio stations, should encrypt their signals. Yes to cellphones encrypting their signals, no to radio and TV stations needing to do that.
Https is appropriate for parts of the websites, like the campaign donation buttons. But for just stating positions and policies, https is unnecessary, and even a little detrimental.
We need HTTPS everywhere, normative, all the time.
People should recoil at exposed HTTP the same way they refrain from Telnet vs SSH.
Ask the security researches that look at how HTTP streams are hijacked and injected on ad networks - one of the most prolific vectors for ordinary pwnage of personal computers. These were all thwarted by HTTPS.
HTTPS totally falls apart because the CA system is fucking broken.
You keep going on and on about security, but you totally ignore one of the biggest goddamn security flaws out there.
It's better than nothing security. A quick fix using an existing standard.
No, it's worse. It offers no real security, but tricks people like you into thinking it offers security. A false sense of security is worse than no security. A false sense of security combined with no security is even worse than that.
It absolutely offers some security. The NSA and other agencies with compromised CAs are not the only threat out there. Other threats include ISPs fucking with the data stream like adding supercookies to make every request trackable [forbes.com] and injecting ads or malware [arstechnica.com] and snooping on all your browsing to build a profile they can sell to the highest bidder. [arstechnica.com]
The perfect is the enemy of the good. Quit being an enemy of the good.
The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.
Sure, use HTTPS/encryption in cases where it makes sense to do so - but do NOT forget that the evil must still be dealt with. Keep looking for an opportunity to destroy the evil at the root of the problem.
If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.: "We kill people based on metadata [rt.com]." -Michael Hayden, former CIA and NSA director
> The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.
Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:
>> The NSA and other agencies with compromised CAs are not the only threat out there.> If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.:
> The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:
Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:
I'll consider it just as soon as people stop implying that the use of known-broken cryptosystems is some sort of panacea, then getting indignant when the brokenness is brought up by others.
It's a hipster thing. They're all rah-rah-rah for HTTPS these days.
No, it's because the more encryption there is, the harder it will be for the government to tell 'important' communication from 'unimportant' communication, thereby providing some cover for those that need encryption the most.
The same way you don't know that they broke into your house and replaced your laptop with one that will eat your children... The NSA is one of the few technically impressive pieces of the government left (just look at what NASA just let happen!). If they want your stuff bad enough, they will probably get at it. Although I do agree that HTTPS is a nice way to avoid being the low hanging fruit.
No, excessive security is insecurity. People do not take security as seriously when it is unnecessary and people see that. Further, there is the false positive problem. Unnecessary security is very bad when it denies access for an invalid reason. For https, I've had the browser pop up the scary warning messages about invalid certificates that actually were perfectly valid. It happened because I was on an old computer that could not save the current date because the CMOS battery was dead, and the browser believed the system about the date being Jan 1, 2000. If the site had not insisted on https, I would not have been troubled with that false positive. Instead, I was presented with the demand to add a totally unnecessary security exception before being allowed to view the site. I've commented on Firefox bug reports about this problem.
As to your questions, how do you know the NSA hasn't hacked the Linux distro's website and substituted a CD install image with back doors, complete with md5 and sha256 sums, and valid digital signatures? Or, that the NSA didn't strike further upstream, and break into the source code repository of openssl, or Apache, Firefox, bind, dnsmasq, bash, xterm, getty, or the Linux kernel itself, to add a back door? No need to crack https to do that. When you focus on unnecessary https, you divert resources from real security threats. https has its place, but let's not overuse it. And definitely don't try to implement the evil bit.
For example, very few people use SELinux, because it's a pain to administer, and doesn't do much to add to the security. I was always having to add permissions so that this vital utility and that vital utility could function. An insider can still compromise an SELinux box. (Admittedly, guarding anything against insiders is pretty well impossible, but the point here is that SELinux sort of tries to do that.) SELinux's coverage is very narrow, too narrow. It will not stop an exploit that does not touch or care about the underlying OS. Most attacks use some other vector, such as a browser. NoScript is more important and better security than SELinux, but it is still a hassle to use, have to constantly add to its whitelist.
I was just reading a journal entry [soylentnews.org] by my dear friend Ethanol-fueled.
He talks of "one of those big lock thingies hanging from his doorknob" that he saw on a vacant house.
I've seen those on doors before, but I have never understood how they work. Can anyone explain this?
What is the proper name for those things, too?
You've missed the point of the gadget.Though it looks like a giant padlock, the point is that the thing is HOLLOW.It is called a Realtor Lockbox [google.com]Inside the thing, there is a key to the propertyEach realtor has a master key or a combination that opens the box.That way, each realtor doesn't have to carry 100 keys to show 100 properties.
My god, my estimation of Ethanol, and others of his ilk, has just fallen beyond recovery. It is almost like when the Insane Clown Posse admitted they had no idea how magnets worked. Is it actually possible for human to be this stupid? Or more to the point, is it possible that humans cannot know they are revealing just how stupid they are, with a computer, over a computer network? I smell a patent violation here, along with the teen spirit. Curt Cobain:"Here we are now, entertain us; we feel stupid, and contagious!"\
Nobody knows how magnets work. Not even physicists and electrical engineers. We can describe what we've observed about them and how they interact with each other and with other matter, but we still don't truly understand how they work.
We know how they work.We just don't know why they work.
It's probably god. Just not the ICP's ultra-christian version of God.
There's absolutely zero reason to even think a god exists, let alone think that it makes magnets work.
Drifting off-topic, but as a quick PSA: The better term is "real estate agent". You don't have to be a Realtor® to be a real estate agent any more than you have to be a CISSP to be a computer security expert. It's just a trade group that does a lot of marketing and lobbying. And the lobbying is (surprise!) not always in the best interest of the general public.
It seems silly to me to complain about websites that host non-sensitive content and lack HTTPS capability. Last I'd checked, most/all major browsers threw a warning if a website used a self-signed certificate (or worse: e.g. the Mozilla dunderheads changed Firefox to pitch a hysterical temper tantrum by default), and the trustworthiness of the Certificate Authority system is completely compromised in that, in just one example, every CA based in the USA is subject to the NSA's gag-ordered National Security Letters. Most businesses comply with NSLs rather than fight or shut down business like Lavabit did [theguardian.com].
As-is, the owner of a simple website that doesn't handle sensitive information, who understands the broken nature of the CA system and doesn't want to rely on it, is basically stuck between a rock and a hard place. If he chooses to use self-signed certificates, users are shown pointless "suspicious" warnings which will drive some away. If he uses a compromised CA (which potentially includes all of them), he's just participating in security theater. If he takes the simple approach and just sticks to unencrypted HTTP, some self-important idiot is likely to point ignorant fingers and start keening about "unsecure sites".
Certificate pinning can help, but neither that nor private/democratic webs-of-trust will work properly in front of an average user faced with the stupid default browser behavior currently in vogue.
To quote a great computer scientist,
Strike a poseStrike a poseVogue, vogue, vogueVogue, vogue, vogueLook aroundEverywhere you turn is heartacheIt's everywhere that you go [Look around]You tryEverything you can to escapeThe pain of life that you know [Life that you know]Come on, vogueLet your body move to the music [Move to the music]Hey, hey, heyCome on, vogueLet your body go with the flow [Go with the flow]You know you can do it
Strike a poseStrike a poseVogue, vogue, vogueVogue, vogue, vogue
Look aroundEverywhere you turn is heartacheIt's everywhere that you go [Look around]You tryEverything you can to escapeThe pain of life that you know [Life that you know]
Come on, vogueLet your body move to the music [Move to the music]Hey, hey, heyCome on, vogueLet your body go with the flow [Go with the flow]You know you can do it
Does HTTPS protect agains an ISP replacing HTML content in-transit?
There are many things HTTPS protects against (and yes, it does protect against the situation in your example). If any of those are important to you or your website, then use HTTPS on your site.
The point of my previous post was that HTTPS is by no means a panacea, particularly in its current form of foolishly-paranoid broswer defaults and CAs compromised by criminal governments.
With self signed certificates it only partially protects. If you've been to the site before, you'll know if there's a MItM attack. Unless te certificate has changed on the server. If you haven't you'll think your secure but won't necceraarily be.
Unlike with SSH, where I know of the very should have chaned, and I log in for the first time when connected on a secure network, with https there's arguably too many false positives from self signed Certs.
Using HTTPS with self-signed certificates is equivalent to using SSH with default key generation and settings.
In both cases, a new visitor/user does not generally have foreknowledge of the site's cryptographic fingerprints, and a man-in-the-middle attack is possible when the user lacks that knowledge.
The single reason for more "false positives" with HTTPS versus SSH fingerprints is that the typical default expiration dates set for HTTPS certificates are set a year or so out, versus no expiration dates for SSH credentials. I can think of no practical value to creating an HTTPS certificate with an expiration date (or, since I recall openssl demanding an expiration date, an expiration time closer than decades into the future) other than to generate revenue for "official" CA businesses that want to sell you a new certificate every year.
Unix-like servers store both types of credentials in the same manner (files on disk), so if you have no problem with servers using SSH, you should have no objection to servers using self-signed HTTPS certificates that effectively don't expire.
And if you want that level of security, browsers are finally offering a way to do it with HTTP opportunistic encryption. The browser vendors have decided that putting "HTTPS" in the URL means that some external authority (either a CA or the NSA ;) has verified that the server really is the right one for the domain.
I really have to ask... do people actually use SSH without verifying host keys? I guess I do for servers like GitHub, but for the vast majority of the servers I have access to, I verify the host key locally (or over a wired LAN at least) before using it over the internet.
And therein lies the rub. SSH and HTTPS credential verification are handled in the same fashion, and there's some level of required trust for the vast majority of users who do not have physical or local-network access to the servers they want to use encryption with.
The NSA and CA system are known threats/weaknesses as far as credential verification systems go, so the existing HTTPS-with-CA system can't be pointed to as a proper "existing solution".
Other private alternatives or methods exist, such as "Perspectives" and "Certificate Patrol" as early examples. Some combination of widespread democratic verification and certificate pinning systems are likely going to be required in functional solutions.
As an addendum to my previous reply [soylentnews.org] to your comment:
If you have criminals in your ISP and government, the proper fix is not to point fingers and blame at website owners who are not using a mostly-broken security system.
The proper fix is to seize the criminals and punish them after following due process.
Wishfuil thinking and absolutism go hand in hand.
Meanwhile in the real world, real engineers are focused on practical solutions that can get results today, not theoretical results in a theoretical perfect world.
HTTPS as-is does not "get results" today, which was the point originally being made.
While there are limited use cases where HTTPS as-is does offer some benefit, those benefits are overshadowed by the system's brokenness.
People pointing to as-is HTTPS as a "practical solution" are lazy, ignorant, or working for the NSA.
"Hey, the door you installed me has no lock!""So what? If you have criminals in your neighbourhood, don't blame the people not installing locks on doors. Catch and punish the burglars!"
If you believe that your likely-typical door locks and deadbolts are the things that keep criminals out of your house, you are sadly [youtube.com] mistaken [youtube.com]. Locks are used to deter the drunk/confused from ending up in your living room instead of on your porch, or to act as a different type of doorbell to let you know that you need to grab your shotgun instead of your pants.
Well, I have all-metal doors and all the windows also have metal bars. That should slow down the fuckers.
Well, I have all-metal doors and all the windows also have metal bars. That should slow down the fuckers
I was going to agree with you, but frame is typically the weakest spot. Here's a solid wooden door set in a metal frame [youtube.com], and it does take a significant amount of work to get through. Proper frame and door reinforcements can make forced entry effectively impervious to humans lacking power tools [youtube.com]...
... but then there's nothing stopping someone from using a buzzsaw to simply cut a new doorway in a wall, or driving a tank into your house.
Nonetheless, taking simple and inexpensive steps to reinforce entryways can help keep the home's owner from being low-hanging fruit for criminals.
In the past, there were complaints about not indicating which parts of the original article were lifted intact.Since then, I have made additional effort to carefully use the blockquote tag.Undoing the effort I put into my submission takes us back to where we started, months ago.
In the past, there were complaints about not indicating which parts of the original article were lifted intact.Since then, I have made additional effort to carefully use the blockquote tag.Undoing the effort I put into my submission takes us back to where we started, months ago.-- gewg_
No moderation points right now so I'm commenting to give the AC more visibility in case it is needed (I'm not sure it is). Parent comment is “0 Insightful” at the moment.
A pretty lacking comparison I say. Funny idea though.
The level of spanish-unfriendliness is probably ideological, not technical. The republican base - the most extreme ones who are the only ones who vote in primaries - simply does not like teh brownies. I fully expect that each republican candidate has done focus groups and found that putting a spanish version up will piss off more of their base than it will draw in spanish-speaking voters.
* Hillary Rodham Clinton
* Jeff Boss
* Vermin Supreme
* Robby Wells
* Ted Cruz
* Rand Paul
* Marco Rubio
* Mark Everson
* Jack Fellure,
* Terry Jones
* Zoltan Istvan
The comparison was probably limited to candidates with most money and connections. But out of the four evaluated, Hillary Clinton and Rand Paul seems to be the candidates with a site done with the most competence. w3m and lynx is quite good tool to weed out the most incompetent ones.