posted by mrcoolbp on Saturday April 18 2015, @01:57AM
from the executive-material? dept.

Paul Schreiber blogs about the tech behind the websites of presidential candidates. "So, you want to run a country. Can you hire someone who can run a website? ...Here's how the (declared) candidates' sites fare." There's a table comparing 4 candidates' sites based on HTTPS, URL permutations, IPv6, SSL rating, and other related qualities. Schreiber mentions that he will "update this as more candidates declare or sites change."

From the blog comments

HillaryClinton.com was using IIS (and no https) until Sunday morning, when they switched over.

  • (Score: 5, Insightful) by bzipitidoo on Saturday April 18 2015, @03:34AM

    by bzipitidoo (4388) on Saturday April 18 2015, @03:34AM (#172279) Journal

    The article declares that all sites should be built over https. Why? We can still use ftp to download Linux kernels and other such things for the very good reason that it is broadcasting to the public, and there is no private communication involved. Saying all websites should use https is like saying all sources of radio signals, from cell phones to radio stations, should encrypt their signals. Yes to cellphones encrypting their signals, no to radio and TV stations needing to do that.

    Https is appropriate for parts of the websites, like the campaign donation buttons. But for just stating positions and policies, https is unnecessary, and even a little detrimental.

  • (Score: 5, Insightful) by Jeremiah Cornelius on Saturday April 18 2015, @03:49AM

    by Jeremiah Cornelius (2785) on Saturday April 18 2015, @03:49AM (#172284) Journal

    We need HTTPS everywhere, normative, all the time.

    People should recoil at exposed HTTP the same way they refrain from Telnet vs SSH.

    Ask the security researchers that look at how HTTP streams are hijacked and injected on ad networks - one of the most prolific vectors for ordinary pwnage of personal computers. These were all thwarted by HTTPS.

    --
    You're betting on the pantomime horse...
    • (Score: 2, Interesting) by Anonymous Coward on Saturday April 18 2015, @04:02AM

      by Anonymous Coward on Saturday April 18 2015, @04:02AM (#172288)

      HTTPS totally falls apart because the CA system is fucking broken.

      You keep going on and on about security, but you totally ignore one of the biggest goddamn security flaws out there.

      • (Score: 2) by kaszz on Saturday April 18 2015, @10:37AM

        by kaszz (4211) on Saturday April 18 2015, @10:37AM (#172347) Journal

        It's better-than-nothing security. A quick fix using an existing standard.

        • (Score: 2, Informative) by Anonymous Coward on Saturday April 18 2015, @12:50PM

          by Anonymous Coward on Saturday April 18 2015, @12:50PM (#172381)

          No, it's worse. It offers no real security, but tricks people like you into thinking it offers security. A false sense of security is worse than no security. A false sense of security combined with no security is even worse than that.

          • (Score: 0) by Anonymous Coward on Saturday April 18 2015, @03:49PM

            by Anonymous Coward on Saturday April 18 2015, @03:49PM (#172451)

            It absolutely offers some security. The NSA and other agencies with compromised CAs are not the only threat out there. Other threats include ISPs fucking with the data stream like adding supercookies to make every request trackable [forbes.com] and injecting ads or malware [arstechnica.com] and snooping on all your browsing to build a profile they can sell to the highest bidder. [arstechnica.com]

            The perfect is the enemy of the good. Quit being an enemy of the good.

            • (Score: 1) by Fauxlosopher on Saturday April 18 2015, @06:10PM

              by Fauxlosopher (4804) on Saturday April 18 2015, @06:10PM (#172509) Journal

              The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.

              Sure, use HTTPS/encryption in cases where it makes sense to do so - but do NOT forget that the evil must still be dealt with. Keep looking for an opportunity to destroy the evil at the root of the problem.

              If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.: "We kill people based on metadata [rt.com]." -Michael Hayden, former CIA and NSA director

              • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @02:16AM

                by Anonymous Coward on Sunday April 19 2015, @02:16AM (#172681)

                > The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.

                Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:

                >> The NSA and other agencies with compromised CAs are not the only threat out there.
                > If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.:

                • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @08:17AM

                  by Anonymous Coward on Sunday April 19 2015, @08:17AM (#172767)

                  >> The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.

                  > Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:

                  I'll consider it just as soon as people stop implying that the use of known-broken cryptosystems is some sort of panacea, then getting indignant when the brokenness is brought up by others.

  • (Score: -1, Troll) by Anonymous Coward on Saturday April 18 2015, @04:00AM

    by Anonymous Coward on Saturday April 18 2015, @04:00AM (#172287)

    It's a hipster thing. They're all rah-rah-rah for HTTPS these days.

    • (Score: 1, Interesting) by Anonymous Coward on Saturday April 18 2015, @06:53AM

      by Anonymous Coward on Saturday April 18 2015, @06:53AM (#172321)

      No, it's because the more encryption there is, the harder it will be for the government to tell 'important' communication from 'unimportant' communication, thereby providing some cover for those that need encryption the most.

  • (Score: 5, Informative) by FatPhil on Saturday April 18 2015, @08:01AM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Saturday April 18 2015, @08:01AM (#172329) Homepage
    That's an RMS-like view (no password), and it's a nice ideal. Unfortunately, we don't work in a nice ideal world. How do you know you are downloading a Linux install CD? How do you know you're not downloading one which the NSA has hacked back doors into? Check the signature? Where did you download the signature from - an http or https site? If the former, how do you know you didn't download a signature that the NSA created for their bogus ISO? But it's signed with Debian's key? How do you know you're checking against Debian's key, that pub key you're looking at, where did it come from - an http or https site? ...
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
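The chain-of-trust argument in the comment above can be made concrete. The following is an added example, not code from the thread or from Paul Schreiber's blog: it models a download whose checksum file travels over the same unauthenticated channel as the image, versus a checksum pinned through an independent path. The mirrors, image bytes and digests are all constructed; the same reasoning applies to a detached signature whose public key was fetched in-band.

```python
"""
Added example (not from the SoylentNews thread): why an integrity check whose
reference value arrives over the same untrusted channel as the artifact proves
nothing about substitution. All data below is constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed publisher release: the genuine image and its genuine digest.
GENUINE_IMAGE = b"netinst.iso: genuine bytes (constructed)"
GENUINE_DIGEST = sha256_hex(GENUINE_IMAGE)

# Constructed substituted image, as served by a hostile mirror or on-path rewriter.
TAMPERED_IMAGE = b"netinst.iso: modified bytes (constructed)"


def honest_mirror() -> dict:
    """Plain-HTTP mirror serving the genuine image and its SHA256SUMS (constructed)."""
    return {"iso": GENUINE_IMAGE, "SHA256SUMS": GENUINE_DIGEST}


def hostile_mirror() -> dict:
    """Whoever controls the unauthenticated channel can rewrite the ISO and the
    SHA256SUMS file consistently, so an in-band digest check still matches."""
    return {"iso": TAMPERED_IMAGE, "SHA256SUMS": sha256_hex(TAMPERED_IMAGE)}


def verify_in_band(mirror) -> bool:
    """Reference digest comes from the same channel as the file.
    This detects transfer corruption only, never substitution."""
    files = mirror()
    return hmac.compare_digest(sha256_hex(files["iso"]), files["SHA256SUMS"])


def verify_out_of_band(mirror, pinned_digest: str) -> bool:
    """Reference digest obtained through an independent, authenticated path
    (an HTTPS page with a valid certificate, a release key already on disk,
    printed media). This is the check that actually catches substitution."""
    files = mirror()
    return hmac.compare_digest(sha256_hex(files["iso"]), pinned_digest)


def audit() -> dict:
    """Run all four combinations; the hostile/in-band case is the trap."""
    return {
        "honest_in_band": verify_in_band(honest_mirror),
        "hostile_in_band": verify_in_band(hostile_mirror),  # passes, i.e. useless
        "honest_out_of_band": verify_out_of_band(honest_mirror, GENUINE_DIGEST),
        "hostile_out_of_band": verify_out_of_band(hostile_mirror, GENUINE_DIGEST),  # fails, caught
    }


if __name__ == "__main__":
    for label, ok in audit().items():
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
```

The only case that distinguishes a hostile mirror from an honest one is the out-of-band comparison; the in-band check returns the same answer for both, which is the point the comment makes about signatures and keys fetched from the same http site as the image.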
    • (Score: 2, Interesting) by btendrich on Saturday April 18 2015, @12:40PM

      by btendrich (3700) on Saturday April 18 2015, @12:40PM (#172377)

      The same way you don't know that they broke into your house and replaced your laptop with one that will eat your children... The NSA is one of the few technically impressive pieces of the government left (just look at what NASA just let happen!). If they want your stuff bad enough, they will probably get at it. Although I do agree that HTTPS is a nice way to avoid being the low hanging fruit.

    • (Score: 3, Insightful) by bzipitidoo on Saturday April 18 2015, @04:32PM

      by bzipitidoo (4388) on Saturday April 18 2015, @04:32PM (#172479) Journal

      No, excessive security is insecurity. People do not take security as seriously when it is unnecessary and people see that. Further, there is the false positive problem. Unnecessary security is very bad when it denies access for an invalid reason. For https, I've had the browser pop up the scary warning messages about invalid certificates that actually were perfectly valid. It happened because I was on an old computer that could not save the current date because the CMOS battery was dead, and the browser believed the system about the date being Jan 1, 2000. If the site had not insisted on https, I would not have been troubled with that false positive. Instead, I was presented with the demand to add a totally unnecessary security exception before being allowed to view the site. I've commented on Firefox bug reports about this problem.

      As to your questions, how do you know the NSA hasn't hacked the Linux distro's website and substituted a CD install image with back doors, complete with md5 and sha256 sums, and valid digital signatures? Or, that the NSA didn't strike further upstream, and break into the source code repository of openssl, or Apache, Firefox, bind, dnsmasq, bash, xterm, getty, or the Linux kernel itself, to add a back door? No need to crack https to do that. When you focus on unnecessary https, you divert resources from real security threats. https has its place, but let's not overuse it. And definitely don't try to implement the evil bit.

      For example, very few people use SELinux, because it's a pain to administer, and doesn't do much to add to the security. I was always having to add permissions so that this vital utility and that vital utility could function. An insider can still compromise an SELinux box. (Admittedly, guarding anything against insiders is pretty well impossible, but the point here is that SELinux sort of tries to do that.) SELinux's coverage is very narrow, too narrow. It will not stop an exploit that does not touch or care about the underlying OS. Most attacks use some other vector, such as a browser. NoScript is more important and better security than SELinux, but it is still a hassle to use; you have to constantly add to its whitelist.
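The dead-CMOS-battery false positive described in the comment above is a certificate that fails only its validity-window check, because the local clock is wrong. The following is an added example, not code from the thread: it classifies a certificate's validity window against the system time, in the `notBefore`/`notAfter` string format that Python's `ssl.SSLSocket.getpeercert()` returns, and flags the case where a "not yet valid" result coincides with a system clock earlier than the software's own build date (a check browsers use to tell clock skew from a genuinely bad certificate). The certificate, clock values and build date are constructed.

```python
"""
Added example (not from the SoylentNews thread): telling a clock-skew false
positive apart from a genuinely invalid certificate window. All values are
constructed; only the time window is checked here, chain, hostname and
revocation checks are separate steps.
"""
import ssl
from datetime import datetime, timezone

# Constructed certificate dictionary in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Apr 18 00:00:00 2015 GMT",
    "notAfter": "Apr 18 00:00:00 2016 GMT",
}

# Constructed: the date the client software was built. A system clock earlier
# than this cannot be correct, which is the signal for clock skew.
SOFTWARE_BUILD_DATE = datetime(2015, 3, 1, tzinfo=timezone.utc)

# Constructed clocks: a machine whose CMOS battery died, and two sane ones.
SKEWED_CLOCK = datetime(2000, 1, 1, tzinfo=timezone.utc)
CORRECT_CLOCK = datetime(2015, 4, 18, 12, 0, tzinfo=timezone.utc)
LATE_CLOCK = datetime(2017, 1, 1, tzinfo=timezone.utc)


def validity_status(cert: dict, now: datetime) -> str:
    """Return 'valid', 'not_yet_valid' or 'expired' for cert at time `now`."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        return "not_yet_valid"
    if ts > not_after:
        return "expired"
    return "valid"


def diagnose(cert: dict, now: datetime, build_date: datetime = SOFTWARE_BUILD_DATE) -> str:
    """Classify the window, then separate 'the clock is wrong' from 'the cert
    is wrong' so the user is told to fix the clock rather than to add a
    security exception."""
    status = validity_status(cert, now)
    if status == "not_yet_valid" and now < build_date:
        return "clock_skew_suspected"
    return status


def run_cases() -> dict:
    """The three constructed clocks against the constructed certificate."""
    return {
        "skewed": diagnose(SAMPLE_CERT, SKEWED_CLOCK),
        "correct": diagnose(SAMPLE_CERT, CORRECT_CLOCK),
        "late": diagnose(SAMPLE_CERT, LATE_CLOCK),
    }


if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label}: {result}")
```

The raw window check alone reports the dead-battery machine as "not_yet_valid", which is the scary warning the comment describes; the build-date comparison turns that into a clock-skew diagnosis, so the right remediation (set the clock, or replace the battery) is presented instead of a prompt to add a permanent exception.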