
Internet security gets worse all the time. Time for HTTPS ?



#1 palerider2


Posted 28 June 2014 - 09:55 PM

I recently posted in this forum about the problem I was having with proficient hackers. I subsequently received really useful information which allowed me to secure my PC just a little bit better. Since then though the hacker has targeted my NAT router and compromised it.
 
There is a reason for starting a separate thread today.  :cowboy:
 
What I found is that I can't browse anywhere on the internet using HTTP and still be safe. Very quickly my traffic is detected and so the PC hostname and my live IP address become known. For example, my presence on this site is something that can be used to identify me. The number of concurrent users is not that high at the present time.
 
And if my IP becomes known, apparently my router can be successfully attacked. 
 
Of course I can browse using a proxy but I've found that I can't log on to BC and post a reply if I'm using a proxy. And the same is true of other sites.
 
So what does this tell me ? Well, most of the internet is being monitored by an unknown number of hackers who can ignore or use that information as they see fit. So this is a serious problem.
 
And therefore, here's my question: is there any plan to implement SSL/TLS on the BC site in the near future ? 'Cos I'd really like to continue posting here. :cowboy:
 
And is it possible to increase the formatting options if you choose to post without using javascript ? I found that if I don't allow scripts to run you can't even use <CR> in your posts, which makes them much harder to read. Generally I trust the scripts on this site but any site can be attacked. My hacker would try to do that. Very persistent and very well-connected.
 
Cheers !
 
Edit: such bad grammar at times.

Edited by palerider2, 28 June 2014 - 10:14 PM.




#2 palerider2


Posted 02 July 2014 - 09:04 PM

I guess only the site owner can answer the question about HTTPS. ENTER
Where I've typed 'ENTER' (except that one :) ) I've pressed the Enter button. ENTER
Anyway, here's a comment from Messrs Gibson and Laporte on the subject ENTER
"Leo: Yeah. In our business we're constantly coming across new victims of
cybercrime. And in thinking about it one day we realized that if we - the industry,
really - simply followed your advice of HTTPS-only everywhere, we would have
stopped every single financial cybercrime we've ever been called in for on a post-
mortem. Unfortunately, we were never able to share much event detail with the
public. Suffice to say, if secure HTTP had been the only allowed protocol, not a single
one of the crimes would have been possible. So [quoting listener question] 'Why not simply block all non-secure HTTP traffic, attempt to automatically redirect it to HTTPS to minimize
inconvenience? I'm asking rhetorically, of course. Thanks to you and Leo for all your
efforts each week to put together a world-class podcast. Thank you.'
Steve: So this was a great question."
"You need to have a security certificate on your server."
... "So, I mean, there are still too many barriers to HTTPS. It's getting better all the time. "
"So this is a perfect example of slow evolution in our understanding of the importance of
security on the Internet. I know we'll get there someday. I mean, there will always be
sites that are HTTP only. But I think that'll end up at some point being the exception
rather than the rule. "

Edited by palerider2, 02 July 2014 - 09:06 PM.


#3 palerider2


Posted 02 July 2014 - 09:10 PM

Well, that was interesting because the carriage returns in my quoted text have been honoured.

Let's see if this sentence is in a separate paragraph. I typed this post in an editor and pasted the whole lot into the web site.

:)

Edited by palerider2, 02 July 2014 - 09:30 PM.


#4 Crazy Cat


Posted 02 July 2014 - 09:29 PM

You should be more concerned with this: The NSA Revelations All in One Chart. http://projects.propublica.org/nsa-grid/

HTTPS for login, to protect your login details, but then HTTP for general posting. HTTPS will increase server load.

Edited by Crazy Cat, 02 July 2014 - 09:36 PM.

 



#5 palerider2


Posted 02 July 2014 - 09:43 PM

Interesting Cat.

For now, I'll settle for HTTPS myself.

It looks like I now have paragraphs, without using scripts.

Edited by palerider2, 02 July 2014 - 09:44 PM.


#6 palerider2


Posted 02 July 2014 - 09:49 PM

Crazy Cat: HTTPS for login, to protect your login details, but then HTTP for general posting. HTTPS will increase server load.

I can see the issue Cat. The additional problem though is that HTTP traffic can be hijacked. This must be happening with sufficient regularity that groups like EFF are convinced that HTTPS is the way forward.

Here's their site:
https://www.eff.org/

Two days ago I flattened my sacrificial PC - just had to do it.

Edit: If I submit a post (without scripting enabled) the paragraphs are lost but if I then Edit the post, make no changes and submit it again, all good. :)
A bit of a chore but it's a workaround if you don't wish to run the scripts.

Edited by palerider2, 02 July 2014 - 09:53 PM.


#7 Grinler

    Lawrence Abrams


  • Admin

Posted 03 July 2014 - 08:06 AM

HTTPS adds overhead to browser sessions. I see no good reason to use SSL HTTP communications unless there is information being transmitted that you want to protect. This includes real names, unencrypted passwords, social security #s, banking info, credit card details, etc.

On this site the only info being transmitted when you login is your display name and encrypted password. As everyone should be using different passwords at different sites, this should not be an issue.

#8 palerider2


Posted 03 July 2014 - 07:43 PM

Thanks Grinler. That's a full explanation of why BC shouldn't need HTTPS and, frankly, I cannot contradict it. :)

There's a broader issue of whether the internet should continue to use HTTP. This is something I'm trying to get to grips with. Some people feel that HTTPS everywhere is the right way forward.

If people did run the HTTPS Everywhere extension on their browser (except maybe IE users) then they would be sure to use encrypted connections wherever possible.

But I still wonder whether there's a security risk from allowing one's WAN IP address to be known, except to those sites that you choose to connect to. And, would using HTTPS assist in that regard ? I don't yet have an answer on that - I'm still looking into it.

Once again, cheers for the reply.

Edited by palerider2, 03 July 2014 - 07:43 PM.


#9 Grinler

    Lawrence Abrams


  • Admin

Posted 07 July 2014 - 01:27 PM

No, a website would still see your WAN IP address. HTTPS only prevents people from sniffing your connection as it would be encrypted. With standard HTTP everything flowing over it is plain text and can easily be viewed.

#10 palerider2


Posted 09 November 2015 - 02:11 AM

Hi again G

I noticed recently that BC does support HTTPS.

I created an xml file that would allow HTTPS Everywhere to upgrade the connection automatically to HTTPS, provided that the site permits it. It doesn't at the moment.

Any chance of allowing it for the minority who would like to use it ?

pr2 :)

Edited by palerider2, 09 November 2015 - 02:11 AM.




