EFF Applauds 'Massive Change' to HTTPS (eff.org)
"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...
Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...
The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.
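The summary mentions CAA only in passing. As an added example (not code from the EFF article or from any CA's issuance pipeline), here is the check a CA performs under RFC 8659 before issuing: climb from the requested name toward the root until a non-empty CAA RRset is found, then decide from that set's issue and issuewild tags whether this CA is authorized, refusing if an unknown property is marked critical. The zone snapshot, domain names and CA names are all constructed so the check runs offline; a real CA would fetch the RRsets with DNSSEC-validating lookups.

```python
"""CAA (RFC 8659) issuance check against a constructed zone snapshot.
Added example, not code from the EFF article or any CA; the zone data and
CA names are made up so the check runs offline."""

CRITICAL = 128  # flags bit: an issuer that does not understand the tag must not issue

# Constructed records: owner name -> list of (flags, tag, value)
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "blog.example.com": [(0, "iodef", "mailto:caa@example.com")],   # own RRset, no issue tag
    "open.example": [(0, "iodef", "mailto:x@open.example")],          # no issue tag: unrestricted
    "locked.example": [(0, "issue", ";")],                            # ';' forbids every CA
    "odd.example": [(CRITICAL, "futuretag", "whatever")],             # unknown critical tag
    "param.example": [(0, "issue", "CA.example ; validationmethods=dns-01")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA RRset is the
    relevant one. RFC 8659 dropped RFC 6844's CNAME following, so only the
    name tree is walked."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value):
    """'ca.example; key=val' -> 'ca.example'; a bare ';' -> '' (no issuer at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain, zone=ZONE, wildcard=False):
    """Return (allowed, reason). ca_domain is the CA's own issuer-domain-name."""
    name, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records found; issuance not restricted"
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"unknown critical property at {name}; must not issue"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild takes over only when at least one is present;
    # otherwise the issue tags apply to wildcards too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {name} has no applicable issue tag; not restricted"
    allowed = {issuer_domain(v) for v in applicable}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorized by CAA at {name}"
    return False, f"{ca_domain} not listed at {name}; allowed: {sorted(allowed - {''})}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "other-ca.example", False),
                           ("example.com", "letsencrypt.org", True)]:
        print(host, ca, "wildcard" if wild else "", may_issue(host, ca, wildcard=wild))
```

One consequence worth noticing in the constructed data: `blog.example.com` publishes only an `iodef` record, and because the climb stops at the first non-empty RRset, the parent's `issue letsencrypt.org` restriction never applies to it. A subdomain that wants to inherit the parent's policy must publish no CAA records at all, or repeat the `issue` tag itself.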
If a website doesn't take any private information from you why does it need ssl/tls?
I'm just not understanding the push for everything to be encrypted when it doesn't need to be.
It doesn't. Google just thinks they know better than you. Maybe making everyone dependent on certificate authorities even when they don't need it is part of their plan for world domination.
Because my little brother, guy sitting next to me at Starbucks, my ISP, and government don't need to have a clear text view of everything, or anything, I'm doing. It's not that I'm doing anything wrong... It's that it's none of their fucking business.
... and they have no interest whatsoever in your fucking business.
Maybe they don't right now, or in a year, or 10 years, or maybe never.
But maybe, at some point, whoever is in control of that data decides they want to smear you by cherry picking the sites you've visited. Or maybe they use it to build a court case against you. Or maybe they use it to watch out for "dissidents" or those who won't submit to a dictatorship.
Would you want to live in a society where the gov knows exactly where you've gone and what you've done both historically and in real time? The US is dang
Until you speak out politically. Until you're photographed at a protest. Until you're a nuisance to those in power. Then you may find that you want the government to not have low-effort ways to attack you.
Remember, there's no telling what topics that are innocuous today will become reputation-wrecking or outright illegal in 20 or 40 years, and the government has a habit of keeping everything in case it might be useful one day.
Never assume that because the government has no interest in you today, that bec
To make hiding the malware easier. Slow no caching (Score:5, Informative)
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information. This is based on my 20+ years of internet security work throughout my career. Payment pages where people enter credit card information obviously need encryption, but in my opinion most sites see little to no benefit.
Https means it can't be loaded from your ISP or company's cache, making popular sites slower. It also prevents corporate security or your own router / firewall from seeing the malware or whatever that some hacker added to the page, and generally keeping an eye out for security problems. For public sites where you don't log in, I think https is a net reduction of security.
There *is* the argument that it makes it harder for governments to know which pages you're viewing on a site, but they still see which sites you connect to.
As I understand it, corporate security has the option of having you accept their keys and MITMing everything, allowing scanning and caching of activity performed from inside the corporate network. Is that incorrect?
Indeed. And with HTTPS, corporate security can ensure that they're the only ones MITMing the connection. With HTTP it's impossible to know if anyone else might be monitoring -- or even modifying -- the connection.
Funny, I have only 17 years of infosec experience and I wholeheartedly approve of this. For the corp environment we do TLS inspection, so beaconing and C2 is detectable, but forcing TLS everywhere, all the time, makes it so that when applications change over time... as they always do... and then they start hitting PII or GDPR or Crown Jewels or any other category of data, we don't have to care about transit. No questions asked, no exception, TLS only.
Many connections are so fast now, there's no need to do MITM caching. Can't remember the last time my ISP actually cached a website. Maybe Netflix, but only because they pay for it. Most heavy websites do local storage and service workers.
Many connections are so fast now, there's no need to do MITM caching
Every time a fool advocates for changes for everyone because the internet appears to be fast enough at his personal ivory tower he must be reminded of what it looks like in the suburbs. And third world countries. And mobile browsers basically worldwide.
On mobile devices the effect is compounded. Devices forever loading megs and megs of third party javascript tracking code, useless css and images in very improper amounts of ram (and how quickly the OS decides the page needs to be swapped out and fully reloade
This https movement is just backlash from people becoming aware everything was being spied upon by the USA. A bigger deal outside the USA; allies and enemies all being spied upon.
The PROBLEM is that this is pure security theater to make people feel safer! HTTPS is easily broken by the NSA if you use any official signing authority except perhaps Let's Encrypt, but somehow I doubt that was setup as NSA proof. It's not that you are being broken into all the time; only targeted people are being broken - so it's better than previously... although the greater the targeting ability the more people will be targeted and for a longer period.
Without HTTPS, you are the mercy of anybody between you and what you think is the website you're browsing. It doesn't just obscure data transit, it provides verification to varying levels that you are viewing the site you think you are.
So you've got 20 years of professional experience yet don't recognize the dangers of MITM attacks from non-HTTPS pages?
If you are connecting to an unprotected page basically nothing on it can be actually trusted. While a page might look normal every resource and link could have been rewritten to do something malicious. You have no way of knowing that anything loaded over HTTP is what the server actually intended to send.
Links could route through phishing sites and malicious resources could be added. One of the best features of HTTPS is to make resources resistant to MITM attacks. A page with no PII can be intercepted and modified to leak that data without you even knowing.
Most people don't want or need their ISP or corporate gateway caching content. For one a browser's cache is more effective for most content since it's loaded from disk (or RAM) rather than coming over a network. Second it's more effective for ISPs to forego their own caching and simply let CDNs with their colocated edge caches handle the task. The content from the CDN to client is going to be encrypted using the source site's credentials (or authorized credentials) so end users can trust the data path to the server and the ISPs don't need to pay for the hardware. Since CDNs colocate edge caches everywhere they can afford there's little if any performance difference between a third party edge cache to the client and an ISP's edge cache to a client. They're likely to be hosted in the same buildings on the same networks.
Yeah. Too many people are forgetting that endpoint-to-endpoint encryption doesn't protect the endpoints themselves. I think this push towards universal HTTPS is yet another security theater---it makes you feel securer than you ought to feel.
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information. This is based on my 20+ years of internet security work throughout my career. Payment pages where people enter credit card information obviously need encryption, but in my opinion most sites see little to no benefit.
Why don't you come connect to my wifi hotspot, and log into all your sites unencrypted? I'll even cache the pages for you so reloads are faster. Even better, you can use my local DNS server.
Oh, you don't want to connect to my hotspot? Well why not just connect to your home wifi network, that just magically appeared at Starbucks.
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information.
Allow me to entertain the opposite argument:
Imagine trying to view wikipedia entry for homosexuality in Iran.
Imagine trying to view wikipedia entry for abortion from a catholic school library computer.
Imagine trying to view wikipedia entry for treatment of hemorrhoids at work computer.
Imagine trying to view wikipedia entry for Navalny in Russia.
Imagine trying to view wikipedia entry for Tibetan Buddhism in China.
Imagine trying to view wikipedia entry for teen pregnancy from home computer.
Imagine
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information.
Your professional judgement is wrong, because you're only looking at half of what HTTPS provides. Encryption is only one of the things HTTPS provides, and it's arguably the less important one. Integrity is the more important one. HTTPS ensures that you're connecting to the site you think you are, and that the content it provides arrives at your browser unmodified.
Without this, if a malicious party can get access to your connection at any point between your browser and the server they can make arbitrary mo
Not just governments spying on you, but your own ISP and advertisers too. We have already seen lots of ISPs doing MITM attacks that insert unwanted content into pages.
Being able to see that you connected to Wikipedia is very different from being able to see that you looked at the Wikipedia page on STDs or pressure cookers or Casio watches.
Organisation level caching is overrated these days anyway, since so much content is dynamic. The benefits far outweigh the costs, especially considering that people
Spewing â-characters? Who's the idiot?
One motivation is to make it more difficult to distinguish important and sensitive information from wasted bandwidth, which makes it harder to censor. Of course, since the destination is known at the IP layer with HTTPS, that's of somewhat limited value.
Of more value is ensuring that all your traffic goes over a VPN.
even Slashdot! (Score:2)
You know a technology is really ubiquitous when even a tech news site switches to it. Maybe, perhaps, I will see working Unicode on Slashdot within my lifetime. For dig -t AAAA slashdot.org returning something else than NXDOMAIN, though, my hopes are not so high.
dig -t AAAA slashdot.org returning something else than NXDOMAIN, though, my hopes are not so high.
What do you mean by that? If I do it I get
What are they smoking? (Score:1)
So, just as the 'net is making major moves to https, I see this on /., "EFF Applauds 'Massive Change' to HTTPS"! Really?
Why are they changing it now that the majority of sites are using it? Don't they know that massive changes just as people are adopting it can kill a protocol? People will move on to something that "just works". Why don't they leave it alone until most everyone is using it and gets used to it, then make their massive cha...
What? There is no massive change to https? TFA is talking about peop
Half the web, not half the internet (Score:1)
Certification Required (Score:1)
So now in this brave new world you are required to be 'certified' to put up a web site.
Why does an organisation with 'freedom' in their name applaud this?
under-rated
Indeed, I don't appreciate this agenda driven bullshit for what is totally unnecessary for many websites. Someone's going to snoop my relatives looking at family pictures on my website? I have to use a web stack that the shitty 90 day free cert ware they're pushing supports. And browsers are on board with your stupidity? fuck you, EFF.
HTTPS prevents tampering with the connection. Even if nobody cares about your family pictures, someone cares about the opportunity that you give them to modify the content sent by your server before it reaches your relatives, do some social engineering at their expense (they’ll be convinced that whatever they see comes from trusted you) and get them to fall for a phishing trap or install malware. By serving through HTTPS, you are adding some protection for your relatives.
There is no need for you, the operator, to be “certified”. The TLS certificate installed on your server merely increases the odds (for your users) that the machine serving the content (your server) is really the one that they expected (rather than a server operated by a malicious operator) and that the content received is really the content that was sent by that machine (rather than fake content fraudulently injected during transit by a malicious actor). It’s rather sensible to promote sec
I'm pretty sure they go by their acronym "EFF" alone (kinda like "KFC" and "SAT"), which doesn't stand for anything any more---which is quite fitting, because the organization itself doesn't stand for anything any more.
This is how the seniors will take over. (Score:1)
Who needs government we worship when a corporation or authority that gives certs can just invalidate any very whose owner they don't like.
Now if browsers would isolate resources (Score:3)
Now if only browsers would isolate resources from third party web sites so they can't scrape info from other parts of the page or grab keyboard/mouse input, and allow per-page access to certain hardware like mic/camera/file system, then it would go much further.
Https stops ISPs and nodes from tapping info, but a lot of third parties end up with all of that anyway.
You just watch. In five years the major Web sites, having switched to HTTPS-only, will require personal SSL certificates to use their services. You think Google and Facebook track you now? Just wait until they can tie a browser session with your personal identity with virtual certainty.
Exactly what was this massive change to HTTPS? Was HTTPS insecure in some way and needed to be fixed? Oh wait, what you probably meant was EFF Applauds 'Massive Adoption' of HTTPS.