Shifters, signals, lights, wipers, gas, break, hazards, fogs, steering..etc are designed to be manipulated by tactile feedback alone. Likewise my audio system was selected for its ability to be fully controllable via tactile feedback.
Driving is not a "game"
Too often when I hear of "researchers" discovering "flaws" turns out all they are doing is demonstrating an obvious result from commonly known properties of a system.
You mean you can just mount that unencrypted drive, change root password, boot up and have full access to everything? Well jolly geeewiz...
SS7 "flaw" is standard operating procedure for Telco's where only meaningful form of security has always been adult supervision.
Not much different from what happens when one or more "adults" setting up BGP sessions turns out to be an immature little brat.
Only difference at least people know the Internet isn't secure and can plan accordingly by plugging in the E2E security solution of their choice.
Have a smartphone and want to replace standard voice codec with an encrypted one? Sorry that's locked away in the baseband.. access denied son.
Attempts to setup globally trustworthy systems have consistently devolved into jokes. Humanity appears to lack necessary intelligence and integrity to pull it off. The best we can do right now is piecemeal E2E solutions.
You forgot that:
- the connection is permanent, multiple request pipe lined trough same connection
- The page are by today standard variable sized, headers are vaiable sized
- Compression is often used
- AES and most symmetric cipher are block ciphe rand rounded
People pointing out all of the ways my response COULD be wrong or if x, y, z countermeasures taken then my scheme is foiled....and and if you used TOR or something then even your IP would be safe... My central goal here is to communicate Joe Biden's point when asked about telephone metadata collection not to nit pick and dot my j's and cross my 0's.
Lets examine some of the responses..
Well just add padding so they won't know... well ok...who is doing that?
Multiple requests encapsulated in an HTTP 1.1 pipeline or futuristic 2.0 scheme... so what? You visit a page and the chatter stops while your reading it and starts up again when you click something else and follow a different link.
There could be dynamic content and that could render it difficult to discern x, y and z... This could be true or not depending on the site.
Compression - I don't get how this is relevant... When NSA/KGB goes to your site to collect baselines wouldn't the data be compressed or not the same as any other visitor?
- AES and most symmetric cipher are block ciphe rand rounded
With AES your looking at a block size of between 16 and 32 bytes.
Insecure shopping cart comments.. If you have a shopping cart on your website it stands to reason you already have an SSL certificate so the question posed regarding value of HTTPS over HTTP is not applicable - otherwise I agree what you enter on a form is probably very safe from prying eyes when using HTTPS vs HTTP.
Random padding for BREACH mitigation... I'll believe there is someone on earth who cared enough to implement this vs simply disabling compression for *dynamic* assets when I see it for myself. Compression overhead for dynamic content was always of questionable ROI as it is.
We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.
The proper technical solution is to bind encryption with a secure user authentication protocol.
Dump the certs in the trash where they belong and use TLS-SRP.
Technology is readily available and easy to implement.
Seems only thing this industry is capable of producing these days is creepy stalker gadgets.
I strongly disagree with the people who say encrypted but unauthenticated is as bad as unencrypted. Yes a targetted attack can use man-in-the-middle techniques but if anyone starts doing that on a large scale they are likely to get noticed.
I don't think people realize how easy it is to hijack a TCP session. There is essentially no filtering being done by any operator... packet spoofing can be trivially carried out from virtually anywhere on the network.
I think your right in the abstract that opportunistic encryption is helpful against certain types of threats (e.g. Room 641A)
The trouble is this nuance is too big an ask for normal users whose day job is not security to understand. When we say "it's encrypted" they hear "it's secure"
This is my problem with opportunistic encryption is that people will rely on it and then get burned by it and this is worse than not doing it.
I don't think I've entered either of those things in the last 10 years. Heck they aren't even shown on my URL at the moment.
That's the problem they removed all of the indicators that would tell people what the hell is going on and confuse them with fake pointless assertions. Only now they are realizing they fucked up. When and if they fix it I hope they don't overreact and put even more people at risk.
Do you also consider having a front door with a door lock any better than just having a hole in the wall open to the road?
HTTP should look like the entrance to a 7-11 busy churning our Slurpees for all the good little boys and girls.
HTTPS should look like the entrance to a bank vault with armed guards standing watch.
The industry has failed for a number of reasons to present this picture to the user... at every turn they let their designers loose with their abstract Spartan design bullshit taking away critical information from the user. All the while legitimate sites routinely trick users with fake assertions of security having no basis in reality.
I don't think doubling down and forcing SSL on everyone is the answer.. the answer is realizing you have fucked up and fixing the underlying problem. The underlying problem is browser is not saying shit about security status of a site and when it does it is not obvious enough.
Any employee dumb enough to fall for a phish should be fired.
The messages were *targeted* they appeared to come from real people within the company. If your PM sent you a word doc detailing a new project proposal and you opened it should YOU be fired?
SMTP email is a failed experiment causing untold damage to millions of users around the world.
Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.
Your fertilizer page is 14674 bytes in length. What differences does it make if you encrypt it? I still know you went there and I know who you are by your address. Fail.
The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol.
This is doublespeak. Encryption without authentication is an illusion.
Trivial to defeat HSTS:
https://github.com/sensepost/m...
Oh give me a break this does not defeat HSTS it just links to the wrong hostname offered up by an insecure site. Garbage-In-Garbage-Out.
Saying this defeats HSTS is like saying getting domain micr0s0ft.com registered and an SSL cert assigned defeats SSL because I tricked someone into going there and thinking it was the real deal.
It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.
When you enter http:/// you are declaring your intent to view unsecured content.
When entering https:/// you are declaring your intent to view secured content. An untrusted certificate is not trustworthy and cannot be used as a means of securing content.
Personally I think the colour scheme is simply wrong. Rather than White for plain, Red for SSL with some minor error (self signed cert), and green for proper encryption, why not go red for unencrypted, orange for encryption with problems, and green for encrypted and verified?
That's easy most websites will appear red and users will tune it out. You have now increased confusion and lost your ability to communicate important information to the user.
Encouraging the web to go 100% SSL only is a unquestionably a good thing.
Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.
The issues with performance were gone a decade ago...
Even if maintaining session state and TLS were completely free round trip delay and assuming the best case that session resumption occurs for all accesses you still have to eat additional round trips...delay that is quite noticeable to those accessing content internationally and over wireless or low bandwidth links.
It makes no sense that all the "anti-SSL"
posts have been modded up.
Why should people have to screw with SSL when they have no secure content to offer? This is what makes no sense to me. Google is twisting arms to have their way.
Regardless of what you think of making everything "secure" I don't subscribe to the notion that ends should justify means.
Every web connection needs to be HTTPs, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.
Fire up wireshark, sort by DNS and pick any well known website at random. why are there all these queries for dozens of others sites? Their all leaking tracking cookies and all kinds of bullshit to many DOZENS of providers who have nothing to do with providing content your browser requested their only job is to stalk your ass wherever you go on the Internet. Turning on HTTPS won't make them go away.
Just sitting on the wire and collecting destination addresses, amount of data transferred and timing stats is more than enough to piece together exactly what your doing even while everything is encrypted.
The optimum committee has no members. -- Norman Augustine
