From the people who brought you "referer"...
-
@boomzilla said in From the people who brought you "referer"...:
@pie_flavor said in From the people who brought you "referer"...:
Yes, the information presented is perfectly accurate. amazon-rewards.money is still secure, even though it's not trustworthy.
Um...actually, we have no idea how secure amazon-rewards.money is. We just know that traffic between us and them is encrypted.
Perhaps that could be better communicated. But this is hardly new. Chrome has always displayed HTTPS this way. And you're only just now caring?
-
@gąska said in From the people who brought you "referer"...:
green padlock = security
Not so much. Someone was able to get an EV certificate for "Stripe, Inc." for the cost of $177 and two hours of time. They did it by incorporating a "Stripe, Inc." in Kentucky.
-
@pie_flavor said in From the people who brought you "referer"...:
@boomzilla said in From the people who brought you "referer"...:
@pie_flavor said in From the people who brought you "referer"...:
Yes, the information presented is perfectly accurate. amazon-rewards.money is still secure, even though it's not trustworthy.
Um...actually, we have no idea how secure amazon-rewards.money is. We just know that traffic between us and them is encrypted.
Perhaps that could be better communicated. But this is hardly new. Chrome has always displayed HTTPS this way. And you're only just now caring?
No, that's just you assuming you're important enough to be the first to know what I care about and also being butthurt that you're saying false things.
-
@blakeyrat said in From the people who brought you "referer"...:
If it's a site that's hosted on the LAN and firewalled entirely, or literally not even connected to, the Internet at large, it is guaranteed to be secure.
*snicker*
Go ahead, keep believing that. I'm sure no hacker will ever figure out a way in through other devices that are connected to both the LAN and the external network...
-
@greybeard said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
green padlock = security
Not so much. Someone was able to get an EV certificate for "Stripe, Inc." for the cost of $177 and two hours of time. They did it by incorporating a "Stripe, Inc." in Kentucky.
That's exactly the problem I was talking about. Seriously, is there a single person in this entire forum that reads what others write?
-
@blakeyrat said in From the people who brought you "referer"...:
But I also disagree that that should be the case. I think there's too many barriers to people communicating their thoughts now. We're talking about a change that adds more barriers.
You have a very pessimistic viewpoint here. Generally, when external regulations of some variety require the existence of something as a part of a product, it ends up becoming a standard feature. ISTM the most likely outcome from all this is that it becomes much easier for ordinary users to get encryption set up.
-
@masonwheeler said in From the people who brought you "referer"...:
@blakeyrat said in From the people who brought you "referer"...:
If it's a site that's hosted on the LAN and firewalled entirely, or literally not even connected to, the Internet at large, it is guaranteed to be secure.
*snicker*
Go ahead, keep believing that. I'm sure no hacker will ever figure out a way in through other devices that are connected to both the LAN and the external network...
You've seen too many Hollywood movies. Perfect security is possible.
-
@gąska That's not Hollywood; that's real-world hacking. Compromising one device and using it as a bridge to new stuff it's connected to has been a mainstay of cyber B&E tactics for decades.
Try reading The Cuckoo's Egg sometime, if you haven't already. It's the true story of an ordinary university sysadmin in the 1980s who found someone in his system, and spent months tracking him back and back through multiple links and networks before finally uncovering the hacker's identity. A lot's changed since then, but there's a lot that hasn't too, and it's one of those books that everyone in our business ought to read.
-
@gąska Not even the institution name is necessarily going to help you. Go to the guy's personal site with Safari and you'll see:
With Chrome, you'll see:
Firefox puts the "US" in parentheses instead of square brackets.
-
@greybeard you're halfway there. You read about company names, but not about cert pinning inside executable. D+.
-
@gąska That is a verified institution, Stripe, Inc. of Kentucky.
Or are you saying the browser makers have to take over the CAs' function, somehow magically being able to tell what is and is not a trustworthy institution?
-
Bitch bitch bitch. Browsers are open source. Make your own.
-
@greybeard yes - especially considering that they already do that for a very limited number of cases (google.com and a bunch of other similarly big websites). That, or make CAs create a new Extra Extended Validation certificate category that would cost a million dollars and would only be available to the biggest of the biggest. A third way is to completely ignore the problem of people blindly trusting everything with a green padlock icon. As a meritocrat, I like the last option the most.
-
Meh. If more sites had switched to https proactively instead of waiting until it's forced down their throat, maybe we wouldn't be in this situation. Let's face it ... it's 2018 and you still occasionally stumble across major sites that will happily transmit fairly sensitive information in plain text. Then there's the whole mess with injecting ads and possibly other content, which https also stops.
-
Can someone clarify for me whether HTTPS blocks client side viruses from fucking with your traffic too?
-
@gąska said in From the people who brought you "referer"...:
@masonwheeler said in From the people who brought you "referer"...:
@blakeyrat said in From the people who brought you "referer"...:
If it's a site that's hosted on the LAN and firewalled entirely, or literally not even connected to, the Internet at large, it is guaranteed to be secure.
*snicker*
Go ahead, keep believing that. I'm sure no hacker will ever figure out a way in through other devices that are connected to both the LAN and the external network...
You've seen too many Hollywood movies. Perfect security is possible.
Of course it is. Just leave the server disconnected from both the network and the power outlet.
-
@dragnslcr the only thing it needs to be disconnected from is a human.
-
@pie_flavor said in From the people who brought you "referer"...:
Can someone clarify for me whether HTTPS blocks client side viruses from fucking with your traffic too?
Presumably a client side process can fuck directly with the browser's memory, so no.
-
@pie_flavor said in From the people who brought you "referer"...:
Can someone clarify for me whether HTTPS blocks client side viruses from fucking with your traffic too?
HTTPS guarantees that the data that the client's network driver received is the same data that the server's network driver sent. It prevents data tampering between the server's network driver and the client's network driver, but nowhere else. Specifically, it DOES NOT prevent data tampering between the client's network driver and the GPU's framebuffer.
Fun fact: just last week I had to explain this to my non-technical dad w.r.t. his bank sending him the recipient's full account number in a wire transfer confirmation text message. He wondered whether it's a waste of time checking these 26 digits.
-
@gąska said in From the people who brought you "referer"...:
HTTPS guarantees that the data that the client's network driver received is the same data that the server's network driver sent.
No, it guarantees that the client process receives the same data that the server process sent. If there's another program on your computer reading network traffic that isn't reading process memory, it can't see what the TLS-encrypted data was.
-
@gąska said in From the people who brought you "referer"...:
You must have missed the hundreds of his "IT'S CURRENT YEAR WHY WE HAVE NO DECENT GRAPHICAL PROGRAMMING SOFTWARE YET" rants.
I'm starting to believe Blakeyrat is like a mirror. People look into Blakeyrat and they see themselves reflected.
I also got this from Pie Flavor on the Discord:
in fact, I flag you as the sort of person who browses with NoScript enabled already
Huh.
Color me bemused.
-
@pie_flavor said in From the people who brought you "referer"...:
because they're an idiot with an FTP client and Word.
You sure are convincing me that this isn't a "high priesthood of technology" issue. Good job.
Personally I think the idiots are the ones at the W3C.
@pie_flavor said in From the people who brought you "referer"...:
Perhaps that could be better communicated. But this is hardly new. Chrome has always displayed HTTPS this way. And you're only just now caring?
Oh good, now we've moved on to "we've always done it this way". Pie Flavor is a treasure trove of stupid moronic arguments today.
-
@gąska said in From the people who brought you "referer"...:
That's exactly the problem I was talking about. Seriously, is there a single person in this entire forum that reads what others write?
Ooh, ooh! I know this one!
No.
-
@gąska said in From the people who brought you "referer"...:
You've seen too many Hollywood movies. Perfect security is possible.
Do not own a computer; do not power it on; and do not use it.
-
@blakeyrat said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
You must have missed the hundreds of his "IT'S CURRENT YEAR WHY WE HAVE NO DECENT GRAPHICAL PROGRAMMING SOFTWARE YET" rants.
I'm starting to believe Blakeyrat is like a mirror. People look into Blakeyrat and they see themselves reflected.
It must be this strange kind of mirror seen only in video games that inverts all colors and shows people in opposite roles to what they actually are - since my dreams are the polar opposite of your dreams: I want regular users as far away from anything even remotely related to programming as possible, and want dev tools devs to exclusively focus on the needs of experienced devs.
-
@ben_lubar said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
HTTPS guarantees that the data that the client's network driver received is the same data that the server's network driver sent.
No, it guarantees that the client process receives the same data that the server process sent. If there's another program on your computer reading network traffic that isn't reading process memory, it can't see what the TLS-encrypted data was.
Assuming malware hasn't injected its own code in place of network library calls and hasn't copied your encryption keys. Though you might argue such malware is part of a process.
-
@gąska said in From the people who brought you "referer"...:
Assuming malware hasn't injected its own code in place of network library calls
TLS is not done by the network driver.
@gąska said in From the people who brought you "referer"...:
and hasn't copied your encryption keys
That cannot be done without reading memory from the process on either end of the connection.
-
@ben_lubar said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
Assuming malware hasn't injected its own code in place of network library calls
TLS is not done by the network driver.
But it's done by a library. Hopefully.
@gąska said in From the people who brought you "referer"...:
and hasn't copied your encryption keys
That cannot be done without reading memory from the process on either end of the connection.
And we're back to this question: is malware that aggressively inserted itself into the address space of a process part of the process?
-
@gąska my point is that malware that cannot interact with your browser process but can interact with your TCP packets cannot read or modify your TLS traffic.
If the malware is running code inside your browser, it is by definition interacting with your browser process.
-
@ben_lubar I just wanted to make a clarification in case some naive reader thinks that TLS makes his process safe from malware.
Also. Malware that can access network traffic but not process memory? Sounds unlikely.
-
@gąska So you're just basically talking out your backside. Not only does cert pinning in code not scale, less technically sophisticated organizations, such as Microsoft, can't even manage domain renewal, much less pinning.
-
@greybeard the only way to keep trust in secure websites is to severely limit them. A nonscalable solution is the goal. It's like university degrees - the moment we started to give them away to everyone, they've lost all meaning.
That's all assuming lack of trust is a real problem worth solving.
-
@greybeard said in From the people who brought you "referer"...:
Not only does cert pinning in code not scale
This site has cert pinning enabled. https://buildmaster.local.lubar.me has cert pinning enabled.
*.lubar.me has strict transport security preloaded by default in all major browsers. It's very simple to set up.
-
@ben_lubar Cert pinning in code.
-
@greybeard code is data
-
@ben_lubar @Gąska posited "with certificates pinned in browser's binary." That does not scale.
-
@greybeard yeah, binary might have been going too far. "Browser distribution" would work as well. Either way, my point is that the process has to be hard and very selective, because otherwise it wouldn't serve its function. Unscalable process is a feature.
-
@gąska said in From the people who brought you "referer"...:
Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.
The general population thinks that icon is a handbag.
-
@gąska said in From the people who brought you "referer"...:
- You don't make websites in Word. You make them in FrontPage.
Word has the ability to create a document and save it as HTML, which absolutely 1000% guarantees that there are people using Word to create web pages.
-
@zemm said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.
The general population thinks that icon is a handbag.
QFT.
-
@cvi said in From the people who brought you "referer"...:
Then there's the whole mess with injecting ads and possibly other content, which https also stops.
Which is a bit of a red herring. Most of the problem with injected ads seems to be done with the participation of the endpoint sites themselves.
-
@gąska said in From the people who brought you "referer"...:
Assuming malware hasn't injected its own code in place of network library calls
Those are actually part of the unsecured channel, and don't need to be trusted much at all. The encryption is done via a higher-level library and is really very good indeed, along with the system for negotiating the keys and ensuring that the client can make a sensible (but machine-readable) statement about the identity of who it is talking to. That machine-readable statement is in a horrible format (an X.509 certificate encoded in a nasty format) so it needs to be presented very carefully to users, and that can trip people up, but it is stupidly difficult to come up with an alternative that is genuinely better at the security layer itself.
-
@gąska said in From the people who brought you "referer"...:
@deadfast my boss was just as baffled as me and the customer's wife.
Maybe your boss was just baffled by your level of restraint?
-
@gąska said in From the people who brought you "referer"...:
"Browser distribution" would work as well. Either way, my point is that the process has to be hard and very selective, because otherwise it wouldn't serve its function. Unscalable process is a feature.
In practice, the deep pinning of the kind you're talking about can only really scale up to the root CAs. They have certificates that are very long lasting and extremely heavily protected on the other end (the private keys are probably kept on isolated systems) and yet their updates are still a PITA. Everything else uses derived certificates, virtually always derived through a chain of other CAs since that greatly simplifies operations. (Basically, a security breach at a CA is bad enough but not actually catastrophic precisely because the private keys of the root certificates aren't available and the operations can be rebuilt.)
It's possible to provide a system in browsers to warn of a site's certificate changing, but I'm not sure how much benefit it provides for anyone not interested in ubernerding over certificate management changes. That'd be like being a trainspotter except for website management. :too_nerdy_for_me:
-
@ben_lubar said in From the people who brought you "referer"...:
no API has ever been disallowed on non-HTTPS sites after being allowed there in a released version of a major browser. They're not going to break existing sites with this.
That is not correct. Chrome and Firefox already have disabled several APIs on insecure origins (e.g. Geolocation, AppCache) and are deprecating/disabling additional ones:
Firefox bug to "https-everything", including a number of APIs being affected
-
@el_heffe said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
- You don't make websites in Word. You make them in FrontPage.
Word has the ability to create a document and save it as HTML, which absolutely 1000% guarantees that there are people using Word to create web pages.
Since my company also runs ~~spam delivery service~~ email advertisement sending network, I can tell you that half of our clients use Word to create their EDM that we re-process to something that can work on mail clients or webmail sites.
-
@blakeyrat said in From the people who brought you "referer"...:
You sure are convincing me that this isn't a "high priesthood of technology" issue. Good job.
What the fuck?
Just to make sure your brain didn't suddenly develop some sort of growth, please confirm that you are in fact saying that in your original example of some idiot with an FTP client and a copy of Word being able to use those two things to create a website, that said idiot would be writing any JS whatsoever, let alone background workers and caching.
-
@gąska said in From the people who brought you "referer"...:
the general public is currently conditioned to look for green padlock specifically.
where have you pulled that ass-umption from? :P in my experience, the general public doesn't even notice the UI.
-
@lorne-kates said in From the people who brought you "referer"...:
Bitch bitch bitch. Browsers are open source. Make your own.
You know, any widget toolkit lets you stick a webview and a textbox to type in URLs inside a window in like 10 minutes. That's 70% of Chrome's interface done.