Firefox, again
-
-
The devices don't belong to you and as a result, you have no right to access data to, from or on it.
I am quite sure that some clever lawyer could come up with a form of words for a network connection agreement that allows end users to waive their right to data privacy when connected to that network, and I am equally sure that most users would blithely agree to it for the sake of resumed access to Grumpy Cat.
-
Unlikely. You can sign away your rights so that they can, for instance, have a look at which pages you browsed or whom you wrote an e-mail to.
However, the content is an entirely different matter. There are certain topics which are not merely protected but especially protected, among them stuff like health, political and religious affiliation. The problem is that you simply don't know in advance what the content will be.
As a result, such a scanning process would a) need to be highly regulated, b) have to be very secure (a mere padlock would not suffice) and c) would also need the agreement of the chief privacy officer. And I can tell you from personal experience, that our district's officer would laugh you out of the office if you tried to get him to agree to this.
Especially because we're talking about children and youths, not adults.
-
You can sign away your rights so that they can, for instance, have a look at which pages you browsed or whom you wrote an e-mail to.
However, the content is an entirely different matter.
Unfortunately, the way HTTPS works means that you can't actually enforce inspection of the former by any method that doesn't also give you access to the latter.
If there were some kind of intermediate security level available that allowed network administrators to whitelist and blacklist encrypted content on a per-URL basis, the corporate security case for running blanket MITM against SSL would be much weaker. But there isn't. So we get told to.
I'm in the fortunate position, for the time being, of being able to say no to that. But I can't see it lasting, and that (among other things I don't like about the way the IT industry is headed) is why I'm seriously considering early retirement.
-
If we stopped pretending that an SSL/TLS connection proved you were talking to the right server, we might actually get to a place where you could allow deep SSL inspection while telling users the connection wasn't completely private.
-
That's pretty much the approach I'm currently taking at school, for services like YouTube that insist on being HTTPS-only for no good reason. I spoof DNS locally so that youtube.com resolves to an address inside my LAN, then I provide an HTTP service on port 80 of that address that proxies the HTTPS service on the real youtube.com's port 443. This works because SSL client certs have never really been a thing.
The result is that the user sees a not-secured page and therefore has no expectation of privacy which, given that I'm inspecting and logging all their requests, is exactly as it should be.
If browsers in general make HTTP a second class citizen (and I am completely sure that if Mozilla does this, the others will follow) then this approach is going to become infeasible at some point, which leaves me with the choices of (a) SSL MITM or (b) retirement. And I would certainly take (b) because I think (a) is unethical.
-
The result is that the user sees a not-secured page and therefore has no expectation of privacy which, given that I'm inspecting and logging all their requests, is exactly as it should be.
While that works as an indicator, there's really no way to know where the downgrade occurs which is incredibly problematic from a security standpoint. Browsers can't know, a priori, whether any connection should be encrypted so there's no way to do some form of "WARNING: HERE BE DRAGONS" before the user continues to the site (HSTS + cert pinning kind of does this, but that requires connecting to the site at least once on a known non-compromised connection ...).
There's a couple things that could be done so that you'd at least get to know:
- that the data was unmodified (signature header)
- the identity of the closest SSL endpoint
My only concern is that my current idea for this solution requires loading identity certs into DNSSEC, which just makes DNS reflection even nastier.
-
there's really no way to know where the downgrade occurs which is incredibly problematic from a security standpoint
That's perfectly true, which is why I only use this technique for sites such as YouTube that insist on running over HTTPS for no good reason. Anything that requires a login to be useful from inside the school I leave strictly alone.
I'm not attempting a general solution to the non-inspectability of HTTPS requests, just trying for something that works well enough for the school to get by on.
-
@rad131304 said:
there's really no way to know where the downgrade occurs which is incredibly problematic from a security standpoint
That's perfectly true, which is why I only use this technique for sites such as YouTube that insist on running over HTTPS for no good reason. Anything that requires a login to be useful from inside the school I leave strictly alone.
I'm not attempting a general solution to the non-inspectability of HTTPS requests, just trying for something that works well enough for the school to get by on.
Right, but a malicious proxy (a-la the crapware that Lenovo installed to "improve" their customer's experience) is probably not going to be so responsible. And in your solution, the user doesn't necessarily know they've been downgraded ... we're dealing with normal people – which, if I said were as sharp as a bowling ball, I kind of feel like I'm insulting bowling balls.
Plus if we get to the "all HTTPS utopia" that Mozilla hopes we achieve, there's going to need to be a better solution than the, currently, transparent MITM'd SSL.
-
I'm not attempting a general solution to the non-inspectability of HTTPS requests
Also, this statement confuses me - all HTTPS requests can be inspected by a sufficiently determined government. As said government, all I have to do is to force the ISPs to give me the capability to inspect their wires (like, say, with FISA), then make a "request" to one (or all) of the certificate authorities to provide a valid cert signed by each of their signing certs so I can transparently spoof any transaction, and then "politely" request that they not disclose this request (hi NSL ... I mean NSA).
There's no government anywhere that could acquire that kind of power ....
Filed Under: Think Of The Terrorists!, Think Of The Child Pornographers!
-
all HTTPS requests can be inspected by a sufficiently determined government.
Yeah, but I'm a school netadmin charged with making reasonable efforts to keep pictures of people's junk off school screens and malware out of school computers, not a sufficiently determined government.
-
The SSL/TLS standards actually includes ciphers which include signing but no data encryption. I seem to recall these being deprecated in recent standards, though I can't find any note of it in the RFCs offhand.
-
The SSL/TLS standards actually includes ciphers which include signing but no data encryption. I seem to recall these being deprecated in recent standards, though I can't find any note of it in the RFCs offhand.
IIRC SSL certs are X.509 certs, so you can sign with them if you want. The real issue isn't doing the signing, it's having any confidence in the signature. Relying on the normal SSL/TLS setup mechanism means signatures are just as vulnerable to MITM attacks as the encryption.
-
True. Still, my main point is that you could use SSL for signing without encryption, and in this case no MITM certificates would be required, though you'd still need a proxy to block encrypted ciphers.
-
Ah, I thought you were talking about something different.
-
Relying on the normal SSL/TLS setup mechanism means signatures are just as vulnerable to MITM attacks as the encryption.
That was always the complicated part with secure communication (once we figured out strong enough basic crypto algorithms). Identifying the other party is a non-trivial challenge, as one crypto key looks very much like any other. The techniques that have been developed (direct pinning, web-of-trust and certificate authorities) all have their down-sides, though a private CA is pretty strong in practice provided you're only working with a relatively small number of parties.
-
for services like YouTube that insist on being HTTPS-only for no good reason
The reason is people kept stealing their users' passwords/sessions.
-
I don't mind it insisting on being HTTPS if there is a good reason, such as that you're logging on or logged on. But it works just fine without being logged onto as well, and there is no reason I can think of why that shouldn't run over HTTP if that's what the browser asks it to do.
-
Believe it or not, YouTube is banned in some countries, HTTPS-only makes MITM attack on unsuspecting users harder, or at least harder to snoop on what they watch.
-
Again, I have no objection at all to the availability of YouTube over HTTPS. It's the unavailability over HTTP I find bothersome.
-
If HTTP is an option, people (in those countries or using a rogue ISP or connected to a fake BTS) get MITM attacked easier, so it is for their sake everyone gets the HTTPS-only option.
IOW, having HTTP makes attack easier. For example in a simplistic scenario, lets say I embed a YouTube video in my HTTPS website, if user has switched off mixed content warnings (just to see the cute cat before) suddenly he is vulnerable.
Even if you think about an API for the web (end-to-end), the weakest link is the vulnerable point and HTTP is weak, a reminiscent of the time plain text passwords were good enough.
-
Scenario: you're sitting on a Greyhound bus, or riding goat class in an airliner, and you have a sudden hankering for Grumpy Cat. You pull out your device and connect to the only available SSID. You're taken to a landing page. There is a box in the middle with a bunch of boilerplate legalese and a big Agree button. You click the Agree button. Your browser prompts you for permission to install a new certificate.
What do you do?
What does Mozilla's most advanced user do?
-
Yes, I am aware of ID-10T type of errors.
If the cat is very grumpy, and I have to like a video on YouTube app (not in a web page) to save him, then I most certainly go the extra length. Unaware that the Greyhound dog overlords have a grudge against cats and MITM attack the Youtube app, the app meanwhile is all happy to get the contents through a CDN that is connected to HTTP version of YouTube but behind the scenes attributes all the likes for the dogs. I am sure this scenario itself is not easy, just easier when API has a 30 year-old back door.
Just to be clear: I am not for Mozilla forcing HTTPS on everyone (instead they should do what DDG does and automatically select the secure version when possible). However, YouTube and other content providers serving HTTPS-only makes perfect sense and is a different thing.
-
then I most certainly go the extra length.
Congratulations. Your browser now trusts a new root certificate that the WAP you just connected to, as well as every other WAP on every other transport system you ever ride, can use to validate the spoofed certs they'll use to MITM every HTTPS connection you ever make.
-
The app is not a browser, it either shows the cat or not and there would be no indication of whether it comes from a secure connection or the dogs server in Russia.
-
What does Mozilla's most advanced user do?
One of the others:
“I prefer the older version because it allows me to see advertisements that I could actually be interested in and I can also see screen shots of videos and games or they can load without me having to click on them.” -P8Same idiot:
“It forces me to have to click on the advertisements and videos without knowing exactly I am clicking on.” -P8Conclusions in the report:
Potential Interpretations
- Users like ads
- Users want to see what is being “covered” by the CTP UI, and thus click on ads and target content indiscriminately
-
That's like finding a unicorn. Some marketing guy probably had a seizure reading that.
-
Here's the repro! This fucking thread.
227/227
Press HOME
147/227Press HOME again
126/227Press END
"suggested threads"Press HOME
107/227DISCOURSE!
-
WOMM
NO_REPRO
-
-
-
-
That comic is very offensive to people who don't like numbers to appear in a comic more times than the number's own value.
-
Which number?
2appears once and167801appears twice. Does not seem like a problem to me.
-
it's XKCD. Usages of the comic need not be relevant, just as complaints about references to the comic need not be relevant.
-
Which number? 2 appears once and 167801 appears twice. Does not seem like a problem to me.
I don't even see the 167801. All I see is 1, 6, 7.
Filed Under: [url="#"]Alternate joke: something about a different base number ha ha?[/url]
-
it's XKCD. Usages of the comic need not be relevant, just as complaints about references to the comic need not be relevant.
Personally, I feel this one would have been way more appropriate:
[img]http://sevenseventeen.ca/xkcd.php[/img]
-
@Lorne_Kates said:
Personally, I feel this one would have been way more appropriate:
that's the thing about XKCD. there's so many to choose from!
-
That was taking a while to load and it had a .php extension, so I figured I'd take a peek at the HTTP response via the developer tools.
TIL I learned Firefox can display images down there:
-
Wow. Welcome to like 7 years ago.
-
Sheeeit. 42 broke "Tree Style Tab." It shows only the first tab somehow. Anyone know of something similar that still works?
-
-
LIAR
$ aptitude search edge p hedgewars - Funny turn-based artillery game, featuring fighting Hedgehogs! p hedgewars:i386 - Funny turn-based artillery game, featuring fighting Hedgehogs! p hedgewars-data - Data files for hedgewars p hledger - command-line double-entry accounting program p hledger:i386 - command-line double-entry accounting program p hledger-interest - interest computing for (h)ledger p hledger-interest:i386 - interest computing for (h)ledger p hledger-web - web interface for the hledger accounting tool p hledger-web:i386 - web interface for the hledger accounting tool p kernel-wedge - udeb package builder for Debian-Installer p knowledgeroot - web-based knowledgebase system p ledger - command-line double-entry accounting program p ledger:i386 - command-line double-entry accounting program p ledgersmb - financial accounting and ERP program p libghc-hledger-dev - CLI libraries for hledger p libghc-hledger-dev:i386 - CLI libraries for hledger v libghc-hledger-dev-0.22-28e53:i386 - v libghc-hledger-dev-0.22-f9fec - p libghc-hledger-doc - CLI libraries for hledger; documentation p libghc-hledger-lib-dev - core data types, parsers and utilities for the hledger accounting tool p libghc-hledger-lib-dev:i386 - core data types, parsers and utilities for the hledger accounting tool v libghc-hledger-lib-dev-0.22-2fc1f - v libghc-hledger-lib-dev-0.22-3191d:i386 - p libghc-hledger-lib-doc - core data types, parsers and utilities for hledger; documentation p libghc-hledger-lib-prof - core data types, parsers and utilities for hledger; profiling libraries p libghc-hledger-lib-prof:i386 - core data types, parsers and utilities for hledger; profiling libraries v libghc-hledger-lib-prof-0.22-2fc1f - v libghc-hledger-lib-prof-0.22-3191d:i386 - p libghc-hledger-prof - CLI libraries for hledger; profiling libraries p libghc-hledger-prof:i386 - CLI libraries for hledger; profiling libraries v libghc-hledger-prof-0.22-28e53:i386 - v libghc-hledger-prof-0.22-f9fec - p libvtkedge - Library of advanced visualization and data processing techniques - runtime p libvtkedge:i386 - Library of advanced visualization and data processing techniques - runtime p libvtkedge-dev - Library of advanced visualization and data processing techniques - developmen p libvtkedge-dev:i386 - Library of advanced visualization and data processing techniques - developmen p python-feedgenerator - Syndication feed generation library p r-bioc-edger - Empirical analysis of digital gene expression data in R p r-bioc-edger:i386 - Empirical analysis of digital gene expression data in R p sql-ledger - Web based double-entry accounting program
-
WOMM
-
There are pre-release versions of Tree-Style Tab, Tab Tree, and Tab Mix Plus that seem to work, if you're willing to go to AMO and hit the pre-release button.
-
...is it bad that I wondered what version of Firefox I had installed, so I:
- Clicked the Toaster
- Clicked "Help and about"
- Clicked "About Google Chrome"
- Facepalmed.
Don't ask me how I managed to forget I changed my primary browser at work to Chrome.
-
Aaaand... 43 removed the Old Search UI.
I mean it was removed around FF36, but you could set a flag to restore it in about:config.
Now the config setting is still there, but ineffective, and you get the New Search UI anyway.
So I filed my complaint, I don't know how much they read those:
Mozilla Connect
Share product feedback, submit ideas for new features, and help shape future releases.
Firefox 43 removed the old search UI. I don't want to invest time to
learn the new UI. I have the layout, the clicks and the shortcuts
memorised for the old one.I know I can restore the old search UI with Classic Theme Restorer,
but that one comes with a myriad of options, and I, for example,
couldn't find how to remove a bookmarks button that it added, that
didn't even do anything when clicked. I don't want to invest time
learning Classic Theme Restorer either.I want a solution to restore the old search UI with either a
configuration flag as before, or with installing a single addon that
does exactly this and nothing else.Until that happens, I'm sticking to Firefox 42. 42 is a good number too.
-
The icon on the new search bar is a magnifying lens.
Because why would you want to know what search engine is currently active?
-
And it disabled my own, unpacked, not even under my profile directory, extension because "it could not be verified for use in Firefox". Had to set
xpinstall.signatures.requiredto false, because apparently it's all or nothing.Goddammit.
-
Also, when there's a search engine in the currently visited page that can
be added, the magnifying lens gets something like a green + sign next to
it. That makes it look just like one of those crapware search toolbars
that override your search engine such as Ask or Conduit.
