Is the deprecation of insecure HTTP an attack on alternative media?

[Tesla_WTC_Solution]

Paul, sorry for the snark, we've had some real router issues etc lately that prevent certain types of work

it puts us in a bad mood.

[lucidity]

Posted by Hervé (here)

Posted by amor (here)
[...]
.... I have McAfee active and so I do not understand how this virus got through to me.

Get rid of McAfee!

Use Comodo "Free Internet Security."

Or better still... switch to a MAC or Ubuntu (or some other flavour of linux/unix)
then you wont even need a virus checker.

99.99% of all viruses are written for windows.

be happy

lucidity :-)

[ThePythonicCow]

This week's Security Now episode with Steve Gibson sheds some new light on the wider use of https.

Steve spends most of this weeks show on the topic, beginning at 28 min 52 sec

Source: https://youtube.com/watch?v=g3C9PPZbnrI

We are increasingly enabling more powerful and capable client software on the user's computer or smartphone, within the web browser and within other client software. Such complicated, increasingly feature rich, execution environments will always have serious security flaws. To the extent that plain text, unencrypted, html webpages, are allowed to execute in those environments, to that extent, security will always be compromised.

For example, the Great Cannon of China works by replacing a bit of Javascript in http (unencrypted) search results from Baidu, the dominant Chinese search engine, anytime they passed through routers controlled by the Chinese government (the same routers used to implement the Great Wall of China web censor). The replacement Javascript can be used to drive a massive denial of service attack, from hundred's of thousands of end user PC's, simultaneously, against any target designated by the Chinese government, as was done against on March 16, 2015 against GreatFire.org and on March 26 against GitHub. Both the GreatFire and GitHub attacks targeted repositories, https://gitub.com/greatfire and https://github.com/cn-nytimes that provide technology for users who wish to circumvent Chinese government censorship.

The fundamental mechanism used by the Great Cannon of China is a "man in the middle" attack ... altering web pages on the fly as they traversed the Web and happened to pass through a smart router controlled by China. This mechanism depends on the web page being plain text HTML (http), not encrypted SSL (https). Substituting, adding, or removing text in plain text http pages on the fly is trivial, for anyone who controls any router that the page passes through. Encrypting pages as they traverse the web, such as using SSL encryption (https), disables, or at a minimum makes far, far more expensive, any such endeavors.

We have long (well, for the last decade or two, anyway) understood the need to encrypt sensitive data sent over the web, such as the password to our bank account. This stops others from spying on what is sent on the web.

However we now face a second challenge, stopping anyone with man in the middle access (a surprising and increasing variety of untrusted parties, given the increasing complexity of web pages) from executing hostile code on our own computers and smartphones (and increasingly, other devices, such as smart meters on our electric power, smart cars, refrigerators, major appliances, etc, etc.)

In my present view, after listening to Steve Gibson this week, all websites that allow even so much as Javascript must plan to convert to HTTPS, in the coming next few years. Browsers will increasingly force this transition on websites, out of necessity, because they will provide increasingly complex features that execute within the client's browser, hence expose a never ending series of security flaws that expose the client's computer or smartphone to abuse, spying, ransom, or whatever other uninvited activity some "hostile" entity might attempt, whether that be a teenage hacker in his mother's basename or the NSA or Chinese government.

The main browser providers are learning that they simply cannot provide an acceptable level of reliability over http, reasonably secure from hacking, to their user's while at the same time continuing to provide the increasingly sophisticated browser based client interactions that users will prefer, if given the choice. So the browser providers will have to shut off more advanced browser features from being used over http, and deprecate the use of http in order to force web providers to adapt more secure https.

As with any change that involves some centralization of authority (such as, in this case, centralized issuance of browser accepted SSL security certificates), that change creates a new "central control point" that a sufficiently powerful entity can use to further their control over humanity. Perhaps in the next year or two from now, the Project Avalon forum converts to https, and perhaps a few years from that, Avalon pisses off some bastard in power sufficiently and is denied the issuance of a security certificate, making it quite difficult for people to access us. However in my view we must,convert to https (SSL). There is, as usual, no "free lunch", or in this case, no place on this planet that is both (1) worth being and (2) guaranteed secure from the reach of the bastards in power.

Just as the centrally controlled DNS service (which maps URL's such projectavalon.net to IP addresses such as 198.143.158.131) is currently used by some national entities to shut down access to some websites, similarly centrally issued SSL security certificates will no doubt be similarly (ab)used in the future.

The constant struggle between "good" guys, "bad" guys, tyrannical bastards in power and us ordinary humans, guarding our own freedom and well being, will continue.

[ThePythonicCow]

Posted by Paul (here)
The fundamental mechanism used by the Great Cannon of China is a "man in the middle" attack ... altering web pages on the fly as they traversed the Web and happened to pass through a smart router controlled by China. This mechanism depends on the web page being plain text HTML (http), not encrypted SSL (https). Substituting, adding, or removing text in plain text http pages on the fly is trivial, for anyone who controls any router that the page passes through. Encrypting pages as they traverse the web, such as using SSL encryption (https), disables, or at a minimum makes far, far more expensive, any such endeavors.

From one of several sites supporting this conclusion, Google Analyzes China's "Great Cannon" DDoS Attacks:

“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible,” said Niels Provos, distinguished engineer in Google’s Security Team. “This provides further motivation for transitioning the web to encrypted and integrity-protected communication.”

[Ilie Pandia]

Hello,

Interesting post you have here Paul.

I am not yet done with the video, but I've paused to write this.

I find myself in agreement with what you wrote and I would like to add some other things to the mix.

Yes, using a Certificate requires that you get one from a Certificate Authority (CA) that then becomes a central point of power. However, I am sure that many CAs will show up because of the demand, and I have already seen free or very cheap certificates out there that will do the job good enough.

So, why is not everybody creating their own CAs? Well, the simple answer is that if a browser does not support you as a CA then it will deny the certificates that you are issuing. This means that Mozilla, Google (and other browser developers) have even more power by choosing who they trust implicitly. That can be used for "good" to prevent monopoly and centralization of power, or for "bad" to create said monopoly. To be fair, you can install new CAs into your browser but it is not something that most uses know how to do or understand what that is.

Because there is still room for flexibility and I've seen a proliferation of CAs and a drop to almost zero in the cost of simple certificates I assume that "centralization of power" will not really be an issue, but the possibly for abuse remains (same as with DNS).

In the video that Paul posted above, the presenters see now reason why to have Secure HTTP in a site that you only read?! Why secure that?

In my opinion, there are actually two reasons:

1) man in the middle attack: you as the content provider cannot know for sure that you write is actually what the visitor sees. Your content can be intercepted and changed. Sometimes in obvious ways, sometimes in more subtle ways. This can be a very effective tool for silencing (or redirecting) dissent or other "uncomfortable content" without you being the wiser.

2) profiling. If someone intercepts the NON secure requests you make towards say a newspaper, over time they can profile you to learn your interest, political view and sexual orientation. Why? Because in NON secure requests the LINK to the pages you visit is completely visible and super easy to intercept. This is very different with SECURE requests. With Secure requests a third party can see that you visit a website, but NOT what are you looking at there. It's like someone seeing you buy a paper magazine, so they know something there interests you, but they cannot say what pages really interest you.

Because of the above two reasons, I am leaning forward SECURING the web requests by using HTTPS. The costs to do that have dropped significantly in the past few years and (in my estimation) they will continue to drop.

In conclusion I see a lot of benefits (for privacy, content integrity and proper authentication) and only one draw back, albeit a big one: you have to rely on an external Certificate Authority for your site to continue to work.

Q: "Is the deprecation of insecure HTTP an attack on alternative media?"

My answer: we cannot say. There is a real need to secure the connections and traffic. It all depends on what the solution will be and who will control it .

[ThePythonicCow]

Posted by Ilie Pandia (here)
2) profiling.

As I was reading your post in this window, I was sharing with a few others the following link about the UK elections today: Google Search tips Cameron to win election - and Nigel Farage's Ukip will beat Labour and the Liberal Democrats.

So I am figuring that the "profiling" efforts of the bastards in power, and of anyone with sufficient funds to hire a reliable Search Engine Optimization team, are doing just fine, thanks to the enormous success of Google and Baidu.

I doubt that the reduced visibility into the contents of web traffic will significantly impact profiling efforts .

Besides, the meta-data collection efforts are proceeding with much success. Knowing the location and contacts of a billion people is quite enough, without actually reading their drivel (much of which is open anyway, on social media sites such as Twitter, Facebook and Avalon).

[ThePythonicCow]

Posted by Ilie Pandia (here)
There is a real need to secure the connections and traffic. It all depends on what the solution will be and who will control it .

Yes