With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?
Peter Eckersley writes "Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies. Android users should install the Firefox app and then add HTTPS Everywhere to it. iPhone and iPad users will unfortunately have to switch to Android to get this level of security because Apple has locked Mozilla Firefox out of their platforms."
Mixed-mode, beware!
I don't think HTTPS will stop the NSA
Of course they did.. Anyone ever try to get an app on iTunes? The approval team is run by a bunch of dumb Indians who don't know their ass from a hole in the ground. The people above them are even more retarded and don't understand basic software engineering concepts. In fact the entire company is run by "holier than thou" pompous assholes who play god.
It takes literally 5 minutes to deploy an App on Google Play. It takes months to get something on I-tunes.
To All Developers: Stay far away from Apple, and hope they die the overpriced under-powered death they deserve.
To All Developers: Stick with android and urge everyone to throw away their Apple products.
And no I'm not RMS :(
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
It is really so hard to type an S?
HTTPS Everywhere is just a huge crutch for people who are really really lazy.
comment spam on an article about how something is so secure.
Too bad it doesn't have anything for spam bot control.
http://postimg.org/image/ryho8lbfj/
Doesn't mitigate any vulnerabilities already present in the browser. Doesn't add any encryption beyond what's already provided by the web servers.
Honestly.. I liked what the comment spammer said more. Less whine and more vomit..
I think they might be talking about MyCleanPC but I can't be sure.
People most likely don't type HTTP to begin with... I don't type http://facebook.com... just facebook.com. Google.com. slashdot.org. etc...
The S isn't just an extra S...
About 6 months ago the angry Android fanboi above these comments was rearranging his "apartment" in the "lower-level" of his parents home when he got his app rejection notice from Apple for his awesome new game "Flamin' Fowl".. the note contained a remark something to the effect that his app was of less quality than those Chinese knock off apps.
Since then he has withdrawn even more.. he even stopped playing Magic.
I think MyCleanAndroid would have been a better app to flog with this article. Really.. what good does it do to https on your browser when the apps you have are full of holes and barely examined before being placed on the Google Play app store.
It was highly illogical for you to blockquote all of that bullshit, Spock. I am unsure which one of you is the dumber one.
And no I'm not RMS :(
RMS runs Hurd-Mobile OS on his phone.
I will admit that I was skeptical that a piece of software could cure my cancer, bring back my wife and prevent me from beating my daughter but, based on dozens of posts on Slashdot, I'm willing to give it a try.
The above commenter is quite serious about their software fanboi-ism it verges on the realm of being a Linux anti-microsoft zealot.
'Secure' isn't really something where you can just boil it into a number between 1 and 100 and call it a day. If you are worried about attackers sniffing the wire, a plugin that enforces SSL use is a major advantage. If you are worried about being hit with a zero day by the guy on the other end of the wire, it's entirely irrelevant.
Replace the above comment with some drivel about Creationism and it will be just as useful.
NSA has a copy of the private keys as well.
WTF is with the my clean PC BS? Can't the posts be deleted? For the first time I see the death of /. coming around the bend. So sad.
I'm not sure what's worse: the My Clean PC spam, or the hipsters that feel the need to reply to it every chance they can and tell us all about how they use Macs and how wonderful of people they are for doing so.
The NSA likely has keys from all the major SSL cert vendors, rendering this "spamvertisement" moot. HTTPS does not mean that you're secure from everybody. It means you've added a layer of security that will thwart MOST prying eyes, but those that really want to know what you're doing WILL know what you're doing.
What a silly thing to appear on slashdot.
> this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser
> against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.
While I certainly think it is a good idea to encrypt traffic, this statement is highly misleading or naive: since the CA system is *flawed by design* and every one of those "authorities" in the long list of built-in CAs inside your browser can, by negligence or choice, supply any of these and other agencies with a valid certificate for *any hostname in the world*, initiatives like these protect your privacy only from your local sysadmin/ISP, and also do nothing against traffic analysis.

Should a US person/company trust that "China Internet Network Information Center" isn't going to create a cert for a US bank or company to perform a MITM attack with? Should a Chinese company trust "Wells Fargo" not to? Should the Greeks trust "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007", or the Turks "Hellenic Academic and Research Institutions Cert. Authority"? What on earth makes you think ALL of these companies can resist pressures to misbehave? Yet all of them are built in to your browser and "you" trust them.

Just go to any (Cloudflare, Akamai..)-accelerated site using https and check out the certificate used to see how that works: they are issued certificates for the customer domains they accelerate, and hence have access to all the traffic. In essence, they do exactly what a man-in-the-middle attack would do, except on a much grander scale (and with the collusion of the actual domain holders). The agencies can carry out such attacks from within the ISPs, and your browser would still show "green".

The cert validation in the browsers leads to a *dangerous false sense of security* at most. This is crypto, a weakest-link business if ever there was one, folks. It's not ALL, or SOME that need to fail in order for PKI to fail, it's ANY of them.

Surely, we can do better than that: we should get rid of all centralised security illusions. Why aren't we signing contents using our PGP keys, which at least make multiple signers possible and habitual, and, and this is the essential difference, IMHO: that *you* have made a conscious decision to trust or mistrust, to a certain degree, by reviewing a web of trust, as in informed consent as opposed to blind paternalism of massively built-in, pretrusted certificates by distant companies you really have no clue about.
WKR,
-f
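The check that actually addresses the CA problem described in the comment above is public key (SPKI) pinning, shown here as an added example that is not part of the original comment, of HTTPS Everywhere, or of any browser. Chain validation accepts a certificate for a name from any trusted root; a pin instead compares the leaf's SubjectPublicKeyInfo against keys chosen in advance, so a certificate a coerced or negligent CA issues for the same name fails even though it chains to a trusted root, while the site's own renewal under a different CA still passes. Everything below is standard library only. The certificates are constructed inline with hand-built DER (the CA names, the keys and the signatures are fake and nothing verifies them), and `extract_spki` is a minimal parser written for this example; a real certificate's DER, e.g. from `ssl.PEM_cert_to_DER_cert()`, can be passed to the same functions.

```python
"""SPKI pinning check (added example; not EFF, Mozilla or browser code)."""
import base64
import hashlib


def der_tlv(tag, value):
    """Encode one DER tag-length-value element (used to build the constructed certs)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_read(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a SEQUENCE/SET body into (tag, full TLV bytes) children."""
    children, pos = [], 0
    while pos < len(value):
        start = pos
        tag, _, pos = der_read(value, pos)
        children.append((tag, value[start:pos]))
    return children


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    tbsCertificate = [0] version (optional), serial, signatureAlg, issuer,
    validity, subject, subjectPublicKeyInfo, ...
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs_tlv = der_children(cert_body)[0]
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    index = 6 if fields[0][0] == 0xA0 else 5  # explicit [0] version shifts the fields by one
    return fields[index][1]


def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pin(cert_der, pins):
    """True only if the leaf key is one we pinned, whoever issued the certificate."""
    return spki_pin(cert_der) in pins


# --- constructed certificates: fake keys, fake CAs, unsigned ---
OID_EC_PUBKEY = b"\x2a\x86\x48\xce\x3d\x02\x01"       # 1.2.840.10045.2.1
OID_ECDSA_SHA256 = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"
OID_CN = b"\x55\x04\x03"                               # 2.5.4.3 commonName


def name(cn):
    attribute = der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, attribute))


def fake_spki(point_byte):
    """ecPublicKey SPKI whose 'point' is 64 repeated bytes (not a real curve point)."""
    algorithm = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBKEY))
    public_key = der_tlv(0x03, b"\x00" + b"\x04" + bytes([point_byte]) * 64)
    return der_tlv(0x30, algorithm + public_key)


def certificate(issuer_cn, subject_cn, spki_der):
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, der_tlv(0x06, OID_ECDSA_SHA256))
                  + name(issuer_cn) + validity + name(subject_cn) + spki_der)
    signature = der_tlv(0x30, der_tlv(0x06, OID_ECDSA_SHA256)) + der_tlv(0x03, b"\x00" * 9)
    return der_tlv(0x30, tbs + signature)


SITE_KEY = fake_spki(0x11)      # the site's own key
OTHER_KEY = fake_spki(0x22)     # key of a certificate some other CA issued for the same name
LEGIT_CERT = certificate("Example Root CA", "example.com", SITE_KEY)
RENEWED_CERT = certificate("Other Root CA", "example.com", SITE_KEY)  # same key, new issuer
MITM_CERT = certificate("Coerced CA", "example.com", OTHER_KEY)       # same name, wrong key
PINS = {spki_pin(LEGIT_CERT)}

if __name__ == "__main__":
    for label, cert in [("legit", LEGIT_CERT), ("renewed", RENEWED_CERT), ("mitm", MITM_CERT)]:
        print(label, check_pin(cert, PINS))
```

In practice a deployment pins at least two keys (the live one and an offline backup) so a key rotation does not lock users out; that operational caveat is exactly what the comment's PGP-style web of trust would also have to manage.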
Yes, secure connections are pretty useless if you are being tracked all the time anyway.
At "mobile".
Talk to me again when Desktop is in your vocabulary.
So what's with the uber pro-Firefox and Android spiel?
According to the web-site you can get the plug-in for Chrome as well. Albeit beta, but still.
And if that's the case, you can just install Chrome on your Apple device, it's in the itunes store, and install the plugin for it instead.
MyOverpricedUnderpowerdApple.com
goodbye, slashdot.
bye!
wait don't go! have you tried MyCleanPC.. or maybe a https plugin for your mobile browser?
slashdot doesn't do https
Use iptables to block outgoing requests to any port 80. Then decertify all the certs you don't trust (all of them.) Congratulations! Your web browsing experience is now secure!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This is a strong move by the EFF and Mozilla.
wtf is Apple going to do? promise they will offer the same protection?
I hate that Firefox can't get on the Apple App Store, and I like Apple products. But this...this is bullshit.
Will Apple somehow integrate a similar HTTPS into Safari?
Thank you Dave Raggett
seriously if they were trying to troll in order to stifle discussion about this topic, that mycleanPC thing kinda worked...
reminds me of APK...
maybe this is a level 2 deployment of the APK chatbot AI
Thank you Dave Raggett
And no I'm not RMS :(
no need to stipulate that.
For this to work, the site must support https, and a lot of sites don't...
But you might have a reason to reply to a post from a creationist. In this case, parent is just wasting everyone's viewport space.
If you post as an AC, don't expect me to spend a mod point on you.
Requesting sites over HTTPS doesn't do very much if the provider doesn't require Perfect Forward Secrecy. You may request something over SSL, but it is easily discoverable to anyone with a subpoena after-the-fact if it's not PFS.
See http://en.wikipedia.org/wiki/Perfect_forward_secrecy and http://googleonlinesecurity.blogspot.com/2011/11/protecting-data-for-long-term-with.html for more on why.
If you want to talk about secure browsers, it's probably worth noting that with PFS, endpoint compromise is the next best strategy for finding out what you are up to. Given that the server is out of your control, that means owning your machine (probably via the browser). Only IE and Chrome use the most modern sandboxing strategies to make exploitation more difficult. This is a little old but still mostly accurate: http://files.accuvant.com/web/files/AccuvantBrowserSecCompar_FINAL.pdf
dude you are owning this thread. is the plugin compatible with my HOSTS file?
And now the NSA has a single location to wiretap to gather intelligence on a collection of security concerned and tech savvy users
Why no https everywhere for FF on iOS?
In case you don't get it: It's obviously intended to mimic a fake anti-malware product that spams people with ads for itself.
Yes, there is a product by that name, which is called out as a "borderline scam" - though mainly with claims that it does little (removing key-only registry entries), may cause trouble, and buying it can result in a periodic charge to your credit card that is difficult to stop.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
... it gets boring when repeated too often,
With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?
You obviously think it is, so why did you phrase that as a question?
systemd is Roko's Basilisk.
Supporting https everywhere is *not* a sufficient single reason to be called "the most secure browser".
Monocausal interpretations of security are the worst enemy of security.
Firefox most secure? No! No! No!
They don't care about security.
Look at this bug and think again.
While Chrome can connect to a proxy over https, Firefox can't. And won't any time soon, I guess.
Anyone who thinks this will prevent dragnet surveillance is fooling themselves.
So basically all this does is to force HTTPS requests instead of HTTP? (took me a while to find out - gotta love the fact that the "clever technology" link on their site, instead of going to a description of the actual technology, goes to... xkcd?! :) )
I see a few problems with this approach:
1) Not all content is provided over both HTTP and HTTPS. For multiple reasons, one being performance. Which leads us to the second problem...
2) An HTTPS session incurs a significant overhead for encryption. Which may be no problem for someone like Google. But for someone hosting his/her own (moderately successful) website on a small server, it might just overload said server.
3) Quite possibly the biggest problem with HTTPS is the fact that users have been trained over many years to just click "accept/install certificate" on self-signed certs. Not knowing that if you do this you are no longer secure.
And the more we keep forcing HTTPS, the more webmasters will use self-signed certs. Not many people want to go through the hassle of obtaining (and maintaining!) a valid SSL certificate for every single website they run, even if that cert is free. Which will only exacerbate the problem...
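What the extension actually does, as an added example rather than EFF's own code: HTTPS Everywhere ships XML rulesets in which each `ruleset` names `target` hosts, regex `rule` rewrites from the http URL to the https one, and `exclusion` patterns for pages the site cannot serve over HTTPS. A URL is rewritten only when a target matches its host, no exclusion matches, and a rule's `from` regex matches. The rulesets below are constructed for this example (they are not the real Example.com or news rules), and the wildcard-target and rule-application logic is a simplification of the extension's.

```python
"""Ruleset-driven http->https rewriter (added example; not the EFF extension's code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed rulesets in the extension's XML format; not real EFF rules.
RULESETS_XML = r"""
<rulesetlibrary>
  <ruleset name="Example">
    <target host="example.com" />
    <target host="*.example.com" />
    <exclusion pattern="^http://legacy\.example\.com/" />
    <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/" />
    <rule from="^http:" to="https:" />
  </ruleset>
  <ruleset name="News site (partial coverage)">
    <target host="news.example" />
    <rule from="^http://news\.example/(account|login)" to="https://news.example/$1" />
  </ruleset>
</rulesetlibrary>
"""


def js_replacement(to):
    """Rules use JavaScript-style $1 backreferences; Python's re wants \\1."""
    return re.sub(r"\$(\d+)", r"\\\1", to)


class Ruleset:
    def __init__(self, element):
        self.name = element.get("name")
        self.targets = [t.get("host") for t in element.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in element.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), js_replacement(r.get("to")))
                      for r in element.findall("rule")]

    def covers(self, host):
        """Exact host match, or any subdomain for a '*.' target (simplified wildcard)."""
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """The rewritten URL, or None if an exclusion or no rule applies."""
        if any(exclusion.search(url) for exclusion in self.exclusions):
            return None
        for pattern, replacement in self.rules:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1)
        return None


def load_rulesets(xml_text):
    return [Ruleset(element) for element in ET.fromstring(xml_text).iter("ruleset")]


def upgrade(url, rulesets):
    """Apply the first covering ruleset; URLs that are not plain http are left alone."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for ruleset in rulesets:
        if ruleset.covers(host):
            rewritten = ruleset.rewrite(url)
            if rewritten is not None and rewritten.startswith("https://"):
                return rewritten
    return url


RULESETS = load_rulesets(RULESETS_XML)

if __name__ == "__main__":
    for sample in ["http://example.com/login", "http://cdn.example.com/x.css",
                   "http://legacy.example.com/old", "http://news.example/story/1"]:
        print(sample, "->", upgrade(sample, RULESETS))
```

The exclusion list is the mechanism behind the "add exceptions" complaint elsewhere in this thread: a site whose CSS or legacy subdomain breaks over HTTPS gets an exclusion or a partial ruleset rather than a blanket rewrite, which is why the rule files need maintaining.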
Everybody knows RMS doesn't have a phone, he's still trying to assemble his first from open hardware made by happy fairies from StallmanLand(TM).
... whatever
Well, we do government purchase contracts where I work. We tend to buy 100+ of anything (including HP DL servers) a year, and unlike standard "buy and get screwed" deals, governments buy through a services contract.
Guess what I just added to our standard boilerplate? We already required an unlimited 5yr warranty for everything inside the chassis (yes, including HDDs, SSDs and RAID batteries). Now we also require unlimited, lifetime firmware updates. Lifetime we define as "from the time of purchase until a minimum of 5yr after the product has been declared in end-of-life status by the vendor".
If HP doesn't want to sell it that way anymore, we will just buy Lenovo or Dell. Supermicro is out because their firmware team is a two-man operation or something which is still doing things as they were in the '80s.
Well, I have a Mac too. I'd like to know when this "Apple has locked Mozilla Firefox out of their platforms" shit happened, because I was using Mozilla Firefox at home just last night and I went to bed around midnight...
I might have understood if they had said something along the lines of "locked FF out of [some/one] of their platforms" ...or is this yet another reason why I shouldn't "upgrade" to Mavericks??
Work on that bug depends on bug 715905 being patched first. It is already ASSIGNED and if you have ChatZilla you can pester mayhemer about it with the following command:
/at ircs://irc.mozilla.org:6697/mayhemer,isnick?msg=Please%20hurry%20up%20and%20patch%20bug%20715905%20so%20work%20on%20bug%20378637%20can%20proceed
The article is only talking about mobile, and "Mavericks" isn't what Apple have called their mobile platform on iOS. I mean seriously, why would you pick on an added "s" in the summary by incorrectly abbreviating Firefox as "FF" instead of "Fx"?
This is stupid, there's no benefit to using https on many sites. We can understand a security need by thinking about confidentiality, integrity, and availability. If I connect with https to a site which doesn't have my personal data (e.g. news sites) there is no benefit to confidentiality: the site is available to anyone, the info isn't confidential to me. Integrity: without two-way authentication (which https typically doesn't do) there is only a marginal increase in difficulty to compromise the integrity of an http request or response. Why would anyone do that with something like news, though? Availability: https doesn't change anything, probably makes it worse as the site has to negotiate TLS sessions. Accessing sites with personal data (banks, email, Facebook), https is essential. Accessing sites without personal info, such as news, https accomplishes strictly nothing; it's a waste of CPU cycles and the energy that powers them.
HTTPS Everywhere sounds good, but many web sites aren't set up properly and break badly. Using this extension on a mobile device would be a royal pain, trying to add exceptions and fix breakage without a normal browser.
I see a lot of sites which don't implement CSS properly over HTTPS, so their pages look like a disaster because the CSS doesn't load properly. It's like they never test their web sites on anything but default IE installs. Lowest bidder!
is this publicity stunt a sign of some trouble at firefox? otherwise they should be smarter than making stupid claims like this, right?
where is the HTTPS terminated and who holds the keys?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
This does not stop the feds.
They simply go to the isp, hand them an nsl, and have them pipe all traffic into/out of a vpn/ssl anonymizer service through their blackbox, and then follow it to the destination.
You watch all the traffic to somedescent.org, correlated back to the vpn/ssl provider, and using your box in the middle can unmask whoever you want.
You're welcome.
Sincerely,
A former ISP syseng
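The unmasking step the former ISP engineer describes is a flow-correlation attack, and it needs no key material at all. The following is an added example, not the commenter's code or anyone's production tooling, run over constructed flow records: one log from the ISP side (which client talked to the VPN, when, how many bytes) and one from the far side of the VPN (which destination the exit talked to). Each far-side flow is paired with the ISP-side flow that started shortly before it and carried a similar byte count; the two-second window and the 0.8 size ratio are assumptions for this data, not measured values. The padding function at the end shows why size-based correlation is defeated by a padding VPN, while timing still leaks.

```python
"""Flow-correlation sketch over constructed VPN flow logs (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    peer: str      # client address on the ISP side; destination host on the far side
    start: float   # seconds since some epoch
    size: int      # bytes carried by the flow


def correlate(inbound, outbound, window=2.0, min_ratio=0.8):
    """Pair each far-side flow with the closest unmatched ISP-side flow.

    A candidate must have started at most `window` seconds earlier and carry at
    least `min_ratio` of the tunnelled bytes but no more (tunnel overhead only
    adds bytes on the ISP side). Lower score means a closer match.
    """
    pairs, used = [], set()
    for out in sorted(outbound, key=lambda f: f.start):
        best, best_score = None, None
        for index, inn in enumerate(inbound):
            if index in used:
                continue
            offset = out.start - inn.start
            if not 0.0 <= offset <= window:
                continue
            ratio = out.size / inn.size
            if not min_ratio <= ratio <= 1.0:
                continue
            score = offset / window + (1.0 - ratio)
            if best_score is None or score < best_score:
                best, best_score = index, score
        if best is not None:
            used.add(best)
            pairs.append((inbound[best].peer, out.peer, round(best_score, 3)))
    return pairs


def unmask(pairs):
    """Collapse matched pairs into client -> set of destinations."""
    result = {}
    for client, destination, _ in pairs:
        result.setdefault(client, set()).add(destination)
    return result


def pad_sizes(flows, bucket):
    """Countermeasure sketch: what the ISP-side log looks like if the VPN pads
    every flow up to a multiple of `bucket` bytes."""
    return [replace(f, size=-(-f.size // bucket) * bucket) for f in flows]


# Constructed records, not real traffic. ISP side: who talked to the VPN.
INBOUND = [
    Flow("10.0.0.5", 100.0, 48300),
    Flow("10.0.0.9", 100.4, 12050),
    Flow("10.0.0.5", 130.0, 3100),
    Flow("10.0.0.7", 150.0, 9000),
]
# Far side of the VPN: which destination the provider's exit talked to.
OUTBOUND = [
    Flow("somedescent.org", 100.3, 46900),
    Flow("news.example", 100.9, 11600),
    Flow("somedescent.org", 130.2, 2900),
    Flow("mail.example", 200.0, 50000),   # nothing on the ISP side lines up with this
]

if __name__ == "__main__":
    for client, destination, score in correlate(INBOUND, OUTBOUND):
        print(f"{client} -> {destination} (score {score})")
    print("after padding:", correlate(pad_sizes(INBOUND, 65536), OUTBOUND))
```

Real deployments correlate over many flows per client and use packet-level timing rather than one start time, which is why the comment's "follow it to the destination" works even against an honest VPN provider: the provider's key never enters into it.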
The NSA likely has keys from all the major SSL cert vendors [...]
The more we can prevent wholesale collection and analysis the better. Even if the spooks had the private keys, it would still mean they have to spend time/energy decrypting they've just snapped up. This is still worth something, especially relative to them just snapping it up and being able to work on it right away.
Even if they had the private keys, using ECDH and DHE means that they have to spoof and interact with client/s directly.
The more speed bumps we can put in before the analysis process, the more the spooks will have to start focusing on individuals and leave the public-at-large alone.
Noooooooo. This is a wonderful opportunity for iOS sufferers to switch to the Android experience they've been craving. Bonus: Now they have no excuse not to throw their Apple device into a busy roadway and enjoy watching it be ground into dust by 18-wheelers! Win-win-win.
Just want to say thank you
if you see me, smile and say hello.
You need to add them to the Java Control Panel applet exception list. Works for me.
This doesn't work with Slashdot. At least if you put in a https, it redirects, so they have it set up; they just don't use it. You would think that a technology site would be up on current technology.
It is not.
It's actually wrapped back around to advertising. See, they're just trying to camouflage it as "humorous" to get one or two people to think it's funny, haha, cute joke while getting their name out there. The problem is that it's still just advertising. It just requires an extra layer of cynicism to see it for what it is.
as sweet
Or the people who feel the need to start a new comment thread talking about people talking about spamming...
Crap. Now I'm talking about people talking about people talking about spamming.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Betteridge's Law of Headlines finally proven wrong?
Talking about people talking about people talking about people spamming is so 6 comments ago.
That spam is recycled from a few years back, he stopped when folks started making him look too stupid for even him. I wish someone would bitchslap him, and while you're bitchslapping people, bitchslap whoever made this beta bullshit that won't let you log in or change the threshold above -1.
Journaling about it this evening. Why is Dice trying to kill slashdot?
It looks like I can filter the Beta site comments by ranking, but there is then no way to read a parent comment if it doesn't make the cut. This gives me the choice of, read all this CleanPC shit, or not be able to read the low ranked parent of any highly ranked post.
It also appears that the post anonymous feature is gone. Now I'm going to have to completely log out to do that. I'm not impressed with this.
Too many are interpreting "most secure" as "completely secure." Try disproving Firefox w/HTTPS Everywhere as most secure rather than arguing it away as completely secure.
you can't install it yourself on the vast majority of shared hosts - many also don't have SNI enabled and will also require that you use a dedicated IP for the cert which is extra cost there.
SNI support is part of why I switched pineight.com from Go Daddy shared hosting to WebFaction shared hosting. But I think shared hosts don't offer SNI hosting because of the perceived support cost of complaints from users of Internet Explorer for Windows XP. It and Android Browser for Android 2.x are the last two remaining major browsers that don't support SNI. But in two months, Microsoft will stop releasing security updates for Windows XP. At that point, migrating to SNI will make sense because server operators can presume that IE/XP is insecure, especially once computer vandals start deploying client-side MITM through a forever-day exploit in Windows XP. The login form summarizes the Firesheep, SNI, and IE/XP issues and links to a TLS version of the form for users with compatible browsers.
Why do people trust HTTPS? If you are using a company computer or phone it's likely that your machine is already compromised. Our corporate IT has a self-signed CA certificate that they drop on every machine and then issue spoof certificates for any HTTPS site you visit so they can MITM your SSL session. Unless you really know how SSL works, you'd be none the wiser.
I have a website that uses static text so I have no php, perl, databases, etc. if you visit it with forced HTTPS that means that my site will work or my humble server plan will suffer for something that I cannot deliver?
Unfortunately i'm not sure that [end of support] will stop people using [Windows XP].
They will likely stop once enough popular web sites start informing them about the end of support and its ramifications. The message for old IE would look like this, including a subtle dig at the Copyright Term Extension Act:
And the message for old Android Browser would look like this:
I used soap and water to clean my PC of viruses. I had a bit of problem with the mouse and keyboard, because of the layers of dirt from years of fingering the keys, while drinking coffee with the other hand, or eating a "fresh donut".
The mouse was easier, just a problem with the wheel. It too was caked with old icing.
Now my pc works like new. The fins on the cooling heatsinks have no lint, the DVD reader works like new.
And after the equipment dried up, all was well. Ohh, I forgot to mention, I use a VM and Linux.
That's GNU/Hurd-Mobile OS. Have you heard a single word RMS has said?!
Chuuch. Preach. Tabernacle.
I think RequestPolicy is more important for security than https-everywhere.
Unfortunately, the mobile version of NoScript makes page loading extremely buggy and slow, at least in my experience. Once it gets fixed, Firefox for Android + Self Destructing Cookies + HTTPS Everywhere + NoScript + ProxyMobile = best, most secure Android browser.