Slashdot Mirror
Security Collapse In the HTTPS Market
CowboyRobot writes: HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
OpenSSL's heartbleeed bug was a bug in openssl, a buffer overrun that didn't really have anything to do with ssl. A similar bug in any other server software would be approximately as bad. Where https protocol specified a ping, openssl instead leaked the contents of arbitrary memory locations .
Apple's goto bug was Apple's bug. Again, little to do with the protocol. Ssl/tls/https didn't fail here, the company failed to implement https.
The one "fault" of the protocol in the cited cases could be that it isn't brain-dead simple. Since the standard isn't idiot-proof, idiots can screw it up.
I agree that currently, objectively even if it's uncomfortable to have the government read and log all my electronic communications I'm not *currently* hugely worried about it. I'm much more worried about thieves, etc.
The problem is what's going to happen moving forward? The logical end game, is total surveillance of everything electronic/physical ( with cam, image recognition ) where the police comes knocking on your door because your phone GPS logs and CCTV show that 2 months ago you were in a house that's just been busted for being a drug dealer den. It's all automatic, they just had to tell the datamining tools to flag every single person that came in and out of that house since the drug dealer moved in 4 years ago.
I would like to say it's alarmist and stuff but for example where I live in Canada, Cop cars now have automated license plate scanners. It's all tied to your police file, DMV, ticket, etc. If *anything* is out of order like unpaid plates, broken tail light 2 days ago that you needed to repair, etc it's going to popup a warning that they should check you. I was pulled over ( rightly so ) because I was 2 days late on my driver license, the cop car just happened to be parked on the side of the street and when I drove by it signaled that a car ( with picture ) just drove by with an owner that hadn't renewed his driver license on time. The next step of this, is already in the works,it's going to be total surveillance of all car plates all the time. It's nothing ground breaking but I know where I live it's being worked on, we have a shitload of camera everywhere to monitor traffic, it's just a natural extension of that. They'll just signal in somewhat real time the position of a car the cops want tracker and I imagine at some point they'll extend it to unpaid license plates and stuff. Obviously that system works mostly in urban areas. I can't find the news article about it, but I read about it almost a year ago IIRC.
Most all the responses I see to this story so far are kneejerk response to the summary, not very relevant.