EFF: Wider Use of HTTPS Could Have Prevented Attack Against GitHub
itwbennett writes The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu. Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub. The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic.
duh. better security == better security.
You cannot tamper with the contents of a HTTPS stream.
But don't be under the illusion that that actually provides security, after all, if you can't MITM, you just need to poison the watering hole.
How will HTTPS help in this situation? The Great Firewall could just as easily act as a MITM attack and still do the exact same attack? Are we even sure it was the firewall and not Baidu themselves?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
https://www.eff.org/deeplinks/...
So basically if China allowed HHTPS a non-Chinese server wouldn't have been DDoS'd.
Like China will give a crap about that.
Lost at C:>. Found at C.
Can HTTPS help when even the certificate is faked? I can barely hold any trust about anything from China these days.
Regular http will be basically dead by 2020.
It will be if setting up an HTTPS and virtual-hosts using HTTPS becomes as easy as setting up a basic HTTP server.
The main issues as the moment is that getting a certificate is complicated, expensive and then dealing with setups is not always straightforward. Now, that is just for a basic Apache server. Create scenarios where you have load balancers, Apache servers serving multiple domain names and applications servers fronted by Apache and you have another set of problems.
HTTPS needs to become easy to setup for anyone, and not just necessary.
I may have missed some of the advances in simplification, so I would welcome any new information here.
Jumpstart the tartan drive.
Is for free cheap enough? https://letsencrypt.org/ Granted, letsencrypt is a few months away, but there are already plenty of other sources available for free domain verified SSL/TLS certificates and have been for quite some time. And it really isn't that difficult to set up as you seem to believe.
...for web sites that are https-capable to start refusing all non-https connections. That might go along way to ensuring the ubiquity of https...
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Sounds like it's time for DANE, http://en.wikipedia.org/wiki/D.... SSL certificates via DNS
Is for free cheap enough? https://letsencrypt.org/
Not if you run a small site that doesn't yet have its own dedicated IPv4 address, and you have to serve older clients that lack support for Server Name Indication, such as Internet Explorer on Windows XP, Android Browser on Android 2.x, and urllib2 on Python 2. SNI-ignorant clients can see only the first certificate on port 443 of a given IP address, not certificates associated with other hostnames on virtual hosting. A subjectAltName certificate works only if all listed hosts share the same owner, and this is unlikely on shared hosting. So you'll have to lease an IPv4 address for your site, and we're pretty much out of those.
www.openssl.com Basic SSL certificates free with an email address, wildcard SSL $59 with proof of address and identity (i.e. passport and 2 recent billing for utilities gas electric water etc) good for 1 year. How difficult could it be?
Exactly.
It is easier to setup a secure SSH server then a HTTPS server. We have the issue of Certs, and the browsers only wanted trusted certs, If you don't go threw the trusted method, then you get scarry Alerts on how such a horrible site owner you are, for not shelling out cash to be on the good guys cert list.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Eh... why support such out of date clients?
WinXP went out of EOL about a year ago. Usage is down to about 16%. And they can use alternative browsers or SSL libraries to deal with SNI. At this point, anyone left on WinXP is not worth the cost of support.
Android 3.0 came out in 2011. Only 7.3% of Android devices run a version older then 4.0.
At some point, you have to draw a line in the sand and say "we will not support that". Those older devices are insecure, don't support modern features, and increase your support and development costs by a large amount. If you can reach 90% of your audience for X cost, trying to reach 99% for X*10 or X*100 is not worth it.
It's the same deal as HTML5. Two years ago? It would have been near-suicide to base your website solely on HTML5. Today? There's no reason not to go 100% HTML5.
SNI support is now widespread enough that you don't need to worry about it.
Wolde you bothe eate your cake, and have your cake?
The main issues as the moment is that getting a certificate is complicated, expensive and then dealing with setups is not always straightforward. Now, that is just for a basic Apache server. Create scenarios where you have load balancers, Apache servers serving multiple domain names and applications servers fronted by Apache and you have another set of problems.
Which could all be mitigiated.
- Free CA (like CACert or StartCom)
- Server Name Indication (serving several virtual domains, each with its own certificate, but all mapping to the same IPv4 address)
- IPv6 (enabling you to assign 1 different address for each virtual domain)
etc.
But that would require work. Lots of it. And rethinking the infrastructure and reorganising it in a way that actually works better and is more forward upgradeable.
So yeah, expect HTTP to day in the 20s...
2120s...
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
And they can use alternative browsers
Can in theory; can't in practice because IT refuses to install them.
or SSL libraries
How do you install an alternate SSL library into an existing application?
Android 3.0 came out in 2011.
Only for tablets. Phones were stuck on 2.3 throughout the entire 3.x series.