Safari Tests 'Not Secure' Warning For Unencrypted Websites (cnet.com)
Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.
Do we really need SSL on everything?
I've pre-paid for a few years on a shared-hosting plan. Since I don't have a dedicated IP address, that means my little blog doesn't have an SSL certificate. I've got 2-factor authentication turned on, so I'm not super-worried about credentials being intercepted... is there anything else I really need to worry about?
Silicon & Charybdis McLuhan Kildall Papert Kay
This is some great performance art. It almost reaches GNAA level.
Classic seeing ZIP \ Zach squirm unable to back his bs eating his words foot in his mouth ramming them down with a bitter taste of SELF-defeat his big mouth bit off more than it could chew impersonating apk, attacking him and failing hugely https://tech.slashdot.org/comm... and saying he is a better programmer but with nothing to show for himself. ZIP is on the receiving end of his big mouth. Poetic justice. What goes around comes around and now Zach's on the receiving end getting what he dished out and can't take eating crow and his words he can't back up.
I don't see why a self-signed certificate gets a warning but HTTP doesn't; it is no less secure. An icon saying it is less secure should be enough (say you may not be going to the site you expect). It is really annoying that you have to pay someone a recurring fee just to add a little security. Even worse for routers that don't have a DNS entry: you have to start managing your own certificates.
Coming soon to a device near you:
- Attempt to access an Unencrypted / Self-Signed site? 452: Unavailable for Browser Developer's Personal Belief Reasons. (Extended Info: The request was valid, but the browser's developers have refused to provide support for it.)
- Bypass 452? 453: ISP Bundle Upgrade Required. (Extended Info: The request was valid, but your ISP has refused to carry the packets because you have not subscribed to the service tier the site belongs to. Contact your ISP for more information.)
For your protection of course. You wouldn't want to access a bad site now would you? Let us protect you from it. After all we know what's best for you.
I was about to complain about local devices, like my NAS, before I discovered that I can set up a self-signed cert for its local domain in a few clicks.
How easy is it to add an exception on your mobile and set-top devices in order to use a self-signed certificate? I seem to remember reading that some game consoles and streaming boxes didn't allow clicking through the unknown issuer exception interstitial.
SSL also helps to prevent modification of data in transit.
So would a signing-only cipher suite. Signing-only would also have the advantage, as Strider- points out, of allowing an ISP to run a caching proxy for its subscribers to use.
Have they fixed this problem? As I recall, the httpd would have to furnish the certificate before the client even sent the Host header.
That's why the client sends the hostname in cleartext as part of the ClientHello message when it opens a connection. Firefox, Edge, Chrome, and Safari all send Server Name Indication (SNI) in the TLS handshake, as does Internet Explorer on all supported Windows operating systems. The last major web browsers not to support SNI were Internet Explorer on Windows XP (whose extended support ended four and a half years ago) and Android Browser on Android 2.x. Does your site get a lot of page views from those ancient, unsupported browsers?
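To make the point above concrete, here is an added example (not code from the thread) that builds a minimal TLS 1.2 ClientHello with a Server Name Indication extension and then reads the hostname back out of the raw bytes without any key material. The record layout follows RFC 5246 and RFC 6066; the hostname, random bytes and cipher-suite list are constructed sample values. A defender can use the same parser on a captured first packet to confirm what is visible to anyone on the path before the server has sent its certificate.

```python
"""Added example: construct a TLS 1.2 ClientHello carrying SNI and parse the
hostname back out, to show that SNI travels in cleartext before any
certificate is exchanged.  All byte values are constructed here."""
import struct

SNI_EXTENSION_TYPE = 0x0000        # RFC 6066 server_name extension
HANDSHAKE_CLIENT_HELLO = 0x01      # HandshakeType client_hello
RECORD_HANDSHAKE = 0x16            # ContentType handshake


def build_client_hello(hostname: str, cipher_suites=(0xC02F, 0xC030)) -> bytes:
    """Build a minimal ClientHello record whose only extension is SNI.
    The 32-byte random is all zeros and the session id is empty (sample values)."""
    name = hostname.encode("ascii")
    # ServerName = name_type(1, 0 = host_name) + length(2) + the name itself
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(extension)) + extension

    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version = TLS 1.2
        + bytes(32)                                   # random (constructed: zeros)
        + b"\x00"                                     # session_id length = 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if the bytes are not a ClientHello, are truncated, or
    carry no SNI.  No decryption is involved: the field is plaintext."""
    try:
        if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            return None                               # truncated handshake
        pos = 2 + 32                                  # skip client_version, random
        sid_len = body[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len         # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            p = 2                                     # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                    # host_name
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (struct.error, IndexError):
        return None                                   # malformed input


if __name__ == "__main__":
    hello = build_client_hello("blog.example.net")    # constructed hostname
    print("hostname readable on the wire:", extract_sni(hello))
```

Feeding the first TLS record of a real capture to extract_sni gives the same answer a passive observer gets; that is exactly why SNI resolves the virtual-hosting problem raised above, and also why SNI is not a privacy feature.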
I don't see why a self-signed certificate gets a warning but HTTP doesn't; it is no less secure.
A self-signed certificate gives a false sense of security, whereas the http: scheme gives a true sense of insecurity. A true sense is better than a false sense.
It is really annoying that you have to pay someone a recurring fee just to add a little security.
Every domain name registrant is entitled to a reasonable number of certificates from Let's Encrypt without charge. Or by "someone" do you refer to Gandi, Namecheap, Amazon Route 53, and other domain name registrars?
What you are saying is like saying that since you downloaded a piece of software through SSL, you are safe enough and you don't need to check the signature.
Every connection you make to a TLS server is signed by that server. Are you assuming an attack model that involves tampering with the downloadable software before it even reaches the server?
Furthermore, encryption is a weak way to guarantee that content hasn't been altered compared to signing.
A form of signing is implicit in TLS, as it uses a message authentication code (MAC) to detect tampering with a packet's ciphertext. Older cipher suites in TLS separate the MAC and encryption into two steps; newer ones use authenticated encryption with associated data (AEAD), which bakes MAC into the cipher's mode.
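An added example (not from the thread) of the point just made: encryption on its own does not detect alteration, while a MAC computed over the ciphertext does. The cipher here is a deliberately simple construction, a counter-mode keystream derived with HMAC-SHA256 and XORed into the message, used only so the example runs on the standard library; the keys, nonce and message are constructed sample values, and the encrypt-then-MAC composition stands in for what TLS's older suites did in two steps and AEAD modes now do in one.

```python
"""Added example: stream encryption alone is malleable; encrypt-then-MAC
detects in-transit changes.  Toy cipher for illustration, not for use."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality without integrity: XOR data with the keystream.
    XOR is its own inverse, so the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


decrypt_only = encrypt_only


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC(mac_key, nonce || ciphertext)."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    """Check the tag in constant time before decrypting; None means the
    message was altered (or truncated) in transit."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def corrupt_in_transit(wire: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path change to the bytes at `offset`.  With a stream
    cipher, XORing old ^ new into the ciphertext turns plaintext `old`
    into `new` without any key, which is what the MAC has to catch."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytearray(wire)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)


if __name__ == "__main__":
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, bytes(12)   # constructed keys
    msg = b"amount=100"                                         # constructed message
    ct = encrypt_only(enc_key, nonce, msg)
    bad = corrupt_in_transit(ct, 7, b"100", b"999")
    print("encryption only, after corruption:", decrypt_only(enc_key, nonce, bad))
    sealed = seal(enc_key, mac_key, nonce, msg)
    bad_sealed = corrupt_in_transit(sealed, 7, b"100", b"999")
    print("encrypt-then-MAC, after corruption:", open_sealed(enc_key, mac_key, nonce, bad_sealed))
```

The first print shows the altered value decrypting cleanly, which is the failure mode the comment above describes; the second returns None because the tag no longer verifies. The tag check uses hmac.compare_digest so that a mismatch is not revealed byte by byte through timing.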
I have been talking about it for over a decade probably: if you want real security (anonymity) on the web you have to stop treating self-signed certificates worse than plain HTTP. The amount of hate (follow the links and read the threads) was through the roof, but it only takes what, about a decade for something 'radical' to become mainstream?
You can't handle the truth.
It should also warn if it detects corp MITM with forged root CA and wildcard certs.
I do not understand why Apple neglects Safari's development so much. It is years behind Chrome, and the only reason why its market share is still that high is probably that iOS users simply have no alternative.
If you ever tried to get involved in the development process of WebKit you will soon understand why Safari has become the worst browser around. I posted a couple of bug reports over the last few months and the reaction I got was zero, absolutely nothing. During the same period I wrote some bug reports for Chromium and Firefox, and about half of the bugs were fixed; on the others there usually was a brief discussion. Screw WebKit, I will no longer write bug reports because it obviously is just a waste of time.
Signature deleted by lameness filter.
Surely we can come up with a solution that actually works and does not make the web an expensive pain in the butt for individuals and small businesses.
The certificate stuff is a scam. There's no reason the protocols used need to use a server and expensive certs, or some server on the web that will generate free certs but only with certain conditions and only with short lifetimes etc.
Anybody can set up a simple web site using normal HTTP, but setting up an HTTPS site is a hassle and it costs a ridiculous amount of time and money.
With QUIC on the way and HTTP3 on the horizon, we need an encryption scheme that is on by default on any web server and that does not require certificates - just the encryption. If some people want some cert authority to supposedly prove that a site is actually what it says it is, then make that an optional thing aside from the encryption.
Then and only then should web browsers freak out users by claiming that an unencrypted site is not safe to use.
Short of that, this reeks of a scheme to further squeeze out small sites and encourage most users to stick with the tech giants for everything, which is funny given that some of these tech giants have been the worst abusers of user safety and privacy.
As smartphones' navigators do not update their root certs, slowly over time they become unable to browse the web. See for example Android's default web browser.
Then after two or three years, mechanically, the phone becomes unusable and people have to switch. Wonderful world I tell you!
So what you're saying is that we need content validation without full encryption for most things. This is how Windows Update works (and, I think, Apple's updates). Hashes of the packages are transferred securely, while the bulk data is in the clear. This allows the data to be verified, while still permitting caching to work.
This is available as "Subresource Integrity":
* https://en.wikipedia.org/wiki/Subresource_Integrity
* https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
While it protects against in-flight altering, it also prevents resource alteration on CDNs.
I was disappointed that RFC 2817's opportunistic encryption was never deployed:
* https://en.wikipedia.org/wiki/HTTP/1.1_Upgrade_header
Each HTTP server could have a self-signed cert and while there was no authentication, it at least encrypted all traffic, which would prevent passive collection of traffic via 'tapping glass' like the NSA did in Room 621A:
* https://en.wikipedia.org/wiki/Room_641A
Certainly not 'good enough' for protecting login credentials, but certainly useful for surfing YouTube and raising the bar on the resources needed for a digital eavesdropper to monitor everything and perhaps forcing them to be more focused.
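As an added example (not code from either of the posts above), here is the Subresource Integrity check in plain Python: the page author computes an integrity value from the exact bytes it will reference, and the browser-side check recomputes the digest on whatever it fetched, honouring only the strongest algorithm listed, exactly as the SRI spec describes. The script bodies, URL and values are constructed for the example. This is the "hashes over a trusted channel, bulk data over any channel" pattern the reply above attributes to Windows Update, and it also illustrates the CDN caveat: a resource that is legitimately updated in place on the CDN will fail the check until the referencing page is updated too.

```python
"""Added example: compute and verify Subresource Integrity (SRI) metadata
as a browser would.  Content, URL and hashes below are constructed."""
import base64
import hashlib
import hmac

# Ordered weakest to strongest; the browser only considers the strongest
# algorithm that appears in the integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for `content`: '<algo>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Browser-side check of fetched bytes against an integrity attribute.

    The attribute may hold several space-separated tokens; unknown algorithms
    are ignored, option suffixes after '?' are dropped, and the content
    passes if it matches any digest of the strongest algorithm present.
    With no parseable metadata at all the spec says the load proceeds."""
    candidates = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        value = value.split("?", 1)[0]
        if algo in SRI_ALGORITHMS and value:
            candidates.setdefault(algo, set()).add(value)
    if not candidates:
        return True
    strongest = max(candidates, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in candidates[strongest])


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit the <script> element a page author would publish for `content`.
    crossorigin is required for SRI on cross-origin (e.g. CDN) resources."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    published = b"window.greet = function () { return 'hi'; };"   # constructed script body
    tag = script_tag("https://cdn.example.invalid/greet.js", published)  # constructed URL
    print(tag)
    print("unchanged copy passes:", sri_verify(published, sri_digest(published)))
    # The CDN (or an on-path box) served different bytes: load is refused.
    served = published + b"\n// cache-buster comment"
    print("altered copy passes:", sri_verify(served, sri_digest(published)))
```

Because the decision depends only on the bytes and the published digest, caching proxies along the path can still serve the resource; what they cannot do is change it unnoticed. The flip side, as noted above, is that every legitimate change on the CDN has to be mirrored by a new integrity value in the page.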
How do you make sure a malicious actor will not serve the old content on purpose
If you're using a signing-only scheme for long-lived bulk data, each version has a different URL. Then the index file, which was transmitted separately using a replay-resistant scheme, indicates that a different URL is the newest version of the file.
that "trust" requires an expensive cert and a third computer in the loop (the server which is inexplicably presumed to be trustworthy even though there is no cert for it being verified by some other (fourth?) server, which would of course need a cert verified by some (fifth?) server, etc.).
In fact, who said that this current scheme/scam provides ANY true confidence and security?
The old line "who died and made YOU king?" comes to mind. We're all just supposed to trust the servers that the web browser makers decide to trust? Who validates these servers and their certs? What if THEY decide to start discriminating, even using non-technical reasons like perhaps politics, or pressure from their local governments, or from big important corporations?
What's required is a new scheme that ditches all this fake confidence. The new scheme should allow users to "sneakernet" certs and keys too... so a private business concern or members of an extended family, for example, could exchange digital certs in-person or via snail mail (like on USB keys) which would then be used on each end of the digital communications without the use of some 3rd party server.
See how STUPID "ZIP" (Zach Patterson) the CHIMP is (tried to take credit for what I solved before him) https://tech.slashdot.org/comm... (he needs to LEARN TO READ)!
I even SHOW ways to do it YOURSELF https://tech.slashdot.org/comm... (he couldn't).
Delphi/FreePascal/ObjectPascal HAS no issue w/ null-term'd string buffer overflows - C does, C++ can UNLESS you do what I said 1st loser.
Tell us about CODE SIGNING (which has been STOLEN & ABUSED) https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen...
"I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082) FROM https://yro.slashdot.org/comme...
BIG TALK - Yet ZIP has nothing to show in programs. I can https://news.slashdot.org/comm... from registered /.ers liking/using/praising my work (& 100k users worldwide too). He can't.
LIAR ZIP says he has no account "I don't have an account, so I don't have mod points" https://news.slashdot.org/comm...
Yet LIAR ZIP says he downmods my posts (IMPOSSIBLE MINUS AN ACCOUNT on /.): "I down-modded a few of your post on other threads" - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058) FROM https://yro.slashdot.org/comme...
APK
P.S.=> KEEP IMPERSONATING ME CHIMP - this comes out every time, lol!... apk
You said it ZIP: Where's your work everyone can see/use? It's not. It's HOTAIRWARE/NOTWARE (lol) "I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082) FROM https://yro.slashdot.org/comme...
The BETTER PROGRAMMER w/ no programs, lol - @ least you can say your "code" has NO BUGS - of course, it also does ZERO (like you) since it does nothing @ all, lol!
You hotair BLOWHARD talker, lol!
You f'd up ZIP https://tech.slashdot.org/comm...
Yet 100,000++ users of my ware & dozens of even REGISTERED /.ers like/use/praise MY work https://news.slashdot.org/comm... vs. your HOTAIR talk punk!
* LMAO!
(Let's see how YOU take it when I publicly SHIT ALL OVER YOU by letting FACTS of YOUR FUCKUPS vs. ME https://science.slashdot.org/c... do the job for me)
APK
P.S.=> You STUPID & LAZY all talk chimpanzee - KEEP IMPERSONATING me - I'll expose your BLOWHARD INCOMPETENCE publicly, lol... apk