The ISP can run a proxy which pretends to be the user from the point of view of facebook and pretends to be facebook from the point of view of the user.
Wouldn't work if the user connects directly to https (as in, "enters https URL into address bar" or "has https address bookmarked").
Unfortunately, in the name of the sacrosanct "user friendliness", that's not how most sites work. Most sites ask the user to go to a plain http address, which they then redirect to https. This is vulnerable to a malicious proxy, which just makes sure that that redirect doesn't happen...
However, a properly set up https (i.e. to which the user connects directly) cannot be thwarted in such a fashion, as far as I know.
it is quite possible that just using HTTPS would have thwarted the attack simply because it puts a rather higher technical barrier in place and makes
... probably it would have thwarted the attack in this case, as Tunisia doesn't run its own certification authority, as far as I know. There apparently is a joint CA project between Tunisia and Oman. Thanks to Oman's presence, it would make it more difficult for Tunisia to pull a fast one...
However, many other "less than democratic" regimes, such as China, do run their own certification authorities, which are recognized by the browsers. So plain https would not be a protection.
And even client certificates can be compromised, as the Luxembourgish Luxtrust guys had to experience (they foolishly bought the hardware tokens from France, which then turned out to be backdoored...)
Meaning the calls to always use https actually make sense.
Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.
... which makes it easy to hijack this first step, and unless the user double-checks the URL just before login for https, he will fall for it.
It's scary how easy this is (I once did it for a friend who wanted to spy on his estranged wife), and you don't even need any funny javascript. Just have a proxy that substitutes https://login.service.com/ with http://login.service.com/ and you're set.
This also makes those obnoxiously scary "bad certificate" warnings so pointless: the smart man-in-the-middle will avoid the certificate issue entirely, and just redirect everything to non-encrypted http.
The only solution to this is to make the user aware of the process. Make it explicit that in order to login, you need to go to https://www.facebook.com/ or https://yahoo.com/ . That way, the user is forced to "do the right thing" if he wants to log in, and an interloper will have much more trouble intercepting. Instead of just hacking up a quick proxy perl script, he'll actually have to ask TunisCert to issue a fake certificate...
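Added illustration, not from any of the posts above: a small defender-side check that inspects the response of the plain-http entry hop of a login flow for the property this thread hinges on (that the browser really is sent to an https URL), and additionally for the Strict-Transport-Security header, which tells a browser to skip the http hop on later visits so a rewriting proxy has nothing to rewrite, and for cookies set without the Secure flag. Function names and both sample responses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, *_reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(code), headers

def first_header(headers, name: str) -> str:
    return next((v for k, v in headers if k == name), "")

def audit_login_hop(raw: bytes) -> dict:
    """Report what the unencrypted first hop instructs the browser to do."""
    code, headers = parse_response(raw)
    location = first_header(headers, "location")
    hsts = re.search(r"max-age=(\d+)", first_header(headers, "strict-transport-security"), re.I)
    # Cookies handed out on the http hop without the Secure attribute travel in clear text.
    insecure = [v.split("=", 1)[0] for k, v in headers
                if k == "set-cookie" and not re.search(r";\s*secure\b", v, re.I)]
    return {
        "redirects_to_https": code in REDIRECT_CODES and urlsplit(location).scheme == "https",
        "hsts_max_age": int(hsts.group(1)) if hsts else 0,
        "insecure_cookies": insecure,
    }

def verdict(raw: bytes) -> str:
    f = audit_login_hop(raw)
    if f["redirects_to_https"] and f["hsts_max_age"] > 0 and not f["insecure_cookies"]:
        return "ok"
    return "stripping-exposed"

# Constructed samples: what a correctly configured site answers on port 80,
# and what the browser sees when the redirect has been suppressed in transit.
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://login.example.com/\r\n"
        b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        b"Content-Length: 0\r\n\r\n")
STRIPPED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Set-Cookie: session=abc123; Path=/\r\n"
            b"\r\n<html><form action=\"http://login.example.com/\">...</form></html>")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("stripped", STRIPPED)):
        print(label, verdict(sample), audit_login_hop(sample))
```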
If I were a Terrorist(TM) I'd get a job with a mining company, get a letter from my employer certifying that I handle explosives, and then blow something up.
... and such a job is also very convenient to get any needed supplies...
There are plenty of sharp, smart programmers or techies who are pulling down $150/hour; if this saves them more than 12 minutes, it's arguably a good deal.
But does it even save them time? Either spend 12 minutes in the comfort of their home, or drive downtown, find a parking spot, wait in line, hand the thing in, and same dance again the next day to pick it up.
Are the cryptome operators geeks, or are they not? This incident could have been trivially avoided if they had run Linux Intrusion Detection System. Come on! Of all people, they should have known!
There's a reason most companies that make laptops started renaming them "notebooks", because you shouldn't keep the damned things on your lap.
Do it right. Put them on your lap, but closer to your knees rather than to your crotch.
Oh, and wear long trousers (or pyjamas), not shorts. Not (only) because of the heat, but rather because the fan will otherwise suck in the hair you've got on your legs, and this generates a very weird feeling...
That doesn't mean we need to add yet another warning label to the sea of ignored little red and yellow stickers already covering every product you buy.
Ah, that's what this "Windows" sticker is... a warning label!
should have been doing this ages ago, but yet again, no pressure to do so while supplies were cheap
Indeed, the KOBE trade group (an association of leading electronics manufacturers) have been lobbying for this recycling for years, but were butting against the refusal of the retail sector.
Yeah, it would never dawn on a mining state to be interested in obtaining lithium, Rare Earths, etc. Nor would they or the EPA know how to handle this correctly.
Exactly. If you actually read google's press release about this, you'd know that collateral mining is an integral part of the project.
A much better writeup can be found here
A happy face
http://socuteurl.com/cutesybutt. Yeah, that's what it is, after all!
And this one is quite as well, maybe a little bit too obvious:
http://socuteurl.com/gooseygoopoo
poofyfuzzbutt, hehe... how fitting!
my eyes, goatex ... :(
Don't forget, you've got eyelids.
Use them!
What a Feat, the greens convinced the military to mind the planet!
Oops, now I need to change the passphrase on my luggage.
I simply use 5993. It's so simple that nobody will believe it is my true combination...
(Your wife may of course decide to roast them after you show her the bill.)
Your husband. It's an Apple product after all...
My cousin blames his testicular cancer on ...
Or maybe, he just didn't jack off enough?
they would also be unlikely to respond to a bill with a check.
... or to a check with a bill, if they're British.
choke and die on your pompous cock please and thank you
Do you really think GP is that supple?
Beware: it's not what you might think it is...
goo'gl it!
What a feat, a simple cheesy iPhone app that has pilots quaking in their boots.
Twitter is so out, hip geeks use Google Live instead.