- This topic has 8 replies, 5 voices, and was last updated 8 years, 1 month ago by moneymaker.
September 22, 2016 at 6:34 PM #22134
September 22, 2016 at 6:46 PM #801461 spdrun Participant
Unnecessarily alarmist. It’s only an issue if you’re sending info or viewing private info, not just viewing public info.
September 22, 2016 at 6:55 PM #801462 moneymaker Participant
I’m surprised to hear you say that spdrun because I thought you were all about privacy. Even redfin is secure now which is why it doesn’t load from piggington anymore. The only thing secure on the site is the google link that counts visits. You might want to read the linked article; starting in Jan 2017 you will be warned about the site not being secure. I’m not a programmer but I do notice trends when I see them.
September 22, 2016 at 7:03 PM #801463 spdrun Participant
If you’re reading email online, it should absolutely be encrypted via SSL at minimum. If you’re viewing confidential information, same. If you’re viewing a basic informational website with minimal interaction, WGAS?
September 23, 2016 at 1:59 PM #801496 Rich Toscano Keymaster
Thanks for the heads up. Spd is right, in the case of pigg, there isn’t much sensitive information going back and forth — but still, this is something I’ve been meaning to get to for a while. So this will kick my butt into finally doing it!
September 23, 2016 at 2:22 PM #801497 afx114 Participant
[quote=spdrun]Unnecessarily alarmist. It’s only an issue if you’re sending info or viewing private info, not just viewing public info.[/quote]
Not true. Someone in between you and a non-encrypted site can modify the code in any way they see fit, including injecting ads, or worse, malware/keyloggers/etc. Any public wifi is susceptible to this if you’re not viewing encrypted content.
How do you know that this or any non-SSL site hasn’t been modified between the data center and your browser? You don’t. Because it’s not encrypted.
See:
- Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
- Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Middlemen can’t modify encrypted content, which is why you need SSL even on “public” sites.
SSL certs are basically free now (https://letsencrypt.org/) and all technical arguments against them (take up CPU cycles, browsers don’t support them) are irrelevant on today’s hardware/browsers.
Basically:
September 23, 2016 at 2:26 PM #801498 Rich Toscano Keymaster
That picture is from my webcam as I try to figure out how to encrypt the site 😉
September 23, 2016 at 7:53 PM #801505 ucodegen Participant
[quote=afx114]
Not true. Someone in between you and a non-encrypted site can modify the code in any way they see fit, including injecting ads, or worse, malware/keyloggers/etc. Any public wifi is susceptible to this if you’re not viewing encrypted content.[/quote]
Yes and no. It requires guessing the random number sequence used in TCP/IP. Some systems create a more ‘guessable’ number than others. On the other hand, if it is a true man in the middle (not WiFi) then they can because they catch the packet (preventing it from going to you) then spit out the replacement – copying the sequence from the packet that they caught. Wifi – has to guess and inject sequence numbers because you will receive the valid packet and the injected packets.
That said, non-encrypted on public WiFi – means that you are working ‘in the nude’ and all will be seen – not necessarily intercepted and re-written.
[quote=afx114]
How do you know that this or any non-SSL site hasn’t been modified between the data center and your browser? You don’t. Because it’s not encrypted.
See:
- Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
- Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Middlemen can’t modify encrypted content, which is why you need SSL even on “public” sites.
SSL certs are basically free now (https://letsencrypt.org/) and all technical arguments against them (take up CPU cycles, browsers don’t support them) are irrelevant on today’s hardware/browsers.
[/quote]
Some computers actually have an AES capable crypto chip on the motherboard. The WiFi indicated was a true ‘man in middle’, vs a WiFi snoop. It can also be done by your ISP… or anyone else in the middle of the line. If you really need to use a public WiFi, use AdBlock.
NOTE: on a side note, I am noticing that CNN.com is using some weird tracking code that flags as cross-site-scripting… anyone know more about it (before I consider digging)?
September 24, 2016 at 8:21 PM #801520 moneymaker Participant
Don’t feel too bad Rich because I just realized the CA lottery site is not secure either. A lot of people confuse logging in with being secure, 2 different things. When I had jury duty last week the site to access the internet in the jury lounge required a log in but was not secure on the wifi side. So you have wifi, logging in, and secure/not secure websites. All 3 are different and pose a risk if there is a hacker involved.