- This topic has 8 replies, 5 voices, and was last updated 8 years, 2 months ago by moneymaker.
-
AuthorPosts
-
September 22, 2016 at 6:34 PM #22134September 22, 2016 at 6:46 PM #801461spdrunParticipant
Unnecessarily alarmist. It’s only an issue if you’re sending info or viewing private info, not just viewing public info.
September 22, 2016 at 6:55 PM #801462moneymakerParticipantI’m surprised to hear you say that spdrun because I thought you were all about privacy. Even redfin is secure now which is why it doesn’t load from piggington anymore. The only thing secure on the site is the google link that counts visits.You might want to read the link article, starting in Jan 2017 you will be warned about the site not being secure. I’m not a programmer but I do notice trends when I see them.
September 22, 2016 at 7:03 PM #801463spdrunParticipantIf you’re reading email online, it should absolutely be encrypted via SSL at minimum. If you’re viewing confidential information, same. If you’re viewing a basic informational website with minimal interaction, WGAS?
September 23, 2016 at 1:59 PM #801496Rich ToscanoKeymasterThanks for the heads up. Spd is right, in the case of pigg, there isn’t much sensitive information going back and forth — but still, this is something I’ve been meaning to get to for a while. So this will kick my butt into finally doing it!
September 23, 2016 at 2:22 PM #801497afx114Participant[quote=spdrun]Unnecessarily alarmist. It’s only an issue if you’re sending info or viewing private info, not just viewing public info.[/quote]
Not true. Someone in between you and a non-encrypted site can modify the code in any way they see fit, including injecting ads, or worse, malware/keyloggers/etc. Any public wifi is susceptible to this if you’re not viewing encrypted content.
How do you know that this or any non-SSL site hasn’t been modified between the data center and your browser? You don’t. Because it’s not encrypted.
See:
- Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
- Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Middlemen can’t modify encrypted content, which is why you need SSL even on “public” sites.
SSL certs are basically free now (https://letsencrypt.org/) and all technical arguments against them (take up CPU cycles, browsers don’t support them) are irrelevant on today’s hardware/browsers.
Basically:
September 23, 2016 at 2:26 PM #801498Rich ToscanoKeymasterThat picture is from my webcam as I try to figure out how to encrypt the site 😉
September 23, 2016 at 7:53 PM #801505ucodegenParticipant[quote=afx114]
Not true. Someone in between you and a non-encrypted site can modify the code in any way they see fit, including injecting ads, or worse, malware/keyloggers/etc. Any public wifi is susceptible to this if you’re not viewing encrypted content.[/quote]Yes and no. It requires guessing the random number sequence used in TCP/IP. Some systems create a more ‘guessable’ number than others. On the other had, if it is a true man in the middle (not WiFi) then they can because they catch the packet (preventing it from going to you) then spit out the replacement – copying the sequence from the packet that they caught. Wifi – has to guess and inject sequence numbers because you will receive the valid packet and the injected packets.That said, non-encrypted on pubic WiFi – means that you are working ‘in the nude’ and all will be seen – not necessarily intercepted and re-written.
[quote=afx114]
How do you know that this or any non-SSL site hasn’t been modified between the data center and your browser? You don’t. Because it’s not encrypted.See:
- Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
- Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Middlemen can’t modify encrypted content, which is why you need SSL even on “public” sites.
SSL certs are basically free now (https://letsencrypt.org/) and all technical arguments against them (take up CPU cycles, browsers don’t support them) are irrelevant on today’s hardware/browsers.
[/quote]
Some computers actually have an AES capable crypto chip on the motherboard. The WiFi indicated was a true ‘man in middle’, vs a WiFi snoop. It can also be done by your ISP… or anyone else in the middle of the line.If you really need to use a public WiFi, use AddBlock.
NOTE: on a side note, I am noticing that CNN.com is using some weird tracking code that flags as cross-site-scripting… anyone know more about it (before I consider digging)?
September 24, 2016 at 8:21 PM #801520moneymakerParticipantDon’t feel too bad Rich because I just realized the CA lottery site is not secure either. A lot of people confuse logging in with being secure, 2 different things. When I had jury duty last week the site to access the internet in the jury lounge required a log in but was not secure on the wifi side. So you have wifi,logging in,and secure/not secure websites. All 3 are different and pose a risk if there is a hacker involved.
-
AuthorPosts
- You must be logged in to reply to this topic.