OT: Interesting site about internet security

[moneymaker]

Just thought I’d pass this on for those that don’t know or are paranoid about government spying. https://www.grc.com/fingerprints.htm
Would there be any point in securing this forum? Probably not since anybody can come here without logging in. There are definitely advantages to connecting to a secure site. I particularly like the part at the end about EV certificates. Micrsoft’s Edge browser does use them so the site is not entirely up to date.

[ucodegen]

This is old news. The capability to validate security has been around since the beginning of SSL.

The security requirements in the EV-certificate 2008 CPS are (except for minor differences in the legalese used to express them) practically identical to the requirements for Class 3 certificates listed in Verisign’s version 1.0 CPS from 1996. EV certificates simply roll back the clock to the approach that had already failed the first time it was tried in 1996, resetting the shifting baseline and charging 1996 prices as a side-effect.

from https://en.wikipedia.org/wiki/Extended_Validation_Certificate. It really does not add anything, and may subtract things. One of the problems in the past has been with man in the middle attacks (which is the what is described in your link). There have been two issues leading up to those attacks:
1) For years, Internet explorer did not check the full certificate keychain. It would just check that it had a cert and not that the cert belonged to the website being accessed.
2) Certain 3 letter snooping agencies have negotiated with top level signatories for the purpose of getting a cert. This is why checking the full keychain is important.

One thing to note: because the certain 3 letter snooping agencies are negotiating with the CA (Certificate Authorities), they will also be able to negotiate access to the extended certs as well.

By the way, it is possible to access the top level certs in your browser and add or delete CAs as you feel necessary.

[moneymaker]

Never said it was anything new, just that most people don’t know it. The NSA can still spoof a MAC address and spy on somebody that way. Just interesting to me that Microsoft was so slow to join the EV thing. Also I hear that Apple is pretty darn secure. I have not had any issues but I did not realize how vulnerable one can be on a non secure site until now.

[spdrun]

Unless the forums require a login to view and/or are set to “no index”, this is a public site. HTTPS or not.

[ucodegen]

[quote=moneymaker]Never said it was anything new, just that most people don’t know it. The NSA can still spoof a MAC address and spy on somebody that way. Just interesting to me that Microsoft was so slow to join the EV thing. Also I hear that Apple is pretty darn secure. I have not had any issues but I did not realize how vulnerable one can be on a non secure site until now.[/quote]Even spoofing a MAC will not get you past the cert check on SSL. If you read my references, you will notice that the EV things is basically BS. BTW Apple is not that secure, though their recent phones have fixed previous problems. OSX still has some security problems, and they are not that proactive on fixing their browser – there are some known 0-days on Safari.

http://www.theregister.co.uk/2015/05/07/mac_malware/

BTW, there is hardened versions of Linux, SELinux, which is now incorporated into the main kernel thread. SELinux was mod’d on recommendation of NSA. https://www.nsa.gov/research/selinux/ This was not done to allow them to get in, the NSA needed a secure OS for themselves and MSFT nor Apple were stepping up. The NSA lost SGIs Trusted IRIX (which I used to work with) with SGIs implosion, Suns had questionable security – could barely hold onto their C3 cert. Trusted IRIX was B-1. This eval was along the old style inspect – test according to the Rainbow-Series publications and not the ‘newer’ EAL-CAPs.

[ucodegen]

[quote=spdrun]Unless the forums require a login to view and/or are set to “no index”, this is a public site. HTTPS or not.[/quote]True, but SSL has to do with interception and spoofing of communication as well as securing content. W/O SSL, your password(s) you use on a site can get snagged.

That said, I don’t think this site would be considered a critical site unless you are using the same password on this site as you are using for a more ‘critical’ or ‘sensitive’ site (bank account?).

[afx114]

SSL is not only important for submitting data (logins, passwords, etc), it is also important to ensure that what you’re getting back from the server is unaltered. Non-SSL transmissions can be modified on the wire, which means you can’t trust what you see in your browser. For example, there was an airport a few years back that got into trouble for injecting ads into websites for people browsing on their free WiFi. This example is rather tame (annoying ads) but you can imagine injecting more nefarious things into the payload: keyloggers, re-writing forms to submit to 3rd party servers, etc. SSL prevents tampering with the raw HTML/JS/CSS that the server sends to your browser.

SSL certs are basically free now (https://helloworld.letsencrypt.org/, https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/) so it’s only a matter of time before SSL becomes the norm for *everything* and not just login forms/banks/etc. Google even bumps your pagerank if your site is SSL, and penalizes non-SSL sites.

Basically:

[Author]

Posts