Skip to content

Secure Web connections

Featured Replies

I've only just noticed, but the IE 8 browser on my system by default now connects to the Google search engine using the HTTPS protocol. It appears that it won't establish an ordinary HTTP connection now.

 

IHow long has it been like this ?

 

In default setting, Opera reports using HTTP for the connection, though the legend says it is a secure connection and uses TLS 1.2 and RSA standard encryption, but if you set up IE 8 using TLS 1.2 it won't connect to Google.

 

Anybody know what's going on ?

 

Is this something to do with the US Gov PRISM surveillance system ?

 

 

Nick

 

 

 

 

i actually just wrote a huge reply explaining the ins and outs and whys but i just deleted it thinking, whats the point.

ImpliedFacepalm.jpg

Yes it's prism.  It's the clue you're a target, so best disconnect from the web and go off grid Nick.

 

I think is is the short version of Waplord's advice?

Yes it's prism.  It's the clue you're a target, so best disconnect from the web and go off grid Nick.

 

I think is is the short version of Waplord's advice?

 

Yes aside from the final bit of advice as the best way to go off grid is to park your car in the garage with the engine running, put a length of hose on the exhaust and through the drivers window, as you breath in the fumes it will mask the iron in your body preventing any satellite tracking while you make your escape 

  • Author

Why all the psuedo flip  teemage bull**** bluster ?  Either you know or you don't.

 

Nick

Nick, are you signed into Google at the time?

  • Author

No.

 

I have an account but  rarely log on.

 

Nick

Edited by Clunkclick

  • Administrators

Does not matter signed in or not google collect 50+ metrics from unsigned visitors anyway. Thats enough in one talk I saw to know who you are.

 

Or enough to describe you.

 

I don't know why the posts above are as they are, disappointed unless clear backstory, I'll have to watch out for it.

 

All I do know is, get yourself of IE8 if possible. Whilst not as riddled with sec bugs as 7 was, it's still End of life and quite a few new sites won't fully work on it... certainly one of the mii sites I'm preparing for here, will struggle on it.

  • Author

I was using IE8.

 

It appears  from web reports that Google have recently introduced mandatory HTTPS connections for all users/visitors and you can't switch it off (I understand that in the past HTTPs used to be restricted to Google  account holders).

 

Microsoft hasn't migrated. Facebook has. 

 

Without sight of an official notification from either google or my ISP, my initial concern was that somebody may have hijacked my machine.

 

Its causing some problems for schools in the states:-

 

http://www.seroundtable.com/turn-off-google-ssl-search-17477.html

 

And the work around doesn't work for me (again with SSL and TLS turned-off in IE8- presume you have to be specially signed-up ? or appear to have a UK equivalent !

 

 

Nick

Edited by Clunkclick

Lol

 

NSA and GCHQ have had SSL cracked for years.

 

If you want to be super secret you can try to use TOR but remember it was invented by the US Military anyway.

 

They cracked GSM years ago too and you can bet 3G and 4G are readable to security services too.

  • Author

Don't doubt that.

 

I take it that in the past, surveillance was distributed i.e. the surveillers had to set themselves up on a particular server (With or without owners permission !) and that there were workarounds to avoid surveillance, for some. Now it appears that everything is directed that through one surveilled staple, like it or not.

 

That must be a curse in disguise in terms of  volume processing, and more likely to produce false positives and waste of resources.

 

But presumably, going public and using HTTPS is only necessary if you're mounting a legal prosecution, so as to avoid  the legal  defence that communication (Or web -page update)  that is alleged to have originated from the perpetrator wasn't originated in the form received by the surveillers  i.e. its was interfered with on the way by a third party?

 

At the moment, can't see it affecting me, except for the fact that I've read that under the HTTPS standard, servers are not obliged to provide evidence of certificates (!!!), therefore  how does my system know the surveillers are genuine and authorised and not some bunch of crims or other vested interest mimimicing the technique and the search engine ?

 

Bearing in mind that if you go to a sensitive site e.g. banks and such like, you'll be protected by their own in-house security measures (Or not, if recent press reports are anything to go by) , implementing HTTPS just to read some everyday web pages is a bit OTT overhead on the web, if its just to provide legal substantiation for a case against a tiny minority of individuals who, in all probability, have already been identified by other means.

 

 

Nick

Edited by Clunkclick

I removed my comment as felt rude. So apologise from me ClunkClick

Lots of websites at the moment are starting to incorporate the https side of things.... It certainly isn’t prism and neither gchq....at the end of the day all traffic is logged, regardless of what the media or law says.... IE8 is an old browser and so i would recommend only IE9 as a minimum... Https is to encrypt the traffic between you and the server, this is to prevent interception of legit traffic.... At the end of the day there is nothing to worry about and certainly all communication is looked into no matter how hidden your system is.... As i was once told, everything gives off a signal, just like cars have tailpipes to give off emissions.....

If im honest, phones have been tapped for many years now and encryption is breakable, regardless what the selling point is.... Someone made it so someone can break!

With regards to knowing if the certs are legit, click them and read who the publisher is....only way of telling really.

  • Administrators

Implementing https for sites, now is actually not that expensive.

 

I mean expense in CPU processing and load. I tried it here a few weeks back but something isn't right in the site software so it's mixing https and http resources. I've not gotten back to it.

 

There are some places, mainly work places that block ssl... the theory being that most 'sites' e-commerce, email, facebook etc require ssl to log in. Block ssl you block sites that are wasting your employees time. Thats the theory, which is evidential in failing as more sites force ssl.

Quite a few web filters can now do SSL certificate capture and interception to stop employees using SSL to look at naughty things at work.

 

You specifically exclude shopping and banking from it to stop the work being accused of sniffing card details.

 

There have been a few attacks on HTTPS certificates. Usually by attacking the certificate authorities to produce real but compromised certificates.

In general and forgetting security services HTTPS/SSL is pretty decent security especially if you couple it with a second factor token.

2 levels is always better than one.....most websites are becoming far more secure than before....its the backoffice systems that some of us need to worry about....or the users with infected systems that allow the outside world to breach internal systems....

 

I think work filters are becoming far more complex than before. Websense was one i worked on a while back....implementing is a nightmare but onces done, administration can be easy....

We used to have Websense. It was actually pretty good apart from the reporting.

Got too expensive to replace.

Never fiddled with the reporting side of things.........Currently using at home Sophos UTM9 and the reporting on that is not bad.

Where i work now, we don't use much filtering due to the the company being based all over the world.....when you have countries that have restrictions or blocks, then it can get messy.... In some countries we are  not even allowed to use certain encryption methods. Either way my view is that filtering should happen regardless and if you have a good team of engineers that have the knowledge to make sure the system is regularly updated, then the system wont allow bypasses.....

  • Author

From my point of view, as a non-corporate home user, the issue is universal re-direction of user web requests by a particular service provider irrespective of the wishes of the user. The  user hasn't requested  this re-direction and  may not want or find it useful to them and is apparently now deprived of the means to opt-out by changing system settings on their machine when using this search engine. Even marketeers don't like it because it apparently deprives them of data. And school kids seeking to innocently read a few web pages on the fable of jack and the beanstalk will have their search re-directed to HTTPS. And its reported that many users are experiencing a severe slow down in search performance as a consequence. No doubt rural small business users on 2MBps down must be dancing in the street at the realisation that their internet service will be dven slower.

 

Its reported that the majority of and most significant hacks to the internet service provision occur as intrusions to servers, not as penetrations of the security of individual users internet activity.

 

So how does adopting HTTPS address that problem ?

 

Nick

Edited by Clunkclick

The wide adoption of HTTPS is primarily due to the fact that public wifi hotspots have massively increased everywhere you go, fast food places, Coffee Shops, Supermarkets everywhere you see a sign that says "logon to our FREE public wifi"

 

Most of these solutions are completely insecure in that there is no encryption between the base station and the wireless device, at most it may have some kind of logon page, that requires the companies "wifi password" that you present to a webpage that adds your wireless MAC to an ACL, again no encryption.

 

 

So to help try and secure their users data as its a massive pain in the arse for companies to keep resetting hijacked account passwords or investigating to return ownership to the right users, companies are enforcing HTTPS so even though the connection to the internet is insecure the connection for the session to their server is. With modern CPU's while the initial HTTPS session takes a little longer to establish with the site, the overhead isn't significant at all.

  • Author

Oh well, it just shows you how differently the professional world views these things.

 

From my experience the major issue in internet cafes with public wif-fi etc is mobile (Mainly smart) phones and people casually loaning their handsets to friends (Sometimes complete with passwords) and then falling out with said friends. 

 

I would have thought that the major IT threat would be from trojans left on said public servers attacking  mobile ISP accounts when user signed-on, maninthemiddle live monitoring being the province of these people:-

 

http://euobserver.com/justice/120516

 

https://www.privacyinternational.org/blog/russian-made-surveillance-technologies-being-used-in-the-west

 

 

Nick

 

 

Remember if you're on free wifi, even if it's encrypted, probably everyone else one the access point could read your internet traffic.

 

SSL helps but doesn't fix everything.

 

I was told today by people who know these things that basically anything that passes through the USA now can be read by the USA. Irrespective of the encryption. Apart from Blowfish.

Edited by Aspman

Remember encryption was written by a coder and another coder and another coder and so on, but can all be breached, far harder than normal, and will be breached by someone determined enough.

 

Its reported that the majority of and most significant hacks to the internet service provision occur as intrusions to servers, not as penetrations of the security of individual users internet activity.

 

A very imprecise statement as its the inexperienced user that clicks on the random popup generated on there screens that get the malware, trojan, virus and so on. Servers are mainly accessed by infrastructure admins who limit there access to servers by securing them down in the correct manor. Most systems that get breached are down to the fact they either hold sensitive information or about as secure as someone leaving there front door open.

 

When you access a website you are accepting there terms and conditions of usage and they are the owners, they have the right to change the way we access there website regardless if you like it or not. At the end of the day there are plenty other option you could use.

Remember if you're on free wifi, even if it's encrypted, probably everyone else one the access point could read your internet traffic.

 

 

Very much so its a case of ease of use VS security and unfortunately security took the nose dive in the equation. 

 

for those who are a little less initiated than some of us this video does a good job of explaining

 

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.