Google Continues Clamping Down on HTTP

Subject: General Tech | September 8, 2016 - 11:02 PM |
Tagged: google, chrome, http, https

Many software vendors want to impose security and encryption basically everywhere. Google and Mozilla are two of the more vocal organizations about it, and they have been slowly implementing ways to discourage insecure HTTP (in favor of HTTPS). Some of these make sense, like preventing insecure sites from accessing your webcam so the video stream cannot be intercepted, while others seem a bit pushy, like ranking HTTP-based sites lower in search results.


This announcement's change is technologically benign, but is designed to make HTTP feel a bit uncomfortable. Rather than just promote HTTPS sites with a secure padlock symbol, Google Chrome 56 and later will begin to add a “not secure” label to HTTP sites. At first, Google claims that it will only mark sites that transmit sensitive data, like passwords and credit card info. They intend to expand this to all HTTP websites going forward.

Again, this has pros and cons. The main benefit of encryption is that it's much harder to view or manipulate what flies across the data stream. One major disadvantage is that the content needs to be authenticated, which is a concern for truly anonymous expression. Google Chrome treats local, offline content as secure, but that use case could be easily forgotten, and that could have terrible ramifications, especially in areas controlled by oppressive governments that massively censor art.

Source: Google

Forcing HTTPS Is Being Discussed

Subject: General Tech | April 14, 2015 - 08:08 PM |
Tagged: mozilla, http, https, firefox

On the Mozilla Dev-Platform Newsgroup, hosted at Google Groups, a proposal to deprecate insecure HTTP is being discussed. The idea is that HTTPS needs to be adopted and organizations will not do it without being pushed. The plan is to get browser vendors to refuse to enable new features, and eventually to disable old features, unless the site is loaded as a “privileged context”.


This has sparked a debate, which was the whole point of course, about how secure we want the Web to be. What features should we retroactively disable unless they are used over HTTPS? Things that access your webcam and microphone? Things that write to your hard drive? Then there is the question of how to handle self-signed certificates, which give encryption without verification, and so forth.

Note: Websites cannot access or create files on your hard drive, but standards like localStorage and IndexedDB allow websites to have their own spaces for persistence. This is to allow, for instance, a 3D game to cache textures (and so forth) so you don't need to download them every time.

Personally, this concerns me greatly. I started helping Mozilla a couple of years ago, a few weeks after I saw Microsoft's Windows 8 developer certification program. I do not like the thought of someone being able to stifle creation and expression, and the web was looking like it might be the last bastion of unrestricted development for the general public.

In the original Windows Store requirements, no browser could exist unless it was a skin of Trident. This meant that, if a site didn't work in Internet Explorer, it didn't exist. If you didn't want to play by their rules? Your app didn't get signed and your developer certificate could even be revoked by Microsoft, or someone with authority over them. You could imagine the problems an LGBT-focused developer might have in certain countries, even if Microsoft likes their creations.

This is obviously not as bad as that. In the Windows Store case, there was one authority whereas HTTPS can be authenticated by numerous providers. Also, if self-signed certificates are deemed “secure enough”, it would likely avoid the problem. You would not need to ask one of a list of authorities permission to exist; you could secure the connection yourself. Of course, that is a barrier of skill for many, and that is its own concern.

So we'll see, but I hope that Mozilla will take these concerns as a top priority in their decisions.

Source: Mozilla

Nothing new to see here but Firesheep may be news to some

Subject: General Tech | September 12, 2011 - 11:56 AM |
Tagged: firesheep, security, fud, https

About a year ago you may have read about Firesheep, a Firefox add-on which takes advantage of the unencrypted nature of many packets being sent to social networks to allow others to access your accounts. It is specifically used on wireless connections, in what is called a man in the middle attack: as you surf using an unencrypted connection, the laptop running Firesheep captures your data before it even hits your account. That extension is still around and causing havoc, making the news recently with the revelation that packets sent via Google have a unique session ID sent in plain text, which can be used to identify a Google account and then access the search history of that account. Check out The Register for more on this topic and consider HTTPS Everywhere for your laptop.


"Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you've already visited."
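The weakness Firesheep exploits is simple to check for on the server side: a session cookie set without the Secure attribute is attached to plain http:// requests, so the session ID rides across the Wi-Fi in the clear exactly as described above. The following is an added example, not code from the original post, from Firesheep or from Google; it parses Set-Cookie header values and reports which cookies a browser would send over an unencrypted connection. The header values and the list of session-cookie names are constructed for the example, and the browser model ignores Domain and Path matching to keep the scheme rule in focus.

```python
"""Audit Set-Cookie headers for cookies that leak over plain HTTP.

Added example (not from the original post). A cookie without the Secure
attribute is attached to http:// requests, which is what lets a Wi-Fi
sniffer capture and replay a session ID. Sample headers below are
constructed for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: 'name=value; Attr; Attr=val; ...'.
    Attribute names are case-insensitive, so they are normalised to lower case."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over(cookie: Cookie, url: str) -> bool:
    """Simplified browser rule: a Secure cookie travels only on https://,
    any other cookie travels on both http:// and https://.
    Domain/Path matching is deliberately ignored (assumption for the example)."""
    scheme = urlsplit(url).scheme
    if cookie.secure:
        return scheme == "https"
    return scheme in ("http", "https")


# Names treated as session identifiers; a constructed list, not a standard.
SESSION_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid"}


def audit(headers: list) -> list:
    """Return one finding per cookie that a Wi-Fi sniffer could capture or
    that lacks defence-in-depth for a session identifier."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if sent_over(cookie, "http://example.test/"):
            findings.append(f"{cookie.name}: missing Secure, sent in clear over http://")
        if cookie.name.lower() in SESSION_NAMES and not cookie.httponly:
            findings.append(f"{cookie.name}: session cookie readable by page scripts (no HttpOnly)")
    return findings


# Constructed sample headers: one exposed session cookie, one hardened one,
# and a non-session preference cookie.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Domain=.example.test",
    "sid=abc123; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Run it against the Set-Cookie lines from your own server's responses; any finding of the first kind means the session can be hijacked by anyone on the same unencrypted network, and the fix is to set the Secure attribute and serve the site over HTTPS.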


Source: The Register