Comments for Rx4G https://rx4g.com Sat, 31 Aug 2013 14:12:56 +0000 hourly 1 http://wordpress.org/?v=4.1.7 Comment on Why Browsers Need Encrypted-Only Mode by cwilper https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-13 Sat, 31 Aug 2013 14:12:56 +0000 http://rx4g.wordpress.com/?p=13#comment-13 True, anyone who has obtained a root CA key is capable of creating certs that are automatically trusted by most browsers, and most people wouldn’t notice if they’re being MitM’d with the use of a bogus cert until it’s too late.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by cwilper https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-12 Sat, 31 Aug 2013 13:51:14 +0000 http://rx4g.wordpress.com/?p=13#comment-12 Actually I don’t really think understanding the internals is necessary or practical for most people. All I’m saying is if you’re driving through Baltimore, you ought to know to operate your door locks.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by John https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-9 Tue, 27 Aug 2013 17:36:23 +0000 http://rx4g.wordpress.com/?p=13#comment-9 Once Browsers had warnings, when submitting unencrypted data from an encrypted page.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Bryan Starbuck https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-8 Tue, 27 Aug 2013 13:34:50 +0000 http://rx4g.wordpress.com/?p=13#comment-8 > This would make mass surveillance a nightmare, as NSA would have to actively man-in-the-middle every connection ever made to spy on everybody as they are now.

They would. But this would be easy. I have a friend of mine who works for F5, which is similar to Cisco. They sell the networking hardware that does routing of very high speed traffic. They love to pack extra “features” into that hardware to win customers over their competitors, and charge more.

That networking hardware enables reading/modifying traffic in real time. It also includes forking a copy of traffic, even as it travels at very high speed.

This attack would be trivial. With a CA’s private key, they can make their own MitM cert and return that, which they can do at scale since they can hand out the same cert to all users. It would be more work for them to handle TLS encrypt/decrypt on the router during the MitM attack, but straight forward and they wouldn’t need to add latency of routing traffic towards NSA because the routers could handle all of the MitM encrypt/decrypt/fork work.

Even Iran pulled this off with TLS to gmail.com for their citizens. http://news.cnet.com/8301-27080_3-20099421-245/google-users-in-iran-targeted-in-ssl-spoof/

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Security though unscalability https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-7 Tue, 27 Aug 2013 11:24:46 +0000 http://rx4g.wordpress.com/?p=13#comment-7 HTTPS actually could be good enough even without Root CAs, meaning that the key a server gives you can be easily man-in-the-middled.

Fortunately, this is not a problem.

HTTPS without trust would be like switching from postcards to letters, which still can be opened and read by the postman, but require active effort of opening and re-sealing the letter. This would make mass surveillance a nightmare, as NSA would have to actively man-in-the-middle every connection ever made to spy on everybody as they are now.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Fellow Traveler https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-6 Tue, 27 Aug 2013 03:04:50 +0000 http://rx4g.wordpress.com/?p=13#comment-6 I think a lot of people actually don’t know what HTTPS really is: a giant backdoor. A man-in-the-middle attack. HTTPS is definitely not real security, but it’s at least better than walking around naked using HTTP.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Bryan Starbuck https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-5 Tue, 27 Aug 2013 02:01:09 +0000 http://rx4g.wordpress.com/?p=13#comment-5 Having websites use https (SSL / TLS) is fine, EXCEPT it is of NO USE until we fix the problem with ROOT CERTIFICATE AUTHORITIES. We must assume that the NSA has the master private keys of root cert authorities. They did with two Korean Cert Authorties and one in Scandinavia that they used when carrying out the Iranian attack Stuxnet. Iran did it with a man-in-the-middle attack on SSL to gmail.com.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Jamie Hall https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-4 Mon, 26 Aug 2013 19:14:11 +0000 http://rx4g.wordpress.com/?p=13#comment-4 One thing to keep an eye on is the experimental QUIC protocol, which will be encrypted at all times. It’s not going to be in common use for a while, but it could easily be the future of the web. Similarly, HTTP/2.0 is likely to use TLS all the time.

]]>
Comment on Why Browsers Need Encrypted-Only Mode by Why Browsers Need Encrypted-Only Mode | d@n3n |... https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-3 Mon, 26 Aug 2013 17:30:17 +0000 http://rx4g.wordpress.com/?p=13#comment-3 […] Recently I had a conversation with my uncle about his lack of computer use. He told me he doesn't get online much, doesn't "have a Facebook", and has only sent a dozen or so emails.  […]

]]>
Comment on Why Browsers Need Encrypted-Only Mode by bacon https://rx4g.com/2013/08/26/why-browsers-need-encrypted-only-mode/#comment-2 Mon, 26 Aug 2013 17:09:27 +0000 http://rx4g.wordpress.com/?p=13#comment-2 your surprise he does not know what https is? why should he..he just wants to buy stuff. Like when you drive to work you just want to get there not care about all the car internals.

]]>