I only just noticed...
El-Reg uses https:!
Holy crap - when did that happen?
The adoption of HTTPS among the top million sites continues to grow with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
"How else would you know you are reading real Anonymous Cowards and not some Russian hackers?"
Russian hackers haven't learnt to:
a) babble incoherently like the majority of us commentards
b) they can't avoid the pull of defending Mother Russia in the time sink that is TheReg forums
Sometimes. I'm sure it was all https for a bit, but today it's back to regular http on the main site and only https on forums.reg. Maybe they're making sure to stay at 38.4% secure?
For the <www.thereg> subdomain they're not doing redirects to the HTTPS version, so you can browse to http or https and both work.
<forums.theregister.co.uk> do have redirects enabled, so if you try and hit the http, it will bounce you to https.
I assume the absence of redirects on the www. is down to having some legacy or mixed content that could break browsers, whereas the forums are entirely https safe.
Neither part has HSTS enabled however because they're using Cloudflare which IIRC is a bit all-or-nothing as far as HSTS is concerned.
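An added example, not code from the thread or from The Register or Cloudflare: a small classifier that sorts a host's port-80 and port-443 replies into the two behaviours the comment above describes (www: no redirect, forums: redirect; neither: HSTS). The replies and hostnames are constructed inline, so nothing is contacted.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Dict


@dataclass
class TransportPolicy:
    redirects_to_https: bool        # plain-HTTP request answered with a redirect to https://
    hsts_max_age: Optional[int]     # max-age from Strict-Transport-Security on the HTTPS reply
    hsts_include_subdomains: bool


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Pull max-age and includeSubDomains out of an HSTS header value (RFC 6797)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def classify(http_response: str, https_response: str) -> TransportPolicy:
    """Judge the two replies a browser would get for the same host on ports 80 and 443."""
    status, headers = parse_head(http_response)
    location = headers.get("location", "")
    redirects = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    # Browsers only honour HSTS received over TLS, so the header is read from the
    # HTTPS reply; an HSTS header on the plain-HTTP reply is ignored (RFC 6797 section 8.1).
    _, tls_headers = parse_head(https_response)
    max_age, include_sub = None, False
    if "strict-transport-security" in tls_headers:
        max_age, include_sub = parse_hsts(tls_headers["strict-transport-security"])
    return TransportPolicy(redirects, max_age, include_sub)


# Constructed sample replies modelled on the two behaviours described above.
NO_REDIRECT_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
NO_HSTS_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
REDIRECT_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://forums.example.test/\r\n\r\n")
HSTS_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    print(classify(NO_REDIRECT_HTTP, NO_HSTS_HTTPS))   # www-style: no redirect, no HSTS
    print(classify(REDIRECT_HTTP, HSTS_HTTPS))         # redirect plus a one-year HSTS policy
```

Redirecting port 80 without also sending HSTS over HTTPS still leaves the first plain-HTTP request of every visit interceptable, which is the gap the comment is pointing at.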
"For the <www.thereg> subdomain they're not doing redirects to the HTTPS version, so you can browse to http or https and both work.
<forums.theregister.co.uk> do have redirects enabled, so if you try and hit the http, it will bounce you to https."
Ah, makes sense. I wondered why the main site suddenly started using https right after I posted that comment. I guess I have an out of date bookmark that gets me to the http site, but visiting the forum and then hitting the top banner to get back to the main site hooks me into the https version.
I'd like https a lot more if there weren't a potential "tollbooth" designed into the protocol (i.e. having to periodically pay a 3rd party for a cert).
Also, I wouldn't expect a public key method to protect you from a man-in-the-middle attack. self-cert https sites don't either, in theory, though I suppose you could verify the DNS request by contacting multiple DNS servers directly. An MITM that could be so clever as to mask itself as a particular name server, including the root name servers, would be pretty amazing.
Just to re-iterate: the absolute LAST thing we want on the intarwebs is a TOLLBOOTH that prevents independent small-time web server operators from publishing content WITHOUT a google, github, amazon, faecebook, linkedin, or ANY other 'web site or cloud service provider' being involved.
"self-cert https sites don't either"
If a site acts as its own CA, and signs certs that it generates (so the certs the site uses aren't self-signed), then that's actually more secure than those signed by a commercial CA, because the chain of trust is actually trustworthy.
The catch is how to get the root cert into users browsers. This is the problem that commercial CAs more-or-less "solve". However, if you're running a site that is intended for a small audience that you personally know and can get the root cert to, that's a far superior solution.
And, it's free.
--- but the https is still 256bit key, or something like that. So it's still visible in my old browser.
As it happens, I do most of my browsing in http, only doing more complex stuff (like posting) when I'm on a computer that supports modern browsers. This means that increasing chunks of the web are becoming invisible to me.
At the moment, forums.theregister.co.uk is still visible to me, as short-key https. When that goes, I'll be reading less of it.
Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https? I'm here to read stuff and maybe post a comment or two. That's not a secure (or AFAICS a securable) process. I ask, because on any given day, it seems like maybe 15-20% of the sites I try to access have certificate or similar problems. What's the value to anyone in that?
I'm not against encrypting personal financial/medical data and such. Seems like a good idea in fact. But is this "Let's run everything through https" anything other than security theater analogous to the ineffective and annoying security show at US airports?
3 thumbs down on a simple statement that is factual.
OK, let me give you something to hate. Everything is going Https - I mean everything... To include all the packages the bad guys are pushing. From a network security perspective, that means unless you fork out big cash on expensive systems that can't offer true on the fly decryption/re-encryption, or use a proxy that can perform this (and still expensive), you are not going to be able to perform packet inspections on anything. Cisco is about there last I heard, others are selling products that don't even come close to this but are only using tricks such as IP reputation. Why does a blog need to be decrypted, and why does an organization's system have to be upgraded to decrypt and inspect everything?
This is a double-edged sword.
OK, riddle me this, Batman.
Do you send EVERYTHING on postcards? Because that's what unencrypted HTTP is, essentially. With an envelope of encryption, the contents of your postcard cannot be sure to be the same as that which you originally sent. Things can be inserted, removed, or altered, and there is no way you can stop it because it all happens in transit.
"But is this "Let's run everything through https" anything other than security theater analogous to the ineffective and annoying security show at US airports?"
It is more than that. The security at US airports doesn't actually provide an increase in security, but using HTTPS really does.
As to your main question -- is HTTPS actually required everywhere -- the answer is technically no, not every website needs to be secure in that way. However, there are two strong arguments for why all websites should, even if they don't collect or disseminate sensitive information. First, every data stream on the internet being encrypted is a good and worthy ideal, because then attackers can no longer identify high-value targets based on the fact that they use encryption. Second, website and users are often pretty terrible at determining if the information they're dealing with is sensitive or not, so encrypting everything removes that possibility of error.
"And for most websites it doesn't matter one bit. No one is going to put up a spoof website of say diptera.info, britishbugs.org.uk, or tolweb.org. There are millions of websites like those, none of which need SSL certs."
They don't have to spoof you. They don't even have to pwn you. ANY unencrypted HTML, regardless of its source, can be altered and hijacked...IN TRANSIT. Think Verizon's supercookie or the Chinese Cannon: both concrete examples of this.
"because then attackers can no longer identify high-value targets based on the fact that they use encryption."
Why should the rest of us effectively pay either for SSL certs, or in the time spent installing and keeping it up to date, just to help the banks, amazon, google et al? Let them secure their own stuff. Too often we end up subsidizing large corps. Fuck em one and all.
Privacy in general is a good thing. It's rather scary what a bit of meta-data can reveal. But besides that, it also keeps your sleazy ISP or whatever from injecting unwanted bits of tracking, ads or censorship-stuff.
More encryption also avoids the problem of "Oh, this is encrypted! We should investigate this."
"Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https?"
Dunno about the rest of you, but I don't want my grubbermint knowing I said some of the bad things I say about them on El Reg. So I tunnel https via ssh to my foreign located server. I'm thinking of adding OpenVPN and Tor into the mix.
Mine's the one with large rolls of tin foil in the pockets.
A MitM* can easily modify the El Reg homepage to add a coinhive JavaScript or any other tracking token they want. They can manipulate the stories you see, include content not in the original or censor content they don't want you to know. If there is a link to the forums login screen, they can point that to a phishing site.
*And let's be clear here, a WiFi pineapple can be had for a few hundred local currency and about 15 minutes of YouTube instructions will have your MitM up and running. This isn't a TLA level hack.
Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https? I'm here to read stuff and maybe post a comment or two.
It's authentication as much as privacy.
1. Your ISP cannot insert advertising into your HTTPS stream. ISPs can and do have history of inserting ads into HTTP pages, and have then been hoisted by their own petard when they accidentally served malicious ads to their customers.
2. Related, things like setting security headers to prohibit x-site scripting don't work terribly well if an intermediary can strip those headers out! You need the HTTPS to protect those headers.
3. People are idiots. They reuse passwords. I would hope that no one on El Reg is reusing their forum password anywhere else (or if they are, that it's a specific password "for forums I don't care about"), but in many cases your users cannot be trusted. You are protecting them from themselves by hashing their passwords and not passing them in plain HTTP, even if the perceived value of the service is relatively low.
"By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme."
Doesn't surprise me, they're a bloody con.
Windows 7 - ok, you've signed your code so I'll not bother annoying the user and let them get on with installing your app.
Windows 8+ - ok, you've signed your code, but oh wait...what's this...not with an EV certificate, so popup warnings here we come again. Want to get rid of them? Well, that'll cost you even more than before (despite the extra checks probably taking about 10 seconds), and you can forget about software-based signing too...oh no, now the key comes on a physical doodad, so you can only use it on one development machine at a time, oh and you can forget about remote desktopping into it, cos we'll disable it if you do that (thank god for vnc), etc, etc...
Many webmasters don't bother themselves to look at how stuff works but only focus on "what's good". Which is exactly why I'm so critical about this current "HTTPS = good" push, because just using HTTPS is by no means any guarantee that your site will be safe.
I wouldn't be surprised if some didn't even realize the depreciation and would even respond with: "But we're using HTTPS, that's good right?".
I'm gonna point out that we have the global slurp-o-rama organizations to thank for this. And some entirely stupid historical events. Like a well known commercial vendor of home maintenance tat redirecting to an HTTPS secured payments page that embedded an HTTP frame for the "card number name cvs number" block.
point one: if all the data is being encrypted on the internet - the slurp monkeys have more work to do. They have to go back to relying on metadata and actually thinking.
point two: if *every* component of your site(s) are https you're less likely to have a *duh* moment.
(And I've had web developers bitch and whine that securing the entire site made their lives more difficult when they were developing WL java apps that hid behind an apache reverse proxy that did the https *and* the redirection from http so that their stupid typos didn't cause problems)
No, https doesn't mean "safe" - it means more likely safe -- and yes, apache to WL was unencrypted but on a dedicated network path, internal to the chassis of blades. No it wasn't monstrous but it was miles better than what it replaced.
It seems that some websites, and of small and large organizations too, insist they have nothing on them to require HTTPS and so use HTTP instead. If there is something to secure they will only use HTTPS on that specific page.
Perhaps it's logistical?
Now for the uninitiated the HTTPS is another directory/folder on the server and to have HTTP & HTTPS means everything has to be duplicated in two directories/folders, so it would be easiest to put everything in one directory/folder and be done with it. A compromise is only a few pages being put in the HTTPS directory, those that require security.
Then there is the cost of the certificates, it costs money and time and to get updated ones later.
Many sites are not built by their owners but by others, even off shore web design companies, who just don't have the love for the client organization's customers as the organization may have( or not).
So it's {yawn} just not a priority for them......
> Now for the uninitiated the HTTPS is another directory/folder on the server and to have HTTP & HTTPS means everything has to be duplicated in two directories/folder
Errm... How could I break this to you...
May I strongly suggest that you should consider delegating your web server configuration tasks / maintenance to someone else?
> Errm... How could I break this to you...
> May I strongly suggest that you should consider delegating your web server configuration tasks / maintenance to someone else?
The problem is typically when you do that.
I have some cheapy web hosting that uses Plesk and in the directory structure there are indeed separate HTTP and HTTPS folders. This is the sort of hosting a less-savvy user would subscribe to.
If I were setting up my own server then obviously yes, I would bind 80 and 443 to the same folder and only have one copy of the content (with the requisite redirect for any traffic landing on port 80).
And in the case of the cheapy web hosting, I dump everything in the HTTPS folder, click the "On" toggle for Let's Encrypt and run the lot over HTTPS. But it's easy to see where a novice might be confused, especially if they're reading a dangerously dated copy of "XHTML For Beginners (Updated for 2007!)" that they found in the library.
Listen, I know how the whole dial-an-expert thing works and I have nothing against it. In fact, we use it ourselves and, done responsibly, it is a great tool in an earned media strategy¹.
However, I am starting to be concerned that this may be over-representing Mr Helme's actual standing or achievements, however great they may be, within the infosec community. I do also freely admit that his attempt at manipulating opinion and throwing dirt at uBlock Origin developer Mr Hill for the purpose of scoring a cheap publicity point did not exactly endear Helme to me, and caused me to have some concerns about the rigour of his methods and analyses.
Therefore, I should like to suggest to ElReg that, in order to safeguard its journalistic integrity as well as the public interest, in having well-contrasted, balanced and attributable news, it may be more appropriate to either give Mr Helme his own column, making him responsible for both his own research and conclusions, or give equal treatment to other, perhaps more meticulous but less publicity-inclined professionals.
For reference: https://www.google.co.uk/search?q="scott+helme"+site:.theregister.co.uk
¹ This is not an assertion that Mr Helme approached ElReg first. It may also be that Mr Leyden subscribes to his blog feed. Either way the end result is the same.
> I know how the whole dial-an-expert thing works
For those who may not be au courant, this refers to where you, a subject matter expert in something or other, are in the contact list of one or more journalists who seek your input when writing an article about whatever it is you supposedly know about.
You provide your commentary, opinion or advice which the journalist may or may not decide to publish with different levels of mangling and in exchange for your time you get a mention on his article ("according to Mr Bloggs, an expert yo-yo performer ..."), and often a link back to your own website in these digital media days.
If you work with the right journalists, so that your words are not misrepresented too much, this is a very effective form of free publicity: it makes people aware of your existence and it reinforces your standing, since you are an "expert". That is of course assuming that you are minimally able to talk sense, explain things in a manner which is understandable to the target public and, importantly, know when to shut up (you can't always know everything).
For journalists working with the right experts, they get to write more informative and engaging articles which are less likely to contain gross inaccuracies or incorrect terminology. It does not cost them or their employers anything and it does enhance their reputation as a reliable source.
For the audience, they get the benefit of detail, accuracy and reliability, assuming that you do have the right expert-journalist symbiosis. However, as with everything, the system is open to abuse and sloppiness from all parties, so as usual the audience should always apply critical thinking (and do not be afraid to contact the "expert" if you think he made a blunder).
I think that it should be considered on a case by case basis. There is nothing in this article that the wider security industry would take umbrage with. HTTPS becoming more common. Check. His survey has been running over years and the methods are generally quite sound. May be off by a percentage point or 2 because of limited sampling capabilities with subdomains, but this doesn't impact the trend. Does he have any conflict of interest? Well I guess he will have more business opportunities if he can establish that HTTPS is inevitable, but I can't think of any subject matter expert who wouldn't equally benefit. And no one serious is questioning his expertise in this area.
The uBlock origin thing is one where he does have a direct commercial interest, but I believe this was disclosed. It would have been impossible to cover that story without sourcing his views because he was the one complaining. And for the record, there are legitimate arguments for both positions on the uBlock reporturi thing. There is a potential side channel tracking capability if it is honoured but it can also benefit *other* people by notifying the site owners if someone injects a coinhive JavaScript into your site. You don't personally need it fixed because your browser has already protected you. On balance, I think the tracking protection is a better benefit (and I made this point at the time). But yes, that does impact his commercial reporturi service so that needs to be disclosed.
Ultimately, that is a journalistic integrity decision. I personally find this particular red top acts reasonably responsibly.
All it does is cause problems. You try to connect from an old device? Boom "no cypher overlap". They forget to renew their cert? Now everybody's locked out because browser makers are too stupid to realize this isn't even a serious problem.
And almost invariably this nonsense happens on sites that don't even have a legitimate need for security. Knock it off, people.