LinuxVillage

LinuxVillage welcome => Technical discussions => Topic started by: ka9yhd on 14 July 2013 at 14:25:12

Title: The “S” added to the end of the “HTTP” means SECURE.
Posted by: ka9yhd on 14 July 2013 at 14:25:12
Here is an interesting read.

"The Internet is a cooperative PUBLIC DATA NETWORK. Its data traffic flows around the globe freely, transported by an incredible variety of intermediate carriers. These carriers cooperate because they need each other equally: “I'll carry your traffic if you'll carry mine.” And the system works. But with all of this traffic zipping around all over the place, in full public view, how do we KNOW that we are really connected to our bank, our medical records database, or any other public or private website? Websites are (obviously) easy to create, so copying a popular website and redirecting traffic there would not be difficult. And, unfortunately, the world has no shortage of people who would like to do that.
The original un-secured HTTP web connections never attempted to authenticate or encrypt their connections. Users who knew enough to wonder and worry could only hope that they were actually interacting with the website they intended. And that was fine back when the Internet was just a curiosity. But the Internet has grown into a resource where people conduct business, place orders, exchange stock, refer to their medical histories, perform their banking, and everything else—very much as they do in the physical world. For the “cyber versions” of these activities to be feasible, users expect, need, and must have security and privacy"

https://www.grc.com/fingerprints.htm
Title: Re: The “S” added to the end of the “HTTP” means SECURE.
Posted by: mimas on 14 July 2013 at 20:44:39
Very interesting. A few months ago, I read something about how to fingerprint browsers with installed plugins, fonts and other information provided by the browser when surfing a website. It is amazing to see how an ocean of users can be reduced to small buckets and how anonymity can be mostly erased. I think it was on this website.

> Web browsers trust the identity assertion made by a remote web site when that site presents a certification of its identity that has been signed by a higher authority that the browser already trusts.

This happened in Tunisia, and probably other countries too, when Microsoft helped the government to forge false certificates for man-in-the-middle attacks.

https://news.ycombinator.com/item?id=2138565

The Firefox extension "HTTPS Everywhere" has an SSL Observatory for detecting certificate problems.

https://www.eff.org/deeplinks/2012/02/https-everywhere-decentralized-ssl-observatory