back to article Insecure web still too prevalent: Boffins unveil HSTS wall of shame

How's that migration to "HTTPS everywhere" going? With some Chrome browsers* now flagging insecure sites, there's a lot of work still to do, according to security bods Troy Hunt and Scott Helme. Sceptical looking people check something on a laptop Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks READ MORE …

  1. Dave_uk

    just noticed at number 114 we have..... dah dah.... dailymail.co.uk

    Not as if anyone is really interested!

    Its at the top for the UK:

    https://whynohttps.com/country/gb

    And I never knew it was such an important website.

    1. Shady

      Please be aware that looking at dailymail.co.uk through an insecure connection may enable hijackers to replace content such as bile loaded thinly veiled hate-driven articles with well-researched, unbiased stories, and you would never know.

      You have been warned.

      1. Rich 11

        It's not surprising that the DM remains unaware of the potential for man-in-the-middle attacks given that they are laser-focused on undertaking man-on-the-far-right attacks.

      2. Aladdin Sane

        If Daily Fail started showing well-researched, unbiased stories, their "readership" certainly would notice. Those that can actually read and don't just look at the pictures that is.

  2. Anonymous Coward
    Anonymous Coward

    Fearmongering, Uncertainty and Doubt

    Once again, Troy and Scott massively overstate the problem. It is nonsense to suggest that a website served over HTTP is going to immediately expose you to phishing or malware, which is what they seem to be saying.

    What does it matter if speedtest.net or bbc.com are accessible over HTTP?

    if you want to create an account or login, then those pages are served over HTTPS anyway.

    MITM attacks are not common, and not usually carried out by script-kiddie level perpetrators, they are much more likely to be carried out by ISPs or Governments (Like the Chinese Firewall), who will happily MITM HTTPS as well.

    1. Charles 9

      Re: Fearmongering, Uncertainty and Doubt

      Oh? How do you MITM HTTPS without tripping things like certificate pinning? You keep saying governments can just MITM secure sessions. Why not offer some proof of this?

      1. GnuTzu
        Headmaster

        Re: Fearmongering, Uncertainty and Doubt

        "governments can just MITM secure sessions"

        It requires getting control of trusted CA certs. I suppose they could try and get one of their own listed as trusted, but I think someone would notice.

        1. Anonymous Coward
          Anonymous Coward

          Re: Fearmongering, Uncertainty and Doubt

          Shuould I trust, for example "China Financial Certificate Authority", "GUANG DONG CERTIFICATE AUTORITY CO., LTD", and many others? Do you vet personally every CA that is pre-installed in your OS and browser? Do you believe it's hard for a government to get one listed? Do you check the chain of trust of every certificate a site use?

          1. This post has been deleted by its author

        2. stephanh

          Re: Fearmongering, Uncertainty and Doubt

          FYI, the Japanese, Dutch and Taiwanese government have their own CA.

          1. Nick Stallman

            Re: Fearmongering, Uncertainty and Doubt

            The argument about government CAs isn't a good one.

            You can always verify who issued a particular certificate, so if you went to Google.com and you noticed their SSL certificate was issued by a Chinese CA it would be blatantly obvious.

            For most potential targets various monitoring would pick it up so manually verifying it each certificates CA isn't needed - it'll be noticed by others.

            1. Anonymous Coward
              Anonymous Coward

              "it'll be noticed by others."

              No, if I were a government agency and I'm doing MITM for specific targets, I wouldn't do a blank replacement of certs for everybody - I would specifically target only the "people of interest" - exactly to avoid easy spotting.

              Again, how many do check the chain of trust of a certificate? Pinning could help, but it has its disadvantages, and Chrome removed it, while MS never used it. And if badly implemented, it's still vulnerable:

              https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html

        3. ma1010
          Big Brother

          Re: Fearmongering, Uncertainty and Doubt

          They do it where I work, a complete MITM attack on almost all web sites (they did leave out some banking sites). The "official" browser is IE, and our intrepid IT department installed a bogus certificate in the Windows certificate store to keep IE quiet about it, and also Chrome, because it uses the Windows certificate store.

          Fortunately, I use Firefox, which has its own store that hadn't been tampered with, so I was warned immediately. I deleted private accounts I had at work (mainly IMAP email) off my work computer and changed all the passwords.

        4. Anonymous Coward
          Anonymous Coward

          Re: Fearmongering, Uncertainty and Doubt

          It requires getting control of trusted CA certs. I suppose they could try and get one of their own listed as trusted, but I think someone would notice.

          I'm not sure I understand your point. I would have thought the TLAs have access to the original signing cert and just create their own certificate for google.com and happily sit in the middle.

      2. brotherelf

        Re: Fearmongering, Uncertainty and Doubt

        You mean that certificate pinning which is already on the way out again (deprecated in Chrome) before it's even fully arrived (no support in Edge yet), because between short-lived certs and spare private keys, you actually need some amount of planning to deploy it reliably?

  3. This post has been deleted by its author

  4. iron Silver badge

    "Twitter's T.co URL shortener, the BBC (.com), Fox News, Speedtest.net, Fedex, 4chan, or Australia's ABC or Bureau of Meteorology (to name just a few) have no such excuse."

    For most of these who the hell cares? What is so secret about the weather forecast? I can look out the window and see it. Or a speed test, a short URL that redirects to a longer URL or news? None of these things need to be encrypted.

    1. MAH

      I agree, this whole everything must be secured is absolutely stupid. If the site doesn't do login's, it doesn't need an ssl certificate. Its not like every site being secure actually adds to any protection from phishing sites...90% of them nowadays are just registering domains, setting up email, getting a lets encrypt certificate and voila from zero to phishing in 15 minutes....sheeple are stupid and will click links anyhow without looking at the address anyhow. www.micr0soft.com is the same as www.microsoft.com to most people anyhow...

      How exactly is that site now NOT giving an SSL warning really providing people with better security?

    2. Anonymous Coward Silver badge
      Pirate

      HTTPS isn't just about hiding the content. It's also about proving that the content is intact, as it left the source server, and that the source server is who they claim to be.

      That URL shortener, for example, if someone MITMs that they can make any shortened URL redirect to a site of their choosing. That opens the door to all manner of phishing attacks. (URL shorteners are a ludicrous blight anyway, but that's off-topic)

      At a bare minimum level, a MITM could change the advertising token so that the site's authors no longer receive the credit for that advertising, but the attacker does instead...

      1. Charles 9

        And we KNOW that unencrypted HTTP CAN AND HAS been MITM'd--ubiquitously--to the point of not being trustworthy anymore. Not just with the Chinese Cannon but with the Verizon Supercookie, among other things (and note, the latter means the US is involved, too, so no Chinese outs for you).

      2. Kevin McMurtrie Silver badge

        And this is exactly why HTTP should support digital signatures. There's tons of content that's always in public view and there's no need to keep it secret. You just want tamper resistance. SSL slows down low power devices.

        1. Nick Kew

          SSL slows down low power devices.

          Not just low-power devices!

          HTTPS is far, far worse than that. It buggers up web caching. The effect of that on web traffic is like taking 1000 people off a commuter train and putting each of them in a car to clog up the roads!

          1. Anonymous Coward
            Anonymous Coward

            But, to extend the analogy, if you know one of them is a suicide bomber, at least that bomber would only blow up the one car, not the hundreds of passengers in his/her vicinity.

        2. Charles 9

          "You just want tamper resistance. SSL slows down low power devices."

          But encryption is the only way to ensure the signature isn't also altered on the fly to match. If not the page itself, then the signature must use some system where someone without an authentication certificate can't just change the page then change the signature to match.

      3. Nick Kew

        HTTPS isn't just about hiding the content. It's also about proving that the content is intact, as it left the source server, and that the source server is who they claim to be.

        Sometimes that matters. Other times it really doesn't: who cares if it was some anonymous MITM who inserted your comment? And there are much-lower-overhead ways to achieve such goals: for example, the rarely-used Content-MD5 HTTP header offers a way to verify intactness of content against accidental damage, and similar use of a cryptographic signature such as PGP could protect where it really matters.

        There are also legitimate reasons to rewrite content on the fly. My own involvement with such go back to about 2002 when I was working on accessibility tools, and provided a proxy that would rewrite elements of HTML on-the-fly to make it more readable to someone with a linear or text-only browser. Remove some of hurdles faced by blind users, or by Granny Arthritic who stands no chance chasing script-driven menus with a mouse.

        1. Charles 9

          "Sometimes that matters. Other times it really doesn't: who cares if it was some anonymous MITM who inserted your comment?"

          What if the comment was actually malware? Chinese Cannon inserted malware in unencrypted pages, what's to stop anyone else, and it need not be JavaScript, it could be something that could pass through even NoScript, for all we know.

        2. Charles 9

          "Remove some of hurdles faced by blind users, or by Granny Arthritic who stands no chance chasing script-driven menus with a mouse."

          Threaten the webmaster with lawsuits for NOT complying with accessibility acts which require pages that are usable for, say, screen readers for the blind.

    3. david 12 Silver badge

      The people who care are the pensioners and underemployed, using old technology to access sites like the ABC and the BBC, who won't be able to access those services with large-key HTYPS

      1. Charles 9

        How old of a technology does it have to be to be TOO old for this stuff. Hell, I have a $150 and $300 laptop that can do the whole shebang handily and are quite affordable, so HOW old are we talking?

  5. Aladdin Sane
    Facepalm

    Advice from Aunty, regarding HTTP websites

    From their own article:

    To stay safe, pick a hard-to-guess password

    1. Mark 85

      Re: Advice from Aunty, regarding HTTP websites

      From other El Reg articles, maybe something like "dogdogdogcatmouse"?

      1. DropBear
        Trollface

        Re: Advice from Aunty, regarding HTTP websites

        maybe something like "dogdogdogcatmouse"

        Passable, but for real security use a cryptid-based one instead, like "sasquatchogopogochupacabra" - I mean "crypto" is right there in the name...

    2. Anonymous Coward
      Anonymous Coward

      Re: Advice from Aunty, regarding HTTP websites

      But a hard to guess password is also hard to remember, especially for someone with a bad memory, no personal store trustworthy enough, and a hundred other logins to remember at the same time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Advice from Aunty, regarding HTTP websites

        The simplest way to make a hard to guess password that is memorable is to use a film quote or song lyric etc.

        Using "Frankly, my dear. I don't give a damn." from Gone With the Wind, which was released in 1939, you get something like:

        FmdIdgad!GWTW1939

        If you aren't geeky about songs or films, pick something you have a wide field of knowledge about, it makes it easier.

        1. Charles 9

          Re: Advice from Aunty, regarding HTTP websites

          No, because hackers aren't stupid. Those kinds of mnemonics can be easily figured out, and if you try to mangle them to make them harder to remember, you make them harder for YOU to remember. Even xkcd's famed method has flaws, especially as the site count rises (Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong?)

  6. john.jones.name

    update to DANE at the same time...

    simply pin your CA into your DANE DNS record and it buys you a little more coverage...

  7. Pascal Monett Silver badge

    I protest

    I followed the link and, to my surprise, found leboncoin.fr in their list.

    LeBonCoin has been HTTPS for a while now. When did they compile that list ?

    In any case, they're not maintaining it.

  8. Aodhhan

    Not shocked...

    This is a lot more common than most people think. The reason is pretty simple. For corporations who don't use experienced penetration testers and rely on application and web scanning tools. This is because findings from these scanning tools typically state HSTS and other "header" misconfiguration findings are considered "LOW". Because of this, the risk is typically accepted or placed deep in the queue to be fixed.

    For those who hire good penetration testers or have them on staff, they will consider most header findings as a medium; even for internal sites (it doesn't take long to fix) to ensure these findings are corrected. Once the developers and middleware admins get used to this, it doesn't take them long to ensure all headers are correctly added and configured for each site.

  9. Anonymous Coward
    Anonymous Coward

    this obsession with https is overstated, especially when you're more likely to get f*cked by companies mishandling the data you willingly gave to them anyway.

    https is good for verifying the authenticity of the message. but that's it. if we're seriously going to be talking about it in terms of security, we need to focus on other, more common vulnerabilities instead. eg user training, data handling policies such as gprd, tougher fines for security negligence by companies etc.

    1. Charles 9

      User Training is a lost cause when you're up against Joe Stupid. The only solution there is a license to use the Internet, and do you REALLY want to license things done in the privacy of homes? As for data handling policies, that's going to be difficult to enforce outside the EU, especially for sites whose contents and handlers never touch Europe.

  10. Electronics'R'Us

    https helps prevent this

    Comcast (amongst others, apparently), likes to inject their own code to websites requested.

    https://thenextweb.com/insights/2017/12/11/comcast-continues-to-inject-its-own-code-into-websites-you-visit/

  11. alex_t
    Thumb Up

    Great project!

    Since the site is online, at least 5 big companies switched to HTTPS! HTTPS is very hard to hack, so I think we will see 90% less hacks, as soon as all sites switched to HTTPS!

    Troy Hunt and Scott Helme are heroes for fighting so hard for our security!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon