* Posts by iwrconsultancy

7 posts • joined 22 Jan 2018

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

iwrconsultancy

Cartel situation.

SSL/HTTPS is supposed to protect high importance sites, and when used correctly, it does so.

The mass rollout compromises its ability to protect high importance sites.

We already have a situation with Let's Encrypt, where a fraudster can very easily create a spoof site with a padlock, something which would have been difficult when that required a proper certificate involving human checking of the request. Thus, the value of SSL as an indicator of safety on banking sites has been seriously degraded.

That, and on sites with advertising, HTTPS does NOT prevent MITM attacks, because any advertiser can inject a keylogger into the browser. Guess who serves most of the advertising? Yep, the same corporation pushing universal HTTPS.

Perhaps worst though, is the blaze of propaganda that's been put around hyping SSL as a 'miracle cure' for IT security. This is no less than snake oil selling. SSL has its uses, as does snake oil (it's actually for rubbing on sore feet). Neither is a cure-all though, and by convincing people that it will offer blanket protection it will lead to other more effective protective measures being dropped. That will be bad. It will result in people being hit by ransomware, etc. when they otherwise might have taken effective precautions.

Our analysis:

https://iwrconsultancy.co.uk/blog/https

Don't panic... but our fragile world is drifting away from the Sun

iwrconsultancy

"The Sun loses about 4 million tonnes a second from fusion"

Clearly this is unsustainable. We need to replace it with renewable energy.

HMRC dev support team cc blurtfest: Over 1,400 email addresses blabbed

iwrconsultancy

Re: The CC error

Likewise, all webservers should ask, "Are you sure you want to publish your email address on this page for harvesting by the spambots? Only respond Yes if you love getting p*nis-pill adverts in your inbox."

The Register Lecture: What will drive our cars when the combustion engine dies

iwrconsultancy

Battery cars - a premature technology

I just think that forcing a switch to battery cars will turn out like the forced switch to CFL lightbulbs. A better tech came along not long after in the shape of the LED. Suddenly, you couldn't sell the things, not even for 20p each. Forcing the premature uptake of a new technology seldom turns out well.

Fuel cell technology may well advance to the point where it can replace the IC engine, using similar fuels. Or, perhaps alcohols. If that is developed in a few years time then there will be a monster pile of battery cars that nobody wants. Which will not be good for the environment.

We have been using IC engines for a century anyway. There is no justification for a mad rush to replace them. The Green Party pollution scare claims don't seem to be backed up by DEFRA figures, which indicate that pollution levels have fallen over the last few decades, not increased. Who is telling the truth here? Personally, I'd go with DEFRA.

Then again, most existing IC engines can be modified to use hydrogen. The efficiency is not quite as good as a fuel cell, but the capital cost is far lower and the pollution reduction about the same.

We should wait for a better solution. Especially as developments like the Bloom Box suggest that it might not be far away.

Mozilla edict: 'Web-accessible' features need 'secure contexts'

iwrconsultancy

Re: Dr Marvel's wonder liniment...

I stand corrected in that individual page hits cannot be tracked by a MITM. The full URL is not sent until after the SSL handshake. Site hits can though. As can the browser you are using and quite a lot of other info.

Connections made when opening this page:

Host: forums.theregister.co.uk:443

Host: fonts.googleapis.com:443

Host: nir.regmedia.co.uk:443

Host: www.theregister.co.uk:443

Host: www.googletagservices.com:443

Host: clients1.google.com

Host: regmedia.co.uk:443

Host: fonts.gstatic.com:443

Host: clients1.google.com

Host: stats.g.doubleclick.net:443

Host: a.dpmsrv.com:443

Host: ib.adnxs.com:443

Padlock info only shows a cert for theregister.co.uk, as if this is the only data source. The other sites are all SSL and therefore must use certs, but it's as if these certs do not exist.

Since I can't access the cert info, I have no way of knowing if they are who they claim to be. (Not that I necessarily trust them all anyway!) One might well be a link inserted into an advert by a hacker, pointing to his own site using Let's Encrypt and serving a js keylogger. The browser would not flag any warning if that was the case.

By no means the worst example, try a tabloid and there may be 50 connections, some to very dodgy sites.

I don't know if elreg uses any special sandboxing of js or logins, but most sites do not. In which case any of these sites can crib the forum password.

iwrconsultancy

Dr Marvel's wonder liniment...

"What I am not OK with is for my ISP to know which articles I read.."

It's amazing how many people have unrealistic expectations about the security offered by HTTPS.

It DOES NOT prevent your ISP from tracking sites or pages you visit.

It DOES NOT prevent advertisers from acting as MITM, and reading passwords you type into the main website. Or, even logging all keystrokes typed into the browser. It is a trivial piece of coding to demonstrate that this is still possible on an HTTPS site.

It DOES NOT prevent the kind of mass password thefts we've seen so many of in the news recently. This is because the password is decrypted as soon as it arrives on the webserver. Just in time for a malicious process planted on that server to snaffle it.

It DOES NOT correctly identify the source of the data you see in the browser. The 'padlock' info fails to mention that data is also being supplied under numerous other certificates, as well as the declared one.

When HTTPS is used for its intended purpose (protecting single-origin banking transactions) it does the job it was designed to do. It is not HTTPS which is at fault here. It is the hard-sell marketing hype which is the problem.
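The two posts above make the same point from two directions: the padlock vouches for one certificate, while the page actually pulls scripts, images and frames from a dozen other origins, and any script among them runs with full access to the page. The check a practitioner would want is to enumerate those origins from the page source, flag third-party scripts loaded without Subresource Integrity, and turn the result into a Content-Security-Policy that names every origin the page is allowed to trust. The script below is an added example, not code from the posts or from The Register; the sample HTML is constructed for illustration, with host names borrowed from the connection list in the earlier post but made-up paths and a placeholder integrity value.

```python
"""
Audit the origins a page loads from, flag third-party scripts without
Subresource Integrity, and suggest a Content-Security-Policy.

Added example, not code from the original forum posts. SAMPLE_HTML is
constructed: host names echo the connection list quoted in the post,
but the paths and the integrity hash are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "https://www.theregister.co.uk/forums/"

# Constructed page: first-party HTML pulling in fonts, an ad-tag script,
# one SRI-pinned script, a first-party script, a tracking pixel, an ad
# frame, and the login form that every one of those scripts can read.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.googletagservices.com/example/tag.js"></script>
<script src="https://regmedia.co.uk/example/site.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="/static/forum.js"></script>
</head><body>
<img src="https://stats.g.doubleclick.net/example/collect">
<iframe src="https://ib.adnxs.com/example/frame"></iframe>
<form action="/login"><input type="password" name="pw"></form>
</body></html>
"""

# Tag/attribute pairs that make the browser open a connection, and the
# CSP directive that governs each of them.
RESOURCE_TAGS = {
    "script": ("src", "script-src"),
    "img": ("src", "img-src"),
    "iframe": ("src", "frame-src"),
    "link": ("href", "style-src"),  # only rel=stylesheet is counted below
}


def origin_of(url):
    """scheme://host[:port], lower-cased. This is what the browser's
    same-origin policy compares; the path plays no part."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class ResourceCollector(HTMLParser):
    """Collects (tag, directive, origin, has_sri) for each fetched resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        spec = RESOURCE_TAGS.get(tag)
        if spec is None:
            return
        attr_name, directive = spec
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        url = a.get(attr_name)
        if not url:
            return
        # Relative URLs resolve against the page, so they stay first-party.
        absolute = urljoin(self.page_url, url)
        self.resources.append((tag, directive, origin_of(absolute), "integrity" in a))


def audit(page_url, html):
    """Return the origins the page trusts beyond the one the padlock shows."""
    page_origin = origin_of(page_url)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    third_party = sorted({o for _, _, o, _ in collector.resources if o != page_origin})
    # A third-party script without SRI can be swapped for anything, including
    # a keylogger, without the browser noticing or the padlock changing.
    scripts_without_sri = sorted({o for t, _, o, sri in collector.resources
                                  if t == "script" and o != page_origin and not sri})
    by_directive = {}
    for _, directive, o, _ in collector.resources:
        if o != page_origin:
            by_directive.setdefault(directive, set()).add(o)
    return {
        "page_origin": page_origin,
        "third_party_origins": third_party,
        "scripts_without_sri": scripts_without_sri,
        "by_directive": {d: sorted(v) for d, v in by_directive.items()},
    }


def suggested_csp(report):
    """Allow-list exactly the origins found; everything else is refused."""
    parts = ["default-src 'self'"]
    for directive in ("script-src", "style-src", "img-src", "frame-src"):
        hosts = report["by_directive"].get(directive)
        if hosts:
            parts.append(" ".join([directive, "'self'", *hosts]))
    return "; ".join(parts)


if __name__ == "__main__":
    report = audit(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("Padlock origin:     ", report["page_origin"])
    print("Also loads from:    ", *report["third_party_origins"], sep="\n  ")
    print("Scripts without SRI:", *report["scripts_without_sri"], sep="\n  ")
    print("Suggested CSP:      ", suggested_csp(report))
```

Two caveats a practitioner would apply. First, a static parse only sees the first hop: the Google Fonts stylesheet in turn fetches from fonts.gstatic.com, and ad tags chain to further networks, which is why the post's live connection list is longer than the HTML suggests; deploy the generated policy as Content-Security-Policy-Report-Only first and extend it from the violation reports. Second, CSP and SRI limit which scripts load, not what a permitted script can do once it runs; a third-party script that must not see the login form belongs in a sandboxed cross-origin iframe rather than in the page.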

The Reg visits London Met Police's digital and electronics forensics labs

iwrconsultancy

Re: A question for all my fellow (and fellowess) El-Reg readers.

"it takes a lot more effort and money to change a face."

That, and unless you're going to dress like Tony Stark, it's kinda like a post-it note perched on top of your body.

Biting the hand that feeds IT © 1998–2019