
EFF: New 'HTTPS Everywhere' Version

From:  EFF Press <press-AT-eff.org>
To:  presslist-AT-eff.org
Subject:  EFF: New 'HTTPS Everywhere' Version Warns Users About Web Security Holes
Date:  Tue, 28 Feb 2012 07:52:54 -0800
Message-ID:  <4F4CF856.70802@eff.org>

Electronic Frontier Foundation Media Release

For Immediate Release: Tuesday, February 28, 2012

Contact:

Peter Eckersley
   Technology Projects Director
   Electronic Frontier Foundation
   pde@eff.org
   +1 415 436-9333 x131

New 'HTTPS Everywhere' Version Warns Users About Web Security Holes

Firefox Browser Extension Detects and Notifies Users of Encryption Weaknesses

San Francisco - The Electronic Frontier Foundation (EFF)
launched the 2.0 version of HTTPS Everywhere for the
Firefox browser today, including an important new update
that warns users about web security holes.

The "Decentralized SSL Observatory" is an optional feature
that detects encryption weaknesses and notifies users when
they are visiting a website with a security vulnerability –
flagging potential risk for sites that are vulnerable to
eavesdropping or "man in the middle" attacks.

"In recent weeks, an unexpected weakness in the encryption
used by many routers, firewalls and VPN devices made big
news," said EFF Technology Projects Director Peter
Eckersley.  "The new version of HTTPS Everywhere for
Firefox will let users know when they connect to a website
or device that has a security problem – including weak key
problems like the ones that were disclosed two weeks ago –
giving people the information they need to protect
themselves."

The HTTPS Everywhere browser extension has already been
installed more than a million times since it was first
launched in 2010 in collaboration with the Tor Project.
HTTPS Everywhere helps secure web use by encrypting
connections to more than 1,400 websites, using carefully
crafted rules to switch sites from HTTP to HTTPS whenever
possible, increasing your security and privacy.  Without
HTTPS, your online reading habits and activities are
vulnerable to eavesdropping, and your accounts are
vulnerable to hijacking.
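To show what "carefully crafted rules to switch sites from HTTP to HTTPS" amounts to in practice, here is an added example of a rule-based rewriter. It is not EFF's or the Tor Project's code; the ruleset shape (target hosts, ordered regex rules, exclusions) is modelled on the general idea described above, and the hosts and rules in it are constructed for this illustration, not taken from the real HTTPS Everywhere ruleset.

```python
"""Rule-based HTTP->HTTPS URL rewriter (added illustration, not EFF code).
A ruleset names the hosts it covers, a list of (regex, replacement) rules
applied in order, and exclusion regexes for URLs that must stay on HTTP."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Ruleset:
    name: str
    targets: list                       # hosts; "*.example.com" covers subdomains
    rules: list                         # (from_regex, to_template), first match wins
    exclusions: list = field(default_factory=list)  # regexes that opt a URL out

    def matches_host(self, host):
        """True if this ruleset is responsible for `host`."""
        for target in self.targets:
            if target.startswith("*."):
                suffix = target[1:]     # ".example.com"
                if host.endswith(suffix) and host != suffix:
                    return True
            elif host == target:
                return True
        return False

    def apply(self, url):
        """Return the rewritten URL, or None if excluded / no rule matched."""
        for pattern in self.exclusions:
            if re.search(pattern, url):
                return None
        for pattern, template in self.rules:
            new_url, count = re.subn(pattern, template, url, count=1)
            if count:
                return new_url
        return None


# Constructed sample rulesets; the hosts are placeholders, not real rules.
RULESETS = [
    Ruleset(
        name="Example",
        targets=["example.com", "*.example.com"],
        rules=[(r"^http://(www\.)?example\.com/", "https://example.com/")],
        # Hypothetical host whose HTTPS side is broken, so it is left alone.
        exclusions=[r"^http://static\.example\.com/"],
    ),
    Ruleset(
        name="Example Search",
        targets=["search.example.org"],
        rules=[(r"^http://search\.example\.org/", "https://search.example.org/")],
    ),
]


def rewrite(url, rulesets=RULESETS):
    """Return the HTTPS form of `url` if a ruleset covers it, else `url`."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url                      # already https, or not a web URL
    host = parts.hostname or ""
    for ruleset in rulesets:
        if ruleset.matches_host(host):
            rewritten = ruleset.apply(url)
            if rewritten is not None:
                return rewritten
    return url


if __name__ == "__main__":
    for sample in ("http://www.example.com/page?q=1",
                   "http://static.example.com/logo.png",
                   "http://search.example.org/?q=lwn",
                   "http://other.invalid/"):
        print(sample, "->", rewrite(sample))
```

The host match is done on the parsed hostname rather than on the raw string, so a URL such as `http://other.invalid/example.com/` is not mistaken for a covered site; the regex rules then only have to express how the URL changes. Exclusions are checked before any rule, which is what keeps a site with a known-broken HTTPS endpoint on plain HTTP instead of producing certificate warnings.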

"EFF and the Tor Project created HTTPS Everywhere to make
it easier for people to keep their usernames, passwords,
and browser histories secure and private.  Now, the 2.0
release also gives Internet users more information about
deeper security problems they couldn't spot on their own,"
said Eckersley.  "This is an extra level of protection that
we encourage Firefox users to download, install, and use."

The user interface for HTTPS Everywhere for Firefox has now
been translated into 12 languages, as browser security is
critical in countries around the world.

Also available today is a beta version of HTTPS Everywhere
for the Chrome browser.  The Chrome release includes the
increased encryption features available in the Firefox
version, but it does not yet notify users of weak key
vulnerabilities and other certificate problems.

To download or update HTTPS Everywhere:
https://www.eff.org/https-everywhere

For this release:
https://www.eff.org/press/releases/new-https-everywhere-v...

About EFF

The Electronic Frontier Foundation is the leading
organization protecting civil liberties in the digital
world. Founded in 1990, we defend free speech online, fight
illegal surveillance, promote the rights of digital
innovators, and work to ensure that the rights and freedoms
we enjoy are enhanced, rather than eroded, as our use of
technology grows. EFF is a member-supported organization.
Find out more at https://www.eff.org.


     -end-





'HTTPS Everywhere' is a PITA

Posted Feb 28, 2012 20:42 UTC (Tue) by HelloWorld (guest, #56129) [Link]

Really, what is it supposed to be good for? There's simply a lot of data which doesn't need to be encrypted and where encryption is just a waste of energy and processing power. On the other hand, I keep getting Firefox's super-annoying I-don't-like-self-signed-certificates-so-please-add-this-site-to-a-whitelist dialog. So please, PLEASE, could somebody just kill off this HTTPS everywhere nonsense?

'HTTPS Everywhere' is a PITA

Posted Feb 28, 2012 21:42 UTC (Tue) by paravoid (subscriber, #32869) [Link]

While the name is "HTTPS *everywhere*", that's not actually what it does. It just forces HTTPS to websites that are known to be important for your privacy, like your Google searches or your favorite social media website.

I've been using it for some time and it's really worth it. Especially on laptops, where anyone can be snooping your WiFi and profiling you.

'HTTPS Everywhere' is a PITA

Posted Feb 28, 2012 22:10 UTC (Tue) by josh (subscriber, #17465) [Link]

HTTPS Everywhere specifically doesn't add rules which point to sites using self-signed certificates. If you encounter a self-signed certificate due to an HTTPS Everywhere rule, report it as a bug.

And I strongly disagree that any data "doesn't need to be encrypted". I want *everything* encrypted, to avoid singling out encrypted data as sensitive, and to avoid mistakes about the sensitivity of information. (I also want to ensure that ISPs don't get to care about types of traffic; only endpoints should ever get to see unencrypted data.) For similar reasons, I use full-disk encryption, not because I care if people can read /bin/ls, but because I don't want to worry about bugs in arbitrary programs that might write sensitive data to locations outside of an encrypted $HOME.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 0:19 UTC (Wed) by HelloWorld (guest, #56129) [Link]

I disagree with you. It is utterly pointless to encrypt, say, the traffic between lwn.net and my machine, as all information I'm retrieving is publicly viewable or can be obtained for a small amount of money.
Whether some data is sensitive or not can most of the time be figured out based on the host you're communicating with. lwn.net? Not so sensitive. citibank.com? Probably more so. Also, what's the problem with singling out sensitive information? As long as whoever is eavesdropping on you can't decrypt the data everything is fine, and if you question this assumption, you shouldn't be transmitting sensitive data at all.
So sorry, but encrypting everything no matter what still seems like a bad idea to me. Especially considering that most people are already annoyed by all the expired and self-signed certificates that are being used in all kinds of places, leading to bad habits regarding certificate checking.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 0:33 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

The point is not whether you care if the stuff you are sending is insensitive/sensitive - the point is whether the stuff you are sending/receiving is actually the stuff that's being sent/received - man in the middle.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 1:11 UTC (Wed) by sjj (subscriber, #2020) [Link]

You do know that you can buy firewalls that do automatic man-in-the-middle between your client and a server out there on the internet? They basically impersonate the server, and create a server cert on the fly.

Many corporations use these nowadays.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 1:46 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

I do understand - in that case I have to trust my organization's root certificate, at which point I know what's going on. I would certainly not expect this when I am browsing at home.

Google Chrome issues me a warning that the site's certificate is not trusted and I have to import my organization's "root certificate". It even refuses to allow me further without importing it.

I would ask PITA or be secure?

Posted Feb 29, 2012 9:55 UTC (Wed) by puchalakd (guest, #28036) [Link]

Please remember that when you are viewing something that isn't encrypted, someone can simply modify that traffic and, for example, add an exploit designed for your web browser or plug-in.

It's not only about "this information is public, or private" it's about your security.

I have a strong belief that LWN editors wouldn't include anything malicious. But the problem is that I'm using the internet in a lot of different places and I don't have such strong confidence that the owners (the real ones, or the ones that "hack" into it) would not modify my traffic just because they can.

Please, take a look at the funny way to modify internet web access:
http://www.ex-parrot.com/~pete/upside-down-ternet.html
(rotate images in webpages, or make them blurry :) )

But someone can make those modifications more malicious. Include whatever they want! And there is a pretty high chance that your browser will run this.
Unless you are very paranoid :)

Another problem is that even if I browse my favorite web site using HTTPS, there can still be some connections which are not secure.
Many sites are using external scripts, images, ads, tracking and so on.

If only one of these connections is not encrypted, someone can modify that traffic and change it to something malicious. And even this famous green bar with HTTPS would help you.

If someone wants to protect himself/herself, or is just curious what is really loaded with a webpage, please install and try the RequestPolicy Firefox add-on.
https://addons.mozilla.org/en-US/firefox/addon/requestpol...

So it's not just a problem of "Do I have something to hide when I'm browsing the net?"

The real problem is I don't want to be infected, lose control over my account @..., let someone post something that will make me look stupid, etc.

I would ask PITA or be secure?

Posted Feb 29, 2012 14:44 UTC (Wed) by ewan (subscriber, #5533) [Link]

"rotate images in webpages, or make them blurry :)"

This is not always done as a result of people being funny; a significant fraction of mobile network operators will intercept requests for JPEG files and re-compress them to lower quality to save over-the-air bandwidth; this is a recurring source of complaints about poor image quality being posted to Flickr's help forum. Using HTTPS everywhere prevents that sort of misbehaviour.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 1:09 UTC (Wed) by gioele (subscriber, #61675) [Link]

> I disagree with you. It is utterly pointless to encrypt, say, the traffic between lwn.net and my machine, as all information I'm retrieving is publicly viewable or can be obtained for a small amount of money.

If you are logged in to lwn.net, your cookies will be sent in plain text as well. Once the attacker knows your session cookie, they can hijack your session.

OWASP has a page about it [1]. Small tools like Firesheep make session hijacking a point-and-click task.

Another reason to want encrypted traffic everywhere is that your browsing habits can be monitored. Google already has your search history; do you want your ISP to have it as well? (Yes, your ISP is collecting it [2].)

[1] https://www.owasp.org/index.php/Session_hijacking_attack
[2] https://www.eff.org/wp/six-tips-protect-your-search-privacy
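The cookie point above is easy to check for on the defending side. The following added example (not the commenter's code, and not from OWASP or EFF) audits the Set-Cookie headers of a server response for the two attributes that determine whether a session cookie can travel in the clear: Secure, without which the browser sends the cookie on any http:// request to the site, and HttpOnly, without which page scripts can read it. The response headers and cookie names are constructed for the illustration.

```python
"""Audit Set-Cookie headers for attributes that keep session cookies off
plain-text connections.  Added example; the responses below are constructed,
not captured from lwn.net or any other site."""
import re

# Constructed name fragments that usually mark a session/auth cookie.
SESSION_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; valueless attributes map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, served_over_https):
    """Return the list of problems for one Set-Cookie header.  An empty
    list means the cookie is confined to HTTPS and hidden from scripts."""
    _, _, attrs = parse_set_cookie(header_value)
    problems = []
    if not served_over_https:
        problems.append("set over plain HTTP: value already exposed on the wire")
    if "secure" not in attrs:
        problems.append("missing Secure: browser will also send it over http://")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by scripts on the page")
    return problems


def audit_response(scheme, headers):
    """Audit every Set-Cookie header in a response.

    `headers` is a list of (name, value) tuples, the shape most HTTP client
    libraries give back.  Only cookies whose names look session-like are
    reported; the result maps cookie name -> list of problems."""
    https = scheme.lower() == "https"
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, _, _ = parse_set_cookie(hvalue)
        if not SESSION_HINT.search(cname):
            continue            # preference cookies are out of scope here
        findings[cname] = audit_cookie(hvalue, https)
    return findings


# Constructed sample responses: one from a plain-HTTP page, one hardened.
PLAIN_HTTP_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=deadbeef1234; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_HTTPS_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=deadbeef1234; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for scheme, hdrs in (("http", PLAIN_HTTP_HEADERS),
                         ("https", HARDENED_HTTPS_HEADERS)):
        print(scheme, audit_response(scheme, hdrs))
```

Run against the plain-HTTP sample the audit reports the session cookie twice over: it was issued on an unencrypted page, and it lacks Secure, so even after the user later switches to HTTPS the browser would still attach it to any http:// link into the same site. The hardened sample reports nothing for SESSIONID, which is the state a rewrite-to-HTTPS rule (such as the ones the press release describes) relies on to make the switch actually protect the login.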

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 2:09 UTC (Wed) by HelloWorld (guest, #56129) [Link]

OK, I must admit that you have a point there.

'HTTPS Everywhere' is a PITA

Posted Mar 3, 2012 12:17 UTC (Sat) by spiv (subscriber, #9031) [Link]

Are you really saying that, or did someone hijack your session? :)

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 5:15 UTC (Wed) by Kit (guest, #55925) [Link]

Here's a major reason everything should be encrypted by default: Iran.

Right now, Iran is blocking any encrypted connections (HTTPS is dead, so is SSH, as well as many other things). They're using Deep Packet Inspection to monitor, and once they detect the usage of anything like SSL, the connection is terminated. Iran does this, and pretty much nobody cares, because the Internet is still working there (it's just completely insecure now).

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 7:16 UTC (Wed) by josh (subscriber, #17465) [Link]

Exactly. Making all traffic encrypted makes "blocking encrypted traffic" synonymous with "turning off the Internet", and it should.

'HTTPS Everywhere' is a PITA

Posted Feb 29, 2012 8:16 UTC (Wed) by ekj (guest, #1524) [Link]

Indeed. Insisting on encrypting everything, everywhere, always is simply good architecture in a world where there are a lot of bad actors with the power to snoop. The government of Iran is just a single example.

Forcing them to either block access completely, or allow encrypted (i.e. uncontrolled) communication, would be a major step forward. Because it's easy for people to ignore that https://google.com/ ain't working, but the moment google.com isn't working at *ALL* a lot more pressure is put on the regime. i.e. it would raise the *cost* of monitoring and/or censorship, and that's a good thing.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds