The limitations of HTTPS in a public space

[qubit]

This is probably old news to the experienced, but it's worth reading, especially for those less familiar with computer security and who are using public Wi-Fi or work computers - https encryption won't necessarily keep you safe from snooping.

In short, don't trust your browser's padlock symbol.


Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesn't mean anything if you can't trust the other end of the connection and its upstream signatories. Do you trust CNNIC (China Internet Network Information Centre). What about Turkistan trust or many other “who are they” type certificate authorities?

Even if you do trust whoever issued the certificate it doesn't mean much if the network cannot be trusted. A lot of experts claim “HTTPS is broken” and here is one small example of why. If you sit in a coffee shop and go surfing you can quite easily end up being the victim of a man-in-the-middle (MitM) attack. All a potential attacker needs is a copy of Kali Linux, a reasonably powerful laptop and coffee!

www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place

 

[dorsetknob]

All a potential attacker needs is a copy of Kali Linux, a reasonably powerful laptop and coffee!

Got the coffee got the Torrent Dell XPS17 lap top powerfull enough ?
just joking

 

[Kursah]

Here's another good and recent article about HTTPS to compare how it's viewed and marketed versus what it actually is and isn't.

http://arstechnica.com/security/2016/07/https-is-not-a-magic-bullet-for-web-security/

Kali Linux is fun to mess around with, especially if you like to test your own network security or someone that thinks their network or site is secure.

 

[Nobody99]

That is exactly why we need IPv6 and the IPsec that comes with it.

 

[remixedcat]

people trust FB with anything and they have that pretty padlock

 

[Easy Rhino]

Another awful article from Register. You didn't get hacked because of HTTPS, you got hacked because a hacker broke into the weak ass security coffee shop router.

 

[qubit]

You didn't get hacked because of HTTPS, you got hacked because a hacker broke into the weak ass security coffee shop router.

Yes, the article says that the coffee shop router has to be hacked for this to work... what don't you understand?

Nothing wrong with this article or I wouldn't have put it up.

 

[Easy Rhino]

Yes, the article says that the coffee shop router has to be hacked for this to work... what don't you understand?

Nothing wrong with this article or I wouldn't have put it up.

The article's title implies there is a problem with HTTPS but that is not the case.

Hacked in a public space? Thanks, HTTPS

 

[qubit]

K, see what you mean. Still, it's only the title and the rest of the article is good, no need to be so harsh dude!

I figured the one I made for this thread was more appropriate to the actual issue and didn't click-bait it like the original.

I think we can compare this problem to the one with chip and pin cards and compromised terminals where you stick the card in: once the hacks get down to that level, no technology can keep you safe regardless of the encryption. The kinds of places which tend to have those hacks are some nightclubs and other places which could be seen as dodgy (can't think of any other examples now) but I read an article on how it's done a while back. Basically stick to your regular shopping malls, supermarkets, petrol stations etc and you'll most likely be safe.

 

[lorraine walsh]

Nice read. Just by reading the HTTPS:, normal tech users think that their connection is cent percent encrypted. However the reality is different and even the web is not a safe place now. Last year the internet community witnessed the same threat, the Heratbleed shock, when the data including passwords of millions of tech users were compromised due SSL flaw.

 

[qubit]

Nice read. Just by reading the HTTPS:, normal tech users think that their connection is cent percent encrypted. However the reality is different and even the web is not a safe place now. Last year the internet community witnessed the same threat, the Heratbleed shock, when the data including passwords of millions of tech users were compromised due SSL flaw.

Thankyou and welcome to TPU.

For the experienced user, there's still one way to detect this attack. Every encrypted website has a fingerprint, which is shown in the cert details. For example, TPU has one, see screenshot. A MITM attack can fake the cert, but it can't fake the fingerprint as this will be be generated with a private (secret) key. The site admin would know what it is and will hopefully not let on what it is... So the fake cert will have a different fingerprint, thus revealing the attack. Detecting this, requires that the web browser have previously accessed the encrypted website without a MITM attack and will have stored that fingerprint. It can then compare the fingerprint of the MITM cert with the real one and flag up a mismatch, allowing the user to view the website or not.

GRC has a great article about it, here: https://www.grc.com/fingerprints.htm

TPU's fingerprints are shown at the bottom of this cert:

 

[R-T-B]

That is exactly why we need IPv6 and the IPsec that comes with it.

1.) IPSec is available for IPv4.

2.) It's not on by default in either IPv4, or IPv6. In short, it does nothing because it's not widely deployed. IPv6 will solve nothing there.

 

[qubit]

1.) IPSec is available for IPv4.

2.) It's not on by default in either IPv4, or IPv6. In short, it does nothing because it's not widely deployed. IPv6 will solve nothing there.

Isn't the IPv6 version supposed to be more robust, including things like DNSSEC as part of the spec rather than as an addon?

Agreed the lack of deployment for IPv4 is hamstringing it.

 

[R-T-B]

Isn't the IPv6 version supposed to be more robust, including things like DNSSEC as part of the spec rather than as an addon?

Agreed the lack of deployment for IPv4 is hamstringing it.

I'm running native dualstack right now with comcast and if anything like that was added I missed the bus.