On Wed, 19 Jan 2011 05:52:47 -0800, Kelly Clowers wrote:
> On Wed, Jan 19, 2011 at 04:57, Camaleón wrote:
>> On Wed, 19 Jan 2011 03:29:15 -0800, S Mathias wrote:
>>
>>> 3) Can someone trust this Add-on? Is it safe to install/use?
>>
>> I don't like/trust anonymous (even encrypted) proxy sites.
>
> Why don't you like them (I get not trusting them), and what does that
> have to do with https everywhere?
As I already said, I thought Tor (a multi-proxy and encrypted network)
was somehow being used with this addon.
>>> What's your opinion? Or answer? :
>>
>> My opinion is that I don't want to encrypt all the traffic, at least
>> not with the slow DSL connections/hosts we have now (loading a single
>> page will take seconds). I prefer to leave the SSL/TLS for sensitive
>> data (logins, etc...).
>
> SSL/TLS isn't going to add enough overhead to the packets to make a real
> difference unless you are something slower than DSL.
>
> As far as the encryption/decryption goes, unless you are on a smartphone
> or netbook or a really old computer, it will not matter to you. If
> enough people do it, it will matter to the servers, but that is what
> capacity planning and NICs with encryption offloading engines are for.
I tried many times to use Google services via https (the search engine
and Gmail's webmail) but finally left it because I experience a bit of
delay when running all the javascript and their dynamic stuff. This is
just an example, I know, but encrypted sites have to be very well
configured to avoid noticeable delays.
>> Or better yet, provide a "hardware" solution for transparently encrypt
>> all the data and its transport. Software is slow >:-)
>
> See "NICs with encryption offloading engines" above.
That's interesting, I have read more on this.
Greetings,
--
Camaleón
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/pan.2011.01.19.15.02.57@gmail.com
01-19-2011, 02:53 PM
Curt Howland
Let's talk about HTTPS Everywhere
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 19 January 2011, Camaleón <noelamac@gmail.com> was heard
to say:
> Data stored in cookies is not what I understand for "sensitive".
> What kind of information do you think are cookies managing?
Maybe this would be enlightening:
http://codebutler.com/firesheep
FTA:
"It's extremely common for websites to protect your password by
encrypting the initial login, but surprisingly uncommon for websites
to encrypt everything else. This leaves the cookie (and the user)
vulnerable. HTTP session hijacking (sometimes called "sidejacking")
is when an attacker gets a hold of a user's cookie, allowing them to
do anything the user can do on a particular website. On an open
wireless network, cookies are basically shouted through the air,
making these attacks extremely easy."
- --
Those who torment us for our own good will torment us without end,
for they do so with the approval of their consciences.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Archive: http://lists.debian.org/201101191053.50768.Howland@priss.com
01-19-2011, 03:46 PM
Camaleón
Let's talk about HTTPS Everywhere
On Wed, 19 Jan 2011 10:53:50 -0500, Curt Howland wrote:
> On Wednesday 19 January 2011, Camaleón was heard to
> say:
>> Data stored in cookies is not what I understand for "sensitive". What
>> kind of information do you think are cookies managing?
>
> Maybe this would be enlightening:
>
> http://codebutler.com/firesheep
>
> FTA:
> "It's extremely common for websites to protect your password by
> encrypting the initial login, but surprisingly uncommon for websites to
> encrypt everything else. This leaves the cookie (and the user)
> vulnerable. HTTP session hijacking (sometimes called "sidejacking") is
> when an attacker gets a hold of a user's cookie, allowing them to do
> anything the user can do on a particular website. On an open wireless
> network, cookies are basically shouted through the air, making these
> attacks extremely easy."
Maybe I have not expressed myself properly.
Any data passing through an unencrypted channel is vulnerable to being
fetched and reviewed by anyone and we all know that.
My point here is that I don't mind _that kind of data_ being
disclosed because it is public and easily gathered by other means (anyone
reading my e-mail headers can see my IP address and/or e-mail client) and
tracking cookies (session cookies) do not contain sensitive information
(by "sensitive information" I mean passwords or username logins for
gaining access to online services, like banking, shopping or such).
In brief:
- Does the cookie contain sensitive/private information? → set/get the
cookie using ssl
- Does the cookie contain standard/publicly available information → no
need to be encrypted
What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using
clear text passwords.
Greetings,
--
Camaleón
Archive: http://lists.debian.org/pan.2011.01.19.16.46.10@gmail.com
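The "In brief" rule above (a cookie that grants access should only be set and sent over SSL) and the Firesheep quote (a session cookie sent over plain HTTP lets anyone on the same open wireless network act as the logged-in user) both come down to one HTTP detail: whether the server marked its session cookie with the `Secure` attribute, since without it the browser will happily send the cookie over an unencrypted connection. The following is an added example, not code from the thread, from Firesheep or from HTTPS Everywhere: a small Python audit that parses `Set-Cookie` headers, flags session-looking cookies that lack `Secure` (and `HttpOnly`), and shows the hardened header a server should have emitted instead. The sample headers and the name heuristics (`SESSION_NAME_HINTS`) are constructed for the example; it assumes Python 3.8 or newer for `SameSite` support in `http.cookies`.

```python
"""Audit Set-Cookie headers for session cookies that can be sent in the clear.

Added example (not from the thread, Firesheep or HTTPS Everywhere).
Assumes Python 3.8+ so http.cookies understands the SameSite attribute.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Heuristic: cookie names that usually carry a login session.
# Constructed for this example; adapt to the application being audited.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample Set-Cookie header values, as a server might emit them.
SAMPLE_RESPONSE_HEADERS = [
    "sessionid=3f9a1c; Path=/; HttpOnly",                        # no Secure
    "PHPSESSID=k2j4h5; Path=/",                                  # no Secure, no HttpOnly
    "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", # hardened
    "lang=en; Path=/; Max-Age=31536000",                         # preference, not a session
]


def looks_like_session(name: str) -> bool:
    """True if the cookie name suggests it identifies a logged-in session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into its name and transport attributes."""
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        raise ValueError(f"unparseable Set-Cookie value: {header_value!r}")
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        # Without Secure the browser sends the cookie over plain HTTP too.
        "secure": bool(morsel["secure"]),
        # Without HttpOnly page scripts can read the cookie.
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel.get("samesite") or None,
    }


def audit_set_cookie_headers(headers: list[str]) -> list[str]:
    """Return one finding per weak attribute on each session-looking cookie."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie["name"]):
            continue  # public/preference data: the thread's second rule
        if not cookie["secure"]:
            findings.append(
                f"{cookie['name']}: session cookie without Secure; "
                "the browser will also send it over unencrypted HTTP"
            )
        if not cookie["httponly"]:
            findings.append(
                f"{cookie['name']}: missing HttpOnly; readable by page scripts"
            )
    return findings


def harden(header_value: str) -> str:
    """Re-emit a Set-Cookie value with Secure, HttpOnly and a SameSite default."""
    jar = SimpleCookie()
    jar.load(header_value)
    _, morsel = next(iter(jar.items()))
    morsel["secure"] = True
    morsel["httponly"] = True
    if not morsel.get("samesite"):
        morsel["samesite"] = "Lax"
    return morsel.OutputString()


if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS):
        print("FINDING:", finding)
    print("hardened:", harden(SAMPLE_RESPONSE_HEADERS[1]))
```

The audit only reports the attributes; it does not make a cookie safe by itself. Marking the cookie `Secure` is what prevents the browser from disclosing it on a plain-HTTP request, and that only helps when the site actually serves the logged-in pages over HTTPS, which is the gap the thread's Firesheep quote describes.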
01-19-2011, 04:07 PM
"tv.debian@googlemail.com"
Let's talk about HTTPS Everywhere
On the 19/01/2011 17:46, Camaleón wrote:
> On Wed, 19 Jan 2011 10:53:50 -0500, Curt Howland wrote:
>
>> On Wednesday 19 January 2011, Camaleón was heard to
>> say:
>
>>> Data stored in cookies is not what I understand for "sensitive". What
>>> kind of information do you think are cookies managing?
>>
>> Maybe this would be enlightening:
>>
>> http://codebutler.com/firesheep
>>
>> FTA:
>> "It's extremely common for websites to protect your password by
>> encrypting the initial login, but surprisingly uncommon for websites to
>> encrypt everything else. This leaves the cookie (and the user)
>> vulnerable. HTTP session hijacking (sometimes called "sidejacking") is
>> when an attacker gets a hold of a user's cookie, allowing them to do
>> anything the user can do on a particular website. On an open wireless
>> network, cookies are basically shouted through the air, making these
>> attacks extremely easy."
>
> Maybe I have not expressed myself properly.
>
> Any data passing through an unencrypted channel is vulnerable to being
> fetched and reviewed by anyone and we all know that.
>
> My point here is that I don't mind _that kind of data_ being
> disclosed because it is public and easily gathered by other means (anyone
> reading my e-mail headers can see my IP address and/or e-mail client) and
> tracking cookies (session cookies) do not contain sensitive information
> (by "sensitive information" I mean passwords or username logins for
> gaining access to online services, like banking, shopping or such).
>
> In brief:
>
> - Does the cookie contain sensitive/private information? → set/get the
> cookie using ssl
>
> - Does the cookie contain standard/publicly available information → no
> need to be encrypted
>
> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using
> clear text passwords.
>
> Greetings,
>
It is not only the data enclosed inside the cookie which is at risk
here, but the entire session on the website you are logged in to. Say you
log into your "friendface" account, and someone near you catches your
unencrypted session cookie, then he is YOU on YOUR "friendface" account...
Enjoy.
Archive: http://lists.debian.org/4D371A58.9060804@googlemail.com
01-19-2011, 04:35 PM
shawn wilson
Let's talk about HTTPS Everywhere
this might be interesting reading for anyone wondering about https (ssl/tls) overhead / speed:
http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf
>> In brief:
>>
>> - Does the cookie contain sensitive/private information? → set/get the
>> cookie using ssl
that depends on the web site.
>>
>> - Does the cookie contain standard/publicly available information → no
>> need to be encrypted
>>
generally not - the point of a cookie is to retain information about you between the client and the server. here, this should give you some general information. but unless you've worked with this stuff, you're not going to really grasp the full implication of 'name' and 'value' and what not:
http://www.cookiecentral.com/faq/#3.3
there's also the wikipedia run down (look at the 'see also' section - it's got some pretty good stuff):
http://en.wikipedia.org/wiki/HTTP_cookie
if you want to know what can be in a cookie, look at things like httpfox (there's a more popular ff extension that has some of the same features as well that i can't think of too).
>> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins using
>> clear text passwords.
>>
email is not secure. it never was. don't send unencrypted sensitive information over email. then again, if you use a big enough email service (gmail, yahoo, etc) and have nothing to hide from your government (i'm in the us, so here that would include fbi, cia, dhs, dos) i don't think too many people are going to filter through l3 and verizon's data for your message. per ftp, use scp (ftp+ssh, sftp).
fact of the matter is, unless you have information that others might profit by, or unless you're popular enough that someone might care enough to defame you, or you don't put yourself out there to be a target, you probably don't have much to worry about. point is, i can walk around my building and capture enough encrypted wifi packets to then go back home, and run aircrack on them all and have fun with everyone (as i'm sure they all surf the web with http and could be exploited in many other ways as well). i don't because, well, why? what would i gain? on the other hand, if i'm hanging around at a library or starbucks with a laptop, i'll pop out wireshark and firesheep just for the hell of it (i'm not often 'hanging around' with nothing better to do).
so, fwiw
01-19-2011, 04:50 PM
Camaleón
Let's talk about HTTPS Everywhere
On Wed, 19 Jan 2011 18:07:36 +0100, tv.debian@googlemail.com wrote:
> On the 19/01/2011 17:46, Camaleón wrote:
(...)
>> In brief:
>>
>> - Does the cookie contain sensitive/private information? → set/get the
>> cookie using ssl
>>
>> - Does the cookie contain standard/publicly available information → no
>> need to be encrypted
>>
>> What I fear, more than "unencrypted" browsing, is e-mail/ftp logins
>> using clear text passwords.
>>
>>
>>
> It is not only the data enclosed inside the cookie which is at risk
> here, but the entire session on the website you are logged in to. Say you
> log into your "friendface" account, and someone near you catches your
> unencrypted session cookie, then he is YOU on YOUR "friendface"
> account...
That sounds like bad programming or a buggy site. There are methods to
prevent such attacks on the server side that involve no encrypted
sessions, but sometimes it is easier (and cheaper) for companies to rely
on completely encrypted sessions and not implement other
countermeasures.
Greetings,
--
Camaleón
Archive: http://lists.debian.org/pan.2011.01.19.17.50.57@gmail.com
01-19-2011, 04:55 PM
Eduardo M KALINOWSKI
Let's talk about HTTPS Everywhere
On Qua, 19 Jan 2011, Camaleón wrote:
> That sounds like bad programming or a buggy site.
True
> There are methods to
> prevent such attacks on the server side that involve no encrypted
> sessions,
True
> but sometimes it is easier (and cheaper) for companies to rely
> on completely encrypted sessions and not implement other
> countermeasures.
However, SSL has the added benefit that no one will be spying on your
traffic, even if it's basically public information that is available
via other means. And its overhead is minimal, to the point that it
should not be noticeable unless the computer (client or server) and/or
internet connection are very slow.
--
Computers are not intelligent. They only think they are.
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
Archive: http://lists.debian.org/20110119155553.14402bt31wb6fgzk@mail.kalinowski.com.br
01-19-2011, 05:33 PM
Mark
Let's talk about HTTPS Everywhere
Let's talk about CentOS on this list, shall we?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
01-19-2011, 05:34 PM
MR ZenWiz
Let's talk about HTTPS Everywhere
On Wed, Jan 19, 2011 at 3:29 AM, S Mathias <smathias1972@yahoo.com> wrote:
> Ok. It's a Firefox Add-on:
>
> https://www.eff.org/https-everywhere
>
And this has what, exactly, to do with Ubuntu?
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
01-19-2011, 05:42 PM
"John R. Dennison"
Let's talk about HTTPS Everywhere
On Wed, Jan 19, 2011 at 10:33:59AM -0800, Mark wrote:
> Let's talk about CentOS on this list, shall we?
Presumably the OP is running firefox on CentOS. So... how is this
not about CentOS?
John
--
A man or woman is seldom happy unless he or she is sustaining him or herself
and making a contribution to others.
-- Hilary Hinton "Zig" Ziglar (1926-), American self-help author and speaker,
See You at the Top (2000)