Comments

vas pup September 18, 2018 10:09 AM

“You see, they knew this process sucked – any reasonable person with half an idea about security did – but the internal security team alone telling management this was not cool wasn’t enough to drive change. Negative media coverage, however, is something management actually listens to.”
Exactly! I just want to remind ALL management of Steve Jobs’s statement: “We hire smart people so that they can tell us what to do, not so that we can tell them what to do.”

Impossibly Stupid September 18, 2018 10:10 AM

The real shame is that some companies need widespread bad publicity before they’ll begrudgingly follow basic security guidelines. That’s just poor management, and unless those people get booted out the door with much fanfare, any issue that gets an isolated fix only addresses the tip of an iceberg. People just need to stop doing business with any company that needs to be shamed into doing the right thing.

echo September 18, 2018 11:17 AM

Reading through the link and comments underneath, I read this kind of thing in the same way as abuse and failure of standards, which isn’t too far removed from #metoo. There are lots of ways organisations can double down, and unfortunately things aren’t always resolvable without either litigation or public shaming. Things are so bad in the UK, at least, that failures with organisations like the Home Office are not properly responded to until the media are involved. Management are now so cynical they even have a five-star fast-track pat-you-on-the-back policy if an incident reaches the media, to make the story go away as quickly as possible while failure continues as usual behind the scenes. In larger commercial organisations management go through the motions and believe staff who are covering up their mistakes, then instantly lose interest.

There are questions you can ask yourself. Is this incident a genuine one-off? Is there a run of incidents? Has this affected more people? What is their history and reputation? If there is something rotten you can bet your bottom dollar you are dealing with abusive management or an abusive company. This can be exacerbated in monopoly situations because alternatives may not be possible.

People need to decide for themselves where the tipping point is but abuse is abuse and it ends in one of two ways: jail and/or an expensive divorce.

Whodathunk September 18, 2018 1:37 PM

There are questions you can ask yourself: Is this topic gender discrimination or the home office? Was it about shaming companies into better security products, or expensive divorce? Was anyone else talking about divorce or the culture in the home office, or just you? Do you have a history of hijacking the topic for that focus instead? Can you literally turn any topic into an exploration of unrelated personal anecdotes? Should we try to address your unrelated anecdotes or just return to the topic of discussion? People need to decide for themselves what the topic is I suppose, but this is a bit ridiculous.

echo September 18, 2018 1:45 PM

@Whodathunk

Oh, don’t be daft. There is no difference at all between one form of abuse and another. The same lessons and mitigations apply whether you perceive this as simply a technical issue or a relationship issue. It’s entirely your decision where the emphasis applies for you.

You are of course free to make your own positive contribution too instead of sockpuppetry.

Whodathunk September 18, 2018 1:57 PM

Shall we change the topic to beehive maintenance, or police abuses of minorities?
Basic unrelated truths also apply to those unrelated topics too, since we’re meandering.

Clive Robinson September 18, 2018 2:28 PM

@ Troy Hunt,

If you are reading this a little test for you 😉

On your web page you say,

… and am a Microsoft Regional Director …

I know English is an ever-changing language, but “and am a” is one of those things that reads badly; “and I am a” or “and I’m a” tends to read better.

That aside, shaming should be good-humoured on both sides; the point is to achieve an objective as painlessly as possible.

As for “feeling sorry” for the support staff, don’t. I worked a minimum-wage call centre job between jobs, and the type of people who stay for more than a few weeks have hides thicker than a rhino and a “don’t care” mentality.

You may not know, but a certain Conservative PM called David Cameron used to do “first line call taker” work. He is known to have lied outrageously on the phone to people rather than actually deal with simple issues.

Anyway, I enjoyed the blog thread, so keep up the good work.

echo September 18, 2018 2:51 PM

@Clive

This is a long time ago, but I interviewed once for a call centre (a non-telephone job) and discovered they were a bit demanding. The call centre room didn’t have decent windows, or any at all from what I can remember. A few years later I read in the local newspaper they were done for fraud. I had a similarly bad experience when I enquired with another company who expected total commitment for as little as they could get away with paying (which may have been import-export, but I can’t honestly remember), and they were later done too. There is nothing “scientific” about my observations other than perhaps that bad people will cheat and exploit as much as they believe they can get away with.

I don’t know if it’s because I’m getting older, or standards are slipping, or perhaps I have recently been exposed more to services over telephones, but I have found the initiative and attitude of a lot of state sector call handlers is pretty atrocious, and in some cases outright negligent.

Retail can be lacking too, which reminds me of an anecdote my mother told me when I was small. She was old enough to remember visiting a haberdashery, and the young woman assisting the senior member of staff wasn’t even allowed to speak to a customer until she had been in the job for five years.

Mercantile September 18, 2018 3:27 PM

“Whether those rejecting shaming of the likes I’ve shared above agree with the practice or not, they can’t argue with the outcome. I’m sure there’ll be those that apply motherhood statements such as “the end doesn’t justify the means”, but that would imply that the means is detrimental in some way which it simply isn’t. Keep it polite, use shaming constructively to leverage social pressure and we’re all better off for it.”

But you’d better be on point as you can be sued for false statements that damage a company.

Nobody September 18, 2018 5:14 PM

Can anyone please explain to me why it is a good idea to enable blanket HTTPS? Why does, e.g., bankofamerica.com need to be HTTPS? I understand about login pages and such…

Given that most of the discussed blog deals with bad ™ companies who don’t have https, I’d say it’s silly.

Jesse Thompson September 18, 2018 7:04 PM

@Nobody

It’s simple: same reason as blanket SSH in preference to “sometimes Telnet/rsh”. It’s easier to maintain a security standard with scale: if everybody’s doing it, then when something’s broken it gets fixed faster. When it’s only used “when you have to”, it remains obscure enough to be largely unusable.

That, and for encrypted network traffic the more innocuous traffic using the encryption the less suspicious and concentrated traffic-that-needs-it is.

It’s why I shred a majority of documents that I dispose of whether or not they have sensitive data on them: whoever’s going to piece together sensitive documents will have a harder time with a lot of red-herring pieces thrown into the mix.

Kim September 18, 2018 9:15 PM

Does anyone know of a reason for not making laws which would send those responsible for serious security lapses (I’m talking CTOs and managers more than ‘lowly’ tech workers) that result in personal data exfiltrations, etc., to jail?

There don’t seem to be any. Despite the OPM breach which happened to the government. In other words, there’s no strong incentive to be secure in many cases. Seems like a massive oversight on the part of legislators. Isn’t it?

solaric September 18, 2018 9:18 PM

@Nobody & @Jesse Thompson

There are actually some other more directly substantial reasons for HTTPS specifically beyond general good practices, habits, dogfooding and so forth, and a big one is authenticity, which is separate from secrecy. Encryption and authentication both depend on crypto but are not equivalent inherently, with the former offering “this can’t be read raw” while the latter is “it can be determined what key signed this and that it has not been modified since then”. It is quite standard for example for software updates, including open source packages, to be signed but not encrypted. Obviously there is nothing secret about them, but equally obviously users want to know that they haven’t been messed with after release by the original authors.

On the web, though, these two concepts are essentially merged together, with HTTP being pure plain text while HTTPS offers both signing and encryption. So to take @Nobody’s question: if bankofamerica.com was served over HTTP, then the served page itself could be trivially modified by anyone along the chain between BOA’s servers/CDN and end users, with no one (trivially and automatically) the wiser. The phishing potential there should be pretty obvious: if a customer visits the site they expect it to be genuine. Even if the “login” page was HTTPS, how are customers getting there? Are they entering a URL directly, or are they clicking a button from the main page, which, if served over HTTP, could be compromised so the button does something else? In principle HTTPS isn’t the only way to manage that, where the information transmitted is not secret but must be authentic, but on the web in practice HTTPS is the only way to do that.
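The signed-but-not-encrypted case solaric describes (software releases that anyone can read, but whose integrity can be checked) is easy to see in code. The following is an added example, not code from the original thread or from any project mentioned in it. It keeps a constructed two-file "release" in plain text, publishes a manifest of SHA-256 digests, and attaches an authenticator over the manifest. Because it relies only on the Python standard library, the authenticator is an HMAC under a hypothetical shared publisher key; real package signing uses a public-key signature (OpenPGP, Ed25519, etc.) so that verifiers hold no secret, but the property shown is the same: the content stays readable throughout, and any change to a file or to the manifest is detected.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample "release": two small files, stored as plain text.
# Nothing here is secret; only integrity and origin are protected.
RELEASE_FILES: dict[str, bytes] = {
    "README.txt": b"Example package v1.0 (constructed sample)\n",
    "install.sh": b"#!/bin/sh\necho installing\n",
}

# Hypothetical publisher key (assumption for this example). With a real
# signing scheme this would be a private key, and verifiers would only
# need the matching public key.
PUBLISHER_KEY = b"constructed-publisher-key-do-not-reuse"


def build_manifest(files: dict[str, bytes]) -> bytes:
    """Plaintext manifest: one SHA-256 per file, serialised canonically so
    that signer and verifier hash exactly the same bytes."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_release(files: dict[str, bytes], key: bytes) -> tuple[bytes, str]:
    """Return (manifest, tag). The manifest is not encrypted; the tag lets a
    verifier detect any change to it after signing."""
    manifest = build_manifest(files)
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_release(files: dict[str, bytes], manifest: bytes, tag: str,
                   key: bytes) -> tuple[bool, list[str]]:
    """Check the manifest tag first; only a manifest that passes is trusted
    to judge the files. Returns (ok, problems)."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest: signature check failed"]
    digests = json.loads(manifest)
    problems = []
    for name, data in files.items():
        if name not in digests:
            problems.append(f"{name}: not listed in manifest")
        elif hashlib.sha256(data).hexdigest() != digests[name]:
            problems.append(f"{name}: content does not match manifest")
    for name in digests:
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing")
    return not problems, problems


def tampered_release() -> dict[str, bytes]:
    """Constructed copy of the release with one file altered in transit."""
    files = dict(RELEASE_FILES)
    files["install.sh"] = b"#!/bin/sh\necho something else\n"
    return files


if __name__ == "__main__":
    manifest, tag = sign_release(RELEASE_FILES, PUBLISHER_KEY)
    print("manifest (readable by anyone):", manifest.decode())
    print("original verifies:", verify_release(RELEASE_FILES, manifest, tag, PUBLISHER_KEY))
    print("tampered verifies:", verify_release(tampered_release(), manifest, tag, PUBLISHER_KEY))
```

The order of checks matters: a verifier must authenticate the manifest before believing any digest in it, otherwise whoever altered a file could simply alter the manifest line for it as well. That is the same reason an HTTP-served page cannot vouch for the HTTPS login link it contains.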

Somebody September 18, 2018 10:12 PM

@Nobody

If you’re looking for a comprehensive list of the why’s… Troy himself has several blog posts about that, each with full lists…

Here are a couple important ones off the top of my head:

  1. Without HTTPS everywhere, non-easily-detectable man-in-the-middle attacks are easy for evil countries, for evil internet companies, and for general evildoers who have hacked into internet infrastructure. Have a look at https://citizenlab.ca/2015/04/chinas-great-cannon/ for an example of this actually being used as a “weapon” to attack GitHub and take it offline for everyone! The best solution to prevent this from getting a lot worse and much more common, is to use HTTPS on every page of every public site, worldwide, with no exceptions.

  2. HTTPS protects privacy better than HTTP… even for static content that doesn’t have a login. Non-encrypted communication lets ISPs and governments build a mass database of every single word every single person reads online, whereas when it’s encrypted they can only build a mass list of servers everyone connects to (which is a lot less information, since it’s not at the individual page and content level any longer). Even letting the browser headers go by unencrypted lets everyone be fingerprinted to a high degree of accuracy. So we need HTTPS everywhere.

  3. HTTPS (version 2) is actually faster than HTTP now, due to several technology improvements over the past few years… Who doesn’t want websites to load faster?

  4. HTTPS used to be expensive and difficult. It’s no longer expensive, it’s totally free. We’re working on making it less difficult to implement (it’s much easier for website maintainers to set up than it used to be, but there’s still some ways to go to make it as easy as HTTP for everyone)

  5. For all the above reasons (and maybe some more I forgot), browsers have been deprecating HTTP, and even have begun actively flagging it as “insecure” to warn people that it’s dangerous… If you don’t want the connection to your site to be flagged to your website visitors as “insecure” then use a more secure protocol, like HTTPS 😉

MrC September 18, 2018 11:23 PM

@ Nobody:

To offer a brief, “TL;DR” version to supplement the more detailed comments above, if bankofamerica.com is served over plain http, then the following attack works:
1. MitM the http connection;
2. In the served page, replace the link to the secure login page with a link to a phishing domain under your control;
3. Profit!
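The defence against the three-step scenario MrC sketches, and against the NatWest-style case others in this thread describe, is on the site owner's side: serve the landing page itself over HTTPS, make sure every link and form on it stays on HTTPS and on hosts you control, and send a Strict-Transport-Security header so browsers stop accepting the plain-HTTP version at all. The following added example (not code from the original thread or from any of the companies named) audits a constructed sample landing page for those two things. The page content, origin and header values are made up for illustration; `allowed_hosts` is a hypothetical parameter for subdomains the owner knows are legitimate.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample landing page and response headers. No real site is
# referenced; the .test TLD is reserved for examples.
SAMPLE_ORIGIN = "https://www.example-bank.test"
SAMPLE_HTML = """
<html><body>
  <a href="/about">About us</a>
  <a href="https://www.example-bank.test/login">Log in</a>
  <a href="http://www.example-bank.test/statements">Statements</a>
  <a href="https://login.example-bank-secure.test/">Online banking</a>
  <form action="http://forms.example-bank.test/search"><input name="q"></form>
</body></html>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}  # no Strict-Transport-Security


class LinkCollector(HTMLParser):
    """Collects every anchor href and form action on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))


def audit_links(html, page_origin, allowed_hosts=()):
    """Return (tag, absolute_url, reason) for every link or form that is not
    HTTPS, or that leaves the page's host and the allowed hosts. Relative
    URLs are resolved against the page origin, so they inherit its scheme."""
    parser = LinkCollector()
    parser.feed(html)
    origin_host = urlsplit(page_origin).hostname
    trusted = {origin_host, *allowed_hosts}
    findings = []
    for tag, raw in parser.targets:
        url = urljoin(page_origin, raw)
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((tag, url, "not served over https"))
        elif parts.hostname not in trusted:
            findings.append((tag, url, "points to a different host"))
    return findings


def hsts_status(headers, min_max_age=31536000):
    """Parse Strict-Transport-Security. Returns (present, max_age, long_enough);
    a year (31536000 s) is used as the minimum a practitioner would expect."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return (False, None, False)
    max_age = None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None
    return (True, max_age, max_age is not None and max_age >= min_max_age)


if __name__ == "__main__":
    for tag, url, reason in audit_links(SAMPLE_HTML, SAMPLE_ORIGIN):
        print(f"{tag:4} {url}: {reason}")
    print("HSTS:", hsts_status(SAMPLE_HEADERS))
```

Run this against a copy of your own page fetched over HTTPS; an audit of a page fetched over plain HTTP proves nothing, since that copy could already have been altered on the way to you, which is exactly the point of the thread.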

Somebody September 18, 2018 11:41 PM

@Nobody

You said, “most of the discussed blog deals with bad ™ companies who don’t have https”

Here’s a list of what was covered in the blog post:

  1. Tesco claiming they’re “storing passwords in a secure way” when they’re able to put them in plaintext “into a password reminder email”
  2. British Gas claiming they’d “lose [their] security certificate” if they allowed people to paste in passwords from password managers…
  3. Betfair claiming that it’s great security to allow anyone anywhere in the world to reset anyone else’s password, merely by knowing their email and date of birth… when pointed out that these are both commonly shared pieces of information, the company then claimed it’s a breach of terms to share them… It’s so ridiculous for a company to claim to ban everyone from ever celebrating birthdays or ever emailing anyone ever again (you know, for “security” reasons), that Troy orated for a while on this… and how later on he was actually thanked by a guy in Betfair security for sparking the public shaming that finally got through to management.
  4. Some other unnamed bank who also could not get things fixed until they were publicly shamed.
  5. NatWest’s home page is insecure. Which means it can be attacked, and changed (man-in-the-middle), to change the login link… (which of course the login page is secure, but if you can’t trust the link to it, how can you know you went to the right place when navigating there, maybe you went to a phishing site login instead…) This is the whole HTTP vs HTTPS debate, which Troy discourses on for some time.
  6. Santander UK claiming nobody should use password managers for “security reasons”…
  7. Someone claiming it’s wrong to shame companies (like Santander), because all it accomplishes is harassing some “poor clueless customer service rep”…
  8. Others making the same claim when T-Mobile Austria defended storing passwords in plain text (and they claimed their security is “amazingly good”)… Troy then sermonizes for quite a while how these social media accounts are the public face representing the company, and how they should act…
  9. Medibank also disallows pasting passwords from password managers… but fairly quickly fixes it (as an example of good response from customer service)
  10. TV Licensing site not using HTTPS even when collecting sensitive data from millions of customers! They claim it’s “safe… despite messages from some browsers” saying it’s not.
  11. Two people shaming the shaming of TV Licensing again… but it works anyway, the site is fixed.
  12. Someone saying they are “fed up [with] social media managers/comms teams taking control and making erroneous statements”… Take responsibility for what you do, and fix it, is the conclusion!

Any way you slice it, whether by number of incidents named, or by number of companies mentioned, or by number of social media posts shown, or by literal space taken, HTTPS doesn’t look like the majority of it to me… (just #5 and #10 in my list)

Hmm September 19, 2018 12:19 AM

“3. HTTPS (version 2) is actually faster than HTTP now, due to several technology improvements over the past few years…”

Technically correct but for the wrong reason implied.

-https://www.tunetheweb.com/blog/http-versus-https-versus-http2/

“the reason it’s faster is not due to HTTPS but due to that fact it is using HTTP/2”

I did have to google it to find out if that were true and how that could be. Now I know.

Weather September 19, 2018 1:06 AM

It’s really old by now, but “sslstrip” for MITM attacks against HTTPS; but like someone mentioned, link redirects, “x-forward”, loses source routing with blind attacks (same as HTML etc.), between the DB server, ad server, ASP, PHP server, that can leverage SSL.

Weather September 19, 2018 1:23 AM

@Somebody
Nice post; the value isn’t in the names of the company, but company policy in general, like you posted 🙂

Denton Scratch September 19, 2018 2:50 AM

@Kim
“Does anyone know of a reason for not making laws which would send those responsible for serious security lapses (I’m talking CTOs and managers more than ‘lowly’ tech workers) that result in personal data exfiltrations, etc., to jail?”

Troy’s examples are egregious, and mostly inexcusable. But there’s a belief that society can prevent bad stuff from happening by criminalising it. So we get 600-odd legislators per country, engaged more-or-less full-time in making new laws. Does less bad stuff happen?

Security lapses are a fact of life – it’s not possible to build anything non-trivial that is proof against attack. Sending people to jail because they failed to prevent a fact of life would be nuts.

Hmm September 19, 2018 3:37 AM

“Does less bad stuff happen?”

On some levels the answer is a resounding YES. Some laws have a non-zero effect.

But I agree with you that there’s no sense criminalizing minor security fails, they happen.
Conspiracy to hide a known vulnerability from investors/customers however, that’s a crime.

I think you enforce best practices affirmatively rather than criminalizing breaches ex post facto.

Clive Robinson September 19, 2018 4:04 AM

@ Kim,

Does anyone know of a reason for not making laws which would send those responsible for serious security lapses (I’m talking CTOs and managers more than ‘lowly’ tech workers) that result in personal data exfiltrations, etc., to jail?

Yes “Turkeys don’t vote for Xmas”.

Or a little more accurately “If you are paying for laws you want to keep yourself exempt from the harmful laws, or keep others exempt from the beneficial laws”.

Thus the Trump giveaway gave one group of people tax cuts for ever, whilst the normal voting citizens only got them for a time-limited period.

As for harmful laws, consider that a few hundred years ago someone came up with an idea. There are “natural entities” like the citizens and there are “legal entities” like companies. Thus you make a company an approximate equivalent under law to a voting citizen.

But there is a catch which is the theory of the directing mind…

If I was to shoot you, which part of me would be guilty? The skin on my finger, the bone in my finger, the tendons that go from the bone to the muscle in my forearm, the muscle in my forearm, the nerves that drive the muscle, the brain that drives the nerves? But what part of the brain produces the conscious thought?

It does not make sense to decide it’s one part and lock that up, so we lock the whole “natural entity” up and punish all parts.

But one of the golden rules of law is that no innocent man should be incarcerated. Thus the law errs on the side of caution, saying it is better to let ten guilty men go free than jail one innocent man.

So when it comes to “legal entities” where the parts are men it does not make sense to lock up all the parts…

So the guilty parts walk free. But the “whole” is punished with fines, because it is assumed that depriving a company of finance will set it back in time, thus is the equivalent of jail time.

But… There are various tricks that other laws allow, whereby losses are deductible from tax. Thus if you structure your companies, what one part loses in fines, another gains in tax deductions, so the real cost is putting a different mark in a ledger. Other tricks allow the “loss” to be passed on to individuals, who thus get a tax-free sum in their personal finances as a reward for the company’s failings they created…

Thus from their point of view there is no down side to taking risks, so no disincentive, just a real financial incentive… So why play it safe or let morals get in the way?

But even if they wanted to play it safe there are other laws, where a director’s duty is actually not to the company but to the shareholders. So they can actually be sued by shareholders for not taking significant risks…

I know it sounds crazy, but that is pretty much the way it is. The EU kind of woke up to that fact and thought “hmm, we can make money here”. The GDPR has what those in the US claim are swingeing fines, way beyond anything that a tax deduction would solve. But it’s a little more complex than that. Most US companies, like US citizens, are treated as though any money they make is in the US, thus subject to US tax rules. The exception is when they have “off shore” arrangements. The problem with that is once “off shore” it stays “off shore”, thus tax-deductible losses should likewise stay off shore. The thing is, when it is off shore it’s usually financially engineered to stay out of any taxation. Thus if you get hit by a big EU fine it does hurt, and it “hurts bad”, because you cannot offset it against something you are not paying. But even if it was taxed in the US, the deductions would be in the US, not the EU, so US corporate bad behaviour would hit the US economy, not the EU economy. Thus the EU economy benefits from the fines at least once if not twice, and if you apply the usual churn rules it will be a ten times effect twice. That is, the EU economy benefits by ten times the value of the fine whilst the US economy loses by ten times the value of the fine…

I would expect to see more legislation like this as other countries effectively either “tax US privacy legislation into existence” or “effectively box US companies back to the US mainland”.

If you want to know why this has been done, go and look at the trade agreements Pres. Obama allowed US companies to influence in the form of increased “cuckoo in the nest” Investor-state dispute settlement (ISDS) terms:

https://en.m.wikipedia.org/wiki/Investor-state_dispute_settlement

I suspect that China will start thinking along these lines in the near future if Pres. Trump carries on the way he is, and it won’t just be the US squid industry that gets hit. It is most likely this trade tariff stupidity that will get him out of office rather than anything else. Because job losses in the US affect voters; in China job losses do not have voter issues in the same way. Thus whilst Trump may make short-term gains whilst China “plays nicely”, China could start to play “not nice”, and they have sufficient controlling investment in the US where they really could influence the outcome of the next US Presidential election.

As generals generally know, you need to defend not just your flanks but your rear as well when you make an attack. Politicians, however, often don’t grasp this point and suffer the usual consequences of rash actions.

Hmm September 19, 2018 5:14 AM

“saying it is better to let ten guilty men go free than jail one innocent man.”

A saying not actually enshrouded in law we might note. Or practice.

“So they can actually be sued by shareholders for not taking significant risks…”

Meh, rarely if ever. Has it happened that you could point to it without some driving scandal?

“So the guilty parts walk free. But the “whole” is punished with fines, because it is assumed that depriving a company of finance will set it back in time, thus is the equivalent of jail time.”

Interesting. But I think corporate officers can still face jail time, if actually caught.

https://www.nytimes.com/2017/01/11/business/volkswagen-diesel-vw-settlement-charges-criminal.html

“That is the EU economy benifits by ten times the value of the fine whilst the US economy looses by ten times the value of the fine…”

But.. ten times? That’s an awfully round number although I think we see the gist.
ISDS looks tricky to pull off, I don’t know how realistic that would be in practice.

“Thus whilst Trump may make short term gains whilst China “plays nicely” China could start to play “not nice” and they have sufficient controling investment in the US where they realy could influance the outcome of the next US Presidential election.”

China(!) can dump enough money to SuperPACs right now to influence elections, no question.

Hell, if China promised reasonable generic drug costs and pension investments, there’s a whole generation of America that would happily defect. To understate it, Trump is far beyond “rash politicians” when it comes to starting foolish campaigns he can’t win.

And yet I find his insane trade policy the most defensible aspect of his administration in total.
It’s coherently insane. He’s playing chicken, so long as he wins on chicken rules, it’s still a win.
If however he miscalculates and China outgrows the US into other markets, (as they are)…

The US will still be a job creator, teaching retirees how to speak mandarin to get their pension checks.

Hmm September 19, 2018 5:20 AM

Sorry, that was depressing. Everything’s fine here, we’re all fine.

How’s the Brexit coming along? That good.

#Reckoning

Clive Robinson September 19, 2018 8:41 AM

@ Hmm,

How’s the Brexit coming along? That good.

Let’s just say my views on Brexit, both those who voted for it and those politicians currently sparring over it, would not pass this site’s “naughty words filter”.

Mind you, it’s been pointed out to me by more than a couple of people that “Article 13” is kind of “the second signpost to disaster” and the EU political project has effectively cut its own throat.

I’m guessing the security implications of it have been missed by nearly everyone, as they are Layer 7 and up issues.

I guess time will tell.

As for the “emissions technology”, there is too little to say on it currently. As an engineer I know that if you try to optimize in one direction you lose out in most other directions. The trick is to find the “sweet spot” and stay there as the technology and other considerations change.

For instance the article goes on about failing in Europe but it actually does not say if the technology is in cars etc in other countries.

To show the interconnectedness of things: due to Pres. Trump’s trade war, China has put restrictions on bullion metals. Which includes the likes of silver and platinum, both of which have important industrial uses. Not least is the platinum used in catalytic converters, some of which are manufactured in part or whole in China. So the 25% price hike on what is actually a very expensive item in the first place will not be swallowed by manufacturers for long, so the price of new cars is going to go up beyond inflation on that alone. So it’s the consumers that get hurt.

With regards to churn or “circulation in the money supply”, the 10:1 figure is, I suspect, an approximation to what might be an average over time, or as you might say “an educated guess”. However, part of it is the deposit multiplier effect. Banks are allowed to loan out the deposits they take in, less what they are required to keep as reserves. The assumption is that what is loaned out gets deposited in another bank, and so on, around and around.

The multiplier effect is usually given as:

Mul = deposits / reserve

Thus 100 dollars deposited with a reserve of 10% gives you a ten times multiplication.

But this is only a part of it; the same loaned money is assumed to also create economic activity, thus you have another multiplier of price / cost on top of that. Yes, I know it looks like double counting, but it’s more complicated than that (see things like the “velocity of money”). There are also other multipliers based on “goods and services” and “time of year”. That is, at Xmas more base money is put into the money supply to meet the coinage demand; however, this is accompanied by high spending, thus high deposits. So the figures change all the time.

If you want to have your head “rinsed”, there are various types of money in the money supply, ranging from “narrow money” / M0 through M4 and L “broad money”, and a few other things, just to measure the current state and character of the money supply.

That said, each country kind of has its own definitions of the “M’s” and which ones they use and publish. But as a broad guide, the money supply multiplier is broad money / narrow money.

Confused? Don’t worry; I get the feeling these are all “thumb on the scale” measures.

echo September 19, 2018 12:21 PM

Speaking of Brexit, isn’t Dominic Raab on the Westminster sex pest list? He denies everything, of course, but he is a bit on the shouty side. There have been at least a handful of cases where denials and support from women not in the know or not affected themselves have hidden abuse, and in some cases serious abuse, for many years. Reports are that Dominic Raab can be difficult to work with and he is aggressive, which I imagine might create an impression in the moment at the very least.

https://www.huffingtonpost.co.uk/entry/dominic-raab-denies-claims_uk_59f9c69be4b0d1cf6e91c433

Moving on. “Fair comment” was replaced by “honest opinion” in the Defamation Act 2013. A defence is privileged if an opinion is honestly held and it is in the public interest, or based on peer-reviewed science, or protected by court proceedings or other reports protected by qualified privilege. With regard to naming and shaming of poor security practices, and the potential for covering up malpractice, especially if they are deeply ingrained, it doesn’t seem unreasonable that companies or individuals shouldn’t be singled out when the means for effective redress are otherwise limited. As long as responsibility is exercised and the thresholds are maintained, it would seem any campaign is in the clear.

http://www.legislation.gov.uk/ukpga/2013/26/section/3/enacted

Hmm September 19, 2018 12:32 PM

“But as a broad guide, the money supply multiplier is broad money / narrow money.”

That part makes sense enough. Most inclusive estimate of value / actual hard cash in hand.
I just found the 10x figure odd.

vas pup September 19, 2018 12:33 PM

@all:
I found a couple of quotes related to privacy and secrets which are kind of related to the psychology of security:

“Without privacy there was no point in being an individual.”
Jonathan Franzen, The Corrections

“There’s the imperative to keep secrets, and the imperative to have them known. How do you know that you’re a person, distinct from other people? By keeping certain things to yourself. You guard them inside you, because, if you don’t, there’s no distinction between inside and outside. Secrets are the way you know you even have an inside. A radical exhibitionist is a person who has forfeited his identity. But identity in a vacuum is also meaningless. Sooner or later, the inside of you needs a witness. Otherwise you’re just a cow, a cat, a stone, a thing in the world, trapped in your thingness. To have an identity, you have to believe that other identities equally exist. You need closeness with other people. And how is closeness built? By sharing secrets. . . . Your identity exists at the intersection of these lines of trust.”
Jonathan Franzen, Purity

Somebody September 20, 2018 12:44 AM

@Hmm

With regards to HTTPS being “faster” now than HTTP….

Right.. I wasn’t very specific or explanatory about this… Here, let me explain in more detail. First, see this:

https://http2.github.io/faq/#does-http2-require-encryption

The important bit is the last part of the answer, where it says:

However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection, and currently no browser supports HTTP/2 unencrypted.

Thus, even though the standards bodies could not get the consensus to make HTTP/2 require encryption, the browser makers did an end-run around that… Since no browser in existence now supports HTTP/2 without it being encrypted, effectively all encrypted traffic that uses the newer protocol (which is a lot of it by now) is way faster than old-fashioned non-encrypted web traffic. Thus, the net result is, effectively, all newer HTTPS in use (with any reasonably recent browser and server using the new HTTP/2 protocol) is much faster than HTTP.

So, therefore, use HTTPS. It’s now faster than HTTP. (this statement is true in all practical terms, due to the way real modern web browsers actually work, not due to what’s technically possible in a lab)

echo September 20, 2018 11:35 AM

https://www.theguardian.com/us-news/2018/sep/20/brett-kavanaugh-supreme-court-yale-amy-chua

A top professor at Yale Law School who strongly endorsed supreme court nominee Brett Kavanaugh as a “mentor to women” privately told a group of law students last year that it was “not an accident” that Kavanaugh’s female law clerks all “looked like models” and would provide advice to students about their physical appearance if they wanted to work for him, the Guardian has learned.

I have experienced this pressure in a professional environment. It is always denied but it does happen and I know I am not the only woman who experienced this. It was an open secret and the establishment people who drove this are known. The staff who pressured this, including other women, did collude and will never admit it either because they would be done for professional misconduct too.

This goes to the top. I can name at least one establishment figure with a position of institutional influence who has given a speech at the Mansion House who is guilty.

Some of these people at times come over as outright misogynists.

I have hardcopy evidence of this. It needs some explaining because most people would miss the critical information while reading through documents but if you know what to look for it leaps off the page. I have discussed this with other people in activist roles and they are fully aware too of what is happening. The problem as always is to get the courts to take allegations seriously and gather enough women to give testimony. This is very difficult when issues are swept under the carpet and no potential leads are followed up because a prosecuting authority or regulator is too “busy” or it would cost a lot. Sadly this has been going on for so long they know what they can get away with.

Hmm September 20, 2018 11:46 AM

@somebody

Yes, it didn’t make sense at first read; HTTPS adds overhead, how could that be faster?

It’s taken for granted how quickly we can “google” things and find out such minutiae.

Nobody September 21, 2018 6:34 AM

@Somebody:
3. HTTPS (version 2) is actually faster than HTTP now, due to several technology improvements over the past few years… Who doesn’t want websites to load faster?

Ok, so my lynx works faster over dialup than firefox over 10Gbps fiber optic wire. Therefore, dialup is faster than fiber optic!

Nobody September 21, 2018 7:42 AM

@Somebody:
2. British Gas claiming they’d “lose [their] security certificate” if they allowed people to paste in passwords from password managers…

I agree with them. Do you really trust your clipboard? Of course, if ppl could be trusted to use dedicated keyboards that come with passwd managers, e.g. keepass2android. FWIW, it’s not their fault, but a deficiency in Web browsers. In principle, users should be able to control how they enter information.

I’d say, Troy Hunt should learn that there exist many wonderful browsers beyond FF and Chrome.

Nobody September 21, 2018 7:46 AM

@Jesse Thompson:
It’s why I shred a majority of documents that I dispose of whether or not they have sensitive data on them: whoever’s going to piece together sensitive documents will have a harder time with a lot of red-herring pieces thrown into the mix.

Would you keep doing it if you needed to pay 10 cents per document? Or if the electricity suddenly became more expensive, so you’d have to pay more for operating your shredder?

HTTPS incurs concrete costs in terms of electric bill, as well as bandwidth. This is the same reason why I’d be against blanket usage of pgp signed email…

Kim September 21, 2018 10:01 AM

@Denton Scratch: Thanks for your reply. Some security lapses are egregious AND somebody’s fault. Eg. refusal to patch after several dire warnings – these things do happen. Ofc jail is not a panacea. Can you think of NO example of a publicized security lapse that was caused by a single person’s failure to respond to warnings? I have read of such things.

vas pup September 21, 2018 11:59 AM

@echo:
Please take a look at this link:
https://en.wikipedia.org/wiki/Charlie_Wilson_(Texas_politician)#"Good_Time_Charlie"
You may find it very informative on a subject in your recent post. He did a lot of business with IC – that’s why his example is interesting here.

My point on that is:
1. Any unconsented violence is not acceptable.
2. Presumption of innocence applies to ALL types of crimes.
3. Memory is not carved in stone. The farther you are from the event, the less reliable memory is. You may search on that: forensic psychologist with the last name Loftus.
Respectfully,
VP

echo September 21, 2018 1:41 PM

@vas pup

The point I forgot to mention was I was drawing a generic comparison between security implementations and behaviour implementations and suggesting the approach to addressing failures with both is essentially similar.

My focus in this topic is mostly on current to recent cases with a reasonable body of evidence and community support.

Clive Robinson September 21, 2018 1:52 PM

@ Nobody,

whoever’s going to piece together [shredded] sensitive documents will have a harder time with a lot of red-herring pieces thrown into the mix.

Actually not so much as you would think, as the US Intel entities found out when the Iranian students not just kicked the US Diplomats out, but also pieced together and published thousands of shredded documents.

The reason is the bag in your shredder is a little bit like the bottom of a swamp / bog. Things settle in chronological order of when they fell in. Even easier when you shred several sheets together.

Strip cutters are a complete waste of time; children can put together pages just for fun and still do so to pass a rainy afternoon with no computer, smart phone, games machine or other electronic entertainment.

Quarrel, Diamond, or cross-cut shredders are marginally better provided the size is less than 2-3mm and you shake/stir the bag contents.

The more secure systems are “ball mill” systems that not just break the paper down to individual fibres they also mix and mix back / recirculate often compressing the thoroughly mixed fibres into briquettes for burning in the local furnace etc, optionally adding a mixed accelerant such as paraffin wax or lamp oil with a temperature raising component so they burn like fire lighters but much faster and more thoroughly producing “clean white ash”.

If you have to use a strip shredder don’t just mix the strips up, also add lots of unpleasantness like “pet poop” or “used nappies” or worse, that is “crap / piss on your enemies endeavors”.

For small quantities of shredded waste I find acid (hydrochloric) drain cleaner is quite effective at encouraging the destruction process. After a little while it can be neutralized with alkaline (caustic soda) drain cleaner to give “mush in brine”. There are however solvents that will quickly lift laser printer and photocopier “plastic” toner off of paper.

Jesse Thompson September 22, 2018 5:02 AM

@Nobody

What added cost in terms of electricity, bandwidth or maintenance effort does HTTPS really incur though? As a fraction of effort it’s several orders of magnitude less than the effort I spend feeding individual pages into a shredder. And @Clive Robinson, yeah I know my strip-and-clip shredder is not NSA-proof but it ought to at least increase the effort required for any actor to read an account number off of a bill.. especially when only 1 in 50 sheets or so even is a bill.. 😛 Deterrence vs expected asset value, friend.

@Nobody If you’re worried about scale, any enterprise level servers ought to be running AES-NI or similar cryptographic hardware acceleration which would decimate that concern.

But ultimately, security costs a premium up front while insecurity costs an unbounded, stochastic premium out the back-end after you get pwnt. Security’s just part of hygiene and “always encrypting” is no more outrageous than changing your clothes every day or always washing one’s hands before meals. Especially preparing meals for other people…

Clive Robinson September 22, 2018 9:38 PM

@ echo,

I think we have mentioned this before 😉

But just to be safe, I’m not into having lumps of uranium around –that have their own fire issues– which I have a “burning” desire to convert to uranium hexafluoride.

Nor do I wish to poison people in strange and frankly quite an appalling way, especially as handling it can at the very least be problematic…

As those experimenting with using new and exciting ways of propelling mass around at rather more than the usual kinetic energies you get from howitzers or 20in Naval guns for that matter.

As John Drury Clark summarized in his sardonically dry way in his book, ClF3 has a few minor difficulties,

    It is, of course, extremely toxic, but that’s the least of the problem. It is hypergolic with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water—with which it reacts explosively. It can be kept in some of the ordinary structural metals –steel, copper, aluminum, etc.– because of the formation of a thin film of insoluble metal fluoride that protects the bulk of the metal, just as the invisible coat of oxide on aluminum keeps it from burning up in the atmosphere. If, however, this coat is melted or scrubbed off, and has no chance to reform, the operator is confronted with the problem of coping with a metal-fluorine fire. For dealing with this situation, I have always recommended a good pair of running shoes.

But it’s not just sand and asbestos, it chews fire bricks as snacks along with concrete and most other traditional materials used for making firewalls…

It’s a bit of a beast when it comes to glass and semiprecious gems as well. To say it does not play nicely, is a tad understated.
