Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

User generated content sites are some of the most important that need to implement HTTPS.

Consider reddit for example. The entire site is HTTP. That means your ISP can pull up a list of your entire reddit browsing history. They can see every post you read, every comment you wrote, etc. Collectively this data could form quite an accurate picture of a person's mental makeup. Is that the kind of data you want floating around?

HTTPS encrypts query strings so upstream providers cannot see which specific pages you browse.

Of course, HTTPS still shows domain names... but it's a start. Next step is DNSSEC for everybody!

p.s. Anyone interested going down the rabbithole exploring mass tracking of individuals, should google "entity mapping llc" and poke around the results...



https://www.reddit.com/prefs/security/

You can force it to https only for your user account.


Thanks for that tip. I just enabled it for my account. I wonder why they don't redirect to https by default.


from what I remember reading is that when they first started with HTTPS, they weren't able to easily deal with the added overhead. They switched to cloudflare and are working on rolling out HTTPS across the site. One of the changes involves removing the reddit bar.


For what it's worth, Reddit supports HTTPS but doesn't enforce it or enable it by default.


Our HTTPS Everywhere software will change that default (in your browser) for Reddit and thousands of other sites.

https://www.eff.org/https-everywhere


I am a fan of the sentiment behind HTTPS Everywhere but I wish you would spend more time educating people on root certificates and trusted CA's.

Why are there 200 root certificates in my Apple key chain? That is at least 200 entities who can MITM my SSL connection without my knowledge.

The trust assignment protocol is a vital aspect of communication security. What good is end-to-end encryption if I don't know which "ends" to trust?


The main EFF contribution to this problem right now is the SSL Observatory.

https://www.eff.org/observatory

You can allow your copy of HTTPS Everywhere to send us certs, which can help researchers understand what CAs are doing and potentially detect misissued certs.

Two other important mechanisms are Certificate Transparency and HPKP.

http://www.certificate-transparency.org/

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

The former is a way -- I hope! -- to eventually require the open publication of all issued certs that the public is expected to trust. The latter is a way for sites that you successfully connect to at one point to prevent other CAs that they don't have any relationship with from helping to MITM your future connections.


Maybe I'm mistaken, but what does SSH have to do with certificates in the trust store?


Yeah that was a typo sorry.

For the answer to what SSL has to do with certificates in the trust store, the best demonstration is by example. Try to setup mitmproxy on EC2 to MITM your own HTTPS connections. In order to do so, you will need to install a trusted root certificate on your device.


That should probably read "SSL".




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: