Site-Related => News => Topic started by: Spectere on March 29, 2017, 02:43:58 PM

Title: SSL'd!
Post by: Spectere on March 29, 2017, 02:43:58 PM
As some of my fellow US-ians probably know, a bill recently passed allowing ISPs to sell browsing history. Fuck that shit. As of today, spectere.net will strictly enforce secure connections via HTTPS. We're just a tiny, tiny speck in the grand scheme of things, but if I can prevent even a few megabytes of metrics and browsing data from appearing in a collection of marketing data then it'll be worth it.

If you run into any issues (things not loading, security warnings getting displayed, etc.) feel free to either PM me or ping me over on Twitter (https://twitter.com/Spectere/).

Many thanks to Let's Encrypt (https://letsencrypt.org/) and the EFF (https://www.eff.org/) (specifically, their Certbot (https://certbot.eff.org/) script) for making this both possible and surprisingly easy. If you have a few bucks to spare, please please please support those organizations. Their contributions to security and privacy cannot be understated.
Title: Re: SSL'd!
Post by: Bobbias on March 31, 2017, 12:25:40 AM
Congrats on the SSL. I'm still having difficulty believing that actually happened... then again everything lately feels like a nightmare.
Title: Re: SSL'd!
Post by: Spectere on March 31, 2017, 04:11:19 AM
What slays me more is the justification for it. They claimed that if Google is allowed to sell your data then ISPs should as well. The point that those idiots apparently don't understand is that you choose to use Google. You could always use DuckDuckGo for search, something like Lavabit for e-mail, etc. If you want to get on the Internet, you don't have a choice but to use an ISP.

The implications of this are staggering. Plain old HTTP is even less safe than it ever was. With ISPs allowed to gather traffic, there is just so much that they can do. Most web forms have very clearly named fields to make it easier on web developers. If they want to scrape e-mail addresses, all they need to do is look for an HTTP POST request with an "email" field. They can do the same thing for address fields and, hell, even password fields if they're feeling particularly dickish. It's basically a legitimized man-in-the-middle attack.

Fortunately, most of the sites that I go to use SSL. I'm considering seeking out a secure, private VPN for any outliers, though finding one that truly does what they promise can be a bit tricky. How can you trust a system without seeing it in person, after all?

Also, saying that this feels like a nightmare is somewhat inaccurate. At least when I have a nightmare I can take solace in the fact that I can wake up from it. I've been trying to do that for the past several months and it hasn't worked so far.
Title: Re: SSL'd!
Post by: Zephlar on March 31, 2017, 12:39:07 PM
I feel like it's not really much different than before though. The only exception is it's actually legal now. The stipulation according to Snowden was that every time data moved to a server outside of the US (which Google has TONS of), the US had the right to intercept that data. Google apparently makes it a common practice to move batches of data internationally all the time so the government is consistently picking up data in that fashion.
Title: Re: SSL'd!
Post by: Spectere on March 31, 2017, 07:43:08 PM
Government spying is a different can of worms entirely. The Snowden revelations are what prompted Microsoft, Google, et al, to secure the links between their servers. Now, whether or not they're complicit in the government spying on their citizens is another argument (he who holds the private keys holds the data, after all). That kind of touches on the point I made about trust earlier.

I see this scenario as being a bit different. This allows ISPs to sell your browsing data for profit (as if they aren't already making enough of that, but I digress). Unlike before, where it was illegal for ISPs to lift data from, say, online form submissions, now it's back to being fair game for them. Considering how competent some of these companies are when it comes to securing marketing data, I think it's safe to say that if ISPs actually start doing that, we can see the number of personal information leaks drastically increase. Things get worse when you realize that there's the possibility that they could be slurping up passwords that you type into non-secure web forms. Who knows what happens to that data? And what happens if some script kiddie manages to lift the database that stores all of this stuff?

I don't like the smell of any of this. As much as I dislike government spying, at least that data stays more or less in one place. With this it can spread like wildfire, and you'd be surprised how much people can fuck with you if they have your name, address, and e-mail address, let alone any passwords that happen to inadvertently get stored.
Title: Re: SSL'd!
Post by: Bobbias on April 01, 2017, 03:30:10 AM
As a non-US citizen things are also kinda freaky. Snowden showed that anything outside the US is fair game so the NSA could be spying on me at any time. What's scary about this is that it normalizes that kind of invasion of privacy for the rest of the world to see. :/
Title: Re: SSL'd!
Post by: Spectere on April 01, 2017, 05:46:10 PM
"Canadian?" More like "terrorist," am I right? Why are you so worried about the NSA? I mean, surely you have nothing to hide, right?

In all seriousness, yeah, it's completely ridiculous, not to mention that it's a great way of breeding distrust and malcontent. The really scary part is that there are people who actually think that these sorts of measures are beneficial, as if they're actually going to stop attacks. Then again, these are probably the same worthless shitstains that think that a Muslim ban is a good thing.