NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/
Mostly accurate, but you missed one critical thing - some (a lot of) sites reject NoScript's Force HTTPS. There have been several sites I tried using it on, and either A. I got a different page than the HTTP one (different as in unusably different) or B. the HTTPS request was rejected and the "secure" page was redirected to a HTTP page.Tom T. wrote:It's been a while since I read that episode, but IIRC, Gibson said not to panic just yet. The main example was at an open Wi-Fi hotspot, where a third party (MITM) could insert themselves into the network, and manipulate the page sent to you for login. (Or if your home wireless network is unsecured. Or any other way that a man-in-the-middle can get between you and the site.) The other issue is that some sites serve their *login* pages by http, even though your credentials are returned to them by https.
So: 1) Don't do your online banking at Starbucks or the library. Do it at home from your own *secure* network, and
2) Use NoScript Force HTTPS feature for lazy sites that send you the login page via HTTP. And complain to that webmaster!
I haven't re-read the whole article, so if I've missed anything, let me know.
But for sites that don't provide a secure page, and in fact reject client-side attempts to negotiate a secure connection, we're definitely vulnerable.If you've got - and if you're getting a secure page, then the buttons on that secure page cannot have been modified because nobody is able to intercept that. So if you're using an eCommerce system like mine, where the form you're filling out is SSL secured, then everything that follows on from that is also going to be wrapped in the SSL security because all of the Submit buttons will still be secure because no one could have changed them. The vulnerability is using a site that doesn't put you into SSL first because then the buttons that you're using to submit could have had that edited out. And that's the problem.
<snip>
It's possible to be safe, like I said, like if you - my eCommerce site insists on giving you a secure form. But if the user sees that the form they're filling out is secure, you're safe. Otherwise you don't know what, you don't know where that page came from because it's only SSL that protects you against spoofing. So somebody who inserts themselves in the middle anywhere, may not even just in your own WiFi caf, but in a hotel scenario, or maybe somebody spliced into the line downstream of the ISP. I mean, the potential for exploitation is huge.
Um, Mr. Gibson, over here!Well, and to deal with the problem of vigilance, I mean, that's really, I mean, it comes down to the user being responsible, at this point. And I'd really like to offload that to the browser. So that if there was a way, like for example imagine a Firefox add-in which, if it was possible for sites that we use a lot, like PayPal, Amazon, Facebook, Twitter and so forth, if it's possible for them to accept https for everything, then we want to tell the browser, good. Make every URL I submit to this site, please add the "s" for me. Make it secure so I don't have to worry about it constantly any longer. Because it's so easy. I mean, you're distracted. You're in a hurry. And all it takes is one situation where you slip up, and your information has escaped.
)I sent him a message to that effect shortly after that episode came out, and it was ignored. They have a TWIT Wiki, where I've made several other comments on matters pertinent to the show, but the comments there don't seem to reach Steve, either.computerfreaker wrote:(Side note, after re-reading the article I noticed he's looking for NoScript:
Um, Mr. Gibson, over here!
You're an ISP; you should be browser-neutral, make your site work with the world's second-most popular browser. They said they "were working on it". That was a couple of months ago... (sigh). Maybe he's too busy to look at his e-mails... although he sure puts out a lot of SpinRite e-mails on his shows, eh?Tom T. wrote:I sent him a message to that effect shortly after that episode came out, and it was ignored. They have a TWIT Wiki, where I've made several other comments on matters pertinent to the show, but the comments there don't seem to reach Steve, either.computerfreaker wrote:(Side note, after re-reading the article I noticed he's looking for NoScript:
Um, Mr. Gibson, over here!
Well, he seems to have had a sort of mental block about Firefox itself until finally the need for security drove him to the wall. He's happy with Fx now, but not NoScript... maybe this "Force HTTPS" thing will drive him to the wall again, this time in NS's favor.Tom T. wrote:He favors NS, but has some kind of mental block about it. He shut it off at first, because of the "annoying pop-ups all the time". Uh, read the FAQ, Sir, and disable them in Notifications. Someone finally told him that, and then he was enthusiastic again. Now I tried to tell him about Force HTTPS, and no luck.
Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA?Tom T. wrote:The MITM and other attacks were much of the impetus for the Force HTTPS feature in the first place. Bank of America was one of the largest examples -- serving the login page insecurely, but with a big, phony *black* padlock *next to the u/p boxes* -- none in the lower-right of the browser, of course. Most banks have fixed that issue -- possibly because of the publicity generated by NS <blush>, but some less-sensitive sites still haven't.
There's two medium-value sites I go to and several low-value sites... nothing high enough to go somewhere else.Tom T. wrote:If I were at one of those sites, and they refused to fix it, I'd weigh the sensitivity of the information, and if it were something of high value, go somewhere else.
I know it's none of my business, but maybe it's time for a change of ISP?Tom T. wrote:BTW, my login to administer my own personal site, hosted by my ISP, won't secure the login page. I complained -- I'm paying them a fair chunk of money each month for a high-speed cable connection -- and they said, "It works with IE. So just log in with IE." .. Uh, thanks, but no thanks.
Quite annoying, and risky as well...Tom T. wrote:But it's a low-value, rather obscure, target. Just annoying that even your own ISP won't do things right.
No, it *encouraged* the bad guys, as it was easy to duplicate the BA page and its phony padlock. It was to give users a false sense of security -- which is worse than no security at all. As mentioned, it's been fixed by most. But banks seem to be the *least* security-conscious around. Fun game: Go to all the banks and other financial sites, 2-click the padlock icon, and observe how many are still using the 20-year-old RC4-128 encryption, while even my teensy little long-distance provider uses state-of-the-art AES-256 encryption -- which the US Govt. uses for encrypting Top Secret classified material. Go figure....computerfreaker wrote:Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA?
My options for high-speed cable are very limited...computerfreaker wrote:I know it's none of my business, but maybe it's time for a change of ISP?
computerfreaker wrote:Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA?
That's what I meant - I was being heavily sarcastic. Sometimes I don't do it right and people think I'm serious...Tom T. wrote:No, it *encouraged* the bad guys, as it was easy to duplicate the BA page and its phony padlock.
Go figure.Tom T. wrote:It was to give users a false sense of security -- which is worse than no security at all. As mentioned, it's been fixed by most. But banks seem to be the *least* security-conscious around. Fun game: Go to all the banks and other financial sites, 2-click the padlock icon, and observe how many are still using the 20-year-old RC4-128 encryption, while even my teensy little long-distance provider uses state-of-the-art AES-256 encryption -- which the US Govt. uses for encrypting Top Secret classified material. Go figure....
Too bad...Tom T. wrote:(ISP-hosted web site insecure login)My options for high-speed cable are very limited...computerfreaker wrote:I know it's none of my business, but maybe it's time for a change of ISP?
