HTTP Must Die, Security Experts Tell Hackers

  • Thread starter: Guest
Status
Not open for further replies.
While I agree in theory, it's worth mentioning that encrypting e-mail server connections only matters because so much e-mail is still sent as plaintext; it doesn't necessarily protect you against malicious servers. If you want secure e-mail, you need to set up and use S/MIME. It's actually fairly easy; the difficult bit is trading public keys (or rather, convincing others to set up S/MIME for two-way encryption).
 
Finally. This should have happened years ago. There was no reason not to have the entire Internet going over secure protocols back in 2008, let alone 2014. This move should have been accelerated years ago.
 
Well, the sites have to start USING https too!

I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, a http page then opens instead.

Just like this site.
 
Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.
 
@ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.
 
Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.

Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.
 
@ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.

Stream compression, CDNs, proxies, to name a few reasons.
 
Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.

And yet websites do it all the time. If it's done properly the encrypted portion is no less, or more, secure than if the entire page is encrypted.
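
As an added illustration of the mixed-content point debated above (not code from any poster in this thread): a small Python scanner that lists what an https page would still load or submit over plain http, split into active and passive. The sample markup and the example.test hosts are constructed, and the active/passive grouping is a simplification of how browsers classify mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# http:// loads that can rewrite the page or carry submitted data (active)
# versus loads that are only displayed (passive).
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("form", "action"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect what an https page would fetch or submit over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied; rel=canonical is not.
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for table_tag, attr in table:
                value = attrs.get(attr)
                if table_tag != tag or not value:
                    continue
                # Resolve relative and protocol-relative URLs against the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlparse(absolute).scheme == "http":
                    self.findings.append((severity, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script></head><body>
<img src="http://img.example.test/logo.png"><img src="/local.png">
<form action="http://www.example.test/login"><input name="pw"></form>
</body></html>"""
```

Calling `scan("https://www.example.test/", SAMPLE)` reports the script and the form target as active and the logo as passive; the protocol-relative stylesheet and the local image inherit https and are not reported.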
 
All SIP traffic for VoIP needs to be encrypted by default with TLS; as well, the actual RTPs in VoIP need to be secured with SRTP by default.

Disabling TLS, SRTP and HTTPS should be for diagnostic purposes only.
 
Well, the sites have to start USING https too!

I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, a http page then opens instead.

Just like this site.
How do you do that?
 