HTTP Must Die, Security Experts Tell Hackers

Status
Not open for further replies.

Haravikk

While I agree in theory, it's worth mentioning that encrypting e-mail server connections only matters because so much e-mail is still sent as plaintext; it doesn't necessarily protect you against malicious servers. If you want secure e-mail you need to set up and use S/MIME. It's actually fairly easy; the difficult bit is trading public keys (or rather, convincing others to set up S/MIME for two-way encryption).
 

Pherule

Finally. This should have happened years ago. There was no reason not to have the entire Internet going over secure protocols back in 2008, let alone 2014. This move should have been accelerated years ago.
 

eriko

Well, the sites have to start USING https too!

I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, an http page then opens instead.

Just like this site.
 

ddpruitt

Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.
 

Pherule

@ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.
 

waethorn

> Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.

Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.
 

ddpruitt

> @ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.
>
> Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.

Stream compression, CDNs, proxies, to name a few reasons.
 

ddpruitt

> Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.

And yet websites do it all the time. If it's done properly the encrypted portion is no less, or more, secure than if the entire page is encrypted.
 

LORD_ORION

All SIP traffic for VoIP needs to be encrypted by default with TLS; as well, the actual RTPs in VoIP need to be secured with SRTP by default.

Disabling TLS, SRTP and HTTPS should be for diagnostic purposes only.
 
Guest

> Well, the sites have to start USING https too!
>
> I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, a http page then opens instead.
>
> Just like this site.

How do you do that?
 