{"id":632,"date":"2018-07-16T10:50:46","date_gmt":"2018-07-16T14:20:46","guid":{"rendered":"http:\/\/blog.pelleys.com\/?p=632"},"modified":"2018-07-16T11:03:03","modified_gmt":"2018-07-16T14:33:03","slug":"https-everwhere-is-a-good-thing-sort-of","status":"publish","type":"post","link":"https:\/\/blog.pelleys.com\/?p=632","title":{"rendered":"HTTPS Everwhere is a good thing… Sort of…\u00a0"},"content":{"rendered":"

One of the “big” things of late is the push to have all websites use HTTPS to encrypt traffic to websites. As Stefan Stienne of\u00a0The Verge<\/em> noted in the may May 2018 article Google Chrome is removing the secure indicator from HTTPS sites in September<\/a>:<\/p>\n

Here\u2019s a quick HTTPS refresher course: it\u2019s a more secure \r\nversion of HTTP, acting as a secure communication \r\nprotocol for users and websites, making it harder for \r\neavesdroppers to snoop on your packets. Your data is \r\nkept secure from third parties, so most modern sites are \r\nemploying this technology, using Transport Layer \r\nSecurity (TLS) the underlying tech behind HTTPS, to do this.<\/em><\/pre>\n
What this means is that the URL bar (or omnibar, or whatever a web browser calls it) will change (using Google Chrome as the example):<\/p>\n
\"\"<\/p>\n
Eventually it will be:<\/p>\n
\"\"<\/p>\n
In on sense, this is somewhat agreeable. It will ensure that no one can\u00a0easily\u00a0<\/em>snoop what is going back and forth when you connect to a website. That being said, nothing will stop an organisation\u00a0breaking<\/em> the TLS chain using a proxy and installing\u00a0their valid<\/em> SSL certificate in your browser’s certificate store. Since this certificate is self-signed, the client would receive an SSL warning message. Once the client installs the proxy’s certificate to let the browser trust the certificate, browsing websites with HTTPS will look normal and have the green padlock or no warning in the future (secure connection) in the URL bar.\u00a0\u00a0This works<\/a> by:<\/p>\n
client <===HTTPS===> proxy <===HTTPS===> server\r\n             ^                   ^\r\n    proxy certificate      server certificate<\/pre>\n
So, unless you actually go and validate the certificate source you can\u00a0still<\/strong>\u00a0have your traffic sniffed. Many companies use SSL proxies to ensure that confidential information is not being leaked (assuming SSL decryption is being used for moral, lawful purposes). Of course I, for one, would not be surprised if something like the “Great Firewall of China” is not doing this (of course, law – and culture in some ways – comes into play here, too).<\/p>\n
Of course, DNS servers will still know\u00a0where<\/em> you are going – you need to resolve an address to an IP address.<\/p>\n
Secure Does Not Mean Trusted<\/h2>\n
All this does\u00a0not<\/strong> mean that you should\u00a0trust<\/em> a website just because communications are encrypted! Anyone can get a Domain Validated (DV) certificate.That’s the way that\u00a0Let’s Encrypt<\/a>\u00a0works. Now, I am\u00a0not\u00a0<\/em>knocking Let’s Encrypt – I use it myself (see URL bar above).<\/p>\n
This<\/a> article on the types of certificates. Higher level certificates such as Organisation Validation (OV) and Extended Validation (EV) are a help. OV has more human intervention in the Certificate Authority (CA) validating that an actual business\/organisation is reputable. This puts the organisation’s name in the certificate information. This costs money. EV certificates includes the most effort in validating a business\/organisation reputation including extra documentation (See EV SSL Requirements<\/a>). This costs more money and time. Chrome\u00a0used<\/em> to include the organisation’s name in the URL bar (it stopped doing so – I haven’t spent time finding out when but it was before Chrome 66) but Firefox, Internet Explorer and Microsoft Edge still do.<\/p>\n
The problem is:<\/p>\n
HTTPS\u00a0\u2260 TRUSTED<\/strong><\/p>\n
The website your are connecting must be trusted. Is the site trying to steal your credit card information? Is the site trying to get your personal information for spear phishing purposes? Just because the connection is encrypted (and may be doing so for other purposes than trying to make you think that their site is “trusted” – they may also be encrypting traffic to keep people from knowing what they are up to) does\u00a0not<\/strong> mean you should trust the site!<\/p>\n
That responsibility is up to\u00a0you<\/strong><\/em>,\u00a0<\/em>dear reader.\u00a0You<\/strong><\/em>\u00a0<\/em>need to determine if the site you are entering your credit card or other information is trustworthy. This means, for Chrome at least, you need to look at the certificate and determine if it is truly trustworthy. You need to look at the URL and make sure that it is\u00a0really\u00a0<\/em>the website you are intending to visit – making sure that mybank.com isn’t actually mybonk.com.<\/p>\n
Summing Up<\/h2>\n
Some of the good things about HTTPS everywhere is that it can (not<\/em> will) help in keeping others from sniffing credit card or other personal information from your connection. Google’s eventual change of not identifying HTTPS and highlighting HTTP should help people understand when their communications can be read by other (or, maybe not so easily read is more accurate).<\/p>\n
All that said the trust, the reputation, of where you are connecting is still up to you.<\/p>\n","protected":false},"excerpt":{"rendered":"
One of the “big” things of late is the push to have all websites use HTTPS to encrypt traffic to websites. As Stefan Stienne of\u00a0The Verge noted in the may May 2018 article Google Chrome is removing the secure indicator … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-632","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=\/wp\/v2\/posts\/632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=632"}],"version-history":[{"count":0,"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=\/wp\/v2\/posts\/632\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pelleys.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}