    Miscellaneous Tech News
    • stacksofplates @scottalanmiller

      @scottalanmiller said in Miscellaneous Tech News:

      @kelly said in Miscellaneous Tech News:

      @travisdh1 said in Miscellaneous Tech News:

      @kelly said in Miscellaneous Tech News:

      If your marketing people start complaining about the number of hits their sites are getting falling through the floor, this might be the culprit: https://thehackernews.com/2018/07/google-chrome-not-secure.html. (Since the link is not helpful, here is the headline from the article: "From today, Google Chrome starts marking all non-HTTPS sites 'Not Secure'".)

      Who doesn't have a site running HTTPS now? Before Letsencrypt made it free, maybe, but no excuse now! Even my home lab box runs everything over secured connections now.

      Everyone should be, but we still run into computers without AV or passwords, so it is unsurprising to me that there are sites that neglect this basic responsibility.

      For static sites, it's not irresponsible in any way. If you have no user data moving, there's nothing wrong with plain text. There are good reasons to do HTTPS everywhere today, but security is not always it.

      No user data doesn't mean you don't need HTTPS. MITM with fake login forms, DNS hijacking, etc is still a big vulnerability for static sites on HTTP.

      • scottalanmiller @stacksofplates

        @stacksofplates said in Miscellaneous Tech News:

        No user data doesn't mean you don't need HTTPS. MITM with fake login forms, DNS hijacking, etc is still a big vulnerability for static sites on HTTP.

        Right, but if you have a login or form, it's got user data. There are many sites that don't have those. MITM, DNS hijacking, aren't really risky if you don't transmit data.

        • stacksofplates @scottalanmiller

          @scottalanmiller said in Miscellaneous Tech News:

          Right, but if you have a login or form, it's got user data. There are many sites that don't have those. MITM, DNS hijacking, aren't really risky if you don't transmit data.

          No, fake login forms that don't exist on your site but are injected.

          MITM, DNS hijacking, aren't really risky if you don't transmit data.

          They most definitely are. Cryptominers are a good example.

          • Obsolesce

            With DNS hijacking it doesn't matter.

            Nobody is going to pay attention to the warnings anyways.

            If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

            If I hijacked your DNS and redirected your static-HTML site (http://staticsite.com) to my server, and suddenly presented to you a form... why would you fill out some random form? If I go to someone's static-html blog, and my DNS is hijacked, and now when I get to their blog I'm presented with some login... why would I attempt to log in to some random static-html blog site with credentials I would never have made or known in the first place?

            • stacksofplates @Obsolesce

              @obsolesce said in Miscellaneous Tech News:

              With DNS hijacking it doesn't matter.

              Nobody is going to pay attention to the warnings anyways.

              If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

              This proves my point exactly? I don't know what you're arguing here. People don't pay attention unless it's in their face. They (Google) want to get to the point where you click through to an HTTP site (like with self signed certs).

              If I hijacked your DNS and redirected your static-HTML site (http://staticsite.com) to my server, and suddenly presented to you a form... why would you fill out some random form? If I go to someone's static-html blog, and my DNS is hijacked, and now when I get to their blog I'm presented with some login... why would I attempt to log in to some random static-html blog site with credentials I would never have made or known in the first place?

              If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

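The exposure stacksofplates describes above (a plaintext page whose embedded JS or forms can be rewritten in transit or via hijacked DNS) can be audited mechanically. The following is example code added here, not code from any poster; it takes a page's URL, HTML and response headers and lists what a static site leaves rewritable. The URL `staticsite.example`, the HTML and the headers are constructed sample input.

```python
"""Audit a static page for plaintext-HTTP exposures: the document itself
served over HTTP, scripts or frames fetched over HTTP, forms submitting
over HTTP, third-party scripts without Subresource Integrity, and a
missing HSTS header. Example code added here; not from the forum posts."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ResourceCollector(HTMLParser):
    """Collect script/iframe sources and form actions as absolute URLs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.scripts = []  # (absolute src, has an integrity attribute)
        self.frames = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((urljoin(self.base_url, a["src"]), "integrity" in a))
        elif tag == "iframe" and a.get("src"):
            self.frames.append(urljoin(self.base_url, a["src"]))
        elif tag == "form":
            # A form with no action submits back to the page's own URL.
            self.forms.append(urljoin(self.base_url, a.get("action", "")))


def audit_static_page(page_url, html, response_headers):
    """Return a sorted list of finding strings for one fetched page."""
    findings = []
    page_https = urlsplit(page_url).scheme == "https"
    if not page_https:
        findings.append("page served over plaintext HTTP: whole document is rewritable in transit")
    headers = {k.lower(): v for k, v in response_headers.items()}
    if page_https and "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security header: first visit can still be downgraded")
    c = _ResourceCollector(page_url)
    c.feed(html)
    for src, has_sri in c.scripts:
        if urlsplit(src).scheme == "http":
            findings.append(f"script loaded over HTTP (injectable): {src}")
        elif urlsplit(src).netloc != urlsplit(page_url).netloc and not has_sri:
            findings.append(f"third-party script without Subresource Integrity: {src}")
    for src in c.frames:
        if urlsplit(src).scheme == "http":
            findings.append(f"iframe loaded over HTTP: {src}")
    for action in c.forms:
        if urlsplit(action).scheme == "http":
            findings.append(f"form submits over HTTP: {action}")
    return sorted(findings)


# Constructed sample page: a "static" brochure site with one relative
# script, two CDN scripts and a newsletter form (no real site).
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example/analytics.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="/site.js"></script>
</head><body>
<form action="/subscribe"><input name="email"></form>
</body></html>"""
PLAINTEXT_URL = "http://staticsite.example/"      # constructed, served over HTTP
HARDENED_URL = "https://staticsite.example/"      # same site after moving to HTTPS
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}


def run_demo():
    """Audit the sample page as served over HTTP and again over HTTPS+HSTS."""
    before = audit_static_page(PLAINTEXT_URL, SAMPLE_HTML, {"Content-Type": "text/html"})
    after = audit_static_page(HARDENED_URL, SAMPLE_HTML, HARDENED_HEADERS)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("over HTTP", "over HTTPS with HSTS"), run_demo()):
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Moving the page to HTTPS removes the findings that depend on the page's own scheme (relative script and form), leaving the mixed-content CDN script and the SRI gap as the items the site owner still has to fix.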
              • scottalanmiller @Obsolesce

                @obsolesce said in Miscellaneous Tech News:

                If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                • scottalanmiller @stacksofplates

                  @stacksofplates said in Miscellaneous Tech News:

                  This proves my point exactly? I don't know what you're arguing here. People don't pay attention unless it's in their face. They (Google) want to get to the point where you click through to an HTTP site (like with self signed certs).

                  I think they are just driving people to workarounds.

                  • Obsolesce @scottalanmiller

                    @scottalanmiller said in Miscellaneous Tech News:

                    Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                    Yeah, that was my second point.... if I access a site in which I have no reason to use a form, why would I?

                    • stacksofplates @scottalanmiller

                      @scottalanmiller said in Miscellaneous Tech News:

                      Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                      No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                      • scottalanmiller @stacksofplates

                        @stacksofplates said in Miscellaneous Tech News:

                        If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

                        That's fine, but I'm talking about pages where none of that can apply.

                        • stacksofplates @scottalanmiller

                          @scottalanmiller said in Miscellaneous Tech News:

                          That's fine, but I'm talking about pages where none of that can apply.

                          You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

                          • scottalanmiller @stacksofplates

                            @stacksofplates said in Miscellaneous Tech News:

                            No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                            It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                            • stacksofplates @scottalanmiller

                              @scottalanmiller said in Miscellaneous Tech News:

                              It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                              You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                              • scottalanmiller @stacksofplates

                                @stacksofplates said in Miscellaneous Tech News:

                                You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

                                I can, because it doesn't matter what they see. It makes no sense regardless.

                                If you think this makes sense, give me an example. What new site could I go to that's totally static that, when going to a fake site, would realistically make me generate a new account?

                                • Obsolesce @stacksofplates

                                  @stacksofplates said in Miscellaneous Tech News:

                                  You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

                                  Let's use a real example... your blog is static html, yes? No login forms? Even so, let's pretend there isn't.

                                  What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell would I attempt to log in to your blog, knowing I do not even have an account there?

                                  • scottalanmiller @stacksofplates

                                    @stacksofplates said in Miscellaneous Tech News:

                                    You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                                    You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                                    • scottalanmiller @Obsolesce

                                      @obsolesce said in Miscellaneous Tech News:

                                      Let's use a real example... your blog is static html, yes? No login forms? Even so, let's pretend there isn't.

                                      All blogs I know have logins.

                                      • stacksofplates @Obsolesce

                                        @obsolesce said in Miscellaneous Tech News:

                                        Let's use a real example... your blog is static html, yes? No login forms? Even so, let's pretend there isn't.

                                        What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell would I attempt to log in to your blog, knowing I do not even have an account there?

                                        I do not even have an account there?

                                        That's not how oauth works.

                                        • Obsolesce @scottalanmiller

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @obsolesce said in Miscellaneous Tech News:

                                          Let's use a real example... your blog is static html, yes? No login forms? Even so, let's pretend there isn't.

                                          All blogs I know have logins.

                                          Still, that's beside the point. Even so, why would I attempt to log in to HIS blog, knowing I do not have an account there?

                                          • scottalanmiller @Obsolesce

                                            @obsolesce said in Miscellaneous Tech News:

                                            What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell would I attempt to log in to your blog, knowing I do not even have an account there?

                                            Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far-fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.

                                            But I see his point: present a central OAUTH and people might actually do that stupid thing.
