
HTTP Must Die, Security Experts Tell Hackers

Tags:
  • Security
July 18, 2014 7:10:11 PM

meh they just wanna sell more SSL certificates
Score
-4
July 18, 2014 8:42:33 PM

HTTPS is still not safe and can still be hacked; security certificates can be stolen and used for bad purposes.
Score
0
July 18, 2014 10:47:10 PM

Quote:
meh they just wanna sell more SSL certificates


No, they want to make sure that it is not trivial to intercept someone's private communications over the internet.
Score
5
July 19, 2014 1:04:01 AM

While I agree in theory, it's worth mentioning that encrypting e-mail server connections only matters because so much e-mail is still sent as plaintext; it doesn't necessarily protect you against malicious servers. If you want secure e-mail you need to set up and use S/MIME. It's actually fairly easy; the difficult bit is trading public keys (or rather, convincing others to set up S/MIME for two-way encryption).
Score
1
July 19, 2014 3:38:59 AM

Finally. This should have happened years ago. There was no reason not to have the entire Internet going over secure protocols back in 2008, let alone 2014. This move should have been accelerated years ago.
Score
1
July 19, 2014 3:55:06 AM

Well, the sites have to start USING https too!

I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, an http page then opens instead.

Just like this site.
Score
2
July 19, 2014 9:09:54 AM

Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.
Score
0
July 19, 2014 11:45:46 AM

@ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.
Score
0
July 19, 2014 12:42:17 PM

Quote:
Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.


Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.
Score
2
July 19, 2014 1:47:24 PM

Quote:
@ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.


Stream compression, CDNs, proxies, to name a few reasons.
Score
0
July 19, 2014 1:47:47 PM

Quote:
Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.


And yet websites do it all the time. If it's done properly the encrypted portion is no less, or more, secure than if the entire page is encrypted.
Score
-1
July 19, 2014 3:00:40 PM

All SIP traffic for VoIP needs to be encrypted by default with TLS; as well, the actual RTPs in VoIP need to be secured with SRTP by default.

Disabling TLS, SRTP and HTTPS should be for diagnostic purposes only.
Score
0
July 20, 2014 3:03:06 AM

Quote:
Well, the sites have to start USING https too!

I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, an http page then opens instead.

Just like this site.


How do you do that?
Score
0
July 21, 2014 4:28:06 AM

More security = good
Less security = bad

Bit of a no-brainer, why are we even discussing this?
Score
0