from the ow!-my-foot!-shot-it-right-off! dept
In fact, as many quickly noted, Roskomnadzor's own website happens to be secured with a certificate from... Comodo:
by Mike Masnick
Tue, Jul 26th 2016 7:04am
by Mike Masnick
Mon, Mar 23rd 2015 11:30am
by Tim Cushing
Wed, Mar 18th 2015 9:03pm
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

In a statement that clashes with the NSA's activities and the FBI's push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one's business but their own.

This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
All browsing activity should be considered private and sensitive.

The proposed standard would eliminate agencies' options, forcing them to move to HTTPS, both for their safety and the safety of their sites' visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won't be too many details to trifle over. HTTPS or else is the CIO Council's goal -- something that shouldn't be open to too much interpretation.

Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

The CIO's short, but informative, explanatory page lists the pros of this proposed move, as well as spelling out what HTTPS doesn't protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements from other parties will be the most difficult to migrate. And, it notes, the move won't necessarily be inexpensive.

The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.

But, it assures us (at least as much as any government entity can...), the money will be well-spent.

The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.

The CIO is also taking input from the public, on GitHub no less.
by Mike Masnick
Wed, Mar 4th 2015 10:50am
There’s a much more important moral to this story.

Let's repeat that last line, because it still seems that the powers that be don't get it:

The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.
This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking. Our systems are already so complex that even normal issues stress them to the breaking point. There's no room for new backdoors.

To be blunt about it, the moral of this story is pretty simple: Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
by Tim Cushing
Mon, Jan 5th 2015 10:14am
When you're flying, your internet connection is completely in the hands of a single company. There's no searching around for another signal. So, however the provider decides to handle your connection, that's what you're stuck with. A captive audience usually results in fun things like high prices and connection throttling. And, if you're Gogo Inflight, it means compromising the security of every traveler who chooses to use the service, just because you can.
Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer who is part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

The bogus certificate was captured in a screenshot tweeted out by Felt.

The airlines on whose planes the Services are available do not collect any information through your use of the Services, but we may share certain types of information with such airlines, as described below. Please remember that this policy only covers your activities while on the Gogo Domains; to the extent you visit third party websites, including the websites of our airline partners, the privacy policies of those websites will govern.

Except that those policies can't govern, not when their underlying security has been compromised by fake Gogo SSL certificates.

Gogo does support secure Virtual Private Network (VPN) and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use secure VPN protocols for greater security. SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be accessed through the Gogo Services. You should be aware, however, that data packets from un-encrypted Wi-Fi connections can be captured by technically advanced means when they are transmitted between a user’s Device and the Wi-Fi access point. You should therefore take precautions to lower your security risks.

Again, precautions are moot if Gogo deliberately inserts itself into the transmission with bogus certificates.
by Mike Masnick
Mon, Dec 29th 2014 3:30pm
Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.

When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make "cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable."

The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.

HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it's not a perfect solution.
by Mike Masnick
Mon, Dec 15th 2014 1:20pm
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

More specifically:

The goal of this proposal is to more clearly display to users that HTTP provides no data security.
UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.

This seems like it could have quite an impact in driving more sites to finally realize that they should start going to HTTPS by default. There's really no excuse not to do so these days, and it's good to see the Chrome Security Team make this push. The more encrypted traffic there is, the better.
by Leigh Beadon
Mon, Nov 24th 2014 2:36pm
As some of you know, Techdirt recently completed the process of protecting all Techdirt traffic with full SSL encryption — something we believe every internet company should do. Part of this process involved seeking a sponsor to help us offset the money and time spent getting everything switched over, and today we're happy to announce that Namecheap has stepped up to that role.
We're very happy to work with Namecheap, as the company has established itself as a defender of user rights and an open and secure internet, sharing many of the same values that we espouse here at Techdirt. They were among the first domain registrars to speak up against SOPA, they contributed heavily to the matching funds in our Beacon campaign to raise money for net neutrality reporting, and they do frequent fundraising for groups like the EFF and Fight For The Future.
As part of our sponsorship deal, you'll notice a message from Namecheap at the top of Techdirt, and see a couple more posts highlighting work the company has done and the services it offers — including SSLs.com, Namecheap's SSL certificate shop. We're grateful to Namecheap for its support, which helps our small team keep turning out quality content while juggling important technical upgrades like this one. We hope our readers will take a moment to support Namecheap in return, and check out its services for your needs when it comes to domain names, hosting and security certificates.
by Mike Masnick
Tue, Nov 18th 2014 12:40pm
by Mike Masnick
Fri, Nov 14th 2014 1:25pm