from the ow!-my-foot!-shot-it-right-off! dept
In fact, as many quickly noted, Roskomnadzor's own website happens to be secured with a certificate from... Comodo:
by Mike Masnick
Tue, Jul 26th 2016 7:04am
by Mike Masnick
Mon, Mar 23rd 2015 11:30am
by Tim Cushing
Wed, Mar 18th 2015 9:03pm
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

In a statement that clashes with the NSA's activities and the FBI's push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one's business but their own.
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
All browsing activity should be considered private and sensitive.

The proposed standard would eliminate agencies' options, forcing them to move to HTTPS, both for their safety and the safety of their sites' visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won't be too many details to trifle over. HTTPS or else is the CIO Council's goal -- something that shouldn't be open to too much interpretation.
Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

The CIO's short, but informative, explanatory page lists the pros of this proposed move, as well as spells out what HTTPS doesn't protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won't necessarily be inexpensive.
The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.

But, it assures us (at least as much as any government entity can...), the money will be well-spent.
The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.

The CIO is also taking input from the public, at GitHub no less.
by Mike Masnick
Wed, Mar 4th 2015 10:50am
There’s a much more important moral to this story.

Let's repeat that last line, because it still seems that the powers that be don't get it:
The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.
This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking. Our systems are already so complex that even normal issues stress them to the breaking point. There's no room for new backdoors.
To be blunt about it, the moral of this story is pretty simple:

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
by Tim Cushing
Mon, Jan 5th 2015 10:14am
When you're flying, your internet connection is completely in the hands of a single company. There's no searching around for another signal. So, however the provider decides to handle your connection, that's what you're stuck with. A captive audience usually results in fun things like high prices and connection throttling. And, if you're Gogo Inflight, it means compromising the security of every traveler who chooses to use the service, just because you can.
Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer who is part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

The bogus certificate was captured in a screenshot tweeted out by Felt.
The airlines on whose planes the Services are available do not collect any information through your use of the Services, but we may share certain types of information with such airlines, as described below. Please remember that this policy only covers your activities while on the Gogo Domains; to the extent you visit third party websites, including the websites of our airline partners, the privacy policies of those websites will govern.

Except that those policies can't govern, not when their underlying security has been compromised by fake Gogo SSL certificates.
Gogo does support secure Virtual Private Network (VPN) and Secure Shell (SSH) access. If you have VPN, Gogo recommends that you use secure VPN protocols for greater security. SSL-encrypted websites or pages, typically indicated by “https” in the address field and a “lock” icon, can also generally be accessed through the Gogo Services. You should be aware, however, that data packets from un-encrypted Wi-Fi connections can be captured by technically advanced means when they are transmitted between a user’s Device and the Wi-Fi access point. You should therefore take precautions to lower your security risks.

Again, precautions are moot if Gogo deliberately inserts itself into the transmission with bogus certificates.
by Mike Masnick
Mon, Dec 29th 2014 3:30pm
Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.

When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make "cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable."
The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.

HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it's not a perfect solution.
by Mike Masnick
Mon, Dec 15th 2014 1:20pm
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

More specifically:
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.

This seems like it could have quite an impact in driving more sites to finally realize that they should start going to HTTPS by default. There's really no excuse not to do so these days, and it's good to see the Chrome Security Team make this push. The more encrypted traffic there is, the better.
by Leigh Beadon
Mon, Nov 24th 2014 2:36pm
As some of you know, Techdirt recently completed the process of protecting all Techdirt traffic with full SSL encryption — something we believe every internet company should do. Part of this process involved seeking a sponsor to help us offset the money and time spent getting everything switched over, and today we're happy to announce that Namecheap has stepped up to that role.
We're very happy to work with Namecheap, as the company has established itself as a defender of user rights and an open and secure internet, sharing many of the same values that we espouse here at Techdirt. They were among the first domain registrars to speak up against SOPA, they contributed heavily to the matching funds in our Beacon campaign to raise money for net neutrality reporting, and they do frequent fundraising for groups like the EFF and Fight For The Future.
As part of our sponsorship deal, you'll notice a message from Namecheap at the top of Techdirt, and see a couple more posts highlighting work the company has done and the services it offers — including SSLs.com, Namecheap's SSL certificate shop. We're grateful to Namecheap for its support, which helps our small team keep turning out quality content while juggling important technical upgrades like this one. We hope our readers will take a moment to support Namecheap in return, and check out its services for your needs when it comes to domain names, hosting and security certificates.
by Mike Masnick
Tue, Nov 18th 2014 12:40pm
by Mike Masnick
Fri, Nov 14th 2014 1:25pm