
does it even matter any more?

Thread replies: 21
Thread images: 2

does it even matter any more?
>>
>>59523063
what does that question even mean?
>>
>>59523063

Yesss. Because you cannot trust a network.

It won't stop the government from spying on you, but it will make it harder for others to steal your passwords.
>>
>>59523063
Not to some people:
https://arstechnica.com/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/
>The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

>"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

>Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted.

>As several commenters have pointed out, the site's subscription page transmits credit card information over plain-vanilla HTTP pages as well. The lack of protection is made worse by the assurance on the same page that: "All credit card information is encrypted using our Secure Transaction Server." Making matters worse still: the login page is returning error messages that indicate it may be vulnerable to SQL injection attacks.
>>
>>59523117
Browsers should default to https and these people should burn.
>>
>>59523063
Did it ever matter?
>>
>>59523129
If you don't pay the CAs, Firefox also flags your site and turns off your encryption. The entire certificate scam is getting old. HTTPS should be mandatory and separate from authenticity.
>>
>>59523149
>HTTPS should be mandatory and separate from authenticity.
> separate from authenticity.
wot
>>
>>59523149
Let's Encrypt?
>>
>>59523275
>>59523246
LE is getting there but doesn't solve the CA problem. Authenticity != encrypted, two separate problems and CAs don't even solve authenticity. They're just a cash grab.
>>
>>59523246

Well, it looks like he thinks encryption alone is enough and verifying who you are actually talking to is an unrelated story.

Of course he makes a huge mistake.
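
The disagreement above, encryption without checking who holds the other key, can be shown with a toy key exchange. This is an added example, not part of any post in the thread; the tiny Diffie-Hellman group, the function names and the pinned fingerprint (standing in for whatever a CA-signed certificate or a DNSSEC-published key would vouch for) are all assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1  # toy prime modulus, constructed for the demo; far too small for real use
G = 3

def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from the shared Diffie-Hellman secret."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def fingerprint(pub):
    """Identifier for a public key that some trusted channel can vouch for."""
    return hashlib.sha256(str(pub).encode()).hexdigest()

def client_handshake(received_pub, pinned_fp=None):
    """Return (client_pub, key). With pinned_fp set, unknown keys are refused."""
    if pinned_fp is not None and fingerprint(received_pub) != pinned_fp:
        raise ValueError("server key does not match the authenticated fingerprint")
    priv, pub = keypair()
    return pub, session_key(priv, received_pub)

def run(authenticated):
    """Simulate a handshake where an on-path party swaps in its own public key."""
    srv_priv, srv_pub = keypair()
    mid_priv, mid_pub = keypair()  # key substituted on the network path
    pin = fingerprint(srv_pub) if authenticated else None
    try:
        cli_pub, cli_key = client_handshake(mid_pub, pin)
    except ValueError:
        return "rejected"
    # The client's "encrypted" session terminates at the middle party,
    # which holds a second, different session with the real server.
    mid_key_client = session_key(mid_priv, cli_pub)
    srv_key = session_key(srv_priv, mid_pub)
    if cli_key == mid_key_client and cli_key != srv_key:
        return "intercepted"
    return "ok"

if __name__ == "__main__":
    print("encryption only:        ", run(authenticated=False))
    print("encryption + authentic.:", run(authenticated=True))
```
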
>>
>>59523063
https://encrypted.google.com/

nothing is secure
>>
>>59523117
Keks were had.
>user table dropped
>inline JS sql calls
>using outdated ASP.net with a known CVE from 2008
>form open to sql injection
>Never breached 15 years
L M A O KEK HAS BLESSED GEORGE WITH HIS DIVINE PUNISHMENT
>>
>>59523286
>Let's Encrypt
>cash grab
mane, you don't know what you are talking about

I'll grant you that the CA model needs to change, but until the industry finds something better, you stick with it.

FYI Let's Encrypt is free, as in free beer
>>59523288
It seems that way
>>
>>59523374
Self-signed certificates are the best solution, LE is just propping up the dying institutions. Then you use something like a better DNSSEC to manage authenticity separately.
>>
>>59523063
Of course it does.
Because international standards require it for many services of trust.
So even if it "does nothing", it's still a massive money sink, hence "it matters".

Ask a stupid question get a stupid answer.
>>
Against TLAs? No.
Against your everyday h4x0r? Yes.
>>
>>59523063
>panacea
SSL isn't named after Gandalf's eagle.
>>
It's one of the only things that matters now more than ever.
Plaintext HTTP should be banned. SSL tunnels should be mandatory.
>>
>>59524989
Why would you want HTTPS for non-private data? HTTPS creates extra overhead and can't be cached, which means larger expenses for content providers and shittier experience for users in remote locations.
>>
>>59525172
HTTPS also ensures that you get the content the server has actually sent and that it has not been modified.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.