    Miscellaneous Tech News

    • scottalanmiller @Obsolesce

      @obsolesce said in Miscellaneous Tech News:

      @obsolesce said in Miscellaneous Tech News:

      @stacksofplates said in Miscellaneous Tech News:

      @scottalanmiller said in Miscellaneous Tech News:

      @stacksofplates said in Miscellaneous Tech News:

      @scottalanmiller said in Miscellaneous Tech News:

      @stacksofplates said in Miscellaneous Tech News:

      @scottalanmiller said in Miscellaneous Tech News:

      @obsolesce said in Miscellaneous Tech News:

      If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

      Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

      No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

      It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

      You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

      You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

      No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

      [image: 0_1532629148200_login.png]

      blurred for obvious reasons.

      Yeah, that I can agree with 100%.

      But even using HTTPS doesn't protect against that. HTTP or HTTPS... it doesn't matter. If someone's DNS is hijacked, they get the non-HTTPS warning in Chrome, and then they are presented with that fake OAuth thing, and they'll still log in.

      Correct. You need HSTS as well. And even then, it's only partial protection.

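The HSTS point in the post above, as an added example that is not part of the thread or any browser's code: a small model of how a browser's HSTS cache decides whether an http:// navigation is upgraded before any request leaves the machine. It shows why the protection is only partial: a host never seen over HTTPS (and not on the preload list) is still loaded over plain HTTP, and a Strict-Transport-Security header served over plain HTTP is ignored. The host names, header values and the parse_sts/HstsStore names are constructed for this example.

```python
"""HSTS header parser plus a tiny model of a browser's HSTS cache.
Added example (not code from the thread or from any browser). Hosts and
header values used with it are constructed for illustration.
"""
from typing import Optional
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Returns None for a malformed header or one without max-age; a browser
    ignores such a header entirely.
    """
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age is invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown or empty directives are ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)


class HstsStore:
    """Hosts the browser remembers as HTTPS-only: {host: (expiry, subdomains)}."""

    def __init__(self, preloaded=()):
        # preload-list entries never expire and cover subdomains
        self.entries = {h: (float("inf"), True) for h in preloaded}

    def learn(self, host: str, header: str, now: float, over_tls: bool = True) -> bool:
        """Record a policy seen in a response; returns whether it was accepted."""
        policy = parse_sts(header)
        if policy is None or not over_tls:
            return False  # STS over plain HTTP (e.g. a hijacked site) is ignored
        if policy.max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self.entries[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def must_use_https(self, host: str, now: float) -> bool:
        """Would an http:// navigation to host be upgraded before any request?"""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False  # never seen over HTTPS and not preloaded: no protection
```

The first-visit gap is the case the post calls partial protection: until a host has been visited over HTTPS once (or ships in the preload list), must_use_https returns False and a hijacked plain-HTTP response is rendered as usual.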
    • scottalanmiller

        One could argue that having HTTPS in this authoritative way from Google is meant to produce fake "warm and fuzzies" that make people stop paying attention and assume all is well and ignore risks that might still be there.

    • Obsolesce @scottalanmiller

          @scottalanmiller said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          @stacksofplates said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @stacksofplates said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @stacksofplates said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

          Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

          No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

          It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

          You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

          You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

          No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

          [image: 0_1532629148200_login.png]

          blurred for obvious reasons.

          Yeah, that I can agree with 100%.

          But even using HTTPS doesn't protect against that. HTTP or HTTPS... it doesn't matter. If someone's DNS is hijacked, they get the non-HTTPS warning in Chrome, and then they are presented with that fake OAuth thing, and they'll still log in.

          Correct. You need HSTS as well. And even then, it's only partial protection.

          Yeah, the benefit of using HTTPS is when legit websites use it to encrypt the transmission of sensitive information, not for security purposes IMO.

    • Kelly

            I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

    • Obsolesce @Kelly

              @kelly said in Miscellaneous Tech News:

              I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

              That's what a VPN is for, like FrootVPN.

    • Kelly @Obsolesce

                @obsolesce said in Miscellaneous Tech News:

                @kelly said in Miscellaneous Tech News:

                I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

                That's what a VPN is for.

                VPN has a handoff at some point where it will be crossing into unencrypted land before it hits the end point. I can prevent my ISP from analyzing my immediate traffic, but I have no control over who can after it leaves the VPN provider.

    • Obsolesce @Kelly

                  @kelly said in Miscellaneous Tech News:

                  @obsolesce said in Miscellaneous Tech News:

                  @kelly said in Miscellaneous Tech News:

                  I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

                  That's what a VPN is for.

                  VPN has a handoff at some point where it will be crossing into unencrypted land before it hits the end point. I can prevent my ISP from analyzing my immediate traffic, but I have no control over who can after it leaves the VPN provider.

                  At that point it doesn't matter because it's not YOU it's coming from. So the analytics will be against the VPN server, not you.

    • stacksofplates @Obsolesce

                    @obsolesce said in Miscellaneous Tech News:

                    @kelly said in Miscellaneous Tech News:

                    I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

                    That's what a VPN is for, like FrootVPN.

                    Which is also exactly what HTTPS is.

    • Kelly

                      @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing. That may not be your point, but all the negative feedback relating to this topic is giving that impression. HTTPS is not a panacea and it will not create whirled peas, but it is better than not having it for a variety of reasons. There are edge cases where it is unnecessary, but is it necessary to automatically go there whenever something is brought up?

                      This is a trend that has bothered me about the tone here on ML. There are quite a few (what I think are) unnecessary arguments about things that are not important to the topic at hand. I've kept quiet about it thus far, but this discussion has prompted me to say something.

    • Obsolesce @Kelly

                        @kelly said in Miscellaneous Tech News:

                        @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.

                        Nobody said it's a bad thing...

    • scottalanmiller @Obsolesce

                          @obsolesce said in Miscellaneous Tech News:

                          @kelly said in Miscellaneous Tech News:

                          @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.

                          Nobody said it's a bad thing...

                          Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.

    • Kelly @scottalanmiller

                            @scottalanmiller said in Miscellaneous Tech News:

                            @obsolesce said in Miscellaneous Tech News:

                            @kelly said in Miscellaneous Tech News:

                            @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.

                            Nobody said it's a bad thing...

                            Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.

                            To what end? There are a lot of nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular; this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.

    • scottalanmiller @Kelly

                              @kelly said in Miscellaneous Tech News:

                              @scottalanmiller said in Miscellaneous Tech News:

                              @obsolesce said in Miscellaneous Tech News:

                              @kelly said in Miscellaneous Tech News:

                              @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.

                              Nobody said it's a bad thing...

                              Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.

                              To what end? There are a lot of nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular; this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.

                              Not to make this one of those, but I feel like, for me at least, this was productive. Because while it took a bit of back and forth, @stacksofplates exposed the OAUTH "style" risk that is very real and had not been considered. And then the HSTS necessity was brought up. Which I think was good additional stuff.

                              Maybe it's too much back and forth, but isn't that how you test concepts to see what is useful and find nuances that were missed? We could skip all that, but wouldn't the discussion have less if we did?

    • Kelly @scottalanmiller

                                @scottalanmiller said in Miscellaneous Tech News:

                                @kelly said in Miscellaneous Tech News:

                                @scottalanmiller said in Miscellaneous Tech News:

                                @obsolesce said in Miscellaneous Tech News:

                                @kelly said in Miscellaneous Tech News:

                                @Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.

                                Nobody said it's a bad thing...

                                Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.

                                To what end? There are a lot of nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular; this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.

                                Not to make this one of those, but I feel like, for me at least, this was productive. Because while it took a bit of back and forth, @stacksofplates exposed the OAUTH "style" risk that is very real and had not been considered. And then the HSTS necessity was brought up. Which I think was good additional stuff.

                                Maybe it's too much back and forth, but isn't that how you test concepts to see what is useful and find nuances that were missed? We could skip all that, but wouldn't the discussion have less if we did?

                                If value is derived from the discussion, then I'm all for it. I did not have the impression from the responses that the respondents to @stacksofplates posts were getting anything from them aside from more things to "discuss". This current discussion is not alone in my opinion. But, perhaps I'm being overly sensitive and am reading too much into things.

    • Obsolesce @Kelly

                                  @kelly said in Miscellaneous Tech News:

                                  But, perhaps I'm being overly sensitive and am reading too much into things.

                                  Probably this IMO.

                                  Valid points were made, additional considerations were brought to light, more understanding and concepts came from it... that's how things progress.

                                  If only a single aspect of something is talked about, and all else is not considered, well I think that's dangerous and how misconceptions and misinformation can form.

    • Kelly

                                    <opinion>Twitter: We don't shadow ban, but we make it so people's tweets don't show up in feeds if we don't like them</opinion>

                                    https://blog.twitter.com/official/en_us/topics/company/2018/Setting-the-record-straight-on-shadow-banning.html

    • scottalanmiller @Kelly

                                      @kelly said in Miscellaneous Tech News:

                                      <opinion>Twitter: We don't shadow ban, but we make it so people's tweets don't show up in feeds if we don't like them</opinion>

                                      https://blog.twitter.com/official/en_us/topics/company/2018/Setting-the-record-straight-on-shadow-banning.html

                                      Ha

                                      And... their stock is falling.

    • scottalanmiller

                                        Facebook loss this week is a staggering amount of market cap.

    • scottalanmiller

                                          Slack has purchased HipChat, from Atlassian.

                                          HipChat effectively built this form of instant messaging platform, but Slack made the big money from it.

    • dbeato

                                            Wow, what an HTTPS discussion that I missed lol. Vulnerabilities will always be there no matter what HTTP or HTTPS you have. I always have argued that having a proxy is still not secure end to end for internal traffic (I know, if anything is internal to your network we have more problems).
