http://wiki.ctyme.com/index.php?title=Special:Contributions&feed=atom&limit=100&target=Marc&year=&month=Computer Tyme Support Wiki - User contributions [en]2024-03-29T15:24:26ZFrom Computer Tyme Support WikiMediaWiki 1.16.2http://wiki.ctyme.com/index.php/DNS-InfoDNS-Info2022-09-03T21:32:17Z<p>Marc: /* Outbound SPF settings */</p>
<hr />
<div>== Name Server Settings ==<br />
<br />
This section is for customers where we host everything. If you are here for spam filtering see the MX record section below.<br />
<br />
DNS stands for Domain Name Service. That is the Internet service that allows the world to find your web site when they type in your domain. It translates you domain name into and IP address. The name servers for Computer Tyme are:<br />
<br />
ns.reality-dns.com<br />
ns.reality-dns.net<br />
ns.reality-dns.org<br />
<br />
Ordinarilly Computer Tyme will provide DNS services for your domain. If you are new to Computer Tyme you need to go to your registrar and set your name servers with the above information. This gives us control to set the IP addresses of all your hosts and mail exchange records. With three servers in different locations we can ensure that no matter what happens, the world will be able to find where the servers that host your site are.<br />
<br />
== MX Record Settings ==<br />
<br />
Normally most users don't have to mess with the MX records. But if we are providing front end spam filtering services for you and you are managing your own name server then these are the settings for the MX (Mail eXchange) records:<br />
<br />
mx.junkemailfilter.com - Priority 10<br />
mx.junkemailfilter.net - Priority 20<br />
mx.junkemailfilter.org - Priority 30<br />
<br />
Ordering and numbering is important. It is also important that you not add any of your existing MX records or and other MX record to the list as it will defeat the way the spam filter works. If your DNS for asks for a "host" enter "@" in that field which is a reference to your current domain.<br />
<br />
Here's the instructions if you are [[Changing your MX records with cPanel]].<br />
<br />
== Outbound SPF settings ==<br />
<br />
If we host your email or you are using our outbound filtering service, it will help your mail deliverability if you add our systems to your SPF record:<br />
<br />
include:spf.junkemailfilter.com<br />
<br />
If you don't send mail from anywhere else, your SPF record can look like this:<br />
<br />
v=spf1 include:spf.junkemailfilter.com ~all<br />
<br />
In your DNS settings, a SPF record is a TXT type record that is entered against your root-level domain.<br />
<br />
That tells the world that Junk Email Filter is the legitimate source for your outbound email. Please consider, however, if you send or have mail sent for your domain through any other services or locations that you '''MUST''' include those locations in the record (think office scanner, third party marketing or newsletter services, mailing lists, etc.)<br />
<br />
== DNS Tools ==<br />
<br />
* [http://mailboxtools.com Mailbox Tools (Check MX records)]<br />
* [http://www.intodns.com Into DNS]<br />
* [http://www.dnsstuff.com DNS Stuff]<br />
* [http://openrbl.org Open RBL]<br />
* [http://www.senderbase.org Sender Base]<br />
<br />
== DNS Registrar Management ==<br />
<br />
For those of you who have an account at Computer Tyme DNS Services you can [https://manage.opensrs.net/ Manage Your Account].</div>Marchttp://wiki.ctyme.com/index.php/DNS-InfoDNS-Info2022-09-03T21:31:24Z<p>Marc: /* Outbound SPF settings */</p>
<hr />
<div>== Name Server Settings ==<br />
<br />
This section is for customers where we host everything. If you are here for spam filtering see the MX record section below.<br />
<br />
DNS stands for Domain Name Service. That is the Internet service that allows the world to find your web site when they type in your domain. It translates you domain name into and IP address. The name servers for Computer Tyme are:<br />
<br />
ns.reality-dns.com<br />
ns.reality-dns.net<br />
ns.reality-dns.org<br />
<br />
Ordinarilly Computer Tyme will provide DNS services for your domain. If you are new to Computer Tyme you need to go to your registrar and set your name servers with the above information. This gives us control to set the IP addresses of all your hosts and mail exchange records. With three servers in different locations we can ensure that no matter what happens, the world will be able to find where the servers that host your site are.<br />
<br />
== MX Record Settings ==<br />
<br />
Normally most users don't have to mess with the MX records. But if we are providing front end spam filtering services for you and you are managing your own name server then these are the settings for the MX (Mail eXchange) records:<br />
<br />
mx.junkemailfilter.com - Priority 10<br />
mx.junkemailfilter.net - Priority 20<br />
mx.junkemailfilter.org - Priority 30<br />
<br />
Ordering and numbering is important. It is also important that you not add any of your existing MX records or and other MX record to the list as it will defeat the way the spam filter works. If your DNS for asks for a "host" enter "@" in that field which is a reference to your current domain.<br />
<br />
Here's the instructions if you are [[Changing your MX records with cPanel]].<br />
<br />
== Outbound SPF settings ==<br />
<br />
If we host your email or you are using our outbound filtering service, it will help your mail deliverability if you add our systems to your SPF record:<br />
<br />
include:spf.junkemailfilter.com<br />
<br />
If you don't send mail from anywhere else, your SPF record can look like this:<br />
<br />
v=spf1 include:spf.junkemailfilter.com ~all<br />
<br />
In your DNS settings, a SPF record is a TXT type record that is entered against your root-level domain.<br />
<br />
That tells the world that Junk Email Filter is the legitimate source for your outbound email. Please consider, however, if you send or have mail sent for your domain through any other services or locations that you **MUST** include those locations in the record (think office scanner, third party marketing or newsletter services, mailing lists, etc.)<br />
<br />
== DNS Tools ==<br />
<br />
* [http://mailboxtools.com Mailbox Tools (Check MX records)]<br />
* [http://www.intodns.com Into DNS]<br />
* [http://www.dnsstuff.com DNS Stuff]<br />
* [http://openrbl.org Open RBL]<br />
* [http://www.senderbase.org Sender Base]<br />
<br />
== DNS Registrar Management ==<br />
<br />
For those of you who have an account at Computer Tyme DNS Services you can [https://manage.opensrs.net/ Manage Your Account].</div>Marchttp://wiki.ctyme.com/index.php/DNS-InfoDNS-Info2022-09-03T21:30:00Z<p>Marc: /* Outbound SPF settings */</p>
<hr />
<div>== Name Server Settings ==<br />
<br />
This section is for customers where we host everything. If you are here for spam filtering see the MX record section below.<br />
<br />
DNS stands for Domain Name Service. That is the Internet service that allows the world to find your web site when they type in your domain. It translates you domain name into and IP address. The name servers for Computer Tyme are:<br />
<br />
ns.reality-dns.com<br />
ns.reality-dns.net<br />
ns.reality-dns.org<br />
<br />
Ordinarilly Computer Tyme will provide DNS services for your domain. If you are new to Computer Tyme you need to go to your registrar and set your name servers with the above information. This gives us control to set the IP addresses of all your hosts and mail exchange records. With three servers in different locations we can ensure that no matter what happens, the world will be able to find where the servers that host your site are.<br />
<br />
== MX Record Settings ==<br />
<br />
Normally most users don't have to mess with the MX records. But if we are providing front end spam filtering services for you and you are managing your own name server then these are the settings for the MX (Mail eXchange) records:<br />
<br />
mx.junkemailfilter.com - Priority 10<br />
mx.junkemailfilter.net - Priority 20<br />
mx.junkemailfilter.org - Priority 30<br />
<br />
Ordering and numbering is important. It is also important that you not add any of your existing MX records or and other MX record to the list as it will defeat the way the spam filter works. If your DNS for asks for a "host" enter "@" in that field which is a reference to your current domain.<br />
<br />
Here's the instructions if you are [[Changing your MX records with cPanel]].<br />
<br />
== Outbound SPF settings ==<br />
<br />
If we host your email or you are using our outbound filtering service, it will help your mail deliverability if you add our systems to your SPF record:<br />
<br />
include:spf.junkemailfilter.com<br />
<br />
If you don't send mail from anywhere else, your SPF record can look like this:<br />
<br />
v=spf1 include:spf.junkemailfilter.com ~all<br />
<br />
That tells the world that Junk Email Filter is the legitimate source for your outbound email. Please consider, however, if you send or have mail sent for your domain through any other services or locations that you *MUST* include those locations in the record (think office scanner, third party marketing or newsletter services, mailing lists, etc.)<br />
<br />
== DNS Tools ==<br />
<br />
* [http://mailboxtools.com Mailbox Tools (Check MX records)]<br />
* [http://www.intodns.com Into DNS]<br />
* [http://www.dnsstuff.com DNS Stuff]<br />
* [http://openrbl.org Open RBL]<br />
* [http://www.senderbase.org Sender Base]<br />
<br />
== DNS Registrar Management ==<br />
<br />
For those of you who have an account at Computer Tyme DNS Services you can [https://manage.opensrs.net/ Manage Your Account].</div>Marchttp://wiki.ctyme.com/index.php/Project_TarProject Tar2019-04-28T04:00:16Z<p>Marc: </p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [https://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [https://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, we will still support the old "tarbaby" links and we'll continue to support the tarbaby.junkemailfitler.com DNS name, but encourage users to migrate to tar.junkemailfilter.com.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Project_TarProject Tar2019-04-28T03:59:31Z<p>Marc: </p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, we will still support the old "tarbaby" links and we'll continue to support the tarbaby.junkemailfitler.com DNS name, but encourage users to migrate to tar.junkemailfilter.com.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Main_PageMain Page2019-04-28T02:53:06Z<p>Marc: /* DNS List Services */</p>
<hr />
<div>= Computer Tyme / Junk Email Filter Support Wiki =<br />
<br />
Welcome to Computer Tyme/Junk Email Filter Support. This wiki will (hopefully) answer your technical questions about using the Computer Tyme Hosting system.<br />
<br />
== DNS Information ==<br />
<br />
* [[DNS-Info]] - Moving in for web hosting and email? This is where you find out how to change your name servers.<br />
<br />
* [[DNS Hosting Services]] Let us host your name servers.<br />
<br />
== Email System ==<br />
<br />
* [[Email Users Guide]] - Configuring your email program<br />
* [[Email Advanced Features ]] - Advanced Features for users<br />
* [[Email Administrator Guide]] - Creating Email Accounts and Aliases<br />
* [[Switching Over to our Hosted Email]] - Understanding the Migration Path<br />
* [http://www.junkemailfilter.com/spam/how_it_works.html How the Spam Filter Works] - Under the hood of our spam filter.<br />
* [[Changing_your_MX_records_with_cPanel]] - If you're using cPanel select "Local Mail Exchanger"<br />
* [[Changing_your_MX_records_with_Direct Admin]] - Select "Use this server to handle my emails."<br />
<br />
== Spam Filtering ==<br />
* [[Junkemailfilter]] - Main Spam Filtering Support Pages<br />
* [[Bounced Email]] - Why did my email bounce?<br />
* [[Fixing Reverse DNS]] - How to fix your bad Reverse DNS (RDNS)<br />
* [[Keeping Your Server Off Black Lists]] - How to keep your server from being black listed.<br />
* [[When things go wrong]] - What to do and look for if your email stops. Emergency Procedures<br />
* [[The Evolution Spam Filter]] - Our new Patent Pending Spam Filtering Process<br />
* [[Concept Parsing Spam Filter]] - This could be added to other spam filtering systems like SpamAssassin<br />
* [[When things go wrong]] - Problem than can occur when setting up spam filtering through us.<br />
<br />
== System Services ==<br />
<br />
* [http://phpmyadmin.ctyme.com PHP MySQL Administration] - PhpMyAdmin<br />
<br />
== DNS List Services ==<br />
<br />
* [[Spam_DNS_Lists]] - My DNS Spam Blocking Lists and DNS White and Yellow Lists<br />
<br />
* [[Registrar Barrier DNS List]] - Information to return the main domain part of a host name and other lists<br />
<br />
* [[Spam abuse]] - Our message to people receiving our automated abuse reports<br />
<br />
* [[Project Tar]] - Project Tar - Reduce your spam and help us find spambots.<br />
<br />
* [[Email Server Setup Tips]] - Best practices for setting up email servers to get mail delivered and avoid blacklisting.<br />
<br />
= Marc Perkel's Technical Rants =<br />
<br />
This section is opinion and technical issues and various rants about things that I need to talk about.<br />
<br />
* [[GULP]] - How to write a General User Language Parser<br />
<br />
* [[Exim Email Control Specification]] - Email Control Program I need Written.<br />
<br />
* [[UN_Spam_Paper]] - My submission to the United Nations to help solve the spam problem.<br />
<br />
* [[How_to_put_an_end_to_Virus_Infected_Spam_Bots]] - How we can defeat the Spam Bot Army<br />
<br />
* [[How_to_make_Exim_run_a_lot_Faster]]<br />
<br />
* [[How To Reduce Computer Power consumption]]<br />
<br />
* [[How to run a Linux script every few seconds under cron]]<br />
<br />
* [[ICANN_Philosophy]] - Philosophical Basis for ICANN<br />
<br />
= NSA and FBI Spying =<br />
<br />
* [[Alternative to SOPA and PIPA - Make Piracy your Friend]]<br />
<br />
* [[Why the world needs to stop NSA spying]]<br />
<br />
* [[How the NSA makes us less safe]]<br />
<br />
== Contact Information ==<br />
<br />
The main support contact is Marc Perkel at [[mailto:support@junkemailfilter.com support@junkemailfilter.com]]. We prefer email support to phone because you can send us error messages and details more accurately than by voice. Also - if your domain is down don't email us from the non-working domain. Use something like g,ail to contact us so we can reply.<br />
<br />
Our snail mail address is:<br />
<br />
Computer Tyme Hosting / Junk Email Filter<br />
7498 Chestnut St.<br />
Gilroy CA. 95020<br />
415-992-3400<br />
<br />
If you are emailing us about a problem please provide enough information to help us figure it out in your email. You might also want to visit our [http://wiki.junkemailfilter.com/index.php/When_things_go_wrong When Things Go Wrong] page. If you are emailing us that you aren't getting any email, please send us that email from a different domain so that we can reply. If this is an emergency please include your phone number in the email.</div>Marchttp://wiki.ctyme.com/index.php/Spam_DNS_ListsSpam DNS Lists2019-04-28T02:52:06Z<p>Marc: /* You can help us help you by building our list */</p>
<hr />
<div>= Were you Blacklisted and want to be removed? =<br />
<br />
Have you been blacklisted on our Hostkarma list? <font color=red><b>To check or be removed [http://ipadmin.junkemailfilter.com/remove.php Click Here].</b></font><br />
<br />
= Creating White/Yellow/Black DNS lists for email systems in the fight against spam. =<br />
<br />
Free DNS host karma listing servers to provide information to the world about what servers are sending spam, nonspam, or a mix of spam and nonspam. This is a service of [http://www.junkemailfilter.com Junk Email Filter dot com]. One of many technologies used in advanced email filtering.<br><br />
<br />
== LICENSE - Using these Lists is Free ==<br />
<br />
Unless you really load our servers and suck a lot of bandwidth use of these lists are almost free. <br />
<br />
* If you are a non-profit organization usage of this list is free. In fact, if you are a progressive nonprofit you might qualify for free spam filtering service as our way of helping to support progressive causes. (We determine what we consider progressive)<br />
<br />
* If you are a small business you can use it for free. However we ask as a favor for using it for free that you thank us somewhere on your web site. (Not a requirement) Link to [http://www.junkemailfilter.com http://www.junkemailfilter.com].<br />
<br />
* Rsync copies are available in rbldnsd format. Contact [mailto:support@junkemailfilter.com support@junkemailfilter.com] for access and pricing.<br />
<br />
== List Attitude ==<br />
<br />
Different lists have different criteria for listing that to a large extent reflects the personality of the people behind the list. Some lists are angry lists where they list everything and if you got on their list it's your fault. There are also lists that have nothing to do with spam, but try to punish behavior that they don't like, or try to promote technologies that do not work.<br />
<br />
<font color=green><b>This list is not an angry list. We focus on the reality of what really works.</b></font><br />
<br />
Our position is that if you are a spammer we want to block you. If you are not a spammer we want to make sure your email gets delivered. And if you have been hacked or have a virus we want to help you get back to normal and get you off our blacklist as quickly as we can. If your server is misconfigured, we want to help you get it right so that your good email can be delivered as efficiently as possible. And if you never send spam we want you to be on our whitelist. To us it's all about delivering good email and blocking bad email. Our mission is to get it right and to be professional and friendly about it. And because there is so much spam out there, we want to partner with our competitors so that we can all keep our customers happy and the spammers unhappy.<br />
<br />
Our system also sends out automated notices to alert spam sources of problems and to get feedback in case we have a problem rejecting good email so that we can fix problems that we don't know about. This helps ISPs and office network admins find and shut down virus infected computer reducing spam across the planet. Our view is that the best way to fight spam is to stop it at the source.<br />
<br />
[http://www.junkemailfilter.com Junk Email Filter] uses innovative techniques to fight spam. We have been the leader in introducing several new spam fighting technologies. This list is an example of our commitment not just to be accurate but to be efficient. Most lists are just black lists. A few have multiple return codes as to why the IP is blacklisted. There are also a for white lists but most of those white lists are really lists of servers not to blacklist. Our lists go much farther.<br />
<br />
# Besides just black lists and white lists we have yellow lists and NOBL lists. (Our Invention) White on our lists means that anything that comes from the source is good email and needs no further testing. NOBL is like most other's white lists but means this IP or host name should not be black listed. So no need to check the black lists. Yellow listing indicates a mixed source of good email and spam. Sources like Hotmail, Yahoo, and Gmail are yellow sources. Yellow means that the IP address or host name contains no information about if it is good or bad and no reason to check white or black lists.<br />
# Instead of having a lot of separate lists which would require multiple DNS lookups we support a single DNS look up and we return different codes as to the status of the IP. In some cases we return multiple codes indicating the IP meets multiple conditions. At this time we are the only DNS list that does this. However we can not ignore the efficiency of a single call lookup and we think that this is a model for the future.<br />
# Forward Confirmed reverse DNS (FCrDNS) lookup is almost impossible to spoof. We therefore think there is an opportunity to provide host name lookup based on FCrDNS not just for blacklisted names, but for all the other colors to and like the IP lookups we return multiple results in a single DNS call that indicates everything we have that is useful information in a single call.<br />
# Unlike most lists and spam filtering systems who focus on black lists, we focus on white lists as well as NOBL and Yellow lists to actively detect good email and protect good email from being misclassified. It's not just a matter of catching spam and letting everything else pass. We actively detect good email and pass it through as quickly and efficiently as possible. This allows us to pass good email faster by avoiding unnecessary spam tests on email we can easily determine is good. This is a philosophy we have worked hard to instill in the spam fighting community.<br />
<br />
=== Retaliatory Listings ===<br />
<br />
We do everything possible to make sure that legitimate email is not blocked by our lists and we expect those who run lists to do the same. If any other list knowingly blacklists our IP space or fails to remove blacklists against us after being informed of their error we reserve the right to blacklist your IP space.<br />
<br />
=== Types of Listings ===<br />
<br />
Our listings are a little different than some RBLs. Instead of having you make several DNS calls to test for white or black listing we return it in one call and we have different result codes based on the reputation of the host name or IP being looked up. We also provide other general information that isn't black or white but might be useful in determining if something is good or not in combination with other tests. Here's some features of our lists.<br />
<br />
* Black Lists - As with other lists we black list IPs, and host names!<br />
* White Listings - We list good IPs as well as bad<br />
* Yellow Listing - For Google, Outlook, Hotmail, Yahoo - IP contains no useful information.<br />
* Quit / NotQuit - Do they close the connection Properly?<br />
* Name Based Lookups - Not just IPs but host names too!<br />
* Domain Age - If the host name is familiar or not. Can be used to catch spammers using newly registered domains<br />
* TLDs - test for legit Top Level Domains<br />
* Registry Barriers - Test to see where the main domain stops and the subdomain starts.<br />
* Country Codes - Look up what country the IP came from.<br />
<br />
== How to use the Lists ==<br />
<br />
[http://www.junkemailfilter.com Junk Email Filter dot com] provides several public lists -- one is a black list to block spam and the other is a white list to either pass nonspam/ham or to keep sites from being blocked. Blocking is done by IP address which is something spammers can't spoof. We look at email hosts as being one of these kinds:<br />
<br />
* hosts that generate only spam that we blacklist<br />
* hosts that generate a mix which we yellow list.<br />
* hosts that generate only nonspam which we whitelist<br />
<br />
Our list server is <font color=red>hostkarma.junkemailfilter.com</font> - this server returns several different results depending on what kind of listing it is. If the server returns 127.0.0.1 then it is whitelisted. You can accept the email without any further checking. <br />
<br />
If the result is 127.0.0.3 then the host is yellow listed. Yellow listing means that host generates some spam and some nonspam (examples: yahoo.com, hotmail.com). What that means is that this host should never be blacklisted and that other IP based blacklists should be bypassed to prevent false positives.<br />
<br />
If the result is 127.0.0.2 it is blacklisted - if the IP is listed here you can bounce it without further checking. <br />
<br />
And if the result is 127.0.0.4 it is brownlisted which means it is on its way to being blacklisted but hasn't quite got there yet. But it might be worth a few points using SpamAssassin.<br />
<br />
* 127.0.0.1 - whilelist - trusted nonspam<br />
* 127.0.0.2 - blacklist - block spam<br />
* 127.0.0.3 - yellowlist - mix of spam and nonspam<br />
* 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist<br />
* 127.0.0.5 - NOBL - This IP is not a spam only source and no blacklists need to be tested<br />
<br />
Like all IP based lists the tuples of the client's IP address are reversed in order and the blacklist name is appendend. So if you were to look up 1.2.3.4 you would query the DNS for the following hostname:<br />
<br />
4.3.2.1.hostkarma.junkemailfilter.com<br />
<br />
=== Name Based Lookups ===<br />
<br />
In addition to IP based lookups the hostkarma list also supports name based lookups. If you wanted to look up wellsfargo.com, you would query the DNS for the following hostname:<br />
<br />
wellsfargo.com.hostkarma.junkemailfilter.com<br />
<br />
As with the IP lists a 127.0.0.1 is a white listing, 127.0.0.2 is a black listing. The return codes are the same as listed above for IP addresses.<br />
<br />
=== List Logic ===<br />
<br />
The best way to use the lists is to do it in a specific order: <br />
<br />
First you check the white list and see if it is white. If so you accept the message without further processing. Then you see if the list is yellow. If so - you skip all your blacklist tests. Then you check your blacklists and if listed you bounce it. Whatever email is left is then tested with all your other testing methods like [http://www.spamassassin.org Spam Assassin].<br />
<br />
=== Exim Examples ===<br />
<br />
[http://www.exim.org Exim] is an extremely powerful MTA, probably the most powerful MTA on the planet. That's why I like it so much. I want to do what I want to do and Exim allows me to do it.<br />
<br />
# Mark it White <br />
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.1<br />
set acl_c_white = white - dnswl - $sender_fullhost<br />
<br />
# Mark it Yellow <br />
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.3<br />
set acl_c_yellow = yellow - $sender_fullhost<br />
<br />
# Using the Black List<br />
deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2<br />
<br />
# Other Blacklists<br />
deny !dnslists = hostkarma.junkemailfilter.com=127.0.0.1,127.0.0.3<br />
dnslists = zen.spamhaus.org/<;$sender_host_address;$sender_address_domain :\<br />
nomail.rhsbl.sorbs.net/$sender_address_domain : cbl.abuseat.org :\ <br />
list.dsbl.org : web.dnsbl.sorbs.net : socks.dnsbl.sorbs.net :\<br />
http.dnsbl.sorbs.net<br />
<br />
=== Postfix Examples ===<br />
<br />
<b>Postfix For Blacklisting:</b><br />
<br />
smtpd_client_restrictions = reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2 <br />
<br />
<b>Postfix For Whitelisting and Blacklisting:</b><br />
<br />
smtpd_client_restrictions = permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,<br />
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2<br />
<br />
=== Spam Assassin Examples ===<br />
<br />
[http://www.spamassassin.org Spam Assassin] can access the white and black lists for scoring.<br />
<br />
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')<br />
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter<br />
tflags __RCVD_IN_HOSTKARMA net<br />
<br />
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')<br />
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE<br />
tflags RCVD_IN_HOSTKARMA_W net nice<br />
score RCVD_IN_HOSTKARMA_W -5<br />
<br />
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')<br />
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK<br />
tflags RCVD_IN_HOSTKARMA_BL net<br />
score RCVD_IN_HOSTKARMA_BL 3.0<br />
<br />
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')<br />
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN<br />
tflags RCVD_IN_HOSTKARMA_BR net<br />
score RCVD_IN_HOSTKARMA_BR 1.0<br />
<br />
== Implementing Name Based DNS Lookup ==<br />
<br />
The hostkarma DNS list supports name based lookups as well as IP based lookups. <br />
<br />
<hostname>.hostkarma.junkemailfilter.com<br />
<br />
* 127.0.0.1 = whitelisted<br />
* 127.0.0.2 = blacklisted<br />
* 127.0.0.3 = yellowlisted<br />
* 127.0.0.4 = URIBL<br />
* 127.0.0.5 = NOBL listed<br />
<br />
Example:<br />
dig hermes.apache.org.hostkarma.junkemailfilter.com<br />
<br />
Examples using Exim:<br />
<br />
accept dnslists = hostkarma.junkemailfilter.com=127.0.0.1/$sender_host_name<br />
deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2/$sender_host_name<br />
<br />
Examples using Postfix:<br />
<br />
reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2<br />
<br />
== No Blacklist List ==<br />
<br />
We have also created a No blacklist list of IP and host names that are either white listed, yellow listed, or otherwise determined that these IP addresses should never be in any blacklist.<br />
<br />
The purpose of the list is to avoid false positives. If you are running any kind of DNS list check you can read this list first and if it is listed then you need not test any other blacklists because they will be wrong.<br />
<br />
* 127.0.0.1 = whitelisted - accept as good<br />
* 127.0.0.3 = yellowlisted - mixed source - do not blacklist or whitelist<br />
* 127.0.0.5 = nobl listed - not a spam source - do not blacklist - maybe whitelist<br />
<br />
Any result from this list means do not blacklist. The list is accessed as follows:<br />
<br />
accept dnslists = nobl.junkemailfilter.com<br />
....<br />
blacklist tests<br />
<br />
Both name and IP queries to this list are accepted:<br />
<br />
4.3.2.1.nobl.junkemailfilter.com<br />
mydomain.com.nobl.junkemailfilter.com<br />
<br />
== Country Code List ==<br />
<br />
Junk Email Filter now provides a country code IP lookup. Just used the standard IP lookup (reversed) and read the TXT record and it returns a 2 character country code.<br />
<br />
4.3.2.1.country.junkemailfilter.com TXT<br />
<br />
Return code of "zz" means the country is unknown.<br />
<br />
== Experimental Return Codes ==<br />
<br />
Our lists use a different philosophy than most lists. Instead of making separate calls over and over to separate lists we combine all our information into a single call. The theory is that this is far more efficient to return all the information in a single call reducing bandwidth and increasing speed through reduced number of calls.<br />
<br />
The following are experimental codes that we are using internally. These may not be a list of all the return codes we use and we don't guarantee that we will continue to use these codes. But if we list these codes here it's because we have been using them for a while and finding them somewhat useful. If you want to use this information we would appreciate feedback on anything you find that might be interesting. There are 4 billion possible return codes so I don't think we are ever going to run out. Because we provide a lot of information any software that accesses our lists need to be prepared to receive and parse the multiple return codes. Here's an example of what you might see on a whitelisted domain:<br />
<br />
dig wellsfargo.com.hostkarma.junkemailfilter.com<br />
<br />
;; ANSWER SECTION:<br />
wellsfargo.com.hostkarma.junkemailfilter.com. 2100 IN A 127.0.0.1<br />
wellsfargo.com.hostkarma.junkemailfilter.com. 2100 IN A 127.0.1.1<br />
wellsfargo.com.hostkarma.junkemailfilter.com. 2100 IN A 127.0.2.3<br />
<br />
The results indicate that the domain wellsfargo.com is whitelisted (127.0.0.1), uses QUIT (127.0.1.1), and is familiar to us for over a week (127.0.2.3).<br />
<br />
=== Tracking use of QUIT ===<br />
<br />
Usually virus infected spam bots don't close the connection using the QUIT command. That's because the message is already sent and the spam bot isn't going to hang around and be polite and close the connection. This by itself is not sufficient to indicate a spam bot but it is a very important piece that when combined with other behaviors make spam bot detection both easy and accurate. We track both the host name and IP addresses so you cam use hostkarma to look up either one. The codes are as follows:<br />
<br />
* 127.0.1.1 - QUIT is used<br />
* 127.0.1.2 - No QUIT is used<br />
* 127.0.1.3 - Mixed - Quit is used sometimes<br />
<br />
We do have some mutual exclusion logic and do some counting and other refinements to improve the data. As this is experimental we are not ready to document further details. As with our lists data can be tested as follows:<br />
<br />
4.3.2.1.hostkarma.junkemailfilter.com<br />
example.com.hostkarma.junkemailfilter.com<br />
<br />
=== Familiar Domains ===<br />
<br />
Spammers often register new domain names and use them for spam. Most commonly they are used as links to sites that the spam wants you to click on. Many of these sites are fraud sides pretending to be banks so that they can get your account information and steal your money. But there is no easy way to get a list of new domains. Several people have tried but by the time they process the data the domains have been in operation for some time. <br />
<br />
So instead of listing new domains what we are trying to do is list old domains in what we call our familiar list. The idea being that if the domain isn't listed then it is unfamiliar and thus new domains can be detected instantly upon being used. Of course this detects domains that are familiar to us so if an old domain contacts our servers for the first time they are also unfamiliar. So although we can detect 100% of new domains, not all domains detect as new are actually new. They are just new to us.<br />
<br />
So keeping this in mind being unfamiliar isn't anything you would want to use for blocking but rather as one piece of information that when combined with other sins indicates that the unfamiliar domain is being used for fraud. We also track how long the domain is known to us so that creates an age indication that might be useful.<br />
<br />
* 127.0.2.1 - domains we first saw in the last 24-48 hours<br />
* 127.0.2.2 - domains we first saw in the last 10 days<br />
* 127.0.2.3 - domains that are older than 10 days<br />
<br />
And, of course, if not listed then the domain is totally unfamiliar to us. Domains are read by reading the hostkarma list as follows:<br />
<br />
example.com.hostkarma.junkemailfilter.com<br />
<br />
== Data Life ==<br />
<br />
Blacklist data lives about 5 days so if you are wrongly blacklisted or if you had a virus and fixed he problem you will automatically be delisted 5 days after the spamming stops. White list data lives about 10 days. The exceptions being those who are permanently white listed or black listed.<br />
<br />
== Blacklist Testing and other testing Tools ==<br />
<br />
[[http://multirbl.valli.org/ Valli black list testing tool]]<br />
[[http://www.dnsstuff.com/ DNS Stuff]]<br />
[[http://mailboxtools.com/ Mailbox Tools]]<br />
[[http://dnssy.com/index.php DNSay]]<br />
<br />
== Blacklist Compared ==<br />
<br />
How does our lists compare to other lists. Here's some web sites where lists are compared.<br />
<br />
[[http://www.intra2net.com/en/support/antispam/index.php Intra2net]] <br />
[[http://www.spamcannibal.org/dnsbl_compare.shtml Spam Cannible]]<br />
<br />
== You can help us help you by building our list ==<br />
<br />
If you want to participate in helping to build our lists and further reduce your spam you can participate in our [[Project Tar]]. This will give you a little free spam reduction and allow us to harvest some spam bot data to help build our lists. It involves setting your highest MX to point to our Tar server.<br />
<br />
Just add this as your highest numbered MX record.<br />
<br />
tar.junkemailfilter.com<br />
<br />
That will help us build our list, reduce your spam, and help tune the list to those spamming you making our black list even more effective for you.<br />
<br />
== What Kinds of Spam Does this list Work With? ==<br />
<br />
The black list catches spam only servers. Generally these include virus infected users who are being used as spam servers. The list is generated by honeypot accounts and spammer's behavior where spam is caught be dong things that only spammers do. We have developed a lot of unique methods of detecting spam based on the behavior of the spammer. We can detect spammers by the way they try to deliver email rather than by the content of the message.<br />
<br />
The real power here is in the white lists. Those who are used to spam filtering need to think differently about spam processing in order to really get the idea. You have to understand that we are not just looking for spam. This list is to catch nonspam. Nonspam is actually easier in some ways because the nonspam servers aren't doing any tricks to hide. They consistently send out good mail. All we do is track that and once the server establishes a clean reputation we bless it.<br />
<br />
We also have ways of detecting nonspam that spammers can't duplicate. We use these methods to build our white lists ensuring that good email gets delivered.<br />
<br />
== How the System Works ==<br />
<br />
Telling all my tricks would be too long. But central to the system is tracking hosts by collecting data by IP address and doing an analysis on the information to determine the karma of the host.<br />
<br />
The idea is that multiple trusted servers feed data to a database that tracks IP addresses and counts the number of spams/nonspams sent by these hosts. A spam increments the spam counter. A nonspam increments the nonspam counter. As the counts go up the servers develop a reputation. Those who spew only spam make the blacklist. Those who spew only good email make the white list. And those who spew a mix make the yellow list.<br />
<br />
Other technology is also used. Honeypot can blacklist a virus infected server instantly allowing the system to have a very fast response time to new spam servers. The system can also track good servers over a long time tracking good email and establishing a reputation. Much of the blacklist data comes from using fake low and high MX records. When a host hits only the fake high numbered MX records without hitting the low numbered MX records the host is a virus infected spam zombie.<br />
<br />
White and Yellow listing are also done using a table of domain names that are known to only send good email or are know to send mixed email, (yahoo, hotmail). The RDNS is looked up, the host name is verified to see that it matches the name returned, and if the name ends in a host that is on our list then we add the IP address to our white or yellow lists.<br />
<br />
We are always looking to expand our white and yellow lists so if you send email and your server send only good email and you want to be on our lists, email me at [mailto:marc@perkel.com marc@perkel.com] with your host name information.<br />
<br />
== The Magic is in the White Lists ==<br />
<br />
Think differently. It's not just about blocking spam - it's about accepting good email. The real power in this system is the white and yellow lists, not the black list. Envision this. A bank who sends nothing but good email is communicating with tens of thousands of customers on a regular basis. Their email goes to thousands of servers who host the customer's email. So lets say that 30 of these servers are feeding data to the database. After a few months the IP address of the bank's server has 100,000 good emails recorded and say 20 spams (some people will accidently report spam in error). Thus the bank can be whitelisted. Why bother to check email from a host like that for spam? <br />
<br />
And it's not just banks. It's all institutions that send only good email. No one has to pay a fee to get listed. It's a karma system. You're good reputation gives you a fast pass through the filter.<br />
<br />
Some serves send a mixture of spam and nonspam. Example are AOL, Yahoo, Hotmail, Comcast. People who sell email services or ISPs. They try to get rid of spam, but some people exploit them anyway. These are servers that make the yellow list. The messages still need to be spam tested, but because they have a reputation of sending some good email they can at least bypass blacklisting. Thus - if a Comcast customer starts spamming through Comcast servers and Comcast doesn't detect it, this system will at least keep the Comcast server from being blacklisted which would prevent other Comcast customers from having their email blocked.<br />
<br />
== Can Spammers Out Smart This System? ==<br />
<br />
The short answer is yes - probably some can. However it represents yet another significant hurdle for them to cross. In reality this system will block mostly easy to detect spam sources. But - that's not where the power lies. it doesn't matter if spammers out smart this system. What this system does is protect good email from being falsely identified as spam and blocked. This isn't a spam filter as much as a ham filter. The power is in identifying good email.<br />
<br />
To block spam you would just use this as a frontend to your system to preclassify the easy spam/ham and them pass the rest on to meaner tests. A spammer might be able to fake their way from being blacklisted to yellowlisted. But not all the way to whitelisted.</div>Marchttp://wiki.ctyme.com/index.php/Project_tarbabyProject tarbaby2019-04-28T02:43:14Z<p>Marc: Redirected page to Project Tar</p>
<hr />
<div>#REDIRECT [[Project Tar]]</div>Marchttp://wiki.ctyme.com/index.php/Project_TarProject Tar2019-04-28T02:40:56Z<p>Marc: /* About the Name */</p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [http://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, we will still support the old "tarbaby" links and we'll continue to support the tarbaby.junkemailfitler.com DNS name, but encourage users to migrate to tar.junkemailfilter.com.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Project_TarProject Tar2019-04-28T02:39:40Z<p>Marc: Created page with "== What is Project Tar? == Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our blacklist. This is d..."</p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [http://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, the page name unfortunately will remain for now as it was, and to any who are offended, we do apologize for that. We'll continue to support the tarbaby.junkemailfitler.com DNS name, but encourage users to migrate to tar.junkemailfilter.com.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Project_tarbabyProject tarbaby2019-04-28T01:45:00Z<p>Marc: /* About the Name */</p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [http://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, the page name unfortunately will remain for now as it was, and to any who are offended, we do apologize for that. We'll continue to support the tarbaby.junkemailfitler.com DNS name, but encourage users to migrate to tar.junkemailfilter.com.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Project_tarbabyProject tarbaby2019-04-28T01:41:19Z<p>Marc: /* About the Name */</p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [http://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per [https://en.wikipedia.org/wiki/Tar-Baby the character (doll) that the book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. In order not to break various incoming links to this project, the page name unfortunately will remain for now as it was, and to any who are offended, we do apologize for that.<br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Project_tarbabyProject tarbaby2019-04-28T01:35:48Z<p>Marc: </p>
<hr />
<div>== What is Project Tar? ==<br />
<br />
Project Tar helps you reduce spam and helps us at [http://www.junkemailfilter.com Junk Email Filter] build our [[Spam_DNS_Lists|blacklist]]. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tar looks like:<br />
<br />
helo example.com<br />
250 tar.junkemailfilter.com Hello mail.example.com [1.2.3.4]<br />
mail from:<spammer@spamdomain.com><br />
250 OK<br />
rcpt to:you@yourdomain.com<br />
250 Accepted<br />
data<br />
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com<br />
quit<br />
221 tar.junkemailfilter.com closing connection<br />
<br />
== How Project Tar Works ==<br />
<br />
Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.<br />
<br />
Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.<br />
<br />
== How much spam will be eliminated using Tar? ==<br />
<br />
That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.<br />
<br />
== Setting up your MX records to use Project Tar ==<br />
<br />
Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
<br />
What you would do is add a third MX record as follows:<br />
<br />
mail.example.com 10<br />
backup.example.com 20<br />
tar.junkemailfilter.com 30<br />
<br />
And that's all you have to do.<br />
<br />
== Using Tar with Dead Domains ==<br />
<br />
Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tar server. Just set your MX record as follows:<br />
<br />
tar.junkemailfilter.com 10<br />
<br />
If we detect that tar.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.<br />
<br />
== Additional Technical Details ==<br />
<br />
Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.<br />
<br />
== Punishing Spammers ==<br />
<br />
We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.<br />
<br />
== Why are we doing this for free? ==<br />
<br />
Because it helps us at [http://www.junkemailfilter.com Junk Email Filter] build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.<br />
<br />
== About the Name ==<br />
<br />
Project Tar was originally known as Project Tarbaby, but that term is known to be racially charged to some. The intention behind the name was per the character (doll) that the [https://en.wikipedia.org/wiki/Tar-Baby book] was named for - where Br'er Rabbit (spammers) would get ensnared upon contact, and indeed, [https://newrepublic.com/article/93088/tar-baby-racist-slur many people seem unaware that to some there are racist overtones to the name]. But, unlike politicians who can't ever seem to admit something they said was misleading, uninformed or otherwise offensive to other people, we decided that even if it was arguable whether or not the name is inherently racist, what's the point of using a name that *might* be offensive to some people? We don't want to add to a culture of questionable references and inferences, since there's enough of that without adding something that's totally unnecessary. <br />
<br />
== Feedback ==<br />
<br />
We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to [mailto:support@junkemailfilter.com support@junkemailfilter.com].</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2019-04-23T22:08:39Z<p>Marc: /* Web Mail Interface */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
Use port 587 for sending email<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
* [https://mail.ctyme.com/mobile Mobile Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.<br />
<br />
== Advanced Features ==<br />
<br />
Check our our advanced features page. [[Email Advanced Features ]]</div>Marchttp://wiki.ctyme.com/index.php/Switching_Over_to_our_Hosted_EmailSwitching Over to our Hosted Email2019-04-04T18:39:39Z<p>Marc: /* Outbound SPF settings */</p>
<hr />
<div>If you have email hosted elsewhere and you are switching over to our hosted email there are a number of steps in the process. Depending on what you are switching over from you might be able to skip some of these steps. Let's assume for now that you have an existing email system and you want to switch over to our system.<br />
<br />
== Your current email system ==<br />
<br />
If you are not hosted with us or using our spam filtering system the easiest way to start is to have us do front end filtering for your domain first, let the MX records propagate, and then switch over to our hosted system. First - your email reaches your current server as follows:<br />
<br />
+-----------+ +-------------------+<br />
| Internet |---->----| Your email server |<br />
+-----------+ +-------------------+<br />
<br />
The Internet knows to sent email for your domain because your domain has MX records (Mail eXchange) set. MX records are DNS records (Domain Name Services) that is like a directory for the Internet. These MX records tell the world to send email from your domain to your server.<br />
<br />
If you change your MX records you can direct your email to a different location. However the switchover doesn't happen immediately because servers that recently emailed you "remember" your old MX records for often up to a day. During this time some of your email might go to the old location and some to the new location and this can make the transition difficult. But we have a solution.<br />
<br />
== Using our Front End Spam Filter ==<br />
<br />
What we recommend is that you use our front end filtering first. That way your email comes to us first, we clean it, and send it on to you. The important point of this is that it gives us direct control of your email stream and we can switch it over instantly. When your email is routed through us the flow is as follows:<br />
<br />
<br />
+-----------+ +-----------------+ +-------------------+<br />
| Internet |---->----| Our Spam Filter |---->----| Your email server |<br />
+-----------+ +-----------------+ +-------------------+<br />
<br />
== Preparing to use our email server ==<br />
<br />
While the MX records are updating and your email is migrating to our spam filter our server need to be able to receive your email. To do that we need to create user accounts and aliases. User accounts are real email boxes where your user's email is received and stored until they get online and read it. Aliases are fake names for real email accounts so that when the fake name is used email is sent to the real email account.<br />
<br />
Real email accounts need user names and passwords. Our system can create multiple accounts at once if the data is in this format.<br />
<br />
joe joes-password<br />
mary marys-password<br />
jane janes-password<br />
<br />
If the password is missing the account will be created with a default password. The default password needs to be changed before it can be used. The [[https://mail.ctyme.com/admin/index.php Management Interface]] can be used to set passwords.<br />
<br />
Aliases don't require passwords because they are not real email accounts. Aliases can be local accounts or other domains. An alias file looks like this:<br />
<br />
info: mary<br />
sales: mary, jane<br />
merry: mary<br />
dan: dan@yahoo.com<br />
janitor: joe<br />
all: mary, jane, dan, joe<br />
<br />
These real accounts and aliases need to be created in order to receive email on our servers. If this isn't done then email that is not defined will be rejected as an unknown user.<br />
<br />
== Switching Over ==<br />
<br />
Once the MX records have propagated and email is flowing through our servers, and your users and aliases are ready, it is time to make the switch. This is something that we control. One you tell us to switch over we stop forwarding email to your old server and forward you email to our server. Then you would reconfigure your email clients to read email from our server instead of your old server.<br />
<br />
<font color="red">'''VERY IMPORTANT!'''</font> - Once we switch over we can no longer email you at your old server. So unless you start reading your email from us, we can not communicate with you by email. If there is a problem then email us from an external email account like Yahoo or Gmail so that we can work out any confusion.<br />
<br />
Once we switch you over your email flows as follows:<br />
<br />
+-----------+ +-----------------+ +------------------+<br />
| Internet |---->----| Our Spam Filter |---->----| Our email server |<br />
+-----------+ +-----------------+ +------------------+<br />
<br />
Once the switch occurs then you have to change your user's email setting to read your email from us. You can find the settings in our [[Email Users Guide]].<br />
<br />
== Outbound SPF settings ==<br />
<br />
If you are using our outbound filtering service and you feel you need an SPF record you will need to use this setting.<br />
<br />
v=spf1 include:spf.junkemailfilter.com ~all<br />
<br />
That tells the world that Junk Email Filter is the legitimate source for your outbound email.<br />
<br />
== Migrating your old Email ==<br />
<br />
If you are using IMAP and all your folders are on your old server and you want to move them over - it's fairly easy. All you have to do is use an IMAP email client that can log into two servers at once. Thunderbird will do that. Then you create new folders on the new account and then drag and drop the messages from your old account to the new account. If you have thousands of emails and/or large attachments it will take a long time to move everything. It has to download to your computer and then upload to ours. But it will move.</div>Marchttp://wiki.ctyme.com/index.php/DNS-InfoDNS-Info2019-04-04T18:35:06Z<p>Marc: /* Outbound SPF settings */</p>
<hr />
<div>== Name Server Settings ==<br />
<br />
This section is for customers where we host everything. If you are here for spam filtering see the MX record section below.<br />
<br />
DNS stands for Domain Name Service. That is the Internet service that allows the world to find your web site when they type in your domain. It translates you domain name into and IP address. The name servers for Computer Tyme are:<br />
<br />
ns.reality-dns.com<br />
ns.reality-dns.net<br />
ns.reality-dns.org<br />
<br />
Ordinarilly Computer Tyme will provide DNS services for your domain. If you are new to Computer Tyme you need to go to your registrar and set your name servers with the above information. This gives us control to set the IP addresses of all your hosts and mail exchange records. With three servers in different locations we can ensure that no matter what happens, the world will be able to find where the servers that host your site are.<br />
<br />
== MX Record Settings ==<br />
<br />
Normally most users don't have to mess with the MX records. But if we are providing front end spam filtering services for you and you are managing your own name server then these are the settings for the MX (Mail eXchange) records:<br />
<br />
mx.junkemailfilter.com - Priority 10<br />
mx.junkemailfilter.net - Priority 20<br />
mx.junkemailfilter.org - Priority 30<br />
<br />
Ordering and numbering is important. It is also important that you not add any of your existing MX records or and other MX record to the list as it will defeat the way the spam filter works. If your DNS for asks for a "host" enter "@" in that field which is a reference to your current domain.<br />
<br />
Here's the instructions if you are [[Changing your MX records with cPanel]].<br />
<br />
== Outbound SPF settings ==<br />
<br />
If you are using our outbound filtering service and you feel you need an SPF record you will need to use this setting.<br />
<br />
v=spf1 include:spf.junkemailfilter.com ~all<br />
<br />
That tells the world that Junk Email Filter is the legitimate source for your outbound email.<br />
<br />
== DNS Tools ==<br />
<br />
* [http://mailboxtools.com Mailbox Tools (Check MX records)]<br />
* [http://www.intodns.com Into DNS]<br />
* [http://www.dnsstuff.com DNS Stuff]<br />
* [http://openrbl.org Open RBL]<br />
* [http://www.senderbase.org Sender Base]<br />
<br />
== DNS Registrar Management ==<br />
<br />
For those of you who have an account at Computer Tyme DNS Services you can [https://manage.opensrs.net/ Manage Your Account].</div>Marchttp://wiki.ctyme.com/index.php/Letter13Letter132018-05-29T19:43:01Z<p>Marc: Created page with "Hello everyone, This email is going to be difficult because I've been very optimistic about my lung cancer over the last 22 months, but I got a PET scan and the results are not ..."</p>
<hr />
<div>Hello everyone,<br />
<br />
This email is going to be difficult because I've been very optimistic about my lung cancer over the last 22 months, but I got a PET scan and the results are not good. As usual the images inside the lungs is confusing but it looks like there's some growth there. But the disturbing part is there is a new metastasis to a muscle in my back. So the cancer has spread, and that's never good.<br />
<br />
As you know I've been experimenting trying to trigger what is know as the abscopal effect and about a year ago I thought I had succeeded. In fact I do think that I did trigger an immune response against the cancer, but I couldn't sustain that response. Perhaps that's part of why so few people actually manage to clear their cancer completely. I still think it was a good idea and everything I tried might work for other people. But it would seem that my cancer can't be cured using this technique. I could go on about technical details but the possibility that I had managed to figure out a cure is now gone. I had gotten to the point of thinking that I might not have a terminal disease anymore, but that is now gone.<br />
<br />
No one can tell how much time I have left but one of my oncologists said I have months, not years, but also not weeks. But the time scale is very fuzzy and "months" is a very imprecise average with a wide latitude. Much less precise than my original prognosis. So don't buy plane tickets to my funeral yet.<br />
<br />
I have managed to cheat death somehow so far and I'm now about 3X my expected lifespan and probably 5X my expected healthspan. I'm still feeling pretty good still, although going from expecting a Nobel prize in medicine to back on death row is not an easy transition to make. But I suppose since I've done so well so far I have little room to complain overall. At the time I was diagnosed I thought if I was lucky enough to get 2 years, that would be fantastic.<br />
<br />
One thing I want to say this time however is that just because I managed to cheat death so far doesn't mean that will continue to happen. I'm feeling a lot of pressure from people to stay alive and be some sort of comic book super hero. But I don't want that expectation. If the time comes where I need to die then that's something you're going to have to deal with. Everyone needs to lower their expectations because this doesn't look good. But I'm not ruling out comic book super hero, so don't give up either. It's not about expectations, it's about working the problem. The Reality however is that there may not be a solution available to me.<br />
<br />
It is very unusual for cancer to jump from lungs to back muscle tissue without going first to many more usual places. All the oncologists in my world are completely confused by what's happening so I'm in an environment where answers are not going to be coming from them. And I too am confused. But I'm trying to figure this out and my assumption is that it's a clue, not an anomaly. And the question of "Why am I still alive if the abscopal effect didn't work?", is also a clue.<br />
<br />
I have a working hypothesis that explains both and I'm working on a plan that, if I'm correct, might at least buy me more time, possibly a lot more time. It's based on the idea that cancer is a metabolic disease and not a genetic disease, and there's an overwhelming about of evidence that supports this model. It explains that the reason I'm still here is that my supplement cocktail is was has been keeping me alive and I can enhance that with a no carb diet, to starve the cancer of sugar, and hyperbaric oxygen to screw up the fermentation metabolism of cancer cells. But it's a work in progress.<br />
<br />
To that end I have decided not to get radiation to my back muscle. I do have soreness there and it is a reminder that this is really happening. But it also gives me a way to test different treatments and determine their effectiveness by how sore my back is. I'm going to use it as an opportunity to monitor progress.<br />
<br />
People have asked me what they can do for me at this time. And right now I'm fine. Obviously I'm not happy about this and I'm still adjusting to the news myself. At this point don't ask me a lot of questions because the answer to almost anything is "I don't know.", Including ever questions like "How are you doing?". Don't pray for me either because the religious world is working to take away my right to terminate my own life when the time comes and I'm not the least bit interested in people's invisible imaginary friends. Good wishes is fine. Doing medical research and helping me work the problem is even better. It's like the movie "The Martian" where I'm going to have to science the hell out of this situation.<br />
<br />
So - I feel strange again bringing bad news after good news. And there might be good news again at some point and that will be eventually followed by bad news as well. But at least I'm still on the roller coaster.<br />
<br />
I do want to thank all my friends who have supported me for the last 22 months and the fantastic staff at Kaiser who have given me all the weird treatments I've asked for. And I thank them in advance for giving me all the weird treatments I'm going to ask for, and that is coming soon.<br />
<br />
But - I need to stop rambling on and I'll let everyone know something when I know something.<br />
<br />
Marc Perkel</div>Marchttp://wiki.ctyme.com/index.php/CancerCancer2018-05-29T19:42:47Z<p>Marc: /* Letters I've sent out about my status */</p>
<hr />
<div>= Cancer Information =<br />
<br />
This is an information page on the progress of my cancer fight. At this point the first treatment is working and the cancer has stopped progressing for now.<br />
<br />
== Letters I've sent out about my status ==<br />
* [[letter1]] - Letter to EFF Staff<br />
* [[letter2]] - Letter to Church of Reality<br />
* [[letter3]] - Phase 1 trial drugs Caprelsa and Affinitor<br />
* [[letter4]] - Announcing work on my own cure using immunotherapy<br />
* [[letter5]] - My first treatment plan is working - cancer has stopped progressing for now<br />
* [[letter6]] - Treatment plan stopped working - no treatment at this time<br />
* [[letter7]] - Starting a custom immunotherapy treatment<br />
* [[letter8]] - Did I just cure my Cancer?<br />
* [[letter9]] - Made it one year so far<br />
* [[letter10]] - PET Scan - somewhat inconclusive but mostly good news<br />
* [[letter11]] - PET scan results - not cured yet<br />
* [[letter12]] - 18 months and still alive<br />
* [[letter13]] - The cancer has spread<br />
<br />
== Cancer Treatment Strategies ==<br />
<br />
* Current Cancer Meds [[ Current Meds ]]<br />
* My next plan to treat my cancer [[ Immune Strategy ]]<br />
* Putting together a specific custom [[ immunotherapy plan ]]<br />
* How to implement it [[ Oncologists Guide to Curing Cancer using Abscopal Effect ]]<br />
* A new understanding of [[ How the Immune System Works ]]<br />
<br />
== Links ==<br />
<br />
[https://academic.oup.com/jnci/article/105/4/256/926146/Combining-Radiotherapy-and-Cancer-Immunotherapy-A Combining Radiotherapy and Immunotherapy ]<br />
<br />
[http://www.ascopost.com/News/4188 Adding GM-CSF to Ipilimumab]<br />
<br />
[http://www.pbs.org/wgbh/nova/next/body/abscopal-response/?utm_source=FBPAGE&utm_medium=social&utm_term=20170721&utm_content=991602471&linkId=39994766 The ‘Quantum Theory’ of Cancer Treatment]</div>Marchttp://wiki.ctyme.com/index.php/Email_Advanced_FeaturesEmail Advanced Features2018-04-25T19:42:10Z<p>Marc: /* Personal Blacklist / Whitelist - Advanced Settings */</p>
<hr />
<div>== Direct Server Side Folder Delivery ==<br />
<br />
The email server has the ability to deliver email directly into server side folders other than your INBOX. Suppose you are user@domain.com and you have a folder called "ebay". To send email directly to your ebay folder, send the email to:<br />
<br />
user-ebay@domain.com<br />
<br />
This will deliver it directly into your server side ebay folder. So you set your Ebay account to user-ebay@domain.com then your email from Ebay will go directly into your ebay folder on the server.<br />
Note that the folder name must be all lower case.<br />
<br />
== Spam Folders ==<br />
<br />
In order to use the spam folders option you have to be using IMAP and not POP. Only IMAP allows you to control server side folders.<br />
<br />
The Computer Tyme email system allows for direct delivery to server side IMAP folders. If you create the folders using these special preassigned names then your spam will be classified and delivered into these folders (The folder names must be all lower-case). The creation of these folders signals the email system to deliver spam into the folders. Deleting these folders turns off this feature. The folders are:<br />
<br />
spam-low - for low scoring spam<br />
<br />
The spam-low folder is for low scoring spam. These are messages that are probably spam, but if the system makes a mistake, the mistakes will end up here. Check your spam-low for false positives. If you get real spam in spam-low, please drag it to your spam-missed folder so the system can learn it.<br />
<br />
These spam folders do not have to be emptied out. Any email left in these folders for 7 days is automatically deleted. So if you do nothing they clean themselves out.<br />
<br />
== Spam Learning Folders ==<br />
<br />
We also have two feedback folders called:<br />
<br />
spam-missed<br />
spam-notspam<br />
<br />
Spam missed lets the system learn any spam that sneaks through the filter. If you get spam in your inbox or spam-low then drag it into spam missed. Every 5 minutes the learn bot comes by and learns the spam. This educates the system so that the next time that spam might be rejected. The learner is common to everyone so when you let the system know about spam it helps keep everyone else from getting it.<br />
<br />
Don't drag messages from spam-high or spam-veryhigh into spam-missed. These messages are automatically learned and drapping them into spam-missed just loads down the server.<br />
<br />
The spam-notspam tells the system to learn what isn't spam. But message put in this folder are deleted so don't put anything in there you want to keep.<br />
As the server processes and clears this folder every five minutes, it is a good idea to copy any false-positive messages from your spam-low folder to your inbox *before* moving the original message from spam-low to spam-notspam.<br />
<br />
== Personal Blacklist / Whitelist - Advanced Settings ==<br />
<br />
You can log into the [https://mail.ctyme.com/admin/index.php web control panel] and set all kinds of features. We have white listing and black listing based on the sender, subject, headers, host addresses, and message content. You can change your password there, set vacation messages/auto responder, set up sender based routing for folder delivery, set up automatic expiration of email in folders, and create magnetic folders for automatic folder routing.</div>Marchttp://wiki.ctyme.com/index.php/Email_Advanced_FeaturesEmail Advanced Features2018-04-25T19:41:45Z<p>Marc: /* Personal Blacklist / Whitelist */</p>
<hr />
<div>== Direct Server Side Folder Delivery ==<br />
<br />
The email server has the ability to deliver email directly into server side folders other than your INBOX. Suppose you are user@domain.com and you have a folder called "ebay". To send email directly to your ebay folder, send the email to:<br />
<br />
user-ebay@domain.com<br />
<br />
This will deliver it directly into your server side ebay folder. So you set your Ebay account to user-ebay@domain.com then your email from Ebay will go directly into your ebay folder on the server.<br />
Note that the folder name must be all lower case.<br />
<br />
== Spam Folders ==<br />
<br />
In order to use the spam folders option you have to be using IMAP and not POP. Only IMAP allows you to control server side folders.<br />
<br />
The Computer Tyme email system allows for direct delivery to server side IMAP folders. If you create the folders using these special preassigned names then your spam will be classified and delivered into these folders (The folder names must be all lower-case). The creation of these folders signals the email system to deliver spam into the folders. Deleting these folders turns off this feature. The folders are:<br />
<br />
spam-low - for low scoring spam<br />
<br />
The spam-low folder is for low scoring spam. These are messages that are probably spam, but if the system makes a mistake, the mistakes will end up here. Check your spam-low for false positives. If you get real spam in spam-low, please drag it to your spam-missed folder so the system can learn it.<br />
<br />
These spam folders do not have to be emptied out. Any email left in these folders for 7 days is automatically deleted. So if you do nothing they clean themselves out.<br />
<br />
== Spam Learning Folders ==<br />
<br />
We also have two feedback folders called:<br />
<br />
spam-missed<br />
spam-notspam<br />
<br />
Spam missed lets the system learn any spam that sneaks through the filter. If you get spam in your inbox or spam-low then drag it into spam missed. Every 5 minutes the learn bot comes by and learns the spam. This educates the system so that the next time that spam might be rejected. The learner is common to everyone so when you let the system know about spam it helps keep everyone else from getting it.<br />
<br />
Don't drag messages from spam-high or spam-veryhigh into spam-missed. These messages are automatically learned and drapping them into spam-missed just loads down the server.<br />
<br />
The spam-notspam tells the system to learn what isn't spam. But message put in this folder are deleted so don't put anything in there you want to keep.<br />
As the server processes and clears this folder every five minutes, it is a good idea to copy any false-positive messages from your spam-low folder to your inbox *before* moving the original message from spam-low to spam-notspam.<br />
<br />
== Personal Blacklist / Whitelist - Advanced Settings ==<br />
<br />
You can log into the [https://mail.ctyme.com/admin/index.php web control pane] l and set all kinds of features. We have white listing and black listing based on the sender, subject, headers, host addresses, and message content. You can change your password there, set vacation messages/auto responder, set up sender based routing for folder delivery, set up automatic expiration of email in folders, and create magnetic folders for automatic folder routing.</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2018-04-25T19:39:54Z<p>Marc: /* Changing your Password */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
Use port 587 for sending email<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.<br />
<br />
== Advanced Features ==<br />
<br />
Check our our advanced features page. [[Email Advanced Features ]]</div>Marchttp://wiki.ctyme.com/index.php/Email_Advanced_FeaturesEmail Advanced Features2018-04-25T19:37:42Z<p>Marc: /* Personal Blacklist / Whitelist */</p>
<hr />
<div>== Direct Server Side Folder Delivery ==<br />
<br />
The email server has the ability to deliver email directly into server side folders other than your INBOX. Suppose you are user@domain.com and you have a folder called "ebay". To send email directly to your ebay folder, send the email to:<br />
<br />
user-ebay@domain.com<br />
<br />
This will deliver it directly into your server side ebay folder. So you set your Ebay account to user-ebay@domain.com then your email from Ebay will go directly into your ebay folder on the server.<br />
Note that the folder name must be all lower case.<br />
<br />
== Spam Folders ==<br />
<br />
In order to use the spam folders option you have to be using IMAP and not POP. Only IMAP allows you to control server side folders.<br />
<br />
The Computer Tyme email system allows for direct delivery to server side IMAP folders. If you create the folders using these special preassigned names then your spam will be classified and delivered into these folders (The folder names must be all lower-case). The creation of these folders signals the email system to deliver spam into the folders. Deleting these folders turns off this feature. The folders are:<br />
<br />
spam-low - for low scoring spam<br />
<br />
The spam-low folder is for low scoring spam. These are messages that are probably spam, but if the system makes a mistake, the mistakes will end up here. Check your spam-low for false positives. If you get real spam in spam-low, please drag it to your spam-missed folder so the system can learn it.<br />
<br />
These spam folders do not have to be emptied out. Any email left in these folders for 7 days is automatically deleted. So if you do nothing they clean themselves out.<br />
<br />
== Spam Learning Folders ==<br />
<br />
We also have two feedback folders called:<br />
<br />
spam-missed<br />
spam-notspam<br />
<br />
Spam missed lets the system learn any spam that sneaks through the filter. If you get spam in your inbox or spam-low then drag it into spam missed. Every 5 minutes the learn bot comes by and learns the spam. This educates the system so that the next time that spam might be rejected. The learner is common to everyone so when you let the system know about spam it helps keep everyone else from getting it.<br />
<br />
Don't drag messages from spam-high or spam-veryhigh into spam-missed. These messages are automatically learned and drapping them into spam-missed just loads down the server.<br />
<br />
The spam-notspam tells the system to learn what isn't spam. But message put in this folder are deleted so don't put anything in there you want to keep.<br />
As the server processes and clears this folder every five minutes, it is a good idea to copy any false-positive messages from your spam-low folder to your inbox *before* moving the original message from spam-low to spam-notspam.<br />
<br />
== Personal Blacklist / Whitelist ==<br />
<br />
You can log into the web control panel and set all kinds of features. We have white listing and black listing based on the sender, subject, headers, host addresses, and message content. You can change your password there, set vacation messages/auto responder, set up sender based routing for folder delivery, set up automatic expiration of email in folders, and create magnetic folders for automatic folder routing.</div>Marchttp://wiki.ctyme.com/index.php/Email_Advanced_FeaturesEmail Advanced Features2018-04-25T19:33:40Z<p>Marc: /* Spam Folders */</p>
<hr />
<div>== Direct Server Side Folder Delivery ==<br />
<br />
The email server has the ability to deliver email directly into server side folders other than your INBOX. Suppose you are user@domain.com and you have a folder called "ebay". To send email directly to your ebay folder, send the email to:<br />
<br />
user-ebay@domain.com<br />
<br />
This will deliver it directly into your server side ebay folder. So you set your Ebay account to user-ebay@domain.com then your email from Ebay will go directly into your ebay folder on the server.<br />
Note that the folder name must be all lower case.<br />
<br />
== Spam Folders ==<br />
<br />
In order to use the spam folders option you have to be using IMAP and not POP. Only IMAP allows you to control server side folders.<br />
<br />
The Computer Tyme email system allows for direct delivery to server side IMAP folders. If you create the folders using these special preassigned names then your spam will be classified and delivered into these folders (The folder names must be all lower-case). The creation of these folders signals the email system to deliver spam into the folders. Deleting these folders turns off this feature. The folders are:<br />
<br />
spam-low - for low scoring spam<br />
<br />
The spam-low folder is for low scoring spam. These are messages that are probably spam, but if the system makes a mistake, the mistakes will end up here. Check your spam-low for false positives. If you get real spam in spam-low, please drag it to your spam-missed folder so the system can learn it.<br />
<br />
These spam folders do not have to be emptied out. Any email left in these folders for 7 days is automatically deleted. So if you do nothing they clean themselves out.<br />
<br />
== Spam Learning Folders ==<br />
<br />
We also have two feedback folders called:<br />
<br />
spam-missed<br />
spam-notspam<br />
<br />
Spam missed lets the system learn any spam that sneaks through the filter. If you get spam in your inbox or spam-low then drag it into spam missed. Every 5 minutes the learn bot comes by and learns the spam. This educates the system so that the next time that spam might be rejected. The learner is common to everyone so when you let the system know about spam it helps keep everyone else from getting it.<br />
<br />
Don't drag messages from spam-high or spam-veryhigh into spam-missed. These messages are automatically learned and drapping them into spam-missed just loads down the server.<br />
<br />
The spam-notspam tells the system to learn what isn't spam. But message put in this folder are deleted so don't put anything in there you want to keep.<br />
As the server processes and clears this folder every five minutes, it is a good idea to copy any false-positive messages from your spam-low folder to your inbox *before* moving the original message from spam-low to spam-notspam.<br />
<br />
== Personal Blacklist / Whitelist ==<br />
<br />
Users can configure their own personal whitelists and blacklists using the [https://mail.ctyme.com web mail interface]. Click on "options" and you will see whitelists and blacklists that you can edit. Additionally, if you are reading a message with the web interface, you can click on links to blacklist the sender or whitelist the sender.<br />
<br />
Whitelisting isn't foolproof. If you aren't receiving email because there is a problem with the senders server, then whitelisting doesn't fix that. But if you are getting messages in spam-low that should be in your inbox then whitelist it.</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2018-03-30T22:20:57Z<p>Marc: /* Outgoing Email */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
Use port 587 for sending email<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2018-03-30T22:20:44Z<p>Marc: /* Incoming Email */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2018-03-30T22:20:18Z<p>Marc: /* Incoming Email */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
Use port 587 for sending email<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.</div>Marchttp://wiki.ctyme.com/index.php/Email_Users_GuideEmail Users Guide2018-03-29T15:55:13Z<p>Marc: /* Incoming Email */</p>
<hr />
<div>= Email Client Setup =<br />
<br />
== Incoming Email ==<br />
<br />
Our email systems work with a variety of email clients and operating systems. All you have to do is talk to it using standard email protocols. We support IMAP, and POP and we support encrypted secure protocols. The basic configuration to RECEIVE email is:<br />
<br />
Server: mail.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain name.<br />
Password: your password<br />
Use port 587 for sending e,ail<br />
<br />
Do NOT user "secure authentication". Instead use SSL or TLS encryption. That encrypts everything, not just the password.<br />
<br />
We support both POP and IMAP connections. IMAP is newer and far more powerful than POP. POP gives you access only to your INBOX folder on the email server and lets you download your emait to your local computer. IMAP allows you to have server side folders which leave the messages on the server. This allows you to access your email from multiple computers as well as the [[https://mail.ctyme.com Web Interface]]. If you are configuring email for your phone or tablet then definitely select IMAP.<br />
<br />
We also support SSL and TLS encryption. For inbound email select SSL and for IMAP it will shown port 993 (995 for POP). By default port 25 is used for outbound on most setups but we also support and recommend the new port 587 for outbound. In the future this may be a required setting.<br />
<br />
== Outgoing Email ==<br />
<br />
For sending email we support authenticated SMTP. That means that you need a username and password to send email through our servers. The username and password are the same as the ones you use to receive your email. We support SSL and TLS encrypted connections so if you have the option to use encryption, I suggest you turn it on.<br />
<br />
You do not have to user our SMTP server for outgoing email. You can use your local Internet Service provider as well. It is often faster to send email through your local ISP because it is a "shorter" connection. But you will need to follow their instructions as to how to set that up.<br />
<br />
The proper configuration for outgoing email using our server is:<br />
<br />
Server: smtp.ctyme.com<br />
User: you@domain.com - IMPORTANT - Include your domain, not just your name.<br />
Password: your password<br />
<br />
=== Alternative Outgoing Ports ===<br />
<br />
Some ISPs block port 25 to keep virus infected spam zombies from spewing spam on the net. This has a bad side effect of cutting off access to our outgoing SMTP ports unsing standard port 25. We also support sending mail on ports 465 and 587. Port 465 is for SSL encryption only. 587 can be used without encryption or with optional encryption.<br />
<br />
Outbound email is authenticated so it requires a username and password. It's the same as the inbound setting. Your setup might have a option, "use same login for outbound" or something like that. If it does - select that.<br />
<br />
== Web Mail Interface ==<br />
<br />
* [https://mail.ctyme.com Email Web Interface - Squirrelmail]<br />
<br />
The Web mail interface allows you to set up personal white lists, bounce lists, blackhole lists, vacation messages, and more. When you get into the web mail select "options" and customize it. You can change your email password through the web mail interface.<br />
<br />
== Changing your Password ==<br />
<br />
You can change your password and personalize your email experience using the [https://mail.ctyme.com/admin/index.php Settings] page.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T16:37:57Z<p>Marc: /* This problem can be easily solved */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
=== Let's Encrypt is a Fake Organization ===<br />
<br />
Normally a certificate authority is a real business that has round the clock staff, a support line, employees, and a phone number. If you got to their web site's contact page there's no phone number. There's no support email. There's no employee list. All there is is a community support page where EFF staff answer question in a discussion forum. Let's Encrypt is just a front organization for EFF and a small group of like minded hackers who are employed elsewhere and do it on the side. My opinion is that the rest of the certificate community will likely pull their certification at some date and all those millions of web are going to have to go buy millions of certificates from a real certificate authority and that's going to be expensive and a lot of good free speech web sites are going to come down due to the cost and maintenance burden.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===<br />
<br />
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.<br />
<br />
== This problem can be easily solved ==<br />
<br />
There actually is an incredibly easy solution to all of this that will make all these problems go away. All they have to do is uncouple encryption from authentication. If these weren't tied together then you would be able to generate a self signed certificate and you would have your encryption but without the hard part of verifying that your site is real. While phishers are likely to spoof Bank of America, they aren't likely to spoof CuteKittensAndBunnies.com. Most sites aren't emportant enough to spoof. So you can have your encryption fantasy experience without and burden.<br />
<br />
And - if they added some easy tricks like a DNS hash for verification or perhaps a block chain they might get some reasonable authentication. But people who really do need good authentication can go get the real thing and provide secure services to the world without their security being downgraded by people who don't really need it.<br />
<br />
What would we need to do to make self signed certificates happen? Just a change in browser policy. The self signed site would get the green light like an authorized site, it would be black like an HTTP site with maybe an encrypted listing. And there would be no revocation check for the NSA to track. Self signed certs used to work just fine but browser policy changed to reject them. However a DNS fingerprint check could prevent spoofing so that a self signed fake site can't impersonate a real site with a signed cert.<br />
<br />
This solution is easy, it accomplishes the EFF's goals, and it doesn't ruin the internet and get EFF in trouble for creating a fake certificate authority.<br />
<br />
== Conclusion ==<br />
<br />
Google and EFF are creating a real mess on the internet. This is a serious disaster and is likely to get both organization sued for forcing the structure of the internet to change over their shared paranoid fantasy. Let's Encrypt is going to eventually get decertified the first time they screw up and the world finding out they don't really have a staff and can't handle the real responsibilities of a certificate authority. <br />
<br />
There is an easy solution which is to allow self signed certificates by changing browser policy to allow them but not give them the same green light status and a real certificate. That would allow those with a paranoid delusion to have encryption and privacy without the NSA tracking side effect.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T16:29:59Z<p>Marc: /* This problem can be easily solved */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
=== Let's Encrypt is a Fake Organization ===<br />
<br />
Normally a certificate authority is a real business that has round the clock staff, a support line, employees, and a phone number. If you got to their web site's contact page there's no phone number. There's no support email. There's no employee list. All there is is a community support page where EFF staff answer question in a discussion forum. Let's Encrypt is just a front organization for EFF and a small group of like minded hackers who are employed elsewhere and do it on the side. My opinion is that the rest of the certificate community will likely pull their certification at some date and all those millions of web are going to have to go buy millions of certificates from a real certificate authority and that's going to be expensive and a lot of good free speech web sites are going to come down due to the cost and maintenance burden.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===<br />
<br />
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.<br />
<br />
== This problem can be easily solved ==<br />
<br />
There actually is an incredibly easy solution to all of this that will make all these problems go away. All they have to do is uncouple encryption from authentication. If these weren't tied together then you would be able to generate a self signed certificate and you would have your encryption but without the hard part of verifying that your site is real. While phishers are likely to spoof Bank of America, they aren't likely to spoof CuteKittensAndBunnies.com. Most sites aren't emportant enough to spoof. So you can have your encryption fantasy experience without and burden.<br />
<br />
And - if they added some easy tricks like a DNS hash for verification or perhaps a block chain they might get some reasonable authentication. But people who really do need good authentication can go get the real thing and provide secure services to the world without their security being downgraded by people who don't really need it.<br />
<br />
What would we need to do to make self signed certificates happen? Just a change in browser policy. The self signed site would get the green light like an authorized site, it would be black like an HTTP site with maybe an encrypted listing. And there would be no revocation check for the NSA to track. Self signed certs used to work just fine but browser policy changed to reject them. However a DNS fingerprint check could prevent spoofing so that a self signed fake site can't impersonate a real site with a signed cert.<br />
<br />
This solution is easy, it accomplishes the EFF's goals, and it doesn't ruin the internet and get EFF in trouble for creating a fake certificate authority.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T16:12:29Z<p>Marc: /* EFF exceeding the scope of their mandate */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
=== Let's Encrypt is a Fake Organization ===<br />
<br />
Normally a certificate authority is a real business that has round the clock staff, a support line, employees, and a phone number. If you got to their web site's contact page there's no phone number. There's no support email. There's no employee list. All there is is a community support page where EFF staff answer question in a discussion forum. Let's Encrypt is just a front organization for EFF and a small group of like minded hackers who are employed elsewhere and do it on the side. My opinion is that the rest of the certificate community will likely pull their certification at some date and all those millions of web are going to have to go buy millions of certificates from a real certificate authority and that's going to be expensive and a lot of good free speech web sites are going to come down due to the cost and maintenance burden.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===<br />
<br />
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.<br />
<br />
== This problem can be easily solved ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T16:11:38Z<p>Marc: /* Will Let's Encrypt always be there and be free? */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
=== Let's Encrypt is a Fake Organization ===<br />
<br />
Normally a certificate authority is a real business that has round the clock staff, a support line, employees, and a phone number. If you got to their web site's contact page there's no phone number. There's no support email. There's no employee list. All there is is a community support page where EFF staff answer question in a discussion forum. Let's Encrypt is just a front organization for EFF and a small group of like minded hackers who are employed elsewhere and do it on the side. My opinion is that the rest of the certificate community will likely pull their certification at some date and all those millions of web are going to have to go buy millions of certificates from a real certificate authority and that's going to be expensive and a lot of good free speech web sites are going to come down due to the cost and maintenance burden.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===<br />
<br />
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T15:57:29Z<p>Marc: /* EFF exceeding the scope of their mandate */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===<br />
<br />
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T15:48:41Z<p>Marc: /* Google as Internet Bully */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===<br />
<br />
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them. <br />
<br />
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.<br />
<br />
=== EFF exceeding the scope of their mandate ===</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T15:35:16Z<p>Marc: /* Hacker Culture Values */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.<br />
<br />
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything. <br />
<br />
=== Google as Internet Bully ===</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T15:20:18Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.<br />
<br />
=== Hacker Culture Values ===<br />
<br />
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.<br />
<br />
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T02:14:04Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-06T00:11:35Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredibly amout os serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.<br />
<br />
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:39:43Z<p>Marc: /* Let's Encrypt Actually Reduces Security */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredibly amout os serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:36:15Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.<br />
<br />
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.<br />
<br />
But ....<br />
<br />
There are 3 areas where EFF/the hacker culture is totally clueless.<br />
<br />
1. They have absolutely no concept the intellectual property has any value.<br />
<br />
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredibly amout os serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:26:16Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.<br />
<br />
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:17:31Z<p>Marc: /* The Culture of Paranoia */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
== The Culture of Paranoia ==<br />
<br />
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:01:09Z<p>Marc: /* Let's Encrypt Actually Reduces Security */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.<br />
<br />
== The Culture of Paranoia ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T21:00:34Z<p>Marc: /* Let's Encrypt Actually Reduces Security */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.<br />
<br />
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.<br />
<br />
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate. <br />
<br />
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T20:44:33Z<p>Marc: /* Is HTTPS secure? - Is HTTP insecure? */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.<br />
<br />
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.<br />
<br />
=== Let's Encrypt Actually Reduces Security ===<br />
<br />
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T20:37:54Z<p>Marc: /* Is HTTPS secure? - Is HTTP insecure? */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==<br />
<br />
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.<br />
<br />
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-05T20:24:33Z<p>Marc: /* Do you need encryption? */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-04T01:44:41Z<p>Marc: /* Do you need encryption? */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-03-01T18:00:13Z<p>Marc: /* Let's Encrypt - making HTTPS free and easy */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
==== The down side of Let's Encrypt ====<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-02-28T21:10:30Z<p>Marc: /* Freedom of Choice */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.<br />
<br />
== Do you need encryption? ==<br />
<br />
== Is HTTPS secure? - Is HTTP insecure? ==</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-02-28T21:04:40Z<p>Marc: /* Freedom of Choice */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==<br />
<br />
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.<br />
<br />
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.<br />
<br />
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.</div>Marchttp://wiki.ctyme.com/index.php/HttpsHttps2018-02-28T20:54:56Z<p>Marc: /* NSA and Government Tracking */</p>
<hr />
<div>= Why HTTPS everywhere is a really really bad idea =<br />
<br />
== Introduction ==<br />
<br />
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!<br />
<br />
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.<br />
<br />
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.<br />
<br />
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.<br />
<br />
== Encryption / Authentication - Understanding the Basics ==<br />
<br />
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:<br />
<br />
# Encryption - making the data unreadable to 3rd parties<br />
# Authentication - making sure that the website you connect to is actually the real web site.<br />
<br />
And it is because of the binding together of there to unrelated functions that cause the problem. '''If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away.''' The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.<br />
<br />
=== How Encryption Works ===<br />
<br />
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt. <br />
<br />
One of the keys is know as the '''public key''', and the other is know as the '''private key'''. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.<br />
<br />
==== Vulnerabilities ====<br />
<br />
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this. <br />
<br />
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information. <br />
<br />
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.<br />
<br />
=== How Authentication Works ===<br />
<br />
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.<br />
<br />
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your '''certificate authority''' who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the '''root certificates''' which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.<br />
<br />
==== The down side of Authentication ====<br />
<br />
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.<br />
<br />
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.<br />
<br />
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.<br />
<br />
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.<br />
<br />
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.<br />
<br />
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?<br />
<br />
==== Privacy Exposure of Authentication ====<br />
<br />
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.<br />
<br />
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.<br />
<br />
=== Let's Encrypt - making HTTPS free and easy ===<br />
<br />
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.<br />
<br />
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?<br />
<br />
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.<br />
<br />
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.<br />
<br />
==== Will Let's Encrypt always be there and be free? ====<br />
<br />
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?<br />
<br />
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.<br />
<br />
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.<br />
<br />
== NSA and Government Tracking ==<br />
<br />
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker. <br />
<br />
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.<br />
<br />
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.<br />
<br />
== Now you need more permissions to stay on the web ==<br />
<br />
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.<br />
<br />
== Freedom of Choice ==</div>Marc