Archive for the ‘Security’ Category

File Under: Identity, Security, Web Basics

EFF Wants to Secure the Web With “HTTPS Now” Campaign

The Electronic Frontier Foundation (EFF) has kicked off a new “HTTPS Now” campaign to educate consumers and help “make web surfing safer.”

The new campaign is a two part effort. First the EFF would like to encourage users to install the HTTPS Everywhere Firefox add-on, which will automatically redirect you to https connections. HTTPS Everywhere makes sure you’re always using a secure connection when you visit Gmail, Twitter and several dozen other sites; you don’t need to worry about checking the URL everytime you login.

While HTTPS Everywhere is a good suggestion for users, the primary thrust of the HTTPS Now campaign is aimed at popular websites. After all, HTTPS Everywhere only works if your favorite sites offer secure connections, and an alarming number of sites do not.

The EFF has partnered with Access, a digital freedom activist group, to create the new HTTPS Now website. The new site will keep track of which sites offer HTTPS connections, how much of the site is secure and whether or not the site mixes secure and insecure content.

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelop that keeps prying eyes from looking at your postcards.

The problem gets a bit more complicated than just HTTPS though. Most sites already use HTTPS to handle your login info — that’s a good first step — but once you’re logged in the sites often revert back to using an insecure HTTP connection. That means you’re vulnerable to simple attacks like those made possible by the Firesheep Firefox plugin. Firesheep sniffs network traffic and looks for insecure cookies which it then uses to spoof your login credentials to the site. Firesheep allows other people to quickly and easily become you on the web.

So why doesn’t the entire web use HTTPS all the time? The answer is slightly complicated, but the primary reason is speed. HTTPS can’t be cached on CDN networks and there are also some (minor) costs involved with HTTPS certificates.

But obviously neither cost nor minor speed hits have stopped big sites like Twitter, Facebook, Gmail and Flickr from implementing HTTPS. The EFF would like to encourage other sites to follow suit.

If you’d like to see how your favorite sites fair when it comes to protecting your data from traffic snoops, head on over to the HTTPS Now website.

Photo: Joffley/Flickr/CC

See Also:

File Under: Security

It’s World Backup Day, Do You Know Where Your Files Are?

This is your PC.

Amazon’s recent leap into the world of online backups, with its new CloudDrive service, is just one of several dozen ways you can backup your files. And, as anyone with a failed hard drive can tell you, there’s no such thing as too many backups. Sadly, most of us discover the value of good backups only after tragedy strikes.

That’s why a group of Reddit fans were inspired to launch the first ever World Backup Day — today, March 31st 2011.

If you’re not an rsync master with RAID drives, tape machines and servers around the world making copies of your files, the Reddit thread that started the idea of a world backup day is well worth a read. Not only are there plenty of suggestions for automated cloud backup services like Dropbox or Backblaze, there are some great tricks and tips for making sure your files never go missing (like checking your restores — when was the last time you actually tried to recover from your backups?)

If you’ve been a bit lax in your backups, head over to WorldBackupDay.net for some discounts from online backup services and more tips for making sure that even if your computer disappears tomorrow your files won’t go with it.

Now go back up your data. Seriously.

Photo: alexmuse/Flickr/CC

See Also:

File Under: HTML, Programming, Security

HTTPS Is More Secure, So Why Isn’t the Web Using It?

You wouldn’t write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, that’s essentially what you’re doing.

There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. But if HTTPS is more secure, why doesn’t the entire web use it?

HTTPS has been around nearly as long as the web, but it’s primarily used by sites that handle money — your bank’s website or shopping carts that capture credit card data. Even many sites that do use HTTPS use it only for the portions of their websites that need it — like shopping carts or account pages.

Web security got a shot in the arm last year when the FireSheep network-sniffing tool made it easy for anyone to detect your login info over insecure networks — your local coffeeshop’s hotspot or public Wi-Fi at the library. That prompted a number of large sites to begin offering encrypted versions of their services on HTTPS connections.

Lately even sites like Twitter (which has almost entirely public data anyway) are nevertheless offering HTTPS connections. You might not mind anyone sniffing and reading your Twitter messages en route to the server, but most people don’t want someone also reading their username and password info. That’s why Twitter recently announced a new option to force HTTPS connections (note that Twitter’s HTTPS option only works with a desktop browser, not the mobile site, which still requires manually entering the HTTPS address).

Google has even announced it will add HTTPS to many of the company’s APIs. Firefox users can go a step further and use the HTTPS Everywhere add-on to force HTTPS connections to several dozen websites that offer HTTPS, but don’t use it by default.

So, with the web clearly moving toward more HTTPS connections, why not just make everything HTTPS?

That’s the question I put to Yves Lafon, one of the resident experts on HTTP(s) at the W3C. There are some practical issues most web developers are probably aware of, such as the high cost of secure certificates, but obviously that’s not as much of an issue with large web services that have millions of dollars.

The real problem, according to Lafon, is that with HTTPS you lose the ability to cache. “Not really an issue when servers and clients are in the same region (meaning continent),” writes Lafon in an e-mail to Webmonkey, “but people in Australia (for example) love when something can be cached and served without a huge response time.”

Lafon also notes that there’s another small performance hit when using HTTPS, since “the SSL initial key exchange adds to the latency.” In other words, a purely security-focused, HTTPS-only web would, with today’s technology, be slower.

For sites that don’t have any reason to encrypt anything — in other words, you never log in, so there’s nothing to protect — the overhead and loss of caching that comes with HTTPS just doesn’t make sense. However, for big sites like Facebook, Google Apps or Twitter, many users might be willing to take the slight performance hit in exchange for a more-secure connection. And the fact that more and more websites are adding support of HTTPS shows that users do value security over speed, so long as the speed difference is minimal.

Another problem with running an HTTPS site is the cost of operations. “Although servers are faster, and implementations of SSL more optimized, it still costs more than doing plain HTTP,” writes Lafon. While less of a concern for smaller sites with little traffic, HTTPS can add up, if your site suddenly becomes popular.

Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn’t work with virtual hosts. Virtual hosts, which are what the most common cheap web-hosting providers offer, allow the web host to serve multiple websites from the same physical server — hundreds of websites all with the same IP address. That works just fine with regular HTTP connections, but it doesn’t work at all with HTTPS.

There is a way to make virtual hosting and HTTPS work together — the TLS Extensions protocol — but Lafon notes that, so far, it’s only partially implemented. Of course that’s not an issue for big sites, which often have entire server farms behind them. But until that spec — or something similar — is widely used, HTTPS isn’t going to work for small, virtually hosted websites.

In the end there is no real reason the whole web couldn’t use HTTPS. There are practical reasons why it isn’t happening today, but eventually the practical hurdles will fall away. Broadband speeds will improve, which will make caching less of a concern, and improved servers will be further optimized for secure connections.

In the web of the future the main concern won’t just be how fast a site loads, but how well it safeguards you and protects your data once it does load.

Photo: Joffley/Flickr/CC

File Under: Browsers, Identity, Security

Chrome Add-on Kills Tracking Cookies

Not to be outdone by Mozilla, Google has released a new add-on for its Chrome web browser that allows users to opt-out of online advertising tracking. While Mozilla’s privacy tool is still just a proposal, and involves a new HTTP header, Google’s add-on uses the more practical, cookie-based approach and works today.

The Keep My Opt-Outs add-on works like a very persistant cookie, but this one is working in your favor. The add-on uses Chrome’s internal cookie APIs to set the opt-out flag for each advertising network that participates in the opt-out program created by the ad industry. Not only is it easier than setting those cookies yourself, the add-on ensures that, even if you clear the rest of your cookies, the opt-out cookies remain intact.

While it works, Google’s approach is something of a hack. The add-on intercepts and rewrites cookies, which is not exactly an ideal solution. Still, if you’re a Chrome user and you’ve been looking for a way to stop advertising cookies today, the Keep My Opt-Outs add-on has you covered.

Keep My Opt-Outs also makes a viable alternative to ad-blockers, particularly for those concerned that ad-blocking add-ons are denying their favorite sites much needed revenue. Provided you don’t mind a few advertisements here and there, using the new add-on in conjunction with some smart cookie settings, you can support your favorite sites without forfeiting your privacy. And for those that do use ad blockers, keep in mind that just because the ad is not shown, doesn’t always mean it can’t set cookies.

In the long term, Mozilla’s header-based approach to stopping cookie-based tracking is a better solution, and we expect, if the idea catches on, Chrome and other browsers will support it as well. For those who want something that works today, Google’s new add-on fits the bill.

Footprints photo by Vinoth Chandar/Flickr/CC

See Also:

File Under: Browsers, Identity, Security

Mozilla Plans ‘Do-Not-Track’ Privacy Tools for Firefox

Mozilla wants to create a new HTTP header that will allow Firefox and other browsers to shut off web tracking tools like cookies. The new header would offer a universal way to tell websites that a user wishes to opt-out of third party, advertising-based tracking.

Behavioral advertising, as such tracking is known, is becoming increasingly common on the web. Advertisers use cookies to follow you around the web, tracking which sites you visit, what you buy and even, in the case of mobile browsers, where you go. The U.S. Federal Trade Commission has already outlined a Do Not Track mechanism (PDF link), which would work much like the FTC’s Do Not Call list, offering a way to opt-out of online tracking.

The proposed do-not-track HTTP header is one of several ways Mozilla plans to implement the FTC’s suggestions. While the header idea has been around for a while — the Do Not Track Firefox add-on from the Stanford Law School is one example — currently most online opt-out schemes use cookies to set user preferences. Mozilla believes “the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists.”

While the new header is just a proposal at the moment, Mozilla already has some code ready and is considering adding the feature to future versions of Firefox. The current plan is to create a new preferences option that would allow you to opt-out from tracking. Check the box in the preferences and Firefox will start sending the do-not-track header each time you request a new page.

Interestingly, the header Mozilla proposes is not the same as the “X-Do-Not-Track” proposal, which is already implemented in Firefox add-ons NoScript and Adblock Plus. For more details on how Mozilla’s new HTTP header will work, see Mozilla developer Sid Stamm’s blog post.

Like Mozilla’s proposed privacy icons, the problem with the new header is getting third-party ad sites to obey it. Mozilla calls it a “chicken and egg” problem and hopes to jumpstart the idea by including the header in future releases of Firefox. At that point it would be up to third party websites to support the header and, as Mozilla puts it, “honor people’s privacy choices.”

See Also: