Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
SSL everywhere prevents eavesdropping and code insertion
If the only sites that used SSL were the ones that transmitted vitally important secrets, it would be trivial to find and attack those traffic streams. By running everything in SSL, including unimportant traffic, we protect the important traffic from new SSL exploits. That's the server side argument.
On the client side, using SSL and managing certificates properly in the client browser helps prevent false-AP attacks in coffee shops and other public wi-fi hotspots. If you are browsing an unencrypted website, and I have a browser exploit, I can insert it into your system using airpwn or similar tools.
Incidentally, I have never seen any noticeable server load from running SSL myself. The network I/O always chokes the traffic down more than the processor load does in any reasonably well designed application. When Google implemented HTTPS for gmail, they didn't add any new servers and they only saw a 1% increase in load on their old servers.
The only problem with 'SSL everywhere' as a philosophy is that it places power in the hands of the certificate authorities, who seem to be mostly amoral and incompetent.
I tried to visit that site, and Chrome gave me a big red security warning. It said the SSL certificate being served was not for the site I was visiting, and that I should not proceed.
This is also your first day posting here.
Is there some funny business happening?
Also, if you visit the http version, you can see that that site does indeed take login information, and that the reason it uses https is therefore completely obvious.
Distribution: Ubuntu 10.04 , Linux Mint Debian Edition , Microsoft Windows 7
Posts: 390
Rep:
Quote:
Originally Posted by dugan
I tried to visit that site, and Chrome gave me a big red security warning. It said the SSL certificate being served was not for the site I was visiting, and that I should not proceed.
javaserverfaces.java.net uses an invalid security certificate.
The certificate is only valid for the following names:
www.java.net , java.net , website.java.net , hg.java.net , svn.java.net
(Error code: ssl_error_bad_cert_domain)
What funkiness is going on here?
Last edited by lupusarcanus; 04-21-2011 at 03:47 PM.
Outstanding response Medievalist! Thank you. I 2nd post and I already learned something. So, using SSL for "unimportant" connections is for the benefit for all. But, if SSL doesn't cause significant load, then why do they make SSL offload cards? Anyway, based on your server-side argument, maybe it would be a good idea for ALL sites to use SSL to encrypt, but w/o necessarily needing a cert issued by an authority (self-signed), just for basic privacy measures. Then, we wouldn't have to use Tor so much. Any talk along those lines?
@Dugan, yes, this is my first day posting! But, I don't know what you mean by funny business. And that site was just an example; surely you've happened across other sites using https that don't require logins... but, that point is moot now. I guess I found it annoying that that site didn't have their cert updated, or was using one from the java.com site. I ignored the FF warning that went in anyway since their is only a risk of the site not being authentic (low risk in this case) and I didn't plan on sending sensitive info and the chance of it being a phishing site is also low.
If the only sites that used SSL were the ones that transmitted vitally important secrets, it would be trivial to find and attack those traffic streams. By running everything in SSL, including unimportant traffic, we protect the important traffic from new SSL exploits.
You're saying that the difficulty of targeting specific HTTPS connections increases with the amount of existent HTTPS connections? That sounds kind of weird to me, honestly. For example, say I use these three sites: google.com, bankofamerica.com, and linuxquestions.org. How exactly would using HTTPS on all three sites make it more difficult for a criminal to attempt to MITM (for example) my bankofamerica.com connection? How would using HTTPS only on bankofamerica.com make it easier to be directly targeted?
Then, we wouldn't have to use Tor so much. Any talk along those lines?
The privacy benefit is limited in at least 2 ways :
Tor hides the URL, https does not. If anybody wants to know what you're reading, they may try to access the same URL themselfes. https will help only if the site returns content based on your input, without reloading the page / changing the URL
Even if the site gives content without reload, the domain name of the site is still visible. This alone can give enough information to the party you're hiding your business from
Tor hides the URL, https does not. If anybody wants to know what you're reading, they may try to access the same URL themselfes.
The HTTPS URL is transmitted within the SSL connection, so it's not visible. What is visible to the bad guys is the domain name and port you're using. Also, keep in mind that any hiding Tor may do only applies within the Tor network. That is, the Tor exit node you're using will still have the same access any other non-Tor node would have. In the case of HTTPS, it'll mean domain/port... and in HTTP, well, everything.
You're saying that the difficulty of targeting specific HTTPS connections increases with the amount of existent HTTPS connections? That sounds kind of weird to me, honestly. For example, say I use these three sites: google.com, bankofamerica.com, and linuxquestions.org. How exactly would using HTTPS on all three sites make it more difficult for a criminal to attempt to MITM (for example) my bankofamerica.com connection? How would using HTTPS only on bankofamerica.com make it easier to be directly targeted?
That isn't really what I took away from his statement. I believe he is more referring to how a lot of sites use SSL for the login, but then display regular pages without using SSL. When this happens You can pull session keys out of the traffic for the non-SSL'd pages and hijack the users session. However if you keep the whole site encrypted with SSL even the non-important pages, you can no longer use this attack vector. There are a lot of sites now changing over to encrypting the whole site ever since firesheep gave everyone a reality check.
But I could have misunderstood what he was trying to say.
Why would they want to create extra load on their servers for just a regular page that doesn't require login or exchange of info???
In a perfect world, ALL SITES would use SSL. It does not add any additional load on modern servers (or clients) and users would get the benefit of never having to pay attention to whether or not SSL is being used.
That isn't really what I took away from his statement. I believe he is more referring to how a lot of sites use SSL for the login, but then display regular pages without using SSL. When this happens You can pull session keys out of the traffic for the non-SSL'd pages and hijack the users session. However if you keep the whole site encrypted with SSL even the non-important pages, you can no longer use this attack vector. There are a lot of sites now changing over to encrypting the whole site ever since firesheep gave everyone a reality check.
But I could have misunderstood what he was trying to say.
Yeah, I know what you mean (and I agree). It just sounds to me like you and Medievalist are referring to two totally different things. In retrospect, however, I see how his/her statement can be interpreted in a number of different ways.
Besides, this explains why it sounded so weird to me.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.