polonus
1
Detected: https://www.virustotal.com/nl/url/17e021a3076549bfbf0e6d2da7b9b2c6c2294a9f89d3c26d90906c3306b2d94f/analysis/
No detection here: https://urlquery.net/report.php?id=1446069985439
The request comes via a new browser attack test page: -http://zyan.scripts.mit.edu/sniffly/ Do not visit the POC site in Google Chrome without https everywhere enabled.
Read about this new timing attack here: https://news.ycombinator.com/item?id=10455735
Flagged as the redirection to https could not be performed: -http://www.freelancer.in
redirects to -https://www.freelancer.in/
but then Adguard is the one that blocks this as a known PHISHing page.
Question: should we now have HTTPS Everywhere enabled as standard to prevent this clever new browser attack?
Be assured that this abuse of a browser feature will take a long time to get patched in the Google Chrome browser.
Websites can protect against this attack by adding their domain to the HSTS preload list. If this is the case, the domain name gets hardcoded into the browser, so it can only and exclusively be visited via HTTPS.
Further abuse still possible? Don’t be too optimistic, because also on https only websites a lot of telemetry could go insecure to third party websites. It is a pity that, for instance where id-tracking is concerned, no regulations exist, so parties could honour your opt-out, but could also ignore it. Ad- and script-blocking is your best option there: what cannot connect, cannot track!
Anyone?
polonus
DavidR
2
My position hasn’t really changed on this - it is still forcing a secure connection on a site not set up for SSL/TLS - I have also seen a couple of topics where it would appear using HTTPS Everywhere might also conflict with the avast HTTPS scanning (though I can’t test or confirm this).
Just seen that reported in this forum and the victim of such an alert had to disable https scanning: https://forum.avast.com/index.php?topic=178308.msg1262843#msg1262843 (so there you have your example)
On the other hand with an exploit of this magnitude in Google Chrome where https sites cannot load as https sites and are used for malicious ends, we find ourselves between a rock and a hard stone really.
On the other hand we must see that there is an awful lot of insecurity in between the real secure HTTPS website and the ones that still have insecurities of all kinds (unique IDs are being transferred not securely, insecure txt log-ins and password transfers, mixed content, etc. etc.).
Web wide implementation of https only is an aim set out by some large players like Google, EFF etc. but we are a long way off from reaching an ideal encrypted situation, as I think we will never reach that.
It will also inspire other forces more and more to go and look inside computers there where the info still lies around unencrypted, that is inside your comp, so this will form an extra stimulus for so-called legalized governmental hacking.
polonus