

StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20

Re: Google disables SSL compression in Chrome against new attack

said by Mele20:

It puzzles me why there is a push for secure browsing when it is just ordinary browsing.

Because using HTTPS makes snooping harder. I use SSL with Google/GoogleSharing to prevent my ISP from monitoring my searches. Bob might still be able to see stuff but without going to great lengths I can't stop that.
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

said by Name Game:

SPDY is an open standard developed by Google to speed up Web-page load times and often uses TLS encryption.

So, this is a Google invention? That explains it. Google wants Proxo dead. (God forbid that any of us be able to block Google ads). Screw Google. I am so glad I don't use ANY of their crap except their search engine and I have Google Sharing extension on Fx and SM to thwart Google tracking me when using their search engine.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to StuartMW

Well, I had forgotten momentarily that Google Sharing extension forces SSL connection. I love the extension but I see no real need for SSL for searches if the extension is scrambling and mixing up my search with a bunch of others. Because I don't use SSL for Proxo it means I see ads on Google searches using Google Sharing.

As for my ISP, well, gee, again I don't see why I should get upset about them theoretically being able to see everywhere I go. That has been the case since I got a computer in 1999. Why the sudden concern now, but not for all these past years? My ISP has never betrayed me (except for trying to force their search page for urls that are mistyped but I could easily and permanently opt out), but Google sure would just as Facebook, etc would.. and Yahoo...I haven't been to Yahoo about 10 years. They are the worst for betrayal and snooping...but my ISP? As I said, why would that suddenly concern me when it hasn't in all these years? I haven't seen my ISP suddenly becoming evil...maybe I am missing something though.....
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to Mele20

Right and google invented SSL and TLS
Get real.
How can you protect yourself from CRIME, BEAST’s successor?
»security.blogoverflow.com/2012/0···ccessor/

Crack in Internet’s foundation of trust allows HTTPS session hijacking
safari info added:

»quickiphoneapps.com/crack-in-int···jacking/

--

Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20

said by Mele20:

...maybe I am missing something though.....

I think so.

Your ISP is Going to Spy on You Starting July 12, 2012

quote:
One year ago, the RIAA and the MPAA organized a project with the largest internet service providers in the US to begin monitoring their customer’s internet activity. This monitoring was introduced as a joint coalition to combat piracy.

--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Oh...the pirating thing....haven't done that in many years...errr...if I ever did. Yeah, I read that thread but that affects those who pirate. The ISPs have always been able to track the users so the only difference now is they will do so in connection with RIAA and that is the pits but unless you are a current pirate how does it affect you differently from before this?

I would be very pissed if my idiot state legislature had passed that hairbrained law that one representative introduced last session because she didn't know how to properly protect her website, but that got canned and I don't equate looking for pirates to be anything like what the state law would have been if passed and implemented. It is this latter crap that we must protest and stop.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Anon users

@anonymouse.org
reply to StuartMW

SPDY ON on Firefox 15!!! not on 10ESR

No wonder why Firefox Mobile has discontinued 10.0.7 ESR and force users to use 15.0.1

Just turned off SPDY in Firefox mobile 15, Thx a million!!! Shame Mozilla!!!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

SPDY is an open standard developed by Google so what do you mean by "get real"? I didn't claim Google invented SSL and TLS....geez. Just because you are madly in love with Google doesn't mean everyone is or that your admiration and love is not misplaced.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits

Then I would remind you that Crime exploits TLS.

"The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack."

And...
»SSL is broken and nearly impossible to fix

If you use Opera..even many months ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/forums/to···=1262702

Firefox, with "HTTPS Everywhere" (which forces TLS when available), along with "Perspectives" (which polls various certificate notaries to bolster the browser's trust for the Certificate in question) should have been used, if possible.

Sooo..getting back to the real world..

Rizzo confirmed Thursday via email that CRIME exploits that data compression feature of SSL and TLS. However, SPDY -- a networking protocol that uses a similar compression scheme -- is also vulnerable, he said.

»www.pcworld.idg.com.au/article/4···essions/

--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yes, TLS is vulnerable although supposedly Fx and SM are now patched according to the Arstechnica article linked here in this thread.

But I am talking about SPDY and not just in the context of this exploit. You ignored this and instead began discussing TLS which is related but not the subject. I didn't know hardly anything about SPDY until this thread (it is not available on my default browser or my other Fx browser or Opera or IE so this thread is the first I have heard of it). I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly. So, I am talking about SPDY and you deliberately? or obtusely? changed the subject to TLS.

I am in the real world. You though wandered off somewhere else.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

And you still don't know anything about SPDY and this thread is about Crime..Rizzo and TLS.

And this is a joke

»prxbx.com/forums/showthread.php?tid=2029
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20

said by Mele20:

Yeah, I read that thread but that affects those who pirate.

I disagree. I don't pirate but that's not the point. Many ISPs now monitor traffic ostensibly in the name of preventing piracy but who knows what they do with the data they collect. No doubt the three letter agencies get a copy.

The bottom line: it's none of my ISP's (or anyone else's) business what I search for etc. But if you're ok with everything being monitored be my guest.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

SPDY indicator
An indicator in the address bar for SPDY usage by each website.
»chrome.google.com/webstore/detai···ggcjblin
These are the sites that happen to use it today

Server support and usage

As of March 2012, there are not many SPDY-enabled websites. Some Google services (e.g. Google search, Gmail, and other SSL-enabled services) use SPDY when available.[26] Google's ads are also served from SPDY-enabled servers.[27]
Twitter has enabled SPDY on its servers in March 2012, making it the second largest site known to deploy SPDY.[28]
Cloudflare is also providing a beta of SPDY on their servers from June 2012, though users who would like to use/test it must be paying customers as SPDY is built on top of TLS, only paying customers can use SSL/TLS Certificates.[29]
In March 2012, the open source Jetty Web Server announced support for SPDY in version 7.6.2,[30] while other open source projects were working on implementing support for SPDY, like node.js,[31][32] Apache (mod_spdy),[33] curl,[34] and nginx.[35]
In April 2012 Google started providing SPDY packages for Apache servers which led some smaller websites to provide SPDY support.[36]
In May 2012 F5 Networks announced support for SPDY in its BIG-IP application delivery controllers.[37]
In June 2012 NGINX, Inc. announced support for SPDY in the open source web server Nginx.[38]
In July 2012 Facebook announced implementation plans for SPDY.[39]
In August 2012 Wordpress.com announced support for SPDY across all their hosted blogs.[40]

»en.wikipedia.org/wiki/SPDY

For Firefox one can do this..but there is no reason to..be more concerned about TLS.

»bugzilla.mozilla.org/show_bug.cgi?id=763163
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

Yes, it started out being about Crime and TLS but it quickly got into SPDY. If SPDY should not be in this thread then please "hey mod" the thread and ask that all the posts on SPDY be moved to a new thread that is open for posts as I, and I think some others, would like to pursue not only the relationship of SPDY and Crime but SPDY more generally.

I'm sure I don't know a lot about SPDY as it is new to me but it is inaccurate for you to claim I know nothing and sounds just like a spiteful remark because you don't like the turn this thread has taken.

Yeah, I was about to go to prxbx and see if there was anything there regarding SPDY. I am not too surprised at that thread. It is very early to be concerned and we don't have Sidki now...still...the reply was lacking but that doesn't mean that when push comes to shove that Proxo lovers will not be able to meet the challenge. But the time will come, some day, when, because we don't have the Proxo code, it will become less and less relevant but I don't see that happening for years.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



FF4m3

@bhn.net
reply to Mele20

said by Mele20:

I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly

From SPDY: An experimental protocol for a faster web I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.

However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.


FF4m3

@bhn.net
reply to Mele20

said by Mele20:

Google wants Proxo dead.

No they don't. Google could care less about Proxo.

I don't rely only on Proxo to block Google ads. It's easy to completely block Google's ad servers via host file entries and Avast's internal site blocking capabilities.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Have they told you if proxo will work with Windows 8..I hear it might be compatible but not tested..

We have a lot of experts guessing at what Crime might be able to do and how..so we shall see... I do remember in Beast there was a lot of speculation...

Because of Beast this happened..

»blog.torproject.org/blog/tor-and···l-attack

Then users were clamouring for TLS 1.1 or 1.2 support in firefox
»support.mozilla.org/en-US/questions/781028
Finally someone from Hawaii posted and
You might understand it all more in this thread where scarlettrunner20
shows people how to do a little test at "boh.com" The Bank of Hawaii .
»forums.mozillazine.org/viewtopic···=2310053
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to FF4m3

said by FF4m3 :

said by Mele20:

I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly

From SPDY: An experimental protocol for a faster web I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.

However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.

And even though the SPDY is spoken "speedy" It might not really be that fast today...

Performance

An independent study shows that, in testing, the page load time with SPDY is not significantly different on most websites from HTTP or HTTPS,[41] because old optimization techniques such as splitting the content between many hosts prevent pipelining from taking place.

--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

said by Name Game:

SPDY indicator
An indicator in the address bar for SPDY usage by each website.
»chrome.google.com/webstore/detai···ggcjblin
These are the sites that happen to use it today

As of March 2012, there are not many SPDY-enabled websites.

For Firefox one can do this..but there is no reason to..be more concerned about TLS.

»bugzilla.mozilla.org/show_bug.cgi?id=763163

I only have SPDY on SeaMonkey and earlier today I disabled it in about:config. That was after I tried to install the SPDY indicator 2.1 and it won't install on SM.
»addons.mozilla.org/en-US/firefox···/?src=ss

So, I disabled SPDY as I would want to know when it is being used. Then I went to SM support newsgroup and asked about the extension and if/when it will be available for Sea Monkey or if there is a trick to get it working now on SM. I got one response so far and it was "Huh"? Someone who didn't know about SPDY like I didn't until this thread.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to Mele20

said by Mele20:

It puzzles me why there is a push for secure browsing

it concerns me because i don't like the idea that data that is transferred via a secure connection bypasses my av program's "webguard"..


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to Mele20


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to FF4m3

said by FF4m3 :

said by Mele20:

Google wants Proxo dead.

No they don't. Google could care less about Proxo.

Google doesn't want Proxo dead? Then explain to me why they stopped allowing Proxo to fake a Google cookie? Google has become more hostile toward Proxo in the last few years.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

said by Name Game:

Have they told you if proxo will work with Windows 8..I hear it might be compatible but not tested..

You might understand it all more in this thread where scarlettrunner20
shows people how to do a little test at "boh.com" The Bank of Hawaii .
»forums.mozillazine.org/viewtopic···=2310053

Proxo should work on Windows 8. As long as the web is based on HTTP protocol Proxo should work. Some sites may have problems when filtered by Proxo but that has always been the case and SPDY could pose some problems. When Sidki left public Proxo development after his 10/2010 filters gift to us users, he gave his notes, etc. to JJoe and JJoe gave us a filter set updating Sidki's last set in 12/11. I still use Sidki's 10/2010 filters on my host machine and JJoe's on virtual machines.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

You are so funny..then stop using google and stop ranting about it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20

said by Mele20:

(God forbid that any of us be able to block Google ads).

I use the AdBlock Plus extension in FF and don't see Google or any other ads. But use whatever does, or doesn't, work for you.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/forums/to···=1262702

Quite a good link. However it is interesting in this quote:

quote:
The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.
Well, what can you say. It is all too similar to a lot of Internet browsing.

You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you to become pwoned....

So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

TLS 1.1 .... .... should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

That comment seems to have merit. Turning it on has evolved my browsing experience.


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
reply to Name Game

said by Name Game:

If you use Opera..even many months ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

Hmm...

I'm still using Opera 11.64 on this box. Even so, when checking under security protocols, there is no SSL v2 listed at all. Only SSL v3 and the TLS variants.



Those are the default settings, I haven't had a need to change them.

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


FF4m3

@bhn.net
reply to MagnusM

The perfect CRIME? New HTTPS web hijack attack explained:

The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to login to the victim's account on the site.

The cookie is deduced by tricking the browser into sending compressed encrypted requests for files to a HTTPS website and exploiting information inadvertently leaked in the process. During the attack, the encrypted requests - each of which contains the cookie - are continually modified by malicious JavaScript code, and the changing size of the compressed message is used to determine the cookie's contents character by character.

Punters using web browsers that implement either TLS or SPDY compression are potentially at risk - but the vulnerability only comes into play if the victim visits a website that accepts the affected protocols. Support is widespread but far from ubiquitous.

The researchers worked with Mozilla and Google to ensure that both Firefox and Chrome are protected. Microsoft's Internet Explorer is not vulnerable to the attack, and only beta versions of Opera support SPDY. Smartphone browsers and other applications that rely on TLS may be vulnerable, according to Ars Technica.

"Basically, the attacker is running a script on Evil.com," Rizzo explained to Kaspersky Labs' Threatpost. "He forces the browser to open requests to Bank.com by, for example, adding tags with the src pointing to Bank.com. Each of those requests contains data from mixed sources."

Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.

"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."

This brute-force attack has been demonstrated against several sites including Dropbox, Github and Stripe. Affected organisations were notified by the pair, and the websites have reportedly suspended support for the leaky encryption compression protocols. Ivan Ristic, director of engineering at Qualys, estimates 42 percent of sites support TLS compression.

The researchers will present their work at the Ekoparty security conference in Buenos Aires, Argentina next week. In the meantime, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, has a detailed take on the attack here.
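
The size leak described in the post above, and the effect of turning compression off, reproduced locally as an added example (not part of the original post or of the researchers' work). The cookie value, the host `bank.example`, the request layout and the use of zlib as a stand-in for TLS/SPDY compression are all assumptions made for the illustration.

```python
import zlib

# Constructed sample values; none of them come from a real site.
SECRET_COOKIE = "d8e8fca2c0f896fd"
FILLER = "ZYXWVUTSRQPONMLK"  # same length, shares no characters with the cookie


def build_request(guess):
    """One request as the post describes it: a file name chosen by the
    script, fixed browser headers, and the login cookie, all in one message."""
    return (
        f"GET /img/session={guess}.png HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        "User-Agent: ExampleBrowser/1.0\r\n"
        f"Cookie: session={SECRET_COOKIE}\r\n\r\n"
    ).encode("ascii")


def wire_size(guess, compression):
    """Message size visible on the wire. Encryption is modelled as
    length-preserving (assumption: real records add a fixed overhead)."""
    body = build_request(guess)
    return len(zlib.compress(body)) if compression else len(body)


def guess_with_prefix(correct_chars):
    """File-name guess whose first `correct_chars` characters equal the cookie."""
    return SECRET_COOKIE[:correct_chars] + FILLER[correct_chars:]


def leak_in_bytes(compression):
    """Size gap between a non-matching file name and a fully matching one."""
    wrong = wire_size(guess_with_prefix(0), compression)
    right = wire_size(guess_with_prefix(len(SECRET_COOKIE)), compression)
    return wrong - right


def size_table(compression):
    """(matching characters, wire size) for growing correct prefixes."""
    steps = range(0, len(SECRET_COOKIE) + 1, 4)
    return [(k, wire_size(guess_with_prefix(k), compression)) for k in steps]


if __name__ == "__main__":
    for label, compression in (("compression on", True), ("compression off", False)):
        print(label)
        for matched, size in size_table(compression):
            print(f"  {matched:2d} matching chars -> {size} bytes")
        print(f"  gap between wrong and right guess: {leak_in_bytes(compression)} bytes")
```

With compression on, the message carrying the matching file name is shorter than the one carrying the non-matching name; with compression off, every guess of the same length produces the same size, which is why the browsers' fix was to disable compression.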


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to caffeinator

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson