

  (Source: Reuters)
Sen. Schumer (D-N.Y.) calls on popular websites to default to HTTPS

If Senator Charles Schumer gets his way, popular websites like Facebook, Twitter, and Amazon will default to the more secure protocol -- HTTPS instead of HTTP -- to prevent identity theft at Wi-Fi hotspots like coffee shops and libraries.

Schumer (D-N.Y.) held a news conference in New York yesterday to spread his message.

"What many people do not know is ... hackers can use wireless hot spots as a gateway to your most private information," Schumer told reporters at the event, held at a Manhattan coffee shop. 

"The quickest and easiest way to shut down this one-stop shop for identity theft is for major Web sites to switch to secure HTTPS web addresses instead of the less secure HTTP protocol," Schumer said.

One of the senator's staffers demonstrated how easy it is to hack someone else's machine on an open Wi-Fi network by hacking into the Twitter account of a colleague who was also connected to the coffee shop's wireless network.

Schumer called on top-level executives at Facebook, Twitter, Yahoo, and Amazon to change their default protocols to HTTPS. He said he would be sending letters to the heads of the companies urging them to make the change. 

"The bottom line is, if we let this proliferate, everyone is going to pay the price," Schumer said. "It could become the leading cause of identity theft."






Difference cost wise?
By cjohnson2136 on 2/28/2011 8:25:49 AM , Rating: 2
I know the difference between HTTP and HTTPS, but is there a difference cost-wise to the business for defaulting to HTTPS?




RE: Difference cost wise?
By MeesterNid on 2/28/2011 8:31:10 AM , Rating: 2
I don't think it's very high, but since there is a computational cost in terms of the actual encryption itself, there is then the cost of hardware to take up the overhead HTTPS has over HTTP.


RE: Difference cost wise?
By blaktron on 2/28/2011 8:32:55 AM , Rating: 2
It's negligible compared to the overhead of serving 100 million+ concurrent users.


RE: Difference cost wise?
By Alexvrb on 2/28/2011 8:01:58 PM , Rating: 2
No. Just no. Read amanojaku's post below.


RE: Difference cost wise?
By amanojaku on 2/28/2011 9:31:17 AM , Rating: 2
Yes, there is. Encryption overhead on the CPU is high, so the number of connections served per web server decreases. The end result may be more servers, and servers aren't free. If you're using an SSL/TLS offload device, the device may need to be upgraded to support SHA-256 (Citrix's NetScalers support this already, other devices may not) and the latest digital cert requirements (2048 bits, also supported by NetScaler). The offload device may need to be upgraded (possibly a license), expanded (like with the server count), or decommissioned if the capability does not exist. So, no, this is not exactly trivial for organizations that are behind the curve. Amazon, Google, etc... won't be affected because they already have the hardware to do this.


RE: Difference cost wise?
By cjohnson2136 on 2/28/2011 9:38:31 AM , Rating: 3
But the article is about the guy trying to get the big companies like Amazon, Google, etc... to do this. So if this is not a big deal for those companies, why wouldn't they do it already?


RE: Difference cost wise?
By amanojaku on 2/28/2011 11:29:41 AM , Rating: 2
This will have a negative impact on large-volume sites that do not make sales. Amazon, Google, etc... have e-commerce sites, so they need this protection. I have never used MySpace, Facebook, or Twitter, but I assume they do not use expensive encryption as they do not generate revenue online, or at all, really...


RE: Difference cost wise?
By cjohnson2136 on 3/3/2011 8:06:03 PM , Rating: 2
FYI, Facebook does use HTTPS; thought it would be handy to know.


RE: Difference cost wise?
By bah12 on 2/28/2011 9:34:10 AM , Rating: 2
Usually a wildcard certificate is about $500 per year per server. This will cover all subdomains.

Thing is most of these companies already offer a secure section so they already have the certificate. Now in a case like Amazon's it may not be as simple. They would have hundreds of servers to cover, and the secured portion of their site may be served from a different box. So there could be a substantial amount of outlay to do this.


Encrypted public wifi
By blaktron on 2/28/2011 8:35:51 AM , Rating: 2
The actual BEST solution would be to have the websites use SSL (HTTPS) but also to have public Wi-Fi use good encryption (WPA2) and just publicize the key. The reason it is so easy to steal data on a Wi-Fi connection is that your data is sent in plain text to everyone else connected to the Wi-Fi SSID. Just encrypting the network would solve so many problems.

Although, in reality, we should retire port 80 traffic and encrypt the internet....




RE: Encrypted public wifi
By cjohnson2136 on 2/28/2011 8:41:21 AM , Rating: 2
I like the idea of encrypting the entire internet. Wouldn't that be just wonderful. Too bad it probably won't happen... anytime soon at least.


RE: Encrypted public wifi
By lyeoh on 2/28/2011 9:32:21 AM , Rating: 2
Shared-key WPA2 (WPA2 PSK) is not secure for cafe/guest WiFi environments. If everyone has the same key and you know that key, sniff a session's 4-way handshake, and you can decrypt that session's traffic. Forcing a 4-way handshake is left as an exercise to the reader.

The other WPA2 mode isn't vulnerable to that but may not be that secure either: see tinyurl.com/2dl9zg3 (dailytech thinks my post is spam if I make it a link).

Plus it requires the additional overhead of running stuff like RADIUS or other authentication servers (most APs don't come with a built-in RADIUS server).

Basically the WiFi bunch screwed up big time and kept screwing up over the years.


RE: Encrypted public wifi
By omnicronx on 2/28/2011 11:34:29 AM , Rating: 2
quote:
Shared-key WPA2 (WPA2 PSK) is not secure for cafe/guest WiFi environments. If everyone has the same key and you know that key, sniff a session's 4-way handshake, and you can decrypt that session's traffic. Forcing a 4-way handshake is left as an exercise to the reader.
It would at least somewhat help though; at least people would not be able to access it from the street, they would have to physically be there, or have been there before to know the key. If anything, the lack of AP isolation is what scares me, with wireless devices being able to communicate with other wireless devices.
quote:
The other WPA2 mode isn't vulnerable to that but may not be that secure either: see <removed> (dailytech thinks my post is spam if I make it a link).
I'm pretty sure that's just TKIP, so WPA2 AES should be fine.. (though most routers still default to a mixed mode)
quote:
Basically the WiFi bunch screwed up big time and kept screwing up over the years.
Not sure I agree here, as they are not in charge of implementation. Each and every place of business that allows for free wireless is in charge of their own implementation, which for the most part seems to be set up like home networks. Sure, most APs don't come with things such as RADIUS support, but these routers are hardly being marketed for such a use in the first place.

That said, I would tend to agree that there is not exactly an easy way to offer free wireless. Either it's open and insecure, or completely locked down and harder to access. What we really need is something in the middle.


RE: Encrypted public wifi
By ApfDaMan on 2/28/2011 10:32:54 AM , Rating: 2
If you can intercept somebody's data and have the key to the wireless network, you can simply decrypt the data with the key, I believe. I'm not 100 percent sure though.


RE: Encrypted public wifi
By CZroe on 2/28/2011 1:33:09 PM , Rating: 2
Uhh, if it's public WiFi then the key would need to be public and the attacker can still execute the exact same attack.


RE: Encrypted public wifi
By cjohnson2136 on 2/28/2011 2:32:10 PM , Rating: 2
No, because unless I am mistaken, the data sent over the connection is encrypted. Data sent over the WEP connection used now is not encrypted. So the attacker would have to get the info and then decrypt it.


RE: Encrypted public wifi
By CZroe on 3/2/2011 5:21:34 AM , Rating: 2
We are talking about a DEMONSTRATED attack. That SAME attack would still work as long as the attacker had the public key. Adding a key + encryption to public wifi does NOT prevent this type of attack. Period.


he just can't shut up
By rika13 on 2/28/2011 2:08:09 PM , Rating: 2
This moron single-handedly caused a run on IndyMac by claiming they would lose people's money.

The use of HTTPS instead of HTTP will impose additional hardware requirements on both ends, as encryption isn't easy for CPUs. It also makes blocking these sites stupid easy, as now all that has to be done is block TLS.

Also, he openly and flagrantly organized a criminal act (hacking into Twitter, being the internet, it's a federal crime) and had subordinates perform it. He should be arrested and imprisoned for such. He could have described the technique legally, but actually performing it is highly illegal.




RE: he just can't shut up
By cjohnson2136 on 2/28/2011 4:14:24 PM , Rating: 2
Well, if the guy had permission to hack into the system to show how it can be done, this would be classified as White Hat. There are companies and the government that pay for security breaches to be found so they can fix them. So is finding the security hole with permission to do so really illegal if you are told to do it?


RE: he just can't shut up
By tmouse on 3/1/2011 9:20:45 AM , Rating: 2
I'm no fan of Schumer, but you're way off base. Hacking as described in the federal statute is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access. They did not hack into Twitter's servers. They hacked into the recipient's computer, which was authorized (that's why the two staffers were there). No crime here.


Not a concern
By gamerk2 on 2/28/2011 9:05:35 AM , Rating: 2
Fact is, TCP wasn't concerned with packet security back when it was first designed. You can come up with as many workarounds as you want, but the actual protocol is not secure. Maybe it's time TCP finally went by the wayside?




RE: Not a concern
By MeesterNid on 2/28/2011 9:49:31 AM , Rating: 2
Yeah, good luck with that. TCP is an actual transport-layer protocol that's so prolific it would be a monstrous undertaking to replace it. Going from HTTP to HTTPS is a much, much cheaper proposition, and since that's at the application layer you're not affecting everything else in the stack.


What has 2 thumbs...
By mherlund on 2/28/2011 9:30:03 AM , Rating: 2
Q: What has 2 thumbs and thinks he is tech savvy?

A: Charles Schumer




By Warwulf on 3/2/2011 12:45:16 PM , Rating: 2
There is no such thing as truly secure public Wi-Fi.

Second of all, HTTPS is not the answer to everything. In fact, it's a false sense of security. As long as the AP/router is not hardened against a MITM attack, stripping out SSL (using SSLstrip) or faking a secure session (with better means) is really a trivial matter. Or, a hacker could set up his own AP and MITM that way.

Besides, open wifi is not a leading cause of identity theft. He should probably try a top-down approach for dealing with the causes.



