#1 By: Cory Doctorow, February 6th, 2014 01:00
#2 By: Hunt Pogroth, February 6th, 2014 01:29
I see we're still misspelling product names, out of spite.
#3 By: Tiago, February 6th, 2014 03:21
Https doesn't work with boingboing, sadly...
#4 By: void, February 6th, 2014 03:27
Indeed, it is very important that bopingboing.net and all of its communications should become available through https. They do have an important key role to play.
#5 By: Paul Sampson, February 6th, 2014 04:42
I refuse to respond to this remark lest my unencrypted post incriminate me in the future.
#6 By: Phillip Hallam Baker, February 6th, 2014 10:19
That isn't clear.
The EFF pages don't explain how it works. But I know Peter and his work so my guess is that he is using the fact that most Web servers that have a certificate installed will allow access to any of the Web sites hosted on the machine via SSL. He has suggested this approach several times in the past at any rate and it is the only model that fits the circumstances.
So BoingBoing.net would not need a certificate for its own site if it is co-hosted on a machine with bigshoppy.com which has a certificate for accepting credit card payments.
This is very close to a model that the IETF has been working on called promiscuous security. It does have certain advantages as a defense against the black arts of the NSA. But like Bruce Schneier points out, brakes are good but if you think your brakes are better than they are, you are likely to find they cause you to crash when they fail.
What Peter is giving up here is authentication. Which means that he is only providing protection against passive surveillance. He is not really providing protection for WiFi as stated in the article.
There are models that could extend the scheme to provide some degree of authentication. One of them is DANE. Unfortunately that is rather compromised by the fact that it is built on DNSSEC and the US government has de facto control over the DNSSEC root. That does not enable an actual attack but has led several of the governments we are most worried about to strip out DNSSEC data at their national firewalls.
I have proposed a scheme called Omnibroker which could be used to address the authentication gap through a heuristic approach. But my focus right now is end-to-end email security.
Incidentally the IETF is meeting in London at the end of the month and we are discussing these very issues.
#7 By: Wrecksdart, February 6th, 2014 12:55
That's right, it's time for Pedantry!! When a thing is key to the thing being described, it's pretty much met and surpassed the "important" mark, thereby eliminating the need to include it in the phrase, wouldn't you say? This is a very critically importantly crucially super-duper key thing to remember.
Thank you and have a nice day.
#8 By: Duncan Idaho, February 6th, 2014 14:00
I've never really gotten the point of the app, all it's doing is checking to make sure you are using https on a site that has it available. Which a site would likely have redirectors to make sure you are using it if they care anything about security.
Http-everywhere makes it sound like they are actually encrypting you... everywhere, which is totally misleading.
#9 By: Cowicide, February 7th, 2014 05:11
It's not so much posts, it's login data.
#10 By: Cowicide, February 7th, 2014 05:17
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.
Doesn't seem deceptive to me and I appreciate the free extension because it can cover more bases as they explain above.
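As an added illustration (not code from the thread, the EFF or the extension itself), here is a minimal request rewriter built around the idea the quoted EFF text describes: a per-site ruleset that maps plain-HTTP URLs onto their HTTPS form. The ruleset XML, the host names and the element names are constructed for this example; the extension's real ruleset format is not reproduced here.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset for this example, modelled on the idea of per-site
# rewrite rules. Element and attribute names are an assumption for
# illustration, not taken from the extension's own files. Backreferences
# in "to" use Python's \1 syntax so re.sub can apply them directly.
RULESET_XML = r"""
<ruleset name="Example Shop (constructed)">
  <target host="example-shop.test"/>
  <target host="*.example-shop.test"/>
  <exclusion pattern="^http://static\.example-shop\.test/"/>
  <rule from="^http://(www\.)?example-shop\.test/" to="https://www.example-shop.test/"/>
  <rule from="^http://([^/:@]+)\.example-shop\.test/" to="https://\1.example-shop.test/"/>
</ruleset>
"""

class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), r.get("to"))
                      for r in root.findall("rule")]

    def matches_host(self, host):
        # "*.example.test" covers subdomains; a bare host must match exactly.
        for target in self.targets:
            if target.startswith("*.") and host.endswith(target[1:]):
                return True
            if host == target:
                return True
        return False

    def rewrite(self, url):
        """HTTPS form of url, or url unchanged if the host is not a target,
        an exclusion matches, or no rule fits (the request stays plain HTTP)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.matches_host(parts.hostname or ""):
            return url
        if any(x.search(url) for x in self.exclusions):
            return url
        for pattern, template in self.rules:
            if pattern.search(url):
                return pattern.sub(template, url, count=1)
        return url

RULESET = Ruleset(RULESET_XML)
```

The rewriter only changes which URL the browser asks for; whether the certificate presented at that HTTPS endpoint actually authenticates the site is still the browser's check, which is the gap comment #6 points at.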
#11 By: Cowicide, February 7th, 2014 05:52
I really wish the icon in the address bar was optional, there's really not that much space there already on mobile & this just cuts into the titles or URLs of Web pages.
#12 By: Cory Doctorow, February 11th, 2014 01:00
This topic was automatically closed after 5 days. New replies are no longer allowed.