Sciencemadness Discussion Board
Author: Subject: Your privacy is gone, get a VPN
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 9-4-2015 at 15:57


Life has a way of just Happening all by itself, with no regard to what we want.

Sciencemadness Https (aka whisper) is pointless.

If you're discussing Online some seriously Bad Shit, it may be 'secure' when you type it, yet a few seconds later it's been magically altered into plain text.

E.g. spider the site using https. Oops.




Loptr
International Hazard
*****




Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 9-4-2015 at 16:04


Well, I was pushing the HTTPS mainly because your username/password being transmitted over HTTP is a bad thing.

Now, yes, there are tricks for an MITM attack where I can force your session to downgrade to a defective version of SSL or TLS, or even back down to HTTP altogether, but that is a separate issue.

And again, it would require a targeted attack.

[Edited on 10-4-2015 by Loptr]

Also, not to mention, if they don't see your content going back and forth, then unless they have access to the site logs, they don't know who you are on the forum. Without an identity in hand, they have no idea what you are saying. So why hand out your identity like that? They would have access to your session cookies, and any other identifying metadata that would be sent in the HTTP headers. There is also the possibility of then injecting content in the returned HTTP responses to execute JavaScript within your browser and try and fingerprint your machine, such as accessing an img hosted on their server to get your gateway IP address, etc.

[Edited on 10-4-2015 by Loptr]

It's also just standard operating procedure for the majority of sys admins in the world, as I would expect of you, aga, as you say you help run a network. ;)

[Edited on 10-4-2015 by Loptr]
macckone
International Hazard
*****




Posts: 2159
Registered: 1-3-2013
Location: Over a mile high
Member Is Offline

Mood: Electrical

[*] posted on 9-4-2015 at 20:00


Quote: Originally posted by Loptr  


Actually, what brought them down is the servers were infiltrated. They may have attempted analysis, but ultimately, they hacked into the machines.


Not to quibble bits but they hacked into machines and actually put machines on-line (no one controls who adds machines to Tor) to do the traffic analysis. They also used human resources to contact those suspects to further enhance the certainty they had the correct suspects before they actually got warrants to tap computer hardware. Once they had 'suspects' they were able to get warrants to plant software on those suspects' personal machines. Once they have a warrant you are basically screwed. Tor is secure as long as no one can monitor your personal computer or traffic to your entry node. Once they can monitor that traffic they can correlate it to traffic on web sites of interest and exit nodes etc. It is uncertain how many entry and exit nodes are currently compromised by security agencies. Adding a VPN to move your entry IP offshore might provide some additional security, but only if it is in a country that doesn't honor requests from American (or your country of residence) law enforcement or security agencies. HTTPS is fairly secure if you disable SSL and only use TLSv1.1 or higher and you monitor the certificate that is presented.
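An added example, not written by any poster in this thread, of the client-side setup the post above ends on: refuse SSL and early TLS, then monitor the certificate a server presents by remembering its fingerprint and flagging any change. The names `TLS_FLOOR`, `build_context`, `check_certificate`, `fetch_der_cert` and the host `forum.example` are hypothetical, and the floor is set to TLS 1.2 as an assumption of this example (stricter than the post's TLSv1.1, since TLS 1.0 and 1.1 were formally deprecated in 2021).

```python
import hashlib
import hmac
import socket
import ssl

# Floor chosen for this example; the post's own floor is TLSv1.1.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def build_context():
    """Client context: no SSLv3/early TLS, chain and hostname verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_FLOOR
    return ctx


def fingerprint(der_cert):
    """SHA-256 over the DER bytes of the certificate the server presented."""
    return hashlib.sha256(der_cert).hexdigest()


def check_certificate(seen, host, der_cert):
    """Trust-on-first-use monitor: remember the first fingerprint, flag changes."""
    fp = fingerprint(der_cert)
    known = seen.get(host)
    if known is None:
        seen[host] = fp
        return "first-seen"
    if hmac.compare_digest(known, fp):
        return "unchanged"
    # Not overwritten: a routine renewal and an interception both land here,
    # so the stored value stays until someone reviews the change.
    return "CHANGED"


def fetch_der_cert(host, port=443, timeout=5.0):
    """Handshake with the hardened context and return the leaf cert (DER)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    seen = {}
    # Constructed byte strings stand in for DER certificates (no network needed).
    for blob in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        print(check_certificate(seen, "forum.example", blob))
```

In real use the bytes passed to `check_certificate` come from `fetch_der_cert`, and the `seen` mapping is persisted between runs so a change is noticed across sessions.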
Loptr
International Hazard
*****




Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 10-4-2015 at 04:06


No argument from me, macckone.

A lot of things take place during that sort of operation.

Like I said originally, the majority of intelligence comes from people, the HUMINT factor.
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 10-4-2015 at 11:08


Reminds me of an argument I once had with a rival wifi network operator.

We were back and forth with all sorts of technical banter about vulnerabilities, security etc.

Eventually he won the day by saying :-

'Nobody withholds passwords from a man with a gun, or a big hammer'




Loptr
International Hazard
*****




Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 10-4-2015 at 11:33


Quote: Originally posted by aga  
Reminds me of an argument I once had with a rival wifi network operator.

We were back and forth with all sorts of technical banter about vulnerabilities, security etc.

Eventually he won the day by saying :-

'Nobody withholds passwords from a man with a gun, or a big hammer'


Well, that is where the idea of keys comes into play. You can't tell them if you don't know it because it is so large.

I honestly don't know a lot of my passwords, so if you were to ask me, I honestly wouldn't be able to tell you.
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 10-4-2015 at 13:24


Likely that you'd perform whatever action you were asked if a gun were to your head, or your child's.

I know I would.

Bypasses all of the tricky security, passwords and keys neatly.

Basically there isn't any computer data worth more than a life that I care about.




Loptr
International Hazard
*****




Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 10-4-2015 at 13:38


How has this discussion come to this???

My head is spinning trying to make the connection with the original topic.

Why are we arguing physical access is ownership? Yes, absolutely.

aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 10-4-2015 at 13:50


Basically we were arguing about technological measures to ensure 'security' as in data passed to-and-fro on the internet.

We started disagreeing, saying it *can* be secure, and we ended up here, agreeing that it never really is.

So no, don't bother with a VPN IMO.



