Google - Since May 2010, Google has offered a secure, SSL-encrypted connection for search when the site is accessed at https://www.google.com. That is not changing: this mode will keep working for everyone, logged-in and logged-out users alike. What is new is that Google will now redirect logged-in users to the encrypted page by default, as they wrote on their blog.
Google says this is a step that will help protect users' privacy. As search results become more and more personalized, the possibility of someone eavesdropping on the traffic at public internet access points (cybercafés, public Wi-Fi) or on public computers (libraries) is becoming a problem. An SSL-encrypted connection removes that possibility.
This also brings some changes for the sites we visit. Until now, the Referer header (HTTP referrer) told them that we arrived from Google and which search keywords we used to find them. From now on they will only see that we arrived from Google, without the keywords. Google does offer them a list of the 1000 cumulatively most frequent keywords through which users reached their site in the last 30 days.
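An added example (not from the original post or from Google) showing what the change looks like on the receiving end: a site operator reading the Referer header out of their own web server log. The old plain-HTTP search referrer still carries the query in the `q=` parameter; an HTTPS search referrer shows only the Google origin; and under the browsers' default referrer policy an HTTPS to plain-HTTP navigation sends no Referer header at all, so that case is counted separately. The log lines, the hostname list and the function names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a small constructed list of Google search front ends,
# not the full set of Google country domains.
GOOGLE_HOSTS = {"www.google.com", "www.google.si", "google.com"}

# Constructed sample log lines in Apache "combined" format (not from any real
# server). The Referer is the second-to-last quoted field; "-" means absent.
SAMPLE_LOG = r'''
1.2.3.4 - - [18/Oct/2011:10:00:01 +0200] "GET /article HTTP/1.1" 200 5120 "http://www.google.com/search?q=ssl+search+privacy" "Mozilla/5.0"
1.2.3.5 - - [18/Oct/2011:10:00:02 +0200] "GET /article HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
1.2.3.6 - - [18/Oct/2011:10:00:03 +0200] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
1.2.3.7 - - [18/Oct/2011:10:00:04 +0200] "GET /article HTTP/1.1" 200 5120 "http://www.google.si/search?hl=sl&q=%C5%A1ifrirano+iskanje" "Mozilla/5.0"
1.2.3.8 - - [18/Oct/2011:10:00:05 +0200] "GET /article HTTP/1.1" 200 5120 "http://example.org/links" "Mozilla/5.0"
'''

# Matches the tail of a combined-format line: request, status, size, referer, agent.
LOG_RE = re.compile(
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_from_log_line(line):
    """Return the Referer value of one log line, or None if absent ("-")."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ref = m.group("referer")
    return None if ref == "-" else ref


def classify_referer(referer):
    """Classify a Referer header value as (source, keywords).

    ("google", [...])  old-style referrer that still carries the q= parameter
    ("google", None)   HTTPS search: only the Google origin is visible
    ("none", None)     no Referer at all (e.g. HTTPS -> HTTP downgrade)
    ("other", None)    any non-Google referrer
    """
    if not referer:
        return ("none", None)
    parts = urlsplit(referer)
    if parts.hostname not in GOOGLE_HOSTS:
        return ("other", None)
    # Google puts the search terms in q=; parse_qs decodes '+' and %XX escapes.
    terms = parse_qs(parts.query).get("q", [""])[0].split()
    return ("google", terms or None)


def summarize(log_text):
    """Count referrer sources and the keywords that are still visible."""
    sources = Counter()
    keywords = Counter()
    for line in log_text.strip().splitlines():
        source, terms = classify_referer(referer_from_log_line(line))
        if source == "google" and terms is None:
            sources["google (keywords hidden)"] += 1
        elif source == "google":
            sources["google"] += 1
            keywords.update(terms)
        else:
            sources[source] += 1
    return sources, keywords


if __name__ == "__main__":
    srcs, kws = summarize(SAMPLE_LOG)
    for name, n in srcs.most_common():
        print(f"{n:3d}  {name}")
    print("visible keywords:", dict(kws))
```

Only the two plain-HTTP referrers contribute keywords; the HTTPS search hit is visible as Google traffic with nothing else, and the downgrade case leaves no referrer to classify at all.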
Of course! I search directly from Chrome and the browser doesn't indicate that I've landed on a secure connection, so for now this whole thing is a fail. Just like Facebook, which sometimes keeps https and sometimes doesn't...
There's just no real interest, because it costs companies money (trusted CAs...), governments have nothing against the ability to eavesdrop, and laypeople don't know what it's about anyway.
PS: How does scroogle work? If it's more than two clicks, it's a fail.
To err is human.
To err often is stupid.
To persist in error is... oh, hello!
Traffic inspection for the purpose of "protecting" against viruses and malicious sites has already spread quite a bit.
And it is nothing unusual to arrive at a hotel abroad and, when you click an https link, have their in-house network appliance present its own certificate. In the style of "HTTPS Inspection Authority", which assures you that it will inspect the content of SSL-protected web pages too and protect you (helpless wretch) from all sorts of junk there as well.
A step forward or a step back?
In my view a step back, because sooner or later hackers will start intercepting communications this way. All they will have to do is name their certificate appropriately ("HTTPS Inspector and Protector"), and voila...!
governments have nothing against the ability to eavesdrop
I don't understand; it's precisely governments that are to blame for this security nightmare. And SSL certificates are one of the bigger symbols of it. More at the link; here is just the conclusion:
Fast forward to the new millennium, and that somewhere else was online payment systems and banks. I.e., where the money is. The first known phishing attack on a financial operator was June 2001 against e-gold. Delivered using spam techniques, users were tricked into entering their passwords into near-enough websites. And it was here that the browser security model was first challenged and failed within moments. The one thing that the certificate was supposed to do was tell the user that they were on the right site, plus or minus some details. But by the time the attackers arrived, the security model had been so abused by other agendas that it wasn't capable of putting up a fight against a real criminal.
Worse, the huge infrastructure that had been built up - crypto libraries, protocol libraries, browser manufacturers, web server manufacturers, standards committees, certificate authorities, auditors, audit standards models, digital signature laws, PKI rollouts and a cast of a thousand onlookers - proved itself simply incapable of accepting the threat for what it was - a successful attack on the browser's security model.
We're still there - working with a security model that was envisaged as a nice quick and dirty fix for credit cards in the first instance, in the second instance squabbled over by a bunch of disparate interests, and in the third instance broken like a child's toy sword the day after Christmas when the first bully turned up and whacked it with a stick. Worse, in the fourth instance, phishing has invested its proceeds and diversified into the trojan / malware and data breach spaces so any fixes delivered are not going to stem the tide of red ink losses.