R__ Posted March 6, 2011

The web is a very dangerous place. When you view a webpage, essentially what you are doing is asking a remote server to run code on your local machine(!). If that doesn't scare you, IT SHOULD. Here is why:

Cookies are not safe. Any website can pull all the cookies out of your browser. If you use online banking, you should be concerned, because porn sites tend to be the "legitimate" side of illegitimate organizations (to spell it out: criminals run porn sites). Porn sites are not even the biggest fear... I'm personally more afraid of Facebook than anything. Cookies can sometimes also contain session IDs, which would allow an evil person to rip cookies out of your browser, and log into a target website as you without actually logging in (this is less common, however).

Flash cookies: even more scary than normal cookies. Flash is the most insecure piece of your browsing experience. Adobe has a monopoly, and therefore no incentive to improve their product. Don't think they care about improving security; any security updates are to prevent PR nightmares. Flash cookies are impossible to clear from your browser directly; you must use Adobe's flash control panel: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Cross-Site Scripting/XSS: This is my personal favourite. I have lots of evil PHP scripts on my webserver that show examples of this. Javascript can do a lot of amazing things, and a lot of evil things. Evil things like passing your session ID to a PHP script on my webserver that allows me to become you. Another really evil thing that can be done with this, is to have an evil script post messages to forums, or even Facebook, as you. Imagine your Facebook status being changed to "I love child porn" for your boss to see. It's all doable through XSS. Porn sites are the worst for running these attacks on you. Of course, I personally never go to any of those, and I'm sure nobody here does either, but be aware.

This is where spam comes from: you surf some shady websites, and they rip out your cookies. Now they know all your email addresses, some of your online banking info, and your general online identity. I'm sure Facebook does it too.

Do your online banking with a LiveCD/LiveUSB operating system, in a secure browser. If that's too much for you, keep an install of Firefox around with the NoScript plugin installed. Don't do online banking with IE, unless you're a retard. In fact, don't use IE at all unless you're a retard. It's the least secure browser out there. Always has been, always will be (there are plenty of exploits in the wild that can easily be run on webservers that cause your wonderful IE browser to add you to a botnet and/or install all other kinds of malware).

Stay away from porn!
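An added example, not part of the original post or thread: a Node.js check a site operator can run over their own Set-Cookie headers to flag session cookies that lack HttpOnly, Secure and SameSite (the attributes that limit script access, plain-HTTP exposure and cross-site sending), together with the output escaping a forum applies to user posts. The cookie names, the session-name heuristic and the sample headers are constructed assumptions.

```javascript
// Added example (not from the thread): audit Set-Cookie headers on a site you run.
// Assumption: cookies whose name matches this heuristic carry a session ID.
const SESSION_NAME = /(sess|sid|auth|token)/i;

// Parse one Set-Cookie header into { name, value, attrs }; null if malformed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the list of weaknesses for a session cookie (empty for other cookies).
function auditCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return ['malformed Set-Cookie header'];
  if (!SESSION_NAME.test(c.name)) return [];
  const findings = [];
  if (!c.attrs.httponly) findings.push('no HttpOnly: readable by page script (document.cookie)');
  if (!c.attrs.secure) findings.push('no Secure: also sent over plain HTTP');
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict')
    findings.push('SameSite not Lax/Strict: may ride along on cross-site requests');
  return findings;
}

// Encode user-supplied text before placing it in HTML, so markup in a post is shown, not run.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample headers (hypothetical cookie names and values).
const samples = [
  'PHPSESSID=abc123; Path=/',
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
];
for (const h of samples) console.log(h, '->', auditCookie(h));
console.log(escapeHtml('<b onclick="x">Tom & Jerry</b>'));
```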

Mercurial Posted March 6, 2011

B-but I love porn :'(

Mal Posted March 6, 2011

Porn is good... IT MAKES ME WANT TO LIVE TO THE NEXT DAY. Also, nice article you got here on the forums. Informative but still.

deanb Posted March 10, 2011

http://www.bbc.co.uk/news/technology-12668552

Supposedly an EU Directive is coming into force in a few months that will dictate cookie use. Not sure if it will be good or bad, since as the article points out many folks may soon be getting an increase in pop-ups n such asking if a site can track them or store cookies and such. Facebook's reaction will be interesting since many folks use it as their gateway to the internet, but they also have their fingers in many pies across the net tracking your likes and visits across the net.

Faiblesse Des Sens Posted March 10, 2011

I wonder if that will tie into Mozilla's opt-out standard.

deanb Posted March 10, 2011

I doubt it. As it stands Do Not Track is pretty much just a ...placebo is the wrong word... dummy button. Mozilla went "It'd be neat if this feature existed". They need all the guys reliant on tracking your data to agree it's a neat idea too. That's not my word, that's theirs: https://wiki.mozilla..._DoNotTrack_FAQ

"Will turning on the header block tracking? No. When the header is turned on it will send a signal to the website that the user would like to opt-out of tracking by third parties. This does not force an opt-out or currently require that websites comply. Our hope is that by implementing this header other browsers and websites will adopt and maintain it."

Google have a similar solution, but since they not only make the browser but the tracking cookies too they have the edge for now with a system that actually works. http://www.networkad...ing/opt_out.asp (It uses that list there basically)

And since the Chrome/NIA version is up and running and more than just hopes and dreams I have a feeling that'd be the path EU would most likely take. From a government viewpoint it's certainly the much easier route. If companies are already self-complying with the NIA opt-out list, then it makes sense to let them continue with that than force them to sign up to Mozilla's list too.

deanb Posted March 21, 2011

HTTPS is more secure, so why isn't the Web using it?

Faiblesse Des Sens Posted March 21, 2011

Nice read.

R__ Posted March 22, 2011

"HTTPS is more secure, so why isn't the Web using it?"

I haven't read the article but I'm guessing these are the reasons:
1. Encryption = eating CPU
2. People don't give a fuck about security. Never have, never will.

Faiblesse Des Sens Posted March 22, 2011

Encryption eats the CPU? Wait, what? Second one is sort of true. It talks about how people are only just now giving a fuck.

R__ Posted March 22, 2011

Using SSL increases the workload on both ends of the connection. If a site is even a little bit popular, the extra CPU load could mean additional servers are required to keep up with the traffic. Plus certificates are a pain...

Faiblesse Des Sens Posted March 22, 2011

Sure, there's going to be an increase, but would it even be that much of an increase? Certainly it can build up server side with a lot of people connecting but the same can be said for not having a completely optimized site in the first place. Anyways, read the article yet?

deanb Posted March 22, 2011

Well I have read the article (hence linking) and R____ is right, the encryption chews through CPU, and HTTPS can't cache, meaning it needs to be generated n resent every time. It's why on the sites that are enabling it, it's optional not forced, and smaller sites can't use it or generally have little use for it.