HTTPS Encryption

Started by Lucy_Helene, September 27, 2019, 08:46:43 PM


Lucy_Helene

I didn't know where else to post this, so I supposed I would put it in this category.

I usually use Firefox when visiting the forums on my computer, and I've noticed that as I navigate between subforums and the pages of threads, the address bar sometimes displays "HTTPS" (with the green lock indicating secure) and sometimes only "HTTP". Sometimes I get a "mixed content" notice from Firefox, where my browser still displays "HTTPS" but without the green lock, and with a yellow warning sign.

Is there anyone knowledgeable here who might have an idea of what's going on? Is this any cause for concern when entering login credentials?

Gardener

https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox

HTTP = bad (not secure); force https or just move on if it's a page where you need to enter info.

Mixed = HTTPS and HTTP; which is which? Who knows. YMMV and tread carefully.

btw, please enable DNS over HTTPS in the new Firefox release (https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_enabling-and-disabling-dns-over-https).

And get a password manager so you can have unique passwords at every site you log into. :)

-Your friendly local IT security guy.
"If anyone does not wish to have Mary Immaculate for his Mother, he will not have Christ for his Brother." - St. Maximilian Kolbe
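Added example, not part of the thread or of any Firefox code: a small scanner that does what Firefox's mixed-content blocker does for one HTML page, listing every sub-resource that an HTTPS page still fetches over plain http://. Following the Mozilla article Gardener links, scripts, frames, stylesheets and objects count as active (blocked by default) and images and media as passive (loaded, but the lock becomes a warning). The sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch sub-resources, and whether Firefox treats
# them as "active" (blocked by default) or "passive" (warning icon only).
LOADERS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), kind in LOADERS.items():
            if tag != t or not attrs.get(a):
                continue
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                continue  # only stylesheet <link>s are active mixed content
            absolute = urljoin(self.page_url, attrs[a])  # resolves relative and // URLs
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def scan_mixed_content(page_url, html):
    """List (kind, tag, url) for every sub-resource still fetched over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is plain HTTP, so "mixed" does not apply
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the hostnames are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/avatar.png">
<img src="/local/logo.png">
<script src="https://cdn.example.test/safe.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content("https://forum.example.test/index.php", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Protocol-relative (`//host/...`) and root-relative references inherit the page's https scheme, so only the two absolute `http://` URLs are reported.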

Lucy_Helene

Quote from: Gardener on September 27, 2019, 10:55:42 PM
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox

HTTP = bad (not secure); force https or just move on if it's a page where you need to enter info.

Mixed = HTTPS and HTTP; which is which? Who knows. YMMV and tread carefully.

btw, please enable DNS over HTTPS in the new Firefox release (https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_enabling-and-disabling-dns-over-https).

And get a password manager so you can have unique passwords at every site you log into. :)

-Your friendly local IT security guy.

Thanks for this information. I can't seem to do anything with my outdated version of Firefox though...probably because I'm still using Windows XP...

Gardener

... XP? What do you think you are, a hospital?  :lol:

Laptop or desktop? Ever considered upgrading and switching the Operating System to something which can run on your hardware and still gets updates? Like a Linux variant?

Lucy_Helene

Quote from: Gardener on September 29, 2019, 05:47:03 PM
... XP? What do you think you are, a hospital?  :lol:

Laptop or desktop? Ever considered upgrading and switching the Operating System to something which can run on your hardware and still gets updates? Like a Linux variant?
Yep, I'm a dinosaur.  ;)

Desktop. I've been wanting to update the Operating System, but since I'll be leaving my current living arrangement in a year or so and getting a laptop then, I'm trying to last until then using this old PC. I don't really use it for anything other than checking my emails, a couple of forums, and using Microsoft Word to get work done...and with antivirus software, I don't think I have much to worry about.

Gardener

Is it necessary for you to use Word specifically, or could you get along with something like LibreOffice which can still save in a .doc/.docx format if needed?

How large would your needed files be, if saved for loading onto a new PC or a PC with a new Operating System?

Do you have a OneDrive storage account where you could do things in Word online if needed?

Lucy_Helene

Quote from: Gardener on September 30, 2019, 07:25:15 AM
Is it necessary for you to use Word specifically, or could you get along with something like LibreOffice which can still save in a .doc/.docx format if needed?
I suppose I could.

Quote from: Gardener on September 30, 2019, 07:25:15 AM
How large would your needed files be, if saved for loading onto a new PC or a PC with a new Operating System?
Last time I checked, around 5 GB.

Quote from: Gardener on September 30, 2019, 07:25:15 AM
Do you have a OneDrive storage account where you could do things in Word online if needed?
No, but I've been using Zoho Docs for about a week or so, and it works for me.

If I needed OneDrive I could always pull out my university Microsoft account.  :P

Tales

Gardener,

I keep my myriad of unique passwords written on paper and avoid using digital password lockers, but I have no insider information that informed me in that decision.  Given your expertise, in your opinion are password managers safe to use?

Also how secure do you consider OneDrive to be?  I use it for work but none of that is especially sensitive.  Would you store things with personal identifiers on it (taxes, for example) or think that best remain offline?

Thanks!

Lucy_Helene

Quote from: Davis Blank - EG on October 02, 2019, 05:58:17 AM
Also how secure do you consider OneDrive to be?  I use it for work but none of that is especially sensitive.  Would you store things with personal identifiers on it (taxes, for example) or think that best remain offline?
Thanks!
I'm by no means an expert in this (though I do have a family member who works in IT), but my issue with OneDrive is not security, but privacy. Microsoft's security is very strong (and perhaps even a bit overkill at times), but when it comes to big companies like Microsoft and Google, I find privacy to be the bigger concern. Microsoft has frequently criticised Google for its practise of scanning users' email messages and looking at browsing history for targeted ads, but from what I've seen, Microsoft isn't that much better on the privacy front either. If I were storing personally identifiable documents, I'd choose a service where the files are encrypted on my computer beforehand (rather than only "in transit"), where I'm the one holding the encryption keys. I do choose to keep such things offline as much as possible though.

Just my two cents.

Gardener

Quote from: Davis Blank - EG on October 02, 2019, 05:58:17 AM
Gardener,

I keep my myriad of unique passwords written on paper and avoid using digital password lockers, but I have no insider information that informed me in that decision.  Given your expertise, in your opinion are password managers safe to use?

Also how secure do you consider OneDrive to be?  I use it for work but none of that is especially sensitive.  Would you store things with personal identifiers on it (taxes, for example) or think that best remain offline?

Thanks!

Apologies for the late reply:

"Are password managers safe to use?"

YES, if you follow some basic security hygiene.

1) Since the ONLY password you should have to remember when using a PM is the password to open the app, then you should make it complex enough to withstand brute force attacks. While the past has had advice like 14 characters, upper and lower case, symbols, etc., those are hard to remember and convey if you need someone to get into it (such as your wife). We tend to remember phrases better. Phrases, if complex enough, tend to be just as algorithmically complex as the "complex" passwords.

Per "howsecureismypassword.net" the following complexity is deduced:

SMI38#%8n2ASd!L)
1 trillion years for a computer to crack

JesusMarySacredImmaculate33ad!@
24 duodecillion years for a computer to crack. Yet, it's much easier to remember!

So your password for gaining access to the manager is:

a) easy to remember
b) only a quantum computer is cracking it, ever, UNLESS you EVER use it for anything else and that other thing is compromised in a data breach.
i) the machine itself is already compromised when you enter it (keylogger, etc.)

If a quantum computer is hitting your credentials, it's a nation state and there are easier vectors for them to monitor (backdoor NSA style tools, key loggers installed, etc.)

I'm ok with 1 trillion years, but I can make it even better by setting complexity requirements in the PW manager when creating a new entry:

$i@%R3n7z*!RUA^EGtH#nGMAz@T4$Zd#9zSditrqN3q2$b^sdy$*
99 quinquavigintillion years to crack.

Only Rain Man would remember that.

So with some basic cyber hygiene on the front end, you have access to something which allows UNIQUE passwords for EVERY account.

You might ask, "But what about the app itself? What about the cloud-based server storing my vault of passwords?"

Good question. The app itself, for the major players, encrypts the vault and/or password before uploading it to the cloud where your info is kept. So let's say you choose XYZ brand and they get mega hacked. Well, the encryption applied to your vault is going to protect that.

In the case of bitwarden, it's AES 256 combined with PBKDF2/SHA-256 (https://help.bitwarden.com/article/what-encryption-is-used/)

Now you might say, "What about when it's open on my computer itself?"

Yeah, the rub always resides with data in use. It HAS to be decrypted to be used. But that's where I prefer to do something like open the app, grab the PW I need, and then close the app.

In the end, the only winning move is to not play.

Where a password manager can become compromised more easily, as was recently the case with LastPass, is browser plug-ins. I avoid them. I have to "log in" to the plug-in anyway, so I might as well open the app itself. Further, for the plug-in to work, the URL for the site has to be entered with the respective entry to get a right-click-and-go experience.

Personally, I use the following:

KeePass - free; local only; it has no cloud component. You can sync the database with something like Dropbox, but I find it a pain. If you are a multiple device user, I'd avoid it. But, it's a go-to for many security practitioners.

Bitwarden - free; cloud based; client side encryption prior to upload; nearly instant sync (so if I make a new entry on my phone in the app, and then open my laptop, the new entry is there).
-------
LastPass is another popular one. I found their XML import for my KeePass DB to not work. So I promptly deleted it. My co-worker uses it and is happy. I just simply didn't want to recreate something like 50 entries.

What I like about a cloud based PW manager is the following:

Everywhere access (offline mode will not grab entries entered elsewhere until sync, but I can open my app on my phone in airplane mode and grab whatever was last synced).

Instant generation of insanely complex passwords - no temptation or need to be creative

Secure as can be expected

Isn't going away if my computer dies (looking at you, Excel-to-store-passwords users)

Secure notes/CC info, etc., all encrypted.

----------------

OneDrive

Secure? Yeah. Possibly a buffet of privacy violation by provider? Yeah.

If the latter is your concern, consider a different cloud provider.

The information you store is likely stored somewhere else too. Those locations, frankly, are but a subpoena away from being accessed. They're a phishing attempt away from the IRS giving that access to an attacker. As far as can be reasonably assumed, unless you are storing plans and contacts for a legit crime, I have no problem with using OneDrive.

But, others feel differently. As AI, monitoring tech, and data analytics evolve, we are entering a period where privacy will need to be rethought by the average person. Individuals ID'ed as suspect/problematic/etc. will be targeted for closer monitoring.

When that occurs, or if one feels it is going on now (probably to a degree), the only answer is to unplug everything OR be SCRUPULOUS about presenting an innocent profile and leave ALL forum/personal/opinion/etc., stuff offline, in your head, and be a good little subject of the state.
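Added example, not from the thread and not Bitwarden's code: it puts numbers on two claims in the post above. First, a charset-based entropy estimate for the three passwords Gardener compares (the same upper-bound method sites like the one he cites use). Second, the PBKDF2-HMAC-SHA256 stretching named on the Bitwarden help page, which makes each guess against a leaked vault cost thousands of hashes. The guess rate and iteration count are assumed figures, and the e-mail address is a placeholder.

```python
import hashlib
import math
import string

# Character classes an attacker must include once any member appears in the password.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def charset_size(password):
    """Alphabet size implied by the character classes present (94 if all four)."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def entropy_bits(password):
    """Upper bound: every position chosen uniformly from the alphabet. A phrase of
    dictionary words is weaker than this number suggests, because a cracker guesses
    words rather than characters; its length still counts for a lot, as the post argues."""
    return len(password) * math.log2(charset_size(password))

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the entire keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def stretched_rate(hashes_per_second, iterations):
    """Guess rate once each guess costs `iterations` HMAC-SHA256 calls (PBKDF2)."""
    return hashes_per_second / iterations

def derive_vault_key(master_password, email, iterations):
    """PBKDF2-HMAC-SHA256 stretching of the master password, salted with the account
    e-mail (lower-cased so it is stable). This is the shape of the client-side step the
    help page names; a real manager layers further keys on top of it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)

if __name__ == "__main__":
    RATE = 1e10     # assumed raw SHA-256 rate of an offline attacker (constructed figure)
    ITER = 100_000  # assumed PBKDF2 iteration count; check your own manager's setting
    for pw in ("SMI38#%8n2ASd!L)", "JesusMarySacredImmaculate33ad!@",
               "$i@%R3n7z*!RUA^EGtH#nGMAz@T4$Zd#9zSditrqN3q2$b^sdy$*"):
        bits = entropy_bits(pw)
        print(f"{len(pw):2} chars {bits:6.1f} bits: {years_to_exhaust(bits, RATE):.1e} years raw,"
              f" {years_to_exhaust(bits, stretched_rate(RATE, ITER)):.1e} years behind PBKDF2")
    key = derive_vault_key("JesusMarySacredImmaculate33ad!@", "user@example.test", ITER)
    print("derived vault key:", key.hex())
```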

Tales

Gardener,

Thank you for the detailed reply!

Regarding OneDrive, it seems like already with Windows they (Microsoft, the government) have access to all files on our computers if they want them.  I'm increasingly of the belief that the government already can and will access what it wants so the best I can do is try to keep extortioners from accessing any of my data.  Another giant source of risk is in all of the accounts we must create to do anything online - there are so many cases of big companies and sites being hacked and names / addresses / passport numbers being stolen.  One can do things right from their side but then Cathay Pacific or Capital One gets hacked and our data gets out anyways.  The big companies often do not even take security seriously - HSBC will call and ask very personal questions about account matters.  When asked for them to identify themselves they are bewildered - even went in to the branch to ask if that employee name & phone number were authentic HSBC and they wouldn't give a response, so just closed the account.  If they won't take security seriously then why deal with them?  Are they unaware of the innumerable phone scams across the planet?

Keyloggers, phishing scams, phone scams, bitcoin extortion viruses, and the list goes on and on.  I used to think cyber security / cyber warfare was a joke but with how much of our finances (personal & business) are digital and how much damage can be done from identity theft / extortion, I now see it is a colossal threat.  The email account seems to be central to it all since it is the source of resetting passwords for all accounts - if the email account gets hacked it is off to the races for the criminal.  Hopefully 2FA cannot be gotten around (barring stealing the phone).

Edit:  another major annoyance is apps that require permission to access media & location.  No thanks!

Gardener

You can theoretically achieve better security through strict segmented layering of operations and air gapping, but frankly it's tedious to do so.

The time to truly disconnect was 15 years ago. Now we are only in damage control mode. And even now, if disconnected, one's information is still out there on other systems.

One can get by without Windows, OneDrive, etc. Plenty of free OS's out there: Ubuntu, Linux Mint, etc. Plenty of security-centric cloud providers. There are also solutions like FreedomBox:
https://freedomboxfoundation.org/

2FA is able to be bypassed, but it's much harder to do so, so long as one's "2FA" isn't an email; think something more along the lines of Okta, Google Authenticator, Duo, RSA fob, etc. In order to do so for a txt or call would require inside access to a phone provider to mimic/dual home the number, or... well, one's paycheck to be signed by an Alphabet.

With a well built password manager, one can implement 2FA to even access the vault.

fun tip: gmail doesn't distinguish dots on their end. So if your email is davis.blank.eg@gmail.com, you could sign up for website A with davisblank.eg@gmail.com, B with davisblankeg@gmail.com, C with d.a.v.i.s.blank.eg@gmail.com, and so on. Then, if you receive an email to d.a.v.i.s.blank.eg@gmail.com, you know they got it from website C. Not sure about other providers.
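Added example, not from the thread: the dot trick above, written down as a small ledger. It canonicalises an address the way Gmail delivers it (dots in the local part ignored, a `+tag` suffix dropped, case ignored) so you can register one spelling per site and later tell which site handed your address on, from the To: header of a message. The site names are constructed; the addresses are the ones used in the post.

```python
from email.utils import parseaddr

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical(address):
    """The mailbox that actually receives mail for `address` (Gmail rules only;
    other providers are left unchanged apart from case)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

class AliasLedger:
    """Remembers which site was given which spelling of one Gmail mailbox."""
    def __init__(self, mailbox):
        self.mailbox = canonical(mailbox)
        self.by_spelling = {}  # exact lower-cased spelling -> site

    def register(self, site, spelling):
        if canonical(spelling) != self.mailbox:
            raise ValueError(f"{spelling} does not deliver to {self.mailbox}")
        if spelling.lower() in self.by_spelling:
            raise ValueError(f"{spelling} already used for {self.by_spelling[spelling.lower()]}")
        self.by_spelling[spelling.lower()] = site

    def source_of(self, to_header):
        """Site that was given the exact address found in a message's To: header,
        None if the mail is not for this mailbox at all, or a marker for a
        spelling that was never handed out (e.g. the bare address)."""
        _, addr = parseaddr(to_header)
        if canonical(addr) != self.mailbox:
            return None
        return self.by_spelling.get(addr.lower(), "unregistered spelling")

if __name__ == "__main__":
    ledger = AliasLedger("davis.blank.eg@gmail.com")
    ledger.register("site A", "davisblank.eg@gmail.com")
    ledger.register("site B", "davisblankeg@gmail.com")
    ledger.register("site C", "d.a.v.i.s.blank.eg@gmail.com")
    # Constructed incoming header; the sender changed the case but not the dots.
    print(ledger.source_of('"Special Offer" <D.A.V.I.S.Blank.EG@gmail.com>'))
```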