Farewell HTTP, it’s been fun but we’ve moved on.
From now on Naked Security will only be available over secure, encrypted HTTPS with Strict Transport Security and Forward Secrecy.
Did you even notice? Perhaps not. Will the NSA have sleepless nights now? We doubt it.
But do we like it better this way?
Yes we do, and judging by the comments you left when we first rolled out HTTPS as an option a few months ago, some of you do too.
We have always used HTTPS where it was absolutely necessary – on our admin interface and login pages for example – but back in June, to coincide with Reset the Net, we decided to make all the pages of Naked Security available over HTTPS too, for anyone who preferred them that way.
To begin with it was voluntary and only available to those who used the HTTPS Everywhere browser plugin or who added the ‘S’ to the protocol in the address bar themselves.
Over the intervening period we’ve ratcheted up the number of visits that are encrypted by using HTTPS on the links published via our syndication channels like Facebook and our daily news email.
Finally, a week ago, we pulled the plug on HTTP completely.
Some of you are probably thinking that the NSA doesn’t care if you read Naked Security, so why did we bother?
HTTP is unencrypted and therefore vulnerable to both eavesdropping and man-in-the-middle attacks by anyone – from opportunists using the same coffee shop Wi-Fi as you, to government agencies plugged into the internet backbone.
Most of the time those vulnerabilities are not worth exploiting, and even if they are exploited they don’t turn up anything useful anyway – it just isn’t worth hacking your web traffic to discover that you read Naked Security, for example.
And that’s the way the web grew up – with unencrypted HTTP as the default and HTTPS the exception, reserved for situations where it’s essential that your traffic isn’t spied upon because it might include sensitive information like passwords, private data or, latterly, session tokens.
Increasingly though, people are demanding that privacy should be the rule and not the exception. Most of us don’t think of our browsing or email as public but that is, in effect, what it is and always has been.
Groups as diverse as Reset the Net and Google are now encouraging users and organisations to adopt encryption as a matter of course, while the Internet Engineering Task Force is putting encryption front and centre in the design of HTTP 2.0.
Slowly but inexorably HTTPS is becoming the rule rather than the exception for websites and that’s a trend we’re happy to be a part of.
Image of portcullis courtesy of Shutterstock.
In the UK we just had an interesting insight into the ‘NSA/GCHQ is watching me’ issue.
London, UK. A jihadist drives a car at high speed into an off duty soldier on the pavement (sidewalk). He and a chum jump out of the car and then hack the injured soldier’s head off.
Inquiry into ‘intelligence failure’ just completed. Apparently ample material in his internet activities to predict an impending attack – in advance – and stop him.
Problem? No one looking at his internet activities.
Apparently, despite a previous conviction, a highly publicised arrest in Kenya for planning a terrorist act and even a public appearance on TV ranting about jihad, he was not considered high enough risk to cross the threshold for full surveillance of all his internet activity.
Yet – bizarrely – people are being misdirected into thinking NSA/GCHQ are reading ordinary people’s emails about buying an extra Lightning cable for their iPad …
… or monitoring their reading of Naked Security.
NSA/GCHQ surely CAN read my emails, texts, phone metadata, but they just don’t care enough to actually do it.
On the other hand, doesn’t that sort of prove the point that these agencies don’t really need this power? It seems far more likely to me that this sort of spying is way more likely to be used by a corrupt member of intelligence services for their own gain than it is to be used in an investigation.
My company has issues properly querying its own sales data, so I’d imagine the amount of information one would get swamped with querying an intelligence database is mostly a lot of noise. Unless you’re seriously dedicated to unearthing dirt on a particular individual, you’re likely to avoid bothering. And that dedication is usually not because you’re good at your job.
In addition, there appears to have been ample proper public information to have flagged this guy as a potential nutjob without hoovering up more. That they ignored that tells me they don’t need this toy until they’ve played with their others and learned to be responsible with them.
I think you misunderstand the nature of people’s concerns about this. I don’t for a second believe that GCHQ or the NSA have an analyst watching my every move but I object to mass, secret, data collection.
There is a difference between getting a warrant and collecting information about an individual and collecting information about all individuals in case you need a warrant for one of them. The risks of the latter are vastly greater than the former.
GCHQ failing to stop an awful crime says nothing about their ability to mine data en masse for industrial espionage, for example.
Hey, great to see you saying goodbye to HTTP.
I noticed that you’re simply redirecting traffic from HTTP to HTTPS … that’s not exactly “pulling the plug on HTTP completely”. As you are talking about eavesdropping and MITM: this is still possible while redirecting from HTTP to HTTPS. If you really want to pull the plug then you really should get rid of HTTP connections and close port 80.
But with that comes another problem: lazy users who don’t want to type in “https://…” will be banned from your site.
So it’s up to the browser vendors. I think there should be a “default to https://” in every browser and just fallback to http. This way the web becomes secure and even gets the lazy (or unaware) users back.
You’re right, I guess. But no part of Naked Security’s content is served via HTTP any more. So, strictly speaking, I think “pulling the plug on HTTP” is an acceptable metaphor here. We’ve pulled the plug. We just haven’t disconnected the power outlet and plastered over the hole where it used to be yet.
In support of the previous commenter, the email content that you specifically mention uses HTTP (no S) links that go via list-manage (.com).
If you’re going to say you’ve done it everywhere, that should be looked at too; even if it’s a third-party service, it is still a possible attack surface that you are endorsing through use.
It is, and we’re looking at that too, but what we’ve done is a massive improvement and STS will help protect users from abuse of the HTTP links in emails.
If and when we solve the email links problem we’ll just be left with plain text email, the biggest attack surface of them all…
I clicked on a link sent in the emailed “Latest News” and my browser was taken here to list-manage.com
Your content may not be served via HTTP but your links into it are, and that’s not much help, IMHO – it’s a bit like having a padlock on a carrier bag (and I used to know someone who did just that).
Browsers initially attempting https would be really great. Until then, accepting http and forwarding the user into https is the only realistic way to do this, since you can’t control unaware users as well as http links from external sources.
Good job Naked Security.
That’s what STS is for, well almost.
I get your point, and I think you’re saying you support what we’re doing and understand it, so thanks, but I think you’re splitting hairs a bit here too.
You can’t find Naked Security on port 80, there’s just a sign written in HTTP saying “we’ve moved forever”. You follow it once, get the STS header and never go back. There is a chance you could be snared by a MITM but there’s a chance of being snared in a MITM *with* HTTPS.
There’s absolutely no way that we’d pull the plug on port 80, we have a lot of links out there and our remit is to talk to people. We want to do our jobs securely not be so secure we can’t do them.
Stopping your web server listening on port 80 doesn’t gain any security, because a man-in-the-middle can still successfully intercept connection attempts to that port.
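The mechanism argued over in this sub-thread (the plain-HTTP redirect is the only unprotected step; once the browser has received the Strict-Transport-Security header it rewrites http:// links locally, so an HTTP link in an email never goes out in clear text) as an added example that simulates a browser’s HSTS cache. This is not Naked Security’s or any browser’s code: the HstsCache class, the nakedsecurity.example host and the header values are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Hypothetical RFC 6797-style store of known HSTS hosts (not real browser code)."""
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so expiry can be exercised
        self.expires = {}                 # lowercase host -> absolute expiry time (seconds)

    def observe(self, url: str, headers: dict) -> bool:
        """Learn a policy from a response; True if stored. Only an HTTPS response counts:
        a header seen on port 80 could come from the very MITM the policy should defeat."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None or not parts.hostname:
            return False
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        if not m:
            return False                  # malformed directive: ignore the header
        host, max_age = parts.hostname.lower(), int(m.group(1))
        if max_age == 0:                  # max-age=0 asks the client to forget the host
            self.expires.pop(host, None)
            return False
        self.expires[host] = self.now() + max_age   # includeSubDomains omitted for brevity
        return True

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// when a live policy covers the host, so the request
        never leaves the machine in clear text (default ports assumed)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        host = parts.hostname.lower()
        expires = self.expires.get(host)
        if expires is None:
            return url                    # never seen over HTTPS: this is the redirect window
        if expires <= self.now():
            del self.expires[host]        # lapsed: behave as if never seen
            return url
        return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))

def first_visit_then_email_link(cache: HstsCache) -> tuple:
    """The exchange from the comments: the first visit must go through the plain-HTTP
    redirect; afterwards an http:// link from an email is upgraded locally. Constructed values."""
    first = cache.upgrade("http://nakedsecurity.example/")        # no policy yet
    cache.observe("https://nakedsecurity.example/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    return first, cache.upgrade("http://nakedsecurity.example/latest-news")
```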
This is excellent news. Extra kudos to Sophos for implementing HSTS and perfect forward secrecy (PFS). Sophos certainly do go the extra mile.
I wish more sites would also implement HTTPS; however, 2015 should see more sites adopt it.
Thanks.
(We prefer to call it just forward secrecy. The word “perfect” feels a bit haughty in the context of computer security 🙂)
Not to mention that it might be akin to “throwing down the gauntlet”.
The banner headline is a little misleading and has been for a few weeks. It says “From 15 November we’ll no longer support Windows XP” which isn’t strictly true.
It should really read “From 15 November we’ll no longer support Internet Explorer 8.” Windows XP can access Naked Security without problems using the Chrome browser, for example. I’m testing that at this moment.
We should either change the message, or actually stop supporting XP 🙂
Seriously, folks, if you are still using XP for day to day browsing, you are letting everyone else down, not just yourselves.
It’s like insisting on carrying on smoking when everyone else around really wants you to stop because they know it’s moderately bad for everyone in the vicinity, but especially bad for you.
Having said that, Firefox or Chrome will work.
The feature that we’re using to deliver HTTPS is Server Name Indication which is not supported on any Microsoft browser on Windows XP but is supported by IE7+ on Windows Vista.
Not supporting XP means that the needs and desires of XP users will not feature in our decision making nor prevent us from doing things. If you can get it to work, fine, but we aren’t going to help, and when you get here we’ll ask you if it isn’t time to upgrade already ; )
Good work on going to HTTPS, guys. I would be interested if someone there has the time to do a more technical article about how you made the change and any additional load on web servers (or if you used SSL offloaders etc.) encountered by moving to HTTPS.
And yet you are still sending out mail with the links as HTTP?
Even the message about now using HTTPS still has only HTTP as its link.
Pretty sure I can find a box full of S’s around the office if you are short… 🙂
Thanks for this.
After having a job that was 75% installing AV products for people and then later cleaning up the mess those products let happen, I never thought I would come to actually respect a security company ever again. But y’all put your money where your mouth is and actually implement and usefully discuss all the small changes that make the web a safer place for all of us. Thanks for that.
The Naked Security certificate, like most others, contains the site name. This has to be sent in plain during the connection handshake. So even if the server IP address isn’t enough the certificate will confirm which site someone is looking at.
It might hide which specific page, but I’m not sure about that. Would it be possible to create a page “fingerprint” by looking at the pattern of connections, timing, and amounts of data in a web browser connection? It would depend how much random data padding the encryption does. This is just a bit of speculation, but it might be possible to tell what is in a connection by looking at how that connection is working. Then comparing that with the results obtained by, for example, a web crawler.