Announcement

Collapse
No announcement yet.

HTTPS vulnerability

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    HTTPS vulnerability

    This article reviews an attack vector via HTTPS using a java script

    http://arstechnica.com/security/2016...m-https-pages/

    Do read.
    Kubuntu 24.11 64bit under Kernel 6.11.0, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    Interesting. Using Javascript to exploit http2. WWW3 states:
    Why Study JavaScript?

    JavaScript is one of the 3 languages all web developers must learn:
    1. HTML to define the content of web pages
    2. CSS to specify the layout of web pages
    3. JavaScript to program the behavior of web pages
    Want to find out what browsing would be like without Javascript on FireFox? Enter "about:config" in the URL and promise you won't break anything. Search for "Javascript" and toggle "Javascript.enabled" to false. Restart your browser. BUT, if I read the article correctly it doesn't matter if your browser is using Javascript, only that the server you are visiting is using javascript which has been hacked. Five years ago Google tried to get javascript replaced with their "Dart" language but failed. Python can't do it. Neither can PHP, Ruby or Perl. A big problem would be to rewrite https and update all the browsers, web tools and re-educate the developers.
    Last edited by GreyGeek; Aug 03, 2016, 08:13 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    Comment


      #3
      I do wish there were an alternative to Javascript...

      I can access the DOM interface with other tools, but those tools just are not as well developed.
      Kubuntu 24.11 64bit under Kernel 6.11.0, Hp Pavilion, 6MB ram. Stay away from all things Google...

      Comment


        #4
        Disabling 3rd party cookies is claimed to be one prevention technique:
        Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don't work unless third-party cookies are allowed.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.

        Comment


          #5
          I've seen a few sites which "warn" that I "must" allow third party cookies from their site, or as they phrase it: "to get full benefit" of their website...

          That's when I leave their site and remove any bookmarks I might have saved.

          Bad PR is bad PR and I hope it drives more people away, but sheeple want to be entertained (bread and circuses?).
          Kubuntu 24.11 64bit under Kernel 6.11.0, Hp Pavilion, 6MB ram. Stay away from all things Google...

          Comment


            #6
            http://www.nbcnews.com/tech/security...ng-you-n622391

            I installed the Toy-browser launcher app from the repository yesterday and opened TCP/UDP holes in my firewall for it at ports 9050 and 9150. It is a VAST improvement over the version I tried out five or six years ago. Very fast, with none of the plugin-container problems FF47 has. It exposed a tracker I had never seen before: third party requests for my HTML5 "canvas" information. Spamhouse blocked me from using Kubuntuforums because the IP address it was presenting to the world had been used before by a spammer or hacker. They have a feature which allows you to change your "identity", route and IP address by the click of a button. Plays YouTube videos very nicely.
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
            – John F. Kennedy, February 26, 1962.

            Comment


              #7
              Just wanted to point out umatrix in case you haven't used it, I've been using it for a few months and think it's a great replacement for noscript, gives you way more granular control over which scripts and frames etc. are downloaded & displayed by your browser.

              https://addons.mozilla.org/en-US/firefox/addon/umatrix/

              Useful, and also educational - see how many sites break with umatrix installed, and you see which sites have terrible design. For example, install ublock and then compare this pretty impressive yet clean site for a german civil engineering company:

              https://www.ischebeck.de/en/

              to BBC news:

              http://www.bbc.co.uk/sport/live/olympics/36706107

              the live feeds on BBC news seem to be even worse than the rest of the site, not only drawing scripts and content from 10+ subdomains, but sometimes using bare IP addresses. Not very elegant at all!
              samhobbs.co.uk

              Comment

              Working...
              X