Reddit co-founder: Tech companies can help fight NSA snooping [video] - Crypta
http://www.rawstory.com/rs/2013/06/30/reddit-co-founder-tech-companies-can-help-fight-nsa-snooping/

======
lucb1e
Start by implementing https on Reddit then. The only page using https is the
login page, but only if you load reddit.com/login directly. If you use the
main form (which doesn't even mention the dedicated and secured login page),
sslstrip (there's an app for that, literally) can intercept the credentials.

~~~
pietro
If the form is submitted to an HTTPS URL, the credentials will be submitted
using HTTPS. The protocol of the page containing the form doesn't matter.

~~~
lucb1e
I'm sorry but you're wrong. Look up what sslstrip does (that I mentioned in
the post you replied to).

~~~
thirsteh
He's right--you're just not talking about the same thing. You're saying that
if somebody forges a non-HTTPS page so that it _doesn't_ POST to the original
secure page, then you can trivially intercept the credentials, and you're
absolutely right. But pietro is also correct that if a non-HTTPS page that
POSTs to a HTTPS page _isn't_ manipulated, then yes, the POST contents will
be encrypted--but the fact that that doesn't matter if you can manipulate the
connection is clearly a problem, one HSTS is intended to alleviate.

~~~
lucb1e
Except if the HSTS cache is not present for whatever reason (reinstalled OS,
new browser, cleared browser cache, or just a first-time visit). Rather
unlikely usually, but HSTS is not the ultimate solution to this. People should
type https manually or know exactly what to look for (padlock; don't mistake
paypal.com.index.php.session.longhexcode.tk for paypal; mixed content; etc.)
if they want to be absolutely positive the connection is secure.

~~~
thirsteh
That's why I said alleviate, not solve. HSTS is a bandaid at best.

The bottom line is regular people don't know the difference between entering
"www.mybank.com" or "https://www.mybank.com", they
never do the latter, and they rarely notice if a page is non-HTTPS if it has
other icons that make it seem secure (e.g. "McAfee protected")--hence the
reason sslstrip exists in the first place.
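
The HSTS point thirsteh raises, and lucb1e's caveat that the policy only helps once the browser has cached it, can be checked against a site's own Strict-Transport-Security header. The following is an added example written for this thread, not code from reddit or from any commenter; it parses the header as RFC 6797 describes and lists which downgrade windows (short max-age, unprotected subdomains, no preload entry for the first visit) a given header still leaves open, using constructed sample headers.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600  # minimum max-age the browser preload list asks for

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Policy a browser would honour, or None if the header is absent or invalid."""
    if value is None:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:  # max-age is mandatory; without it the header is dropped
        return None
    return HstsPolicy(max_age, include_sub, preload)

def assess(value: Optional[str]) -> List[str]:
    """List the downgrade windows a header leaves open (empty list = none found)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid HSTS: every plain-http visit can be stripped"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 deletes the cached policy instead of setting one")
    elif policy.max_age < ONE_YEAR:
        findings.append("max-age under one year: policy can lapse between visits")
    if not policy.include_subdomains:
        findings.append("subdomains unprotected: a plain-http subdomain can be stripped")
    if not policy.preload:
        findings.append("not preloaded: first visit or a fresh browser is unprotected")
    return findings

# Constructed sample headers, not captured from reddit or any real site.
SAMPLES = {"absent": None, "weak": "max-age=300",
           "strong": "max-age=31536000; includeSubDomains; preload"}
```

Calling `assess(SAMPLES["weak"])` returns three findings while the "strong" sample returns none; a header without max-age is treated as absent, which is also what a browser does.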

------
motters
I think it's more complicated than this video suggests. The most obvious
omission is where are the rights of non-Americans in all of this? Privacy
isn't just something in the US constitution, it's a human right. As it stands
it looks as if well known US companies whose users aren't exclusively American
are being used as vehicles to abuse people's rights globally.

Also, I'm not sure that there is a business model fix for this. Presumably if
someone from the government shows up and insists that certain equipment be
installed at your company then you have no legal powers to resist that. If
there are data retention laws then you have to store data for some amount of
time.

Technology can go some way towards ameliorating the problems, but I think the
ultimate fix for this bug is at the political level.

------
tippytop
If there's one thing we've learned from all this it's that the tech companies
should be viewed as collaborators and can not be relied upon to assert our
privacy rights.

------
mtgx
Why aren't Google, Facebook and Microsoft joining the StopWatching.Us
movement? Google joined the anti-SOPA movement last time, and urged visitors
to call their Congressman over it, but that was because it was in their
immediate profit interest. Maybe they still don't think this spying scandal
will affect them much.

