Reddit co-founder: Tech companies can help fight NSA snooping [video] (rawstory.com)
27 points by Crypta 1488 days ago | 10 comments

Start by implementing https on Reddit then. The only page using https is the login page, but only if you load reddit.com/login directly. If you use the main form (which doesn't even mention the dedicated and secured login page), sslstrip (there's an app for that, literally) can intercept the credentials.

Actually, if you go to reddit.com/login directly, you get http://reddit.com/login, not https://reddit.com/login, which means anyone can forge the login page. This is the problem HSTS was designed to be a band-aid for, but reddit doesn't use it:

    # curl -i reddit.com/login
    HTTP/1.1 302 Moved Temporarily
    Server: AkamaiGHost
    Content-Length: 0
    Location: http://www.reddit.com/login
    Date: Sun, 30 Jun 2013 22:50:13 GMT
    Connection: keep-alive

    # curl -i www.reddit.com/login
    HTTP/1.1 302 Moved Temporarily
    Content-Length: 0
    Location: https://ssl.reddit.com/login
    Cache-Control: no-cache
    Date: Sun, 30 Jun 2013 22:50:24 GMT
    Connection: keep-alive

If the form is submitted to an HTTPS URL, the credentials will be submitted using HTTPS. The protocol of the page containing the form doesn't matter.

I'm sorry but you're wrong. Look up what sslstrip does (that I mentioned in the post you replied to).

He's right--you're just not talking about the same thing. You're saying that if somebody forges a non-HTTPS page so that it doesn't POST to the original secure page, then you can trivially intercept the credentials, and you're absolutely right. But pietro is also correct that if a non-HTTPS page that POSTs to an HTTPS page isn't manipulated, then yes, the POST contents will be encrypted--but the fact that that doesn't matter if you can manipulate the connection is clearly a problem, one HSTS is intended to alleviate.

Except if the HSTS cache is not present for whatever reason (reinstalled OS, new browser, cleared browser cache, or just a first-time visit). Rather unlikely usually, but HSTS is not the ultimate solution to this. People should type https manually or know exactly what to look for (padlock; don't mistake paypal.com.index.php.session.longhexcode.tk for paypal; mixed content; etc.) if they want to be absolutely positive the connection is secure.

That's why I said alleviate, not solve. HSTS is a band-aid at best.

The bottom line is regular people don't know the difference between entering "www.mybank.com" or "https://www.mybank.com", they never do the latter, and they rarely notice if a page is non-HTTPS if it has other icons that make it seem secure (e.g. "McAfee protected")--hence the reason sslstrip exists in the first place.
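As an added example (not code from the thread or from reddit): a small audit that walks a login redirect chain and reports the two conditions the comments above identify, hops over plain HTTP where a redirect or form can be rewritten, and a final response without a usable Strict-Transport-Security header. The sample chain is constructed from the two curl responses quoted above plus an assumed final HTTPS response, so it runs offline.

```python
"""Audit a login redirect chain for plaintext hops and missing HSTS."""
from urllib.parse import urlsplit

# Constructed sample: the two 302 responses quoted in the thread, plus an
# assumed final HTTPS response (the thread stops at the second redirect).
SAMPLE_CHAIN = [
    ("http://reddit.com/login", 302, {"Location": "http://www.reddit.com/login"}),
    ("http://www.reddit.com/login", 302, {"Location": "https://ssl.reddit.com/login"}),
    ("https://ssl.reddit.com/login", 200, {}),  # assumed; no HSTS header
]


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def audit_chain(chain):
    """Return a list of findings for a [(url, status, headers), ...] chain.

    Every hop reached over plain HTTP is a point where the redirect or the
    login form can be rewritten; a final response without a usable HSTS
    header gives the browser no instruction to skip those hops next time.
    """
    findings = []
    for url, status, _ in chain:
        if urlsplit(url).scheme != "https":
            findings.append(f"plaintext hop: {url} ({status})")
    final_url, _, final_headers = chain[-1]
    headers = {k.lower(): v for k, v in final_headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("final response sets no Strict-Transport-Security")
        return findings
    if urlsplit(final_url).scheme != "https":
        findings.append("HSTS sent over HTTP is ignored by browsers")
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age <= 0:
        findings.append("HSTS max-age is missing, zero or malformed")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains, so www./ssl. hosts stay exposed")
    return findings
```

Even a clean result only covers browsers that have already seen the header; the first visit, or a fresh profile, still starts on HTTP as the thread notes.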

I think it's more complicated than this video suggests. The most obvious omission is where are the rights of non-Americans in all of this? Privacy isn't just something in the US constitution, it's a human right. As it stands it looks as if well known US companies whose users aren't exclusively American are being used as vehicles to abuse people's rights globally.

Also, I'm not sure that there is a business model fix for this. Presumably if someone from the government shows up and insists that certain equipment be installed at your company then you have no legal powers to resist that. If there are data retention laws then you have to store data for some amount of time.

Technology can go some way towards ameliorating the problems, but I think the ultimate fix for this bug is at the political level.

If there's one thing we've learned from all this it's that the tech companies should be viewed as collaborators and cannot be relied upon to assert our privacy rights.

Why aren't Google, Facebook and Microsoft joining the StopWatching.Us movement? Google joined the anti-SOPA movement last time, and urged visitors to call their Congressman over it, but that was because it was in their immediate profit interest. Maybe they still don't think this spying scandal will affect them much.
