Is it time to make everything encrypted?


Cambre, Aren

http://www.theverge.com/2016/9/8/12847880/chrome-warning-encryption-web-google-ssl-https

 

“The next version of Chrome will include a new warning for unencrypted login sites, according to a post today on the Google Security Blog. Chrome 56, which is planned to launch in January, will mark HTTP login pages as "not secure" in a window next to the address bar. Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.”

 

Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 



You are currently subscribed to [hidden email].
To unsubscribe send an email to [hidden email] with the subject line unsubscribe uwebd. Leave the message body blank. If you experience problems, contact list owner Eric Kreider at [hidden email]. More information is available at: http://www.uakron.edu/webteam/university-web-developers.dot




Re: Is it time to make everything encrypted?

Bauserman, Andrew A

Short answer: Yes.

The quoted statement is specifically about clear-text login pages. Every part of a system that relies on login needs to be encrypted, which everyone has known since 2010 when Firesheep turned the exploit into a browser plugin... https://en.wikipedia.org/wiki/Firesheep

With the prevalence of weaponized images & "specially-crafted urls" that a man-in-the-middle could insert into a page, it's about time we encrypt all connections (and deploy certificate pinning and HSTS). And thanks to letsencrypt.org the barrier to setting up a secure server is virtually nil.

Opinions are my own... not necessarily my employer's ;)

--
Andrew Bauserman
Web & Design
William & Mary
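
An added illustration, not part of either message in this thread: a small Python audit for the two conditions discussed above, login forms exposed over plain HTTP (a rough approximation of what the quoted article describes, not Chrome's own logic) and a missing HSTS policy on an HTTPS page. The `example.edu` URLs, the sample form and all function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Records the resolved submit URL of every password field on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None  # submit URL of the form we are inside
        self.login_actions = []     # where each password field would be sent

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.current_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.login_actions.append(self.current_action or self.page_url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return None

def audit(page_url, html, headers):
    """Return a list of findings for one fetched page (headers: dict of str)."""
    findings = []
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    is_https = urlsplit(page_url).scheme == "https"
    if parser.login_actions and not is_https:
        findings.append("password field served over HTTP")
    for action in sorted(set(parser.login_actions)):
        if urlsplit(action).scheme != "https":
            findings.append(f"credentials submitted in clear text to {action}")
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    # Browsers ignore HSTS sent over HTTP; max-age=0 removes the policy.
    if is_https and not hsts_max_age(hsts):
        findings.append("no usable HSTS policy")
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE_HTML = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
```

An HTTPS page whose form posts to an `http://` action is still reported, since the password leaves the browser unencrypted even though the page itself loaded securely.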



