If Trump has “tapes” on Comey, you’re next: encrypt the web!

HTTPS Everywhere!

I’m going to diverge from my usual topic today to write about internet security. I’ve actually been meaning to post something about this for a long time, but the Trump news cycle has kept me busy with all of his shenanigans. Recently, however, something came up that makes a cybersecurity post a timely one.

Recently I was asked for permission to cross-post one of my posts on another blogging-type site and I said OK. They set up an account for me on their site and gave me a password through email. Naturally, I wanted to change it, but then I noticed that the login page to the account was not secure. Also, when I did change the password an email was sent back to me with my new password right in the email (!), which kind of defeats the purpose of changing it.

I contacted the site’s administrator and asked if this could be changed. The admin told me that although s/he agreed with me they couldn’t do it now because of their shoe-string budget. I explained that I understood that, but informed them that I wouldn’t be logging into the site until this was changed and hoped they understood. They said they didn’t understand, but whatever.

I’m not naming the person or site because I think s/he’s probably sincere and I don’t want to make it seem like I’m throwing mud at them. I hope their site becomes a great success, but it’s important that they understand the necessity of keeping things secure and how it can scare bloggers like me away from their site.

I remember the old days of the internet when we were blissfully ignorant of the dangers of internet insecurity, back when we thought that “qwerty1234” was a strong password and weren’t afraid to search the web for terms like “how to get rid of warts in my butt.” Fast forward to 2013 and we find out from Edward Snowden that the NSA’s been collecting data on all of us. Sure, I know— none of us are important enough for the NSA to really care about, but it’s unsettling nonetheless. And we find out that Facebook and Google are harvesting our data as well. And this year Trump signed the repeal of privacy protections passed last year by the Federal Communications Commission (FCC) that would have given internet users greater control over what service providers can do with their data. Thanks a lot, Trump. And we can’t forget to mention the most probable threat to your privacy: criminals and miscreants who want to use your data for their profit, or simply to harass you.

So you think, what’s the big deal, you have nothing to hide? Next time you apply your hemorrhoid cream give me a call and we’ll live-stream it. But that would be your prerogative; our lives should be private by default and you should be able to share only what you want to share. This isn’t paranoia. It’s just that times are changing and we have to be prepared to deal with it.

Okay, so the dangers are established. Now, what can we do about it?

First, understand that email is not, and never was intended to be, a secure means of communication. You can make email more secure by using GPG to encrypt and sign your messages, but I understand that many are not willing to nerd hard enough to get this set up.

For those people, an easier solution that should meet most people’s needs is an email account at ProtonMail or Tutanota. These sites offer webmail accounts using JavaScript encryption, which many argue is not secure, but I argue is “secure enough” for the average user. Whatever the case, it is wise to consider anything sent through email as vulnerable. Never, never, send passwords, credit card info, or anything else of a sensitive nature through email. In the case of the blogging site I mentioned above, I could not change my password without that same password being sent back to me through cleartext email, which pretty much makes the new password compromised as far as I’m concerned. That’s basically like sending your password on a postcard.

Secondly, be aware of HTTP vs HTTPS. HTTP stands for “Hypertext Transfer Protocol” and this is the protocol used to deliver most of the web pages you look at on the internet. Increasingly, though, web sites are utilizing HTTPS, the “S” meaning “secure.” This protocol encrypts your connection to web sites. A peeping-tom spying on your packets will be able to see what website you’re looking at, but won’t be able to see what you’re doing on that website. For example, if you go to https://www.google.com an observer will see that you are on Google, but will not be able to see what you are googling. On regular HTTP sites it’s all clear text and anyone can see everything. Next time you log in to an account, look at your browser’s address bar. You should see a lock symbol. This means you are using HTTPS.

Like this, in Firefox. (image from Wikipedia)

This is dependent on your browser, of course, but if you don’t see any indication that you are using HTTPS when logging in, do not log in. Your user name and password will be clear to anyone monitoring your network. This is the case with the website I mentioned above. Besides the insecurity of transmitting passwords through cleartext email, there is no way to securely log in to that site.

So how can you ensure you are using HTTPS when browsing? Well, not every website uses HTTPS, and that’s part of the problem. But one thing you can do, besides manually typing in “https” when you go to a website, is install HTTPS Everywhere, a browser extension courtesy of the Electronic Frontier Foundation that forces your browser to use HTTPS if it’s available. This is a simple thing to do. I highly recommend installing this add-on. Do this now.

Obviously, this post isn’t intended to be a technical guide on how to be a cyber-ninja. These are just a couple of things regular folks should think about when using the interwebz. These are probably the most basic considerations that can make the biggest impact on your security. Maybe in the future we’ll talk about Tor, VPNs, proxies, encryption, etc., but I’m sure there are better sites out there that talk about that kind of stuff. Also, I hope the administrator of the blogging site mentioned above is reading this. S/he said that s/he did not understand where I was coming from with this, but I hope this helps to explain my position. As it is, her/his website is not secure and I sincerely hope that changes will be made.

America is about freedom, and part of being free is having a say in one’s own privacy and security. I consider this especially relevant nowadays. With all the available technology and a president who seems more than willing to flagrantly violate your civil liberties, it is incumbent upon us to take responsibility for our privacy. When Trump implies a threat regarding “taped” conversations to his former FBI Director you should take that as an indication about how little he would care about your privacy.

For further reading on smart internet usage, I recommend perusing the EFF website, www.eff.org, for more tips and knowledge.
