An imminently forthcoming version of Google's Chrome browser will flip the way that browsers convey information about privacy and security to users: instead of discreetly informing users that the HTTPS-enabled sites they're browsing are more secure, they'll flag any non-HTTPS site as insecure, with a series of escalating alerts that will end -- at some unspecified date -- by displaying an exclamation point inside red triangle and the letters HTTP next to the web addresses of non-HTTPS sites. Read the rest
Fallout from yesterday's enormous dump of internal documents from Italy's notorious Hacking Team, a cyber-arms dealer for the world's worst autocratic regimes, is just getting started. Read the rest
Librarians in Massachusetts are working to give their patrons a chance to opt-out of pervasive surveillance. Partnering with the ACLU of Massachusetts, area librarians have been teaching and taking workshops on how freedom of speech and the right to privacy are compromised by the surveillance of online and digital communications -- and what new privacy-protecting services they can offer patrons to shield them from unwanted spying of their library activity.
April from EFF writes, "Help improve the Electronic Frontier Foundation's free software projects to defend freedom & enhance privacy and security online.
Here's a list of all the projects we invite you to hack your heart out on!" Read the rest
Peter from the Electronic Frontier Foundation writes, "Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies."
I installed it today. Read the rest
Kate sez, "Soapy is a new web browser plug-in that allows users to visit websites blocked by SOPA by automatically redirecting them to the site's IP address. The Firefox version of the plugin is downloadable now; the Google Chrome version will be finished shortly.
This free software makes the practical implementation of SOPA impossible, since anyone can download the plug-in and circumvent SOPA. So--if anybody can unblock SOPA, what is the point of SOPA?"
Read the rest
The code is available on GitHub for programmers, activists, and informed consumers. Every site that Soapy unblocks has a set of XML rules that are tailored to the quirks of that specific site. Much of the code has been borrowed from HTTPS-Everywhere and NoScript. Templates are available so that unblocking future sites can be crowdsourced by hacktivists inside or outside the United States (Soapy's developer is a member of this community) as quickly as they are identified.
For reasons unknown, Microsoft has changed the settings on Hotmail to disable HTTPS for users in several countries including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Hotmail users in those countries can now be readily spied upon by ISPs and their governments. The Electronic Frontier Foundation has some good perspective:
Microsoft debuted the always-use-HTTPS feature for Hotmail in December of 2010, in order to give users the option of always encrypting their webmail traffic and protecting their sensitive communications from malicious hackers using tools such as Firesheep, and hostile governments eavesdropping on journalists and activists. For Microsoft to take such an enormous step backwards-- undermining the security of Hotmail users in countries where freedom of expression is under attack and secure communication is especially important--is deeply disturbing. We hope that this counterproductive and potentially dangerous move is merely an error that Microsoft will swiftly correct.
The good news is that the fix is very easy. Hotmail users in the affected countries can turn the always-use-HTTPS feature back on by changing the country in their profile to any of the countries in which this feature has not been disabled, such as the United States, Germany, France, Israel, or Turkey. Hotmail users who browse the web with Firefox may force the use of HTTPS by default--while using any Hotmail location setting--by installing the HTTPS Everywhere Firefox plug-in.
Microsoft Shuts off HTTPS in Hotmail for Over a Dozen Countries
EFF's latest HTTPS Everywhere plugin helps protect against ... Read the rest
The new version of the Electronic Frontier Foundation's excellent HTTPS Everywhere browser tool specifically protects against having your credentials to many popular sites lifted with Firesheep (as well as by deliberately malicious tools that actual bad guys make). Wherever a site allows for SSL throughout your session, HTTPS Everywhere will add this. I was recently at EFF and asked Seth Schoen, a staff technologist, to print my boarding card for the next day's flight from his computer. It took a long time. When I asked why this was, Seth told me that he'd realized that Continental didn't use SSL to transmit boarding cards by default, but that they supported it, so he was adding a HTTPS Everywhere rule to make sure all the HTTPS Everywhere users who used Continental's boarding pass service would be protected in future. EFF is adding new sites by the shovel-load, making the free/open HTTPS Everywhere indispensable.
Read the rest
This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.
"These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool," said EFF Senior Staff Technologist Peter Eckersley.
Photo: Prasad Kholkute
Firesheep should freak you out, at least for a moment. It's a Firefox extension that lets any normal human being--I'm not talking about you, BoingBoing readers--install the add-on and then steal the active sessions of people using unencrypted browsing sessions with popular online services on the same Wi-Fi network. This involves no Wi-Fi foolery, because the necessary network traffic is openly available.
Walk into any busy coffeeshop, fire up the 'sheep, and a list of potential identities to assume at any of two dozen popular sites appears. Double-click, and you snarf their identifying token, and log in to the site in question as that person.
Firesheep is a business-model tour de force, not a zero-day technical one. It's a proof of concept that repackages and expands on earlier security research to expose a failure in the risk profile adopted by Web sites on behalf of their unsuspecting users. There's no money to be made by a Web site in fixing this problem for its customers or readers. Thus, only a security-conscious CIO might be able to push through the budget item necessary to bump the back-end systems up to the level needed.
Firesheep is a public relations exploit, too; it's so easy to use and to demonstrate that it shot round the world. Previous demonstrations spread the word in the tech community, and a little beyond. Firesheep is telegenic. Read the rest
The Electronic Frontier Foundation and The Onion Router (TOR) project have teamed up to release a new privacy-enhancing Firefox plugin called HTTPS Everywhere. It was inspired by Google's new encrypted search engine, and it ensures that whenever you visit a site that accepts encrypted connections, your browser switches into encrypted mode, hiding your traffic from snoops on your local network and at your ISP. HTTPS Everywhere covers Google search, Wikipedia, Twitter, Identi.ca, Facebook, EFF, Tor, Scroogle, DuckDuckGo, Ixquick and other smaller search engines. It's still in beta (what isn't?) but I've been running it all morning with no negative side effects.
Encrypt the Web with the HTTPS Everywhere Firefox Extension
Psiphon: critique from a crypto community member
EFF, AT&T and Google all on the same side of this privacy fight ...
What will happen to your crypto-keys when you die?
Pirate Bay offering crypto tools to fight Swedish spying laws ...
Scalia Scoffs at Calls for More Data Privacy Protection, Students ...
Talking About AT&T's Internet Filtering on AT&T's The Hugh ...
HOWTO protect your online privacy now that the Senate repealed the ...
HOWTO use TOR to enhance your privacy
Ada Lovelace Day hero: Cindy Cohn Read the rest