Become a Patron of Ask Leo! and go ad-free!
Transcript
Focusing on Security and Privacy
Hi, everyone. Leo Notenboom here for askleo.com. I’m not sure if you’ve heard anything about it but we recently had an election here in the United States. Now, before you panic, I’m not going to go political on you. That’s not a topic that I feel serves an Ask Leo! audience however, there are some, I’ll just call “ramifications” from the way things have turned out that I think warrant some understanding and potentially some action on all of our parts.
The concern is that the incoming administration will take less of a positive role on things like personal privacy or net neutrality or any of a number of things related to the freedoms that we tend to take for granted here in the United States and from my perspective, freedoms that we specifically take for granted on the internet.
So, as a result one of the things that I think over the coming weeks I’m going to at least touch on a few different times in a few different ways is how to secure your privacy in a world that is becoming slightly more threatening for that very privacy. Whether you consider that to be a function of government surveillance or lax regulation or enforcement of privacy rules, that’s fine. You may also consider this to be protection from corporations or from other folks who may not have your best interests at heart.
The bottom line is that privacy, increasing your privacy is something that I think in the near term, in the coming years is going to be something that we’re all going to want to do to a greater degree for a variety of reasons. So, with that in mind, what I want to introduce you to today is a software add-on for the Chrome and Firefox browsers called HTTPS Everywhere.
Now, I want to back up just a minute and explain why HTTPS matters. HTTPS solves two specific problems. One, it confirms that the site you’re visiting, using HTTPS is in fact, the site that it claims to be. It’s not a fake site. So, for example, when you go to PayPal.com, the HTTPS implementation there confirms that the certificate, the security certificate that is present, the is part of the conversation when you make an HTTPS connection, belongs to and could only belong to the real, honest PayPal.com. So that’s one thing.
Confirmation that you’re talking to who you think you’re talking to. The other is actually slightly more relevant for our privacy discussion and that is that HTTPS connections are encrypted. What that means is that you can see the conversation, the recipient, the other end of the conversation can see what you are saying and what data you’re exchanging but in-between, at all different points in-between from your ISP to other computers on your network to anybody who happens to be able to see if your internet traffic, they can’t see what it is. All they see is encrypted data that they cannot decrypt.
They can’t see what you’re saying. When you’re talking to somebody like a PayPal or your bank or so forth, that’s important because you’re sharing personal financial information across the internet. HTTPS protects you; it keeps it private. HTTPS keeps all of its conversations private if it’s used and used properly. Last year, I think it was, I implemented HTTPS on askleo.com. In part, it was an exercise to see what it would take but in part also, it’s a way that ensures that what you look for on askleo.com, what you happen to be asking, what you happen to be viewing is private. Nobody in-between your computer and my web server can see as long as you’re using an HTTPS connection.
Now, over the past few years, we’ve seen more and more sites start to use HTTPS. It of course, started with banking and financial institutions. It’s moved on to mail services, most reputable online mail services now use HTTPS as the connection mechanism. If you go to Google’s Gmail for example, that will be an HTTPS connection. You’re conversation, your email that’s going back and forth over the internet is private; it’s between you and Google.
Like I said, more and more sites are switching to HTTPS for a variety of reasons – privacy being one of them. Now, what I learned in implementing HTTPS on askleo.com is that it is both simple and complex; it’s hard to describe it in more detail than that going down to technical rabbit hole that honestly, wouldn’t really help here, but the point is that it’s possible, it is not that hard, but it does require some of level geekiness; some level of expertise to make sure you have all the eyes dotted and the T’s crossed when you implement an HTTPS website.
More and more websites are doing that. Software is becoming easier and easier for those websites to use but it still does require some expertise on the site management side that to be honest, not all sites have. What happens, what we see from time to time are sites will respond to both HTTP and HTTPS. So depending on how you connect, your conversation may or may not be private with that site.
What’s worse is that some sites will have an HTTPS enabled so that you can visit in using HTTPS but links within the site will be HTTP so without your doing anything wrong at all, all of a sudden you’ll find that you no longer have an HTTPS connection simply because the site itself linked the wrong way.
That’s where this browser add-on, HTTPS Everywhere, comes in. It does a couple of different things. One, is if you visit a site that is known to support HTTPS, HTTPS Everywhere will make sure you use the HTTPS version of that site. That cascades because then that also solves this other problem of a site that links to itself or any link to that site that happens to be HTTP, the browser extension will automatically convert that to HTTPS if that site is among the sites that are known to support HTTPS. Hence the name: HTTPS Everywhere. If a site can support HTTPS, if it does support HTTPS, then installing this browser extension simply ensures that your connection will always be HTTPS. It will improve your privacy because now nobody looking at the conversation between you and that site will be able to decipher its contents. It will all be encrypted.
So that is right now a thing I’m going to suggest you consider. Yes, it is a browser add-on. It does require, right now I believe, only Chrome or Firefox. It is available from theElectronic Frontier Foundation. I will have a link for it in the notes with this video. Consider it; consider doing it. I’ve been running for a while. I’ve actually experienced no negative side effects from having this. It’s a very simple thing for the extension to do and it takes your privacy up a notch, right off the bat.
So, with that as our first step down a path of privacy, I’d like to understand what other issues you might be concerned about when it comes to privacy, when it comes to the coming years, when it comes to your experiences on the internet. I do have some other topics in the wings – some things that I think will help improve both your security and your privacy but I think privacy is going to be a theme for a little while. It’s going to be pretty important because in a lot of ways, I think our privacy is at risk.
So, let me know what you think. As always, here’s a link to this article posted on askleo.com. That’s where I read all the comments; that’s where the discussion happens. Please come visit. Let me know what you think about privacy, privacy issues, technology to help solve that. I’d love to hear from you. Until next week, I’m Leo Notenboom for askleo.com. Stay safe, have fun and don’t forget to back up. Take care.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
In the UK the government requires ISP’s to log all sites visited by a user and to make such logs available to government agencies when required. HTTPS Everywhere won’t help secure your privacy against this level of monitoring. Presumably, you would need something like a VPN to truly protect your privacy.
That’s correct. VPN’s are on my list to discuss in the future.
I’m in Australia, and, although a Commonewalth (Federal) law is already in operation, requiring ISPs and other communications providers to log all traffic for a 2-year period, the logs are only required to record metadata, and not the actual content of the communications. Yet…
In the UK, a law has recently been passed empowering the Home Secretary, (similar to the US Secretary of State, or the Australian Foreign Minister), to requiring those same communications providers as well as communications device manufacturers to provide “back doors,” (basically, encryption keys), which would enable the secret services to decrypt the actual content of all communications.
I wonder how long it will be before the US Government along with other governments, (including Australia), will pass similar laws?
Here is a link to just one of many, many articles on this subject, from the well-kinown and highly-respected technology website, The Register:
http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/
Read it and weep…
Please also note that the UK Government wants all communications device manufacturers to provide back doors into all their devices, including mobile phones, SIM cards, routers, etc.
How long will it be before criminals will also obtain those same back doors?
Also, as an added bonus, the same back doors will also render VPNs useless.
Here is yet another article I received just a few minutes ago, again, from “The Register.”
http://www.theregister.co.uk/2016/12/06/parallel_construction_lies_in_english_courts/
Scary, isn’t it?
That was exactly the issue when the U.S. Government wanted Apple to unlock a terrorist’s phone. The “What happens next?”
It’s shocking. Too many people adopt the position, “So what? I’ve got nothing to hide.” But as Edward Snowden very rightly said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
The societal implications of mass surveillance are enormous. In fact, it could very well turn out to be the biggest issue of our time.
Right now there appears to be a problem with the HTTPS Everywhere 2016.11.30 for Chrome Version 55.0.2883.75 m.
It tells me “This extension may have been corrupted”
Repairing it does not work, as well as an uninstall/reboot/reinstall.
Anyone have any info?
(sigh) I know I’ll catch hell for saying this, but it seems disingenuous of you to say you’re not going to go political on us, only to then assert there are ramifications of the election resulting in concern “that the incoming administration will take less of a positive role on things like personal privacy or net neutrality or any of a number of things related to the freedoms that we tend to take for granted here in the United States and from my perspective, freedoms that we specifically take for granted on the internet.” Seriously?? How is alleging that the “incoming administration will take a less positive role on things…” not making an overt and derogatory political statement?
I disagree with your political assertions. But, as an everyday visitor to your site and occasional poster, I appreciate your no-nonsense and helpful tech-related advice. On that note, I too have just installed HTTPS EVERYWHERE in Firefox.
Yea, Leo, we really appreciate your unbiased opinions on computers, but if there is some information you have based this assertion on, please, at least share a link to an article that has the facts that has lead you to this kind of shocking conclusion.
I’d have you spend some time reviewing information on the https://eff.org website itself, as well as https://www.fightforthefuture.org/, as well as the communications from those types of sources.
One of the reasons that I’m trying very hard to avoid politics is that I’m not in a position to change anyone’s mind. Most people on both sides of the issues have their minds made up and are unwilling to entertain alternative possibilities. It’s sad, but only time will tell. As I said in another comment, I’m simply going to use this as an opportunity to focus a little more on personal privacy over the coming months. Whether you fear your ex, your employer, hackers, or the government itself, the principles all apply.
If people can’t see bad privacy laws coming out of Washington I don’t know what to say. That is the reason more and more computer sites are talking about privacy and how to protect your self the best you can. At the end of the day it is going to have to come down to better laws along with this, not worse.
I’ll just say that the claims by some that this might be the case or ramification of the new administration is a good reminder for us to revisit issues relating to privacy.
If I go to a site that uses HTTPS, I know my ISP or employer (really just another ISP) can see that I’m on the site but can they tell what I am doing there? So, if I am on PayPal, can they tell I am looking at my account? If I am on YouTube, can they tell what video I am watching? If I am on Gmail, can they tell I am reading email or even can they read my email? I know HTTPS gives you protection against an outsider but exactly how much protection/privacy does it give you against an insider like an ISP or employer.
No. The entire conversation between you and the remote site is encrypted and hidden from everyone in between, including your ISP.
Is the identity of the remote site hidden?
No. Your ISP can see who you are visiting with HTTPS. You can use a VPN to hide the identity of the remote site.
Thank you for promoting the HTTPS Everywhere add-on. Three comments:
1. Please note that according to the EFF, HTTPS Everywhere works with the Opera browser as well as Chrome and Firefox.
https://www.eff.org/HTTPS-everywhere
2. For any web site that uses HTTPS, especially login pages, I use the free Qualys SSL Server test, which checks the site’s configuration of security certificates. I have found quite a range of results, all the way from “F” (after I sent that site an email, they promptly upgraded and earned an “A-” grade) to “A+”. Basically, you copy and paste the URL of the HTTPS page you’re curious about into the Qualys test page, click “Submit,” and in a short while you get the results. Here’s the link to the Qualys SSL Server test:
https://www.ssllabs.com/ssltest/
FWIW, https://askleo.com/ earns an “A” (which is really good, if not the best possible score).
https://www.ssllabs.com/ssltest/analyze.html?d=askleo.com
3. What impact does HTTPS Everywhere have on third-party services used by many web sites (ads, e-commerce services, login services, etc.)?
2. That’s why I said it’s hard and technically involved. It’s easy to get sort-of right. And sort-of wrong. 🙂
3. Basically it should be insisting that these 3rd party sites also use https if available. (Most do now.) However if it can’t, it can’t, and your browser should give you a mixed content warning.
Hello Leo , I have Norton safe search , Is that in itself good enough ? Thank-you . Great Knowledge you give . Much appreciated .
“Good enough” for what? It’s not the same as https everywhere. It solves a different problem.
I enjoyed your discussion “Focus on security and privacy” and attempted to install “HTTPS Everywhere” to my chrome extensions. I repeatedly received a notice that the extension may have been corrupted and an option to repair. Choosing the repair option did not remove the potential corruption message. Any further thoughts on this extension? Thank you
At that point, I’d remove it and reinstall it and see if that works.
I’d remove it and not bother reinstalling. The extension addresses a problem that doesn’t need to be addressed and is frequently problematic (as can be seen from some of the other comments here). The bottom line it doesn’t do much at all to improve security in the real world.
I have found your items to be very helpful and this one is no exception. I started to follow you when I had my PC but now I have an Apple, while a lot of the subjects are transferable between platforms, this one does not address Safari, will you be doing so in the future?
Well, it’s not me that needs to do the work: EFF’s HTTP Everywhere doesn’t appear to support Safari. They would have to make it do so. I happen to use Google Chrome on my Mac where it works just fine.
Leo keep pushing with security and privacy. I’m sorry to say I think most people have gave up on privacy. They just fill like they don’t have a chance anymore protecting their privacy, and not with out good reason. The laws are bad if any, most don’t have the knowledge, and then they’re some that just don’t care.
We fight for so many things in the free world. Privacy should be there. It should be neutral ground for all of us to stand up for. How could it not be…
HI Leo, Thanks for a thought provoking article. I do have one question though. If your site is hacked and malicious code is put on it that can infect a users PC doesn’t that negate the use of https?
Depends on what you’re trying to protect. Your conversation with that site will likely remain private, being over https. That site may, however, download malware or what not that can do anything.
I understand that HTTPS Everywhere cannot hide the web sites that one visits, only the contents as long as HTTPS on that site is available. I use a product called, “Private Internet Access” that is supposed to hide my web accesses by routing them encrypted through their servers. Would these two tools together provide better protection from snooping ISPs or government agencies? I realize that there is always a way to get to the information, given enough resources and incentives. But in general, this may be a way. A Virtual Private Network is not the total solution unless the other end of my web link is sharing the same tool. But this may be a good compromise.
A VPN along with HTTPS should keep you pretty anonymous, with the VPN hiding the your IP address and from the websites you are visiting and the IP addresses of the sites your are visiting from your ISP, and HTTPS encrypting the entire communication between you and the website. And for those non HTTPS pages, at least your information transfer between you and the VPN is encrypted, so you still have some protection. And I might be going out on a limb saying this, but most sites which should be using HTTPS, financial institutions, Ask Leo! 🙂 etc. do use HTTPS.
Maybe. Sounds like it is a VPN.
A privacy issue you might like to consider is how Google tracks your activity.
Not only does Google track all your web Searches, but if you carry an Android mobile phone or Tablet, as I do, (possibly iPhones as well) then Google can track your movements around the country! This is truly scary!
I have just had a look at My Activity on Google, as suggested by an article, read and I was amazed that there was a list of addresses I had visited, and even maps of my journeys! I was able to delete these, but I am not confident that they will not continue to track me through my use of my devices! Sorry if my paranoia is showing!!
I should add, there is a way to stop Android devices reporting their locations, and that is to Turn Off “Locations” in the Settings. However, this may affect the operation of some Apps.
I keep location off when I’m not using Google Maps. I’m not too concerned about the tracking as much as preserving my battery, but the end result is the same.
Welcome to 1984!
Google’s Location History is interesting, eh, and certainly provides an indication of how much personal data companies collect. It’s worth noting that it’s not only Google that do this. Many – likely most, in fact – of the websites you visit use embedded third-party tracking systems to monitor your behaviour and activities. The tracking systems use cookies, device/browser fingerprinting and cache data to track not only your activity on a particular website, but also to track you across other websites – with all that data being linked back to your IP/location and, if you log in to any of the sites, possibly your identity too . You can also be tracked across devices in ways that make it impossible to opt out:
http://www.marketingmag.ca/tech/cross-device-tracking-is-the-next-big-threat-to-consumer-privacy-140588
The reality is that, unless you’re willing to take extraordinary measures, it’s almost completely impossible to avoid being tracked. While I don’t feel particularly comfortable with the amount of data that companies surreptitiously harvest, I also don’t worry too much about it. As I said, it’s almost completely unavoidable and the data is used for nothing more sinister than marketing purposes (at this point in time, anyway).
Dear leo, recently I have been facing a problem with your site while visiting from Firefox for Android. The problem is the pop up for subscription to your newsletter takes the whole space in the browser. And most of the time I can not get to the ‘x’ button as I have already subscribed to your newsletter. Your content is always great and helpful,and I really enjoy your articles.I hope you will look into this matter. Thank you.
It’s hard to understand exactly what you;re seeing – nothing’s changed at this end. Typing the ESC key should make it go away. (Also, you should only see it something like once a month, unless you’re clearing cookies.)
Truly appreciate your newsletter and the valuable information and insights it provides. I have tried to install the HTTPS Everywhere extension to Google Chrome but receive a message that the extension is corrupt. It will not resolve with repair extension. Is there a certain procedure required to install this extension? Using Windows 7 Home Premium 64-bit
It should install normally like any other extension. Not sure what to tell you.
You asked what concerns about privacy we have, and I thought I would bring up one. I don’t know if it’s been brought up on this web site, but maybe it could be a subject of a future video, and that is password strength. I’ve seen conflicting information on how secure a password is. I use Roboform and a Word document to store my passwords, and all passwords contain randomly picked strings, sometimes with special characters, depending if the site requires them. These kinds of passwords are the most secure of all, but the password I use to access the Roboform files isn’t as secure. Do you have a good source of finding out if a password is a secure password where a hack will be almost impossible?
“Do you have a good source of finding out if a password is a secure password where a hack will be almost impossible?” – This:
https://howsecureismypassword.net
Password length/complexity is actually not as important as many people think. Passwords mainly get compromised in one of three ways. Database theft and phishing are by far the most common, and the complexity of the password does nothing to help in such scenarios (a complex password can be stolen or phished as easily as a simple password). The third way is for it to be guessed or otherwise discovered by a dishonest friend/family member/co-worker. In this scenario, complexity does help, but a password does not need to be enormously complex to defeat the attacker.
Password checkers, such as the one I linked to above, assume that somebody will be running cracking tools against your password. In the real world, however, that simply does not happen (unless, that is, you’re specifically targeted because your laptop is loaded with trade secrets worth millions).
To be clear, I’m not suggesting that strong, long passwords shouldn’t be used – it’s easy to do, so you may as well do it – simply that it’s not necessarily as important as people think.
Actually there is an argument for complexity – or at least length – in the case of database theft: brute-force (or rainbow tables) in conjunction with poor password database design. The shorter/simpler your password is the more likely it is to be able for a hacker to try all possible passwords against a stolen database. At a minimum it’s trivial for them to try huge databases of known or common passwords. As I said, good database design can make this significantly more difficult – but the opposite, poor database design, can also make it next to trivial for the hackers. And, sadly, we keep hearing about compromises where it turns out the stolen database was implemented poorly.
This is one of the reasons I’ve started promoting length over complexity. A short 8 character password can now be compromised no matter how complex it is. The odds of a longer (say 16 character) password being compromised in that manner are significantly smaller.
And then…..
https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/
I think the best option for most people is to use a password manager to both create and remember passwords. While that may not prevent their accounts from being compromised, it’ll certainly make their lives easier.
Leo,
In this fairly recent, updated post that you made regarding PRIVACY (see https://askleo.com/should-i-upgrade-to-windows-10/ ) you state “You can find lots of rants and discussions on the topic all over the internet. It’s an area ripe for thoughtful discussion as well as paranoid knee-jerk reaction. My take: I’ll stick with what I’ve been saying for years: you and I just aren’t that interesting as individuals. For the vast majority of computer users, no one cares what you are doing, and no one is watching you – not Microsoft, not anyone else.”
I liked the above perspective on privacy that you posited in that post, i.e. that nobody really gives a hoot what we’re doing on the internet. But now you seem to have dramatically changed your long-standing mindset on this privacy issue.
Can you clarify?
“I liked the above perspective on privacy that you posited in that post, i.e. that nobody really gives a hoot what we’re doing on the internet.” – My take is that companies – and governments – absolutely give a hoot about what you’re doing on the internet, which is why billions is spent each year on tracking your activities, preferences, behaviour and logging it with your demographic data and whatever other personal information they can get their hands on. Today, that data is used for (mostly) innocuous purposes such as delivering ads that are based on your interests and preferences – but how will it be used tomorrow? Take a look at this:
http://www.businessinsider.com.au/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2
Consider too that impact that knowing you’re being surveilled may have on you. Would you still feel able to speak freely and criticize your government’s policies? In the US, you probably would – today, anyway – but in many other countries you would not.
To borrow some words from Edward Snowden, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
Privacy is extremely important and is not something that should be taken for granted.
I’ve not dramatically changed at all. I still believe that we’re typically uninteresting. I do believe that today’s political climate has more people more interested in privacy than before, making it a topic worthy of deeper discussion.
Hello, can someone see my view logs or access logs from another pc? Like fore example my friends?
In the case of people you know, pretty much the only way they could do that is if they were able to sit down at your computer and install malware.
Hey there Leo,
i need to ask you a question so bear with me please. I have registered on one site using my gmail address. On the same site few days later i have also registered using my other gmail address. So somehow they have figured out that both my gmail addresses are connected and suspended me since they don’t allow duplicate profiles. My question is how do they know these two gmails are connected? There is no way to figure out these two are connected, they are not even recovery gmails.
well yeah but they specifically said to me it was a duplicate account and in mail wrote to me my other email address.
Probably your IP address, and perhaps the contents of your posts. It’s also pretty easy for them to watch for this using browser cookies.
Hmm well could be cookies or ip address but its not a site where you can post stuff so i don’t think thats the case. I am not actually sure what you mean by posts? ^^ But since ita not that kind of site, dont think thats the case.
Even sites you can’t post on sometimes place cookies on your computer. Sites which require registration and logging in need to use cookies to keep you logged in when accessing different pages on their site.
Is HTTPS Everywhere still relevant as all browsers use the HTTPS connection if it exists? If I enter askleo.com, it automatically goes to https://askleo.com.
It’s not the browsers that make the choice. They go exactly where you tell them, http or https.
In the case of askleo.com it’s my server that redirects you to the https version.
While most sites (and most links) are https these days, HTTPS everywhere continues to have some, though ever decreasing, value for the sites that don’t do things automatically for you.