Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Focusing on Security and Privacy

Become a Patron of Ask Leo! and go ad-free!

Transcript

Show Transcript

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

64 comments on “Focusing on Security and Privacy”

  1. After listening to this video, I clicked on Firefox add-ins to install the app. The first suggestion in the list was HTTPS Everywhere.

    Reply
  2. In the UK the government requires ISP’s to log all sites visited by a user and to make such logs available to government agencies when required. HTTPS Everywhere won’t help secure your privacy against this level of monitoring. Presumably, you would need something like a VPN to truly protect your privacy.

    Reply
      • I’m in Australia, and, although a Commonewalth (Federal) law is already in operation, requiring ISPs and other communications providers to log all traffic for a 2-year period, the logs are only required to record metadata, and not the actual content of the communications. Yet…

        In the UK, a law has recently been passed empowering the Home Secretary, (similar to the US Secretary of State, or the Australian Foreign Minister), to requiring those same communications providers as well as communications device manufacturers to provide “back doors,” (basically, encryption keys), which would enable the secret services to decrypt the actual content of all communications.

        I wonder how long it will be before the US Government along with other governments, (including Australia), will pass similar laws?

        Here is a link to just one of many, many articles on this subject, from the well-kinown and highly-respected technology website, The Register:

        http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/

        Read it and weep…

        Reply
        • Please also note that the UK Government wants all communications device manufacturers to provide back doors into all their devices, including mobile phones, SIM cards, routers, etc.

          How long will it be before criminals will also obtain those same back doors?

          Also, as an added bonus, the same back doors will also render VPNs useless.

          Reply
        • It’s shocking. Too many people adopt the position, “So what? I’ve got nothing to hide.” But as Edward Snowden very rightly said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

          The societal implications of mass surveillance are enormous. In fact, it could very well turn out to be the biggest issue of our time.

          Reply
  3. Right now there appears to be a problem with the HTTPS Everywhere 2016.11.30 for Chrome Version 55.0.2883.75 m.
    It tells me “This extension may have been corrupted”
    Repairing it does not work, as well as an uninstall/reboot/reinstall.
    Anyone have any info?

    Reply
    • I’ve never used HTTPS Everywhere, but I’ve seen numerous reports of it being buggy and problematic – excessive resource usage, breaking websites, being broken by browser updates, etc., etc. Additionally, all modern browsers have in-built mechanisms to mitigate the risks associated with mixed (secure and insecure) content on websites, so it really doesn’t provide much in the way of additional security. The pros of HTTPS Everywhere are outweighed by the cons, IMO, and it’s not an extension I’d recommend.

      Reply
    • I too have a problem installing HTTPS Everywhere into Chrome xxxxxx883.75. Using Win10 Pro. Get message from Chrome “This item has been disabled in Chrome.” It indicates that it has been added to Chrome by the authors of HTTPS Everywhere. Hmmm.

      Reply
  4. (sigh) I know I’ll catch hell for saying this, but it seems disingenuous of you to say you’re not going to go political on us, only to then assert there are ramifications of the election resulting in concern “that the incoming administration will take less of a positive role on things like personal privacy or net neutrality or any of a number of things related to the freedoms that we tend to take for granted here in the United States and from my perspective, freedoms that we specifically take for granted on the internet.” Seriously?? How is alleging that the “incoming administration will take a less positive role on things…” not making an overt and derogatory political statement?

    I disagree with your political assertions. But, as an everyday visitor to your site and occasional poster, I appreciate your no-nonsense and helpful tech-related advice. On that note, I too have just installed HTTPS EVERYWHERE in Firefox.

    Reply
    • Yea, Leo, we really appreciate your unbiased opinions on computers, but if there is some information you have based this assertion on, please, at least share a link to an article that has the facts that has lead you to this kind of shocking conclusion.

      Reply
      • I’d have you spend some time reviewing information on the https://eff.org website itself, as well as https://www.fightforthefuture.org/, as well as the communications from those types of sources.

        One of the reasons that I’m trying very hard to avoid politics is that I’m not in a position to change anyone’s mind. Most people on both sides of the issues have their minds made up and are unwilling to entertain alternative possibilities. It’s sad, but only time will tell. As I said in another comment, I’m simply going to use this as an opportunity to focus a little more on personal privacy over the coming months. Whether you fear your ex, your employer, hackers, or the government itself, the principles all apply.

        Reply
        • If people can’t see bad privacy laws coming out of Washington I don’t know what to say. That is the reason more and more computer sites are talking about privacy and how to protect your self the best you can. At the end of the day it is going to have to come down to better laws along with this, not worse.

          Reply
    • I’ll just say that the claims by some that this might be the case or ramification of the new administration is a good reminder for us to revisit issues relating to privacy.

      Reply
  5. If I go to a site that uses HTTPS, I know my ISP or employer (really just another ISP) can see that I’m on the site but can they tell what I am doing there? So, if I am on PayPal, can they tell I am looking at my account? If I am on YouTube, can they tell what video I am watching? If I am on Gmail, can they tell I am reading email or even can they read my email? I know HTTPS gives you protection against an outsider but exactly how much protection/privacy does it give you against an insider like an ISP or employer.

    Reply
  6. Thank you for promoting the HTTPS Everywhere add-on. Three comments:

    1. Please note that according to the EFF, HTTPS Everywhere works with the Opera browser as well as Chrome and Firefox.

    https://www.eff.org/HTTPS-everywhere

    2. For any web site that uses HTTPS, especially login pages, I use the free Qualys SSL Server test, which checks the site’s configuration of security certificates. I have found quite a range of results, all the way from “F” (after I sent that site an email, they promptly upgraded and earned an “A-” grade) to “A+”. Basically, you copy and paste the URL of the HTTPS page you’re curious about into the Qualys test page, click “Submit,” and in a short while you get the results. Here’s the link to the Qualys SSL Server test:

    https://www.ssllabs.com/ssltest/

    FWIW, https://askleo.com/ earns an “A” (which is really good, if not the best possible score).

    https://www.ssllabs.com/ssltest/analyze.html?d=askleo.com

    3. What impact does HTTPS Everywhere have on third-party services used by many web sites (ads, e-commerce services, login services, etc.)?

    Reply
    • 2. That’s why I said it’s hard and technically involved. It’s easy to get sort-of right. And sort-of wrong. :-)

      3. Basically it should be insisting that these 3rd party sites also use https if available. (Most do now.) However if it can’t, it can’t, and your browser should give you a mixed content warning.

      Reply
  7. Hello Leo , I have Norton safe search , Is that in itself good enough ? Thank-you . Great Knowledge you give . Much appreciated .

    Reply
  8. I enjoyed your discussion “Focus on security and privacy” and attempted to install “HTTPS Everywhere” to my chrome extensions. I repeatedly received a notice that the extension may have been corrupted and an option to repair. Choosing the repair option did not remove the potential corruption message. Any further thoughts on this extension? Thank you

    Reply
    • I’d remove it and not bother reinstalling. The extension addresses a problem that doesn’t need to be addressed and is frequently problematic (as can be seen from some of the other comments here). The bottom line it doesn’t do much at all to improve security in the real world.

      Reply
  9. I have found your items to be very helpful and this one is no exception. I started to follow you when I had my PC but now I have an Apple, while a lot of the subjects are transferable between platforms, this one does not address Safari, will you be doing so in the future?

    Reply
    • Well, it’s not me that needs to do the work: EFF’s HTTP Everywhere doesn’t appear to support Safari. They would have to make it do so. I happen to use Google Chrome on my Mac where it works just fine.

      Reply
  10. Leo keep pushing with security and privacy. I’m sorry to say I think most people have gave up on privacy. They just fill like they don’t have a chance anymore protecting their privacy, and not with out good reason. The laws are bad if any, most don’t have the knowledge, and then they’re some that just don’t care.

    We fight for so many things in the free world. Privacy should be there. It should be neutral ground for all of us to stand up for. How could it not be…

    Reply
  11. HI Leo, Thanks for a thought provoking article. I do have one question though. If your site is hacked and malicious code is put on it that can infect a users PC doesn’t that negate the use of https?

    Reply
    • Depends on what you’re trying to protect. Your conversation with that site will likely remain private, being over https. That site may, however, download malware or what not that can do anything.

      Reply
  12. I understand that HTTPS Everywhere cannot hide the web sites that one visits, only the contents as long as HTTPS on that site is available. I use a product called, “Private Internet Access” that is supposed to hide my web accesses by routing them encrypted through their servers. Would these two tools together provide better protection from snooping ISPs or government agencies? I realize that there is always a way to get to the information, given enough resources and incentives. But in general, this may be a way. A Virtual Private Network is not the total solution unless the other end of my web link is sharing the same tool. But this may be a good compromise.

    Reply
    • A VPN along with HTTPS should keep you pretty anonymous, with the VPN hiding the your IP address and from the websites you are visiting and the IP addresses of the sites your are visiting from your ISP, and HTTPS encrypting the entire communication between you and the website. And for those non HTTPS pages, at least your information transfer between you and the VPN is encrypted, so you still have some protection. And I might be going out on a limb saying this, but most sites which should be using HTTPS, financial institutions, Ask Leo! :-) etc. do use HTTPS.

      Reply
    • “I use a product called, “Private Internet Access” that is supposed to hide my web accesses by routing them encrypted through their servers. Would these two tools together provide better protection from snooping ISPs or government agencies?” – You’re basically substituting PIA for your ISP. Information that would previously have been visible to your ISP is now visible to PIA. So, what it really comes down do is who you trust more (or distrust least): your ISP or PIA?

      While VPNs certainly have their uses, privacy is not one of them. See my other comments to this post.

      Reply
  13. A privacy issue you might like to consider is how Google tracks your activity.
    Not only does Google track all your web Searches, but if you carry an Android mobile phone or Tablet, as I do, (possibly iPhones as well) then Google can track your movements around the country! This is truly scary!
    I have just had a look at My Activity on Google, as suggested by an article, read and I was amazed that there was a list of addresses I had visited, and even maps of my journeys! I was able to delete these, but I am not confident that they will not continue to track me through my use of my devices! Sorry if my paranoia is showing!!
    I should add, there is a way to stop Android devices reporting their locations, and that is to Turn Off “Locations” in the Settings. However, this may affect the operation of some Apps.

    Reply
    • I keep location off when I’m not using Google Maps. I’m not too concerned about the tracking as much as preserving my battery, but the end result is the same.

      Reply
    • Welcome to 1984!

      Google’s Location History is interesting, eh, and certainly provides an indication of how much personal data companies collect. It’s worth noting that it’s not only Google that do this. Many – likely most, in fact – of the websites you visit use embedded third-party tracking systems to monitor your behaviour and activities. The tracking systems use cookies, device/browser fingerprinting and cache data to track not only your activity on a particular website, but also to track you across other websites – with all that data being linked back to your IP/location and, if you log in to any of the sites, possibly your identity too . You can also be tracked across devices in ways that make it impossible to opt out:

      http://www.marketingmag.ca/tech/cross-device-tracking-is-the-next-big-threat-to-consumer-privacy-140588

      The reality is that, unless you’re willing to take extraordinary measures, it’s almost completely impossible to avoid being tracked. While I don’t feel particularly comfortable with the amount of data that companies surreptitiously harvest, I also don’t worry too much about it. As I said, it’s almost completely unavoidable and the data is used for nothing more sinister than marketing purposes (at this point in time, anyway).

      Reply
  14. Dear leo, recently I have been facing a problem with your site while visiting from Firefox for Android. The problem is the pop up for subscription to your newsletter takes the whole space in the browser. And most of the time I can not get to the ‘x’ button as I have already subscribed to your newsletter. Your content is always great and helpful,and I really enjoy your articles.I hope you will look into this matter. Thank you.

    Reply
    • It’s hard to understand exactly what you;re seeing – nothing’s changed at this end. Typing the ESC key should make it go away. (Also, you should only see it something like once a month, unless you’re clearing cookies.)

      Reply
  15. Truly appreciate your newsletter and the valuable information and insights it provides. I have tried to install the HTTPS Everywhere extension to Google Chrome but receive a message that the extension is corrupt. It will not resolve with repair extension. Is there a certain procedure required to install this extension? Using Windows 7 Home Premium 64-bit

    Reply
  16. You asked what concerns about privacy we have, and I thought I would bring up one. I don’t know if it’s been brought up on this web site, but maybe it could be a subject of a future video, and that is password strength. I’ve seen conflicting information on how secure a password is. I use Roboform and a Word document to store my passwords, and all passwords contain randomly picked strings, sometimes with special characters, depending if the site requires them. These kinds of passwords are the most secure of all, but the password I use to access the Roboform files isn’t as secure. Do you have a good source of finding out if a password is a secure password where a hack will be almost impossible?

    Reply
    • “Do you have a good source of finding out if a password is a secure password where a hack will be almost impossible?” – This:

      https://howsecureismypassword.net

      Password length/complexity is actually not as important as many people think. Passwords mainly get compromised in one of three ways. Database theft and phishing are by far the most common, and the complexity of the password does nothing to help in such scenarios (a complex password can be stolen or phished as easily as a simple password). The third way is for it to be guessed or otherwise discovered by a dishonest friend/family member/co-worker. In this scenario, complexity does help, but a password does not need to be enormously complex to defeat the attacker.

      Password checkers, such as the one I linked to above, assume that somebody will be running cracking tools against your password. In the real world, however, that simply does not happen (unless, that is, you’re specifically targeted because your laptop is loaded with trade secrets worth millions).

      To be clear, I’m not suggesting that strong, long passwords shouldn’t be used – it’s easy to do, so you may as well do it – simply that it’s not necessarily as important as people think.

      Reply
      • Actually there is an argument for complexity – or at least length – in the case of database theft: brute-force (or rainbow tables) in conjunction with poor password database design. The shorter/simpler your password is the more likely it is to be able for a hacker to try all possible passwords against a stolen database. At a minimum it’s trivial for them to try huge databases of known or common passwords. As I said, good database design can make this significantly more difficult – but the opposite, poor database design, can also make it next to trivial for the hackers. And, sadly, we keep hearing about compromises where it turns out the stolen database was implemented poorly.

        This is one of the reasons I’ve started promoting length over complexity. A short 8 character password can now be compromised no matter how complex it is. The odds of a longer (say 16 character) password being compromised in that manner are significantly smaller.

        Reply
  17. Leo,

    In this fairly recent, updated post that you made regarding PRIVACY (see https://askleo.com/should-i-upgrade-to-windows-10/ ) you state “You can find lots of rants and discussions on the topic all over the internet. It’s an area ripe for thoughtful discussion as well as paranoid knee-jerk reaction. My take: I’ll stick with what I’ve been saying for years: you and I just aren’t that interesting as individuals. For the vast majority of computer users, no one cares what you are doing, and no one is watching you – not Microsoft, not anyone else.”

    I liked the above perspective on privacy that you posited in that post, i.e. that nobody really gives a hoot what we’re doing on the internet. But now you seem to have dramatically changed your long-standing mindset on this privacy issue.

    Can you clarify?

    Reply
    • “I liked the above perspective on privacy that you posited in that post, i.e. that nobody really gives a hoot what we’re doing on the internet.” – My take is that companies – and governments – absolutely give a hoot about what you’re doing on the internet, which is why billions is spent each year on tracking your activities, preferences, behaviour and logging it with your demographic data and whatever other personal information they can get their hands on. Today, that data is used for (mostly) innocuous purposes such as delivering ads that are based on your interests and preferences – but how will it be used tomorrow? Take a look at this:

      http://www.businessinsider.com.au/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2

      Consider too that impact that knowing you’re being surveilled may have on you. Would you still feel able to speak freely and criticize your government’s policies? In the US, you probably would – today, anyway – but in many other countries you would not.

      To borrow some words from Edward Snowden, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

      Privacy is extremely important and is not something that should be taken for granted.

      Reply
    • I’ve not dramatically changed at all. I still believe that we’re typically uninteresting. I do believe that today’s political climate has more people more interested in privacy than before, making it a topic worthy of deeper discussion.

      Reply
  18. Something worth noting. I just installed HTTPs Everywhere from the link provided for EFF at the very beginning of your newsletter. It seemed to have installed seamlessly, but after that I went on to click on a link of interest to me, namely “Turn off fast startup in Windows 10” just located in your “Previous issue section”. The result was a pop-up saying to check my internet connection or to reload the page. I tried the latter, the same error message came back again. So, I figured out that it has to do with the extension I had just added to Chrome.

    My reaction was to open Chrome’s extensions page and there I saw that “HTTPs Everywhere” was corrupted, just like many have reported in this post. To all intents and purposes, I decided to repair it first (That didn’t work) and finally to remove it. Then, on second thought, I said to myself let’s try to install directly from the chrome’s extensions page, which I did. Guess what, it worked this time around.

    Bottom line, for everyone having a corrupt extension, your best bet is to install it directly from Chrome.

    Reply
    • In the case of people you know, pretty much the only way they could do that is if they were able to sit down at your computer and install malware.

      Reply
  19. Hey there Leo,

    i need to ask you a question so bear with me please. I have registered on one site using my gmail address. On the same site few days later i have also registered using my other gmail address. So somehow they have figured out that both my gmail addresses are connected and suspended me since they don’t allow duplicate profiles. My question is how do they know these two gmails are connected? There is no way to figure out these two are connected, they are not even recovery gmails.

    Reply
    • Hmm well could be cookies or ip address but its not a site where you can post stuff so i don’t think thats the case. I am not actually sure what you mean by posts? ^^ But since ita not that kind of site, dont think thats the case.

      Reply
      • Even sites you can’t post on sometimes place cookies on your computer. Sites which require registration and logging in need to use cookies to keep you logged in when accessing different pages on their site.

        Reply
  20. Hello Leo,

    I’ve been using NordVPN for some time now and everything works really well for what it is. But I’ve been wandering, is there any way to protect my information even more? I have a quite paranoid mind so I constantly think that someone is “watching” especially with problems China is facing right now.
    I’m not doing anything illegal, I’m worried that my bank details might get stolen and my physical location could be leaked.

    Thank you.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.