The problem The NSA is exploiting weak links in Internet security to spy on the entire world, twisting the Internet we love into something it was never meant to be: a panopticon. The solution We can't stop targeted attacks, but we *can* stop mass surveillance, by building proven security into the everyday Internet. The plan First, get hundreds of sites & apps to add proven security (like SSL). Then on June 5, we'll run a splash screen *everywhere* to spread NSA-resistant privacy tools. Reset the Net How we secure the web (HTTPS, HSTS & PFS) 28 April 2014 For many of us, communicating, reading, working, and socializing on the Internet starts and ends with the web. So, any push to end mass surveillance must start there. HTTPS, HSTS, and PFS (perfect forward secrecy) are powerful tools that make mass spying much more difficult. Until websites use them, we’re sunk: agencies like the NSA can spy on everything. Once they’re ubiquitous, mass surveillance is much harder and more precarious—even if you’re the NSA. Here’s how sites can do their part to end mass surveillance, what it gets us, and why it matters so much to Reset the Net and the overall fight. 1. Sites need to use HTTPS The basic technology we use to secure the web is HTTPS, and we all use it every day, without even noticing it. You know that lock icon you see in your browser, especially on shopping sites but now, increasingly, everywhere? That’s HTTPS! If a site isn’t 100% HTTPS, anyone can spy on you. Police can do it. The FBI can do it. Really clueless governments can do it. Even random creepy dudes on the same public wifi network as you can do it. (And through a sort of strange quirk of how “logging in” works on the web, attackers can do even more than just spy: they can access your password-protected accounts as you.) Adding HTTPS is pretty easy to do. Unless you’re running a huge site it’s very inexpensive. If you are running a huge site, then with success comes responsibility: your site is too important not to have it. 2. Sites also need to use HSTS Now, the NSA has ways to keep on spying even when sites do the right thing and add HTTPS protection. Some of these methods are difficult or impossible to defend against. But right now, the hands-down easiest way to break HTTPS encryption is to trick people into not even using it, with a technique called SSLstrip. Here’s how it works. You type “facebook.com” into your browser, but somebody else tells your computer “I’m facebook.com”. You may think you’re talking to Facebook, but really you’re talking to the NSA. If you typed, “https://facebook.com” every time you went to Facebook, SSLstrip wouldn’t work. But who does that? Nobody. In theory, you could notice it was happening. But usually, nobody does. Even skilled hackers get tricked by SSLstrip. This is where HSTS comes to the rescue. HSTS tells every browser, “Hey, this site always uses HTTPS. If you ever get a version of this page that doesn’t, don’t load it, it’s fake.” The best thing about HSTS is that it’s easy to add, and doesn’t cost anything. As a stopgap measure, individuals can (and should!) install the HTTPS Everywherebrowser addon. But to resist the NSA, the web needs privacy built-in. We can’t depend on optional extras. 3. Sites should use Perfect Forward Secrecy (PFS). The security of any HTTPS connection depends on the security of private keys. Once the NSA or any attacker gets these keys, they can break HTTPS encryption until the site switches to new keys. Losing control of private keys is a catastrophe every site tries to avoid. But the security version of Murphy’s Law says it will happen eventually. Recently, the “Heartbleed” bug meant as many as 2 out of 3 sites on the Internet could have leaked their keys. So, it’s good to think about how to limit the damage when it happens. Perfect Forward Secrecy (PFS) limits damage, by protecting all the data sent before the keys leaked. To government spies an HTTPS connection could look like a bunch of encrypted, incomprehensible gobbledygook. But they can still collect it! With PFS, that old data is still safe. Only the new stuff is vulnerable. PFS even offers some protection afterkeys have leaked, by forcing attackers to perform active man-in-the-middle attacks rather than just decrypting traffic they collect with passive surveillance methods. In the case of a public bug like Heartbleed, sites will freak out and change their keys pretty fast. So in that common scenario, you only lose privacy for a short amount of time. Note: if you’re adding PFS on your site, there are some pretty significant problems with many implementations of PFS that could make sites easier to spy on. Whether you’re considering adding it or you already have, you should read this paper. Why everyone needs to do this. There’s no way to tell exactly how much HTTPS with HSTS and PFS limits the NSA’s ability to spy on the web. But we do know a few things. First, there are some known victories. HTTPS keeps data out of the hands of surveillance-friendly ISPs (telephone & cable companies) who are always the worstwhen it comes to handing over data. And it puts almost every government on the planet out of the mass surveillance business; only the most sophisticated governments, if any, can spy on HTTPS traffic. Second, we know that if the NSA can crack HTTPS on a large scale without being detected, it’s by exploiting specific bugs. If we can get every site using the latest security measures, they’ll upgrade when bugs are discovered. Then the NSA is in a precarious position. Once all traffic is encrypted, their mass surveillance apparatus depends on an ever-dwindling number of bugs in a small number of tools, extremely valuable bugs they are racing with other governments, organized crime, and security experts to discover. Once we get there, governments are always just a few technical fixes away from losing their mass surveillance capabilities. At that point, the odds tip in our favor, and victory becomes possible. For more information on the steps you should take to protect your service and your users from government surveillance, see the Data Security Action Plan from Access and their “Encrypt all the Things" campaign. [HASHTAG]#ResetTheNet[/HASHTAG]
Survivalmonkey to do list: HTTPS HSTS PFS I have not tested all of these suggested privacy tools: Reset The Net - Privacy Pack With HSTS enabled, if there were any shenanigans going on via StripSSL, you might see this warning (Chrome)
All 3 tasks complete - just implemented PFS Check SM against your bank... Qualys SSL Labs - Projects / SSL Server Test
And really not any slower that I can tell for all the crypto going on under the hood on both ends. BTs iPad may lose battery a little quicker
To be fair, some sites only SSL portions of their pages. Copy the URL from a login page and try it again - that should be as secure as they can get it.
Dear Fight for the Future member, There’s just thirty six hours left. That’s how long we have to get pro-Net Neutrality comments submitted to the FCC in front of their first comment period deadline — and save the Internet from the clutches of Comcast, Verizon, Time Warner, and their ilk. The deadline is tomorrow! Click here to submit your comments to the FCC right now. We're in a battle to for the Internet as we know it. Net Neutrality guarantees all websites — start-ups, blogs, independent media, lolcats — an even playing field. It’s essentially the First Amendment of the Internet. It’s what has made it so revolutionary, and it gives all of us a voice. But the cable companies want to gut Net Neutrality to increase their profits. Without Net Neutrality, those corporations can kill websites by relegating them to slow lanes if they don’t pay fees — or if they just don’t like the content they contain. That threatens not only the Internet that we love, but the very foundations of a free society. Take action here, it's easy: http://battleforthenet.com Cable companies are spending millions of lobbying dollars in an attempt to drown out the overwhelming cry of the public who are demanding that the FCC protect the Internet. Our best shot at winning this is to strike hard right now and flood the FCC with more comments than they’ve ever gotten before (even more than Janet Jackson.) We are so close to that goal already that if everyone reading this takes action, we’ll hit it by the end of the day. We made submitting an official comment to the FCC as easy as signing a petition. Click here to speak up for net neutrality before the July 15th deadline! Many of you have already signed petitions to the FCC — and so have literally millions of others. That’s incredible — and it’s had a huge impact. But the ISP monopolies are now we all need to go one step further and submit formal comments into the FCC’s Net Neutrality proceeding. It’s really quick and easy, and carries way more weight than the usual petition signature does. You’ll be a formal part of the process. Click here to submit a formal comment to the FCC before the end of this comment period — it’s over TOMORROW. Just a few months ago, FCC was poised to undermine Net Neutrality all together. Because we all pushed back, now they’re considering adopting rules that would save it, and protect the web for the long term. But they’ll only do so if we speak out again, even louder. The cable companies have armies of lobbyists and public relations firms -- and since they own so much of the communications infrastructure, it's especially easy for them to push their propaganda. But we have millions of people on our side — and our only chance of beating the cable companies is if we all take a stand, together. Click here to visit our brand new website and send the FCC a formal comment demanding support for Net Neutrality. It’ll only take a minute. With urgency and appreciation, The Fight for the Future team -Tiffiniy, Holmes, Evan, Kevin, Vasjen, Jessica, and Jeff
