[Cryptography] securethe.news -- deployment of HTTPS and HSTS

John Denker jsd at av8n.com
Fri Aug 18 13:23:16 EDT 2017


Hi Folks --

There are some interesting resources at:
  https://securethe.news/

According to their report on 129 news sites:
 -- 46% "offer" HTTPS
 -- 36% default to HTTPS

The sites are graded and tabulated here:
  https://securethe.news/sites/

To get higher than a grade of "B" requires Strict Transport Security
(HSTS) -- a topic that has heretofore not been discussed very much
in this forum.
  https://tools.ietf.org/html/rfc6797

The report doesn't explain it, but I surmise that the difference
between the first two columns is this:  A site is marked as "valid"
but not "available" if HTTPS redirects to plain old HTTP.

Beware that their data is not 100% reliable.  For example, I
observe https://www.newyorker.com/ and https://www.vanityfair.com/
to be fully available, even though they are not marked as such
in the report.

Perhaps most interesting of all is a good bit of guidance on how
to secure a large site:
  https://securethe.news/how/

=========================

Alas, as usual, they overstate the level of security that HTTPS
provides.  Note the contrast:
 ++ Yes, HTTPS is a good thing.  It protects against a fairly
  wide class of attacks.  It means the barista at your favorite
  internet café cannot easily tamper with your traffic.
 -- It does not protect against traffic analysis.  People really
  need to stop underestimating the power of traffic analysis.

If you are relying on HTTPS without Tor, the barista can trivially
tell whether you are surfing buzzfeed.com or infowars.com, and can
infer quite a lot from that.

What's worse, there are thousands of organizations with enough
resources to carry out traffic analysis /at network scale/, which
means they capture you along with everybody else, and can identify
not only the sites you visit but also the individual pages within
each site.

Here's one of my favorite maxims:
   Metadata is data.
   Stealing metadata is stealing.
   A cryptosystem that leaks metadata is a cryptosystem that leaks.
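To make the HSTS requirement concrete, here is an added example (not from this post, nor from securethe.news or the RFC) that parses a Strict-Transport-Security header field value per RFC 6797 and applies it to a user agent's store of known HSTS hosts; the host names and header values are constructed for illustration.

```python
import re

# A directive is a case-insensitive name, optionally "=" a token or quoted-string (RFC 6797 s6.1).
_DIRECTIVE_RE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^\s;]+))?\s*$')


def parse_hsts(header):
    """Parse an STS field value.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the field is malformed and a UA must ignore it.
    """
    seen = {}
    for part in header.split(';'):
        if not part.strip():
            continue  # tolerate empty elements such as a trailing ';'
        m = _DIRECTIVE_RE.match(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:
            return None  # each directive MUST appear at most once
        if value is not None and value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # strip quoted-string quoting
        seen[name] = value  # unknown directives (e.g. preload) are kept but otherwise ignored
    max_age = seen.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None  # max-age is REQUIRED and must be a delta-seconds value
    return {'max_age': int(max_age),
            'include_subdomains': 'includesubdomains' in seen,
            'preload': 'preload' in seen}


def apply_sts(store, host, over_tls, header):
    """Update `store` (host -> policy) the way a UA does for one response.

    The header is only honoured when received over a TLS connection with no
    errors (s8.1); max-age=0 tells the UA to forget the host (s6.1.1).
    """
    if not over_tls:
        return store  # an STS header on plain HTTP is ignored, so it cannot be injected by a MITM
    policy = parse_hsts(header)
    if policy is None:
        return store
    if policy['max_age'] == 0:
        store.pop(host, None)
    else:
        store[host] = policy
    return store
```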


