Category: Internet Privacy and Security

Staying Safe Online: The Bare Minimum

You probably spend around the same amount of time on the internet as you do outside, if not more. Outside, you of course know what you are doing. For one, you know to be afraid of moving cars, not to walk on thin ice and maybe even what neighborhoods are safe and which are not. These things hopefully seem dreadfully obvious, but the digital analogs of these habits are anything but common which is why more than half of the US’ population was exploited last year and why the average cost of said hacks was $142 and a big headache. In this post I will outline the bare minimum you can do to protect yourself online and avoid becoming one of these victims.

Being safe on the internet is not as simple as installing a handful of programs and then going about your business. That said, if you are really here for the very bare minimum, these following programs make for a good start. As your browser will almost definitely be the mediator through which you access the internet the most, it is important that it is as safe as possible. To this end I will first recommend a browser and then two extensions. Secondly, I will outline proper account and password management, perhaps even more vital.

Continue reading

Internet hubris among Millennials proves costly

You will probably recognize Symantec as the company behind the rather awful anti-virus program Norton. Nevertheless, each year the company published a very interesting report detailing the cost of digital exploitation on consumers. This year’s compilation reported a total cost of 5 billion US dollars greater than the GDP of Iraq. I will admit that is rather an arbitrary comparison, but a colorful one. A more tangible number is instead the average cost of a single hack: $142 and nearly three full work days of ‘clean-up’ work for the victim. That might not seem all that bad but with more than half of the United States’ population affected, the numbers add up.

To me though, the demographics is the most interesting part of Symantec’s report and it is these numbers that this post concerns. Before reading the report, I assumed that my sweet great aunt to be at a substantially higher risk of being exploited on the internet than one of my Millennial (technically Generation Z) peers. However, according to Symantec’s report, it is entirely the opposite. 60% of Millennials experienced cyber crime last year while baby boomers and seniors were in fact the safest age groups.

Continue reading

You can now trust me (or at least my website)

This post was originally written for my Freshman Seminar ‘Big Brother is Watching: Internet Security and Privacy’ with Prof. Brian Kernighan. It’s written to be very accessible, but still caters to a somewhat technical audience. I recommend you check it out – you might just learn something!

This page that you are currently viewing was supplied to you by one of the most commonly used protocols on the Internet: HTTP. More specifically, HTTPS which is the real topic of this post, but more on this later. The HyperText Transfer Protocol is indeed rather amazing, facilitating nearly all information as viewed by visitors of my website and most other websites like it. However, HTTP is far from perfect and I will argue that it has become completely obsolete due to security risks. Anyone intercepting the information sent back and forth to my server hosted in Sweden can not only read it but also change it without the server nor the user knowing; let me explain.

HTTP was first developed at CERN in 1989 and since the standard has been altered and upgraded several times. The protocol is based on requests and responses between clients and servers; in this case that would be your browser and the software hosting my website on a computer somewhere in Sweden, respectively. The protocol facilitates the sending of a request by the browser asking for some information from the server. The server would then return a response consisting of general information and whatever was requested. Of course, all of this information is sent in clear text, meaning it is legible by any one of the possibly dozens of computers facilitating the transfer of the information between the server and the client. Furthermore, as these computers are relaying the information they can also alter it. This is generally referred to as a man-in-the-middle (MitM) attack.

Say for example that I wanted to start a fund-raising campaign by encouraging people to send Bitcoins to the Tor Project. Perhaps then I would post their Wallet Address on this website, to which you could then send your Bitcoin donations.

1NgiUwkhYVYMy3eoMC9dHcvdHejGxcuaWm

Until very recently, before I updated to HTTPS on this site, you should not have sent money to the address above, not because The Tor Project is not in need of support but because the wallet address above was supplied to you by way of HTTP – meaning it is subject to a MitM attack. If someone on your network decided they could make better use of your kind donation they could just intercept the page and replace the address with theirs, and you would have no way of knowing, nor would I.

This is where HTTPS (notice the S for Secure) comes in as an excellent solution. HTTPS uses either TLS or SSL for encrypting the data traveling between the server and the client – hindering any reading or altering of the information by any man, as it were, in the middle. The encryption works through the surprisingly straight-forward idea of a handshake. In turn, a handshake builds of the concept of asymmetrical cryptography. In its simplest form, it consists of a pair of keys, one private and one public. The public key belongs to the server and is shared with the client who uses it to encrypt data to be sent to the server. This data can then only be decrypted through the use of the private key in the safe hands of the server and the server only. After some technical negotiation between the server and the client, the latter sends a pre-cursor to a so called shared secret, encrypted with the server’s public key. The shared secret, in contrast to the private/public key pair can be used to both encrypt and decrypt information. As such a secure connection is established: the client generated the pre-cursor and sent it in encrypted form to the server, making them the only two entities who can calculate the shared secret. This key can now be used for however long they want to securely transmit information back and forth.

Of course, there is one last issue: how do you, the client, know that the public key that you received from the server was not compromised and replaced with someone else’s key? This would mean the secret you sent was received by someone else entirely, and that you were never communicating with the intended server at all. This is where certificates come into play. Instead of using any old public key, the server buys an authenticated certificate from a so-called Certificate Authority, clients can then consult the trusted authority on whether or not the server they are attempting to connect to are what they make themselves out to be.

Until recently, these certificates were rather costly as they were targeted toward large corporations. Furthermore, they required extensive legal work to supply authentication, again due to the fact that the services were targeted toward corporations with the required resources. Nowadays however, most anyone can find a cheap yet secure service, which in extension means there is no excuse for me, nor for anyone else, not to use HTTPS. Still I (until recently), and 38 of the top 100 websites on the Internet, do not use HTTPS – at least not correctly. Why is this?

Looks like it was worth it.

Looks like it was worth it. (s: https://www.whynopadlock.com/)

I will not pretend to be able to answer this question conclusively but I believe it comes down to two issues: lack of education and good old laziness. Before taking a Freshman Seminar on the subject of Internet Security and Privacy I simply did not realize the risks of not using HTTPS. I thought that since I did not have any login service there was no reason for me to worry about secure communications. Of course, there is more to be protected than just login credentials. The Bitcoin wallet example above is certainly a scary one. Another thing worth mentioning is the fact that HTTPS limits meta-data as well. No one would be able to see exactly what post you are viewing right now, only that you are on my website, had I been using HTTPS. This is useful for big sites like Wikipedia, a tracked user could read most anything on there, and someone monitoring the connection would not know, because the only unencrypted information would be ‘https://www.wikipedia.org’.

I just got HTTPS up and running last week. It was ridiculously easy now that my host implemented a quick way to migrate. It was literally as simple as the click of a button.

© 2019 Sten Sjöberg

Theme by Anders NorenUp ↑