PROJET AUTOBLOG

We Fight Censorship - L'info à l'abri de la censure

Archivé

source: We Fight Censorship - L'info à l'abri de la censure

⇐ retour index

Secure your browsing

lundi 10 juin 2013 à 18:30
Online Survival Kit

When you access the web on your laptop or computer, you use the http protocol (hyper text transfer protocol). A protocol is a set of rules and requirements that allow two machines to communicate with each other. Https is the secure version of the http protocol.

https?

When you visit a site whose URL begins with https, you can be sure of three things:

The site's authenticity Each https site has a certificate which it presents to your browser when your browser tries to access it. In turn, your browser has a database against which it checks the validity of the certificate presented. The certificate is the site's ID card and is unique for each https site. The confidentiality of data exchanged with the site. There are several intermediaries between you and the sites you visit: the Internet access provider; the server(s); any proxy servers, including malicious parties (particularly when you're connecting over unlocked Wi-Fi hotspots). Once the site's identity had been validated, an encrypted communication channel is established between your browser and the site which guarantees that no intermediaries can intercept the information exchanged, such as requested pages, their content and any passwords sent. The integrity of data Using the https protocol also guarantees that no one can modify the data which is sent.

Breaking https

There are a few ways of breaking the secure channel which is set up between an https site and your browser.

Blocking https connections

This is by far the easiest way of breaking https. Sites offering an https version can usually also be accessed via http. An attacker seeking to control the network you are connected to (your access provider or the shared Wi-Fi connection at your hotel, for instance) may simply close the https access and force you to use the unsecured http version.

Impersonating an https site

An attacker may position themselves between you and the site you want to access, and redirect you to a copy of the site using a fake certificate. This is known as a 'man-in-the-middle' attack.

If you go to Gmail, an attacker seeking to take control of the network and the DNS servers may reroute your request and redirect you to another site which looks just like the Google mail service. The only clue for avoiding such attacks is the security warning in your browser.

Your browser will indicate that the site's certificate is not valid and that the site is not what it claims to be.

Certificate theft

Within a man-in-the-middle attack, there is a very slight possibility that the attacker has a copy of the targeted site's certificate. This is an extremely sophisticated type of attack as it involves firstly stealing one or more certificates from a certification authority.

In August 2011, certificate authority DigiNotar was compromised and certificates were stolen. These were used mainly in Iran to carry out man-in-the-middle attacks on Google services. This type of attack is extremely effective as your browser is unable to detect the fraud and does not display any security warning.

Some solutions

There are some tips and software which can increase your browsing security.

Choose Firefox or Chrome

Mozilla, publisher of Firefox, and Google, publisher of Chrome, take particular care in terms of security. For example, they were the first to update their browser's certificate databases following the above-mentioned DigiNotar security breach. Firefox has the additional advantage of being a free software whose aim is to ensure the security and privacy of its users. Chrome also focuses on security but is not free and does not offer the same guarantees in terms of privacy.

Deactivate Java

Java is a cross-platform computing language which exists as a plug-in for all browsers. It poses lots of problems in terms of security. According to the publisher of Kaspersky, 50% of attacks reported in 2012 used flaws in the browsers' Java plug-in. If you do not need Java in your browser deactivate it, or even better uninstall it.

Boost your browser with some useful extensions

You can add features to Firefox and Chrome using plug-ins.

  • https everywhere: checks whether there is an https (encrypted) version for each site you visit and if so redirects you to it. This saves you having to manually add the “s” after http to each web address you visit, as in reality nobody actually manages to do this.
  • No script: enables you to control JavaScript scripts which are launched on the sites you visit. JavaScript is a programming language which is widely used on the web. It runs in your browser and can sometimes be used in certain attacks (XSS and XSRF). You can authorise certain sites to run JavaScript and the extension remembers your choice. This is tedious at first, but essential for secure browsing. Chrome's equivalent is ScriptSafe.
  • Web of trust: works on a crowdsourcing model (where information is collected from a wide circle of sources) and tells you whether a site is safe or not based on the opinions of other Internet users. If you land on a site known to contain malicious scripts, WOT will display a warning before the page loads.
  • Certificate Patrol: checks the certificates when you arrive at an https site and warns you when your browser detects a change in certificates. This is very useful against man-in-the-middle attacks.