The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I wouldn't rely on a Hosts file to block this type of tracking since it will only cope with complete matches, not subdomains - e.g. 122.2o7.net wouldn't match americanexpress.122.2o7.net or wesellourcustomersdowntheriver.122.2o7.net. Also, Hosts files have no effect if you are accessing the Internet via a proxy server (its own Hosts file, if present, would be used instead).

    Adding 122.2o7.net to a web filtering proxy should work but only if that proxy can be used with https traffic (like Proxomitron). It's not an easy thing to block which is probably why Omniture (and others) are using it.
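The difference between a Hosts-file lookup and a domain-suffix filter described in the post above, as an added example that is not part of the original post. The hosts snippet is constructed, and the function names are hypothetical; the hostnames are the ones quoted in the post.

```python
# Added illustration, not from the thread. HOSTS_TEXT is a constructed sample.
HOSTS_TEXT = """
127.0.0.1   localhost
0.0.0.0     122.2o7.net     # tracking domain quoted in the post
"""

def parse_hosts(text):
    """Return the set of hostnames a hosts file maps (comments stripped)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(n.lower() for n in fields[1:])  # fields[0] is the IP address
    return names

def hosts_file_blocks(host, entries):
    """Hosts-file semantics: only a complete hostname match is redirected."""
    return host.lower().rstrip(".") in entries

def suffix_blocks(host, blocked_domains):
    """Filtering-proxy style: match the domain itself or any subdomain of it.
    Comparing whole labels means 'x122.2o7.net' is not mistaken for a subdomain."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))

def compare(hosts, hosts_text=HOSTS_TEXT, blocked_domains=frozenset({"122.2o7.net"})):
    """Map each hostname to (blocked by hosts file, blocked by suffix filter)."""
    entries = parse_hosts(hosts_text)
    return {h: (hosts_file_blocks(h, entries), suffix_blocks(h, blocked_domains))
            for h in hosts}

if __name__ == "__main__":
    sample = ["122.2o7.net", "americanexpress.122.2o7.net", "x122.2o7.net"]
    for host, (exact, suffix) in compare(sample).items():
        print(f"{host:32} hosts-file={exact!s:5} suffix-filter={suffix}")
```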
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Yes, good points indeed Paranoid2000, but some are better than none I feel.

    Thanks for the illuminating thread.


    StevieO
     
  4. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Hi
    Is it really impossible that some site would trigger a https connection which would not require one of the certificates listed in Opera? In other words, checking these boxes in Opera is a sure and simple way to be asked when one of the known certificates is used, but what about non-certified https connections?
     
  5. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Let me guess... Opera would refuse any https attempt not using one of those certificates, right?
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Yes, I see this often.

    See my post #31 above.

    I've used a firewall custom address group for HTTPS sites for a long time. It's true, you sometimes have several prompts on a site, but I don't find that a bother.

    I was alerted this way on sites that use Google Analytics tracking mentioned in P2K's post #74 above.

    Google Tracking

    It's true that disabling javascript in Opera would block this instance, but on this site, and others I frequent, javascript is necessary for much of the site to work correctly.
     
    Last edited: Mar 26, 2006
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The tracking I've come across typically includes a web bug in the event of Javascript being disabled so I would not suggest relying on that alone.

    Having https: limited to specific sites only on your firewall is certainly one method of dealing with this, though it may not be practical for everyone.
    Any https connection requires a certificate, even if only a self-signed one from the site concerned. If the certificate did not come from a recognised authority (i.e. one listed in Tools/Preferences/Advanced/Security/Manage Certificates/Authorities) then Opera (and other browsers) would warn you about the connection.

    The configuration changes I suggest in the first post of the thread would make Opera prompt you on connections involving certificates from these authorities also, meaning that you would be prompted whenever an https: connection was attempted.

    Although I have tried to highlight abuses of this, there are also cases where this happens for perfectly good reason - for example, images on an https site may be stored on another server/domain (logging into ebay.co.uk results in a connection to ebaystatic.com for loading images). However when the URL used includes system or personal data or belongs to a third party, that is when the connection should be blocked.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I agree, which is why I specified for "this instance" - my example. BTW - I used to keep a list of sites with these types of web bugs, but it is outdated. Do you know some recent ones?

    Most of the time I can tell, for instance, I use Yahoo mail from time to time and usually get a prompt similar to below from this morning.

    http://www.rsjones.net/imgs/https.gif
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Rmus

    Urgent, please see my PM regarding your website!

    Paranoid2000

    Very interesting thread about Scan's handling of personal data you started on http://forums.hexus.net/showthread.php?t=75949. I don't see any follow-up posts after post 7 on the 22-05-2006. Did you get it resolved?

    I only went to the main page on http://www.scan.co.uk/ and there was 1 Web Bug which was killed by DesktopArmor. Some people might be surprised just how much tracking actually goes on with things like referrals/cookies and WebBugs. Microsoft is just one example of a company that uses WebBugs on some of their pages, including Hotmail!


    StevieO
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It is still outstanding - if there is any progress, then that thread would be the first place to mention it.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another example to add is Cahoot online bank - their logout page includes Javascript code linking to Nielsen NetRatings which triggers a connection to secure-uk.imrworldwide.com (WebTrends is used also, but this does not appear to involve any connection to other websites).
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hi, I've just started using Proxomitron for the first time in a while, but when I go to a page that uses SSL certificates, while using Proxo's SSL filtering, the site's certificate is replaced with Proxo's so the filtering can happen. So, how can I view the site's certificate if I need to see it?
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I just remembered: after you have allowed Proxo's certificate, Proxo then shows you the site's certificate.
     
  15. tlu

    tlu Guest

    Well, I can't answer this question but I remember that using Proxomitron wasn't trivial. Why don't you consider the alternative I suggested here?
     
  16. sundazing

    sundazing Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    9
    Paranoid, I'm resurrecting this since it was posted in early 2005. What's the current status of the Paypal page today? (I'm working on securing my laptop and connections to do quick Paypal transactions from public hotspots as well as working on having an extra layer of encryption.) Thanks for any help you can give.
     
    Last edited: Dec 6, 2006
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I don't know - I've not used Paypal for a while. However the whole point of this thread is to empower people to find out for themselves, so I'd suggest you take the steps outlined in previous posts to protect yourself - not least since Paypal have been far from the only offenders.
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Just made a purchase at mymemory.co.uk which was especially energetic with the referrals, trying to connect to:

    https://stat.DealTime.com/ROI/ROI.js?mid=...
    https://scripts.affiliatefuture.com/AFFunctions.js (extra parameters passed via Javascript)

    A quick look at their order confirmation webpage source showed in addition the following referrals which had been trapped by various Proxomitron filters I had active:

    https://www.googleadservices.com/pagead/conversion/...
    https://services.google.com/sitestats/en_GB.html
    https://www.emjcd.com/

    In 2 cases (emjcd and affiliatefuture) extra parameters showing merchant ID, order value, reference number and currency could be clearly identified. However the increasing presence of Google (via advertising and site statistic services) is also a concern since anyone allowing Google cookies to be set on their system would then have their previous search queries linked with whatever site and order data Google collect through these links.
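One way to carry out the "look at the page source" check described in the post above, as an added example that is not part of the original post. The HTML is a constructed sample: the hosts are those named in the post, while the query parameter names and values, and all function and class names, are invented for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Constructed sample page; parameter names and values are invented.
SAMPLE_PAGE = """
<html><body>
<img src="https://www.mymemory.co.uk/img/logo.gif">
<script src="https://scripts.affiliatefuture.com/AFFunctions.js"></script>
<img src="https://www.emjcd.com/u?merchant=0000&amp;amount=19.99&amp;ref=ORDER-0001&amp;cur=GBP"
     width="1" height="1">
<iframe src="https://services.google.com/sitestats/en_GB.html"></iframe>
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Collects URLs the browser fetches automatically while rendering."""
    FETCHING = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.FETCHING and value:
                self.urls.append(value)

def is_first_party(host, site):
    """True if host is the visited site or one of its subdomains."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)

def audit(html, site):
    """Return [(host, url, field_names)] for third-party https: fetches."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlparse(url)
        if parts.scheme != "https" or is_first_party(parts.hostname or "", site):
            continue
        # Data can ride in the query string or in ';' path parameters.
        fields = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        fields += [p.split("=")[0] for p in parts.params.split(";") if p]
        findings.append((parts.hostname, url, fields))
    return findings

if __name__ == "__main__":
    for host, url, fields in audit(SAMPLE_PAGE, "mymemory.co.uk"):
        print(host, "carries:", fields or "no visible parameters")
```

A script such as the one loaded from the second URL can add parameters at run time, so an empty field list only means nothing is visible in the static source.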
     
  19. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ Paranoid2000:-

    Were these filters part of an existing filter-set - or filters that you yourself created?
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Grypen's filterset, which I have customised a little...
     
  21. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Thanks for the reply - to be clear, without your customisation and in your experience, would you expect filters such as the default sets or customised sets such as Grypen's & Sidki's to have been able to pick up on these referrals?

    ... or was it down to the customised additions to the sets that you were able to identify these?

    If so, are these some additions to filters that we might all benefit from and which you could share?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In this case, my filters would not have made any difference. I have posted some over at the Castlecops Proxomitron forum and a few have been incorporated by Grypen into his filterset. If you have any specific examples to follow up on, I'd suggest you raise a query there.
     
  23. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Cheers Paranoid2000 - appreciate the info.
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A small update with Paypal (at least their UK branch...). Logging in resulted in a connection attempt to https://paypalssl.doubleclick.net/adj/paypal.uk/Login-outside;lang=en_GB;id=;sz=180x150;tile=1;ord=1000202789? - most likely just an advert, but anyone allowing it and Doubleclick cookies would allow Doubleclick to determine that they had a Paypal account.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Thanks for the info, Paranoid2000.

    Assuming one did allow the cookie,

    1) what could D-click do with it?

    2) and if the user clears all cookies after each session?


    Thanks,

    -rich
     