Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/ErikvanStraten/statuses/113855823522377568">Erik van Straten (erikvanstraten@infosec.exchange)'s status on Monday, 20-Jan-2025 01:38:10 JST</a><a href="https://infosec.exchange/@ErikvanStraten" title="erikvanstraten@infosec.exchange"><img src="https://gnusocial.jp/avatar/279933-48-20240918100907.webp" width="48" height="48" alt="Erik van Straten" style="position: absolute; left: 0; top: 0;">Erik van Straten</a><div><a href="https://social.wildeboer.net/@jwildeboer/113855413503853848" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/79260" title="rmondello@hachyderm.io">Ricky Mondello</a></li></ul></div></section><article><p>In a post that disappeared, <a href="https://social.wildeboer.net/@jwildeboer">@jwildeboer</a> wrote:</p><p>"<a href="https://hachyderm.io/@rmondello">@rmondello</a> I do note that when I open mondello.com in my browser, I get a placeholder page that is http only, no https. This would be a reason that it *seems* that it is unreachable, because many browsers nowadays refuse to open sites without https."</p><p>Unfortunately, that is *not* true. Browsers unnecessarily make the internet LESS SAFE. IT'S CRAZY!</p><p>*Some* browsers will try https first when you type http:⧸⧸mondello.com (use // instead of ⧸⧸ I used to prevent Mastodon from showing http://). So far, so good.</p><p>However, if an AitM (Attacker in the Middle, such as on public WiFi) blocks traffic from your browser to TCP port 443 (https) on the server, the browser will *silently* try port 80 (http). Pwned.</p><p>This may happen in practice, for example on airports (<a href="https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/" rel="nofollow">https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/</a>).</p><p>Except for iOS and iPadOS, most browsers have an "https only" setting that is *OFF* by default, while it's name is misleading.</p><p>*On* means that you can still use http, but you'll have to manually agree (you can still access the http devices on your local network, or on the internet. But you will be WARNED).</p><p>However, Chrome appears to remember exceptions FOR EVER (I had to delete all browser data to make the last screenshot below. However, that also clears the browser's HSTS database).</p><p>On iOS/iPadOS, from Safari, Edge, Firefox and Chrome, only Chrome has this option. So only Chrome provides *some* protection. People do not type "https://" in front of domain names, and most QR-codes I check are insecure.</p><p>To test: open <a href="http://http.badssl.com" rel="nofollow">http://http.badssl.com</a>. Instead of immediately seeing a (red) webpage, your browser should protect you by asking whether you want to use an http-connection.</p><p>Alternative test-site (non-compliant with the Dutch law):<br><a href="http://gemeente.amsterdam" rel="nofollow">http://gemeente.amsterdam</a><br>(Gemeente translates to municipality).</p><p>(Exactly that is why I wrote this, in Dutch: <a href="https://infosec.exchange/@ErikvanStraten/113855174617111536" rel="nofollow">https://infosec.exchange/@ErikvanStraten/113855174617111536</a> earlier this afternoon).</p><p>Note: Firefox on Android seems to forget "http allowed" exceptions when the browser is fully closed (good).</p><p><a href="https://hachyderm.io/@rmondello">@rmondello</a> </p><p><a href="https://infosec.exchange/tags/httpsOnly" rel="tag">#httpsOnly</a> <a href="https://infosec.exchange/tags/HSTS" rel="tag">#HSTS</a> <a href="https://infosec.exchange/tags/httpsvshttp" rel="tag">#httpsvshttp</a> <a href="https://infosec.exchange/tags/iOS" rel="tag">#iOS</a> <a href="https://infosec.exchange/tags/iPadOS" rel="tag">#iPadOS</a> <a href="https://infosec.exchange/tags/Safari" rel="tag">#Safari</a> <a href="https://infosec.exchange/tags/Firefox" rel="tag">#Firefox</a> <a href="https://infosec.exchange/tags/Edge" rel="tag">#Edge</a> <a href="https://infosec.exchange/tags/Chrome" rel="tag">#Chrome</a> <a href="https://infosec.exchange/tags/Insecure" rel="tag">#Insecure</a> <a href="https://infosec.exchange/tags/Infosec" rel="tag">#Infosec</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4403908#notice-8616022">In conversation</a><time datetime="2025-01-20T01:38:10+09:00" title="Monday, 20-Jan-2025 01:38:10 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@ErikvanStraten/113855823522377568" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@ErikvanStraten/113855823522377568">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/1249757">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://mondello.com/">mondello.com</a></h5><div></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958465">Safari on iOS has opened
  http://http.badssl.com
without warning for not using https.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/315/182/original/837ea779109906b2.jpg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/315/182/original/837ea779109906b2.jpg</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958466">Firefox on iOS has opened
  http://http.badssl.com
without warning for not using https.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/798/495/original/515113ab6ce8c6a7.jpg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/798/495/original/515113ab6ce8c6a7.jpg</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958467">Edge on iOS has opened
  http://http.badssl.com
without warning for not using https.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/813/167/original/0b560a18ed608aae.jpg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/813/167/original/0b560a18ed608aae.jpg</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958468">Chrome on iOS, configured to use "https only", warns when trying to open
  http://http.badssl.comThe page (generated by Chrome) has a gray triangle with a white exclamation mark at the top of the page, followed by the following text:The connection to
http.badssl.com is not secure
You are seeing this warning because this site does not support HTTPS. Learn more about this warningTwo buttons are visible below that:
1. Go Back (default button)
2. Continue to site</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/486/148/568/original/db63127ebeb1c192.jpg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/486/148/568/original/db63127ebeb1c192.jpg</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958469">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3958470">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://http.badssl.com/">http.badssl.com</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: media.infosec.exchange</div><h5><a href="https://infosec.exchange/@ErikvanStraten/113855174617111536">Erik van Straten (@ErikvanStraten@infosec.exchange)</a></h5><div> from <span>Erik van Straten</span></div></header><div>Attached: 2 images#NOS: http -&gt; https: *ÉÉN* lettertje!Om te beginnen: ik stel het op prijs dat op het NOS journaal van 12:00 en 13:05 éérst een Palestijnse meneer aan het woord werd gelaten!(Daarna een Joodse Janker over de vrij te laten gijzelaars en "terroristen": vanochtend wéér tientallen Gazanen gewond of gedood door de Israeli Destruction Forces, en ook nog geen namenlijst van de door *Israël* vrij te laten, middels "administratieve detentie" in martelmortuaria, gegelijzelde Palestijnen - waaronder kinderen, vrouwen, artsen en journalisten).On topic: kap met http links!Opmerkingen:• De (open) broncode en instructies voor de "App" in het tweede plaatje vind u in https://www.security.nl/posting/829026/iOS+QR-scanner%3A+DHZ%21.
Nb. u hoeft er geen app voor te installeren! Zo'n "opdracht" kan in principe iedereen (met een iDevice) zelf (wel met veel geduld) in elkaar knutselen.• Als je op een iPhone of iPad een andere dan Safari als voorkeurbrowser hebt ingesteld, ziet u niet welke informatie  (zoals een URL) er in een QR-code verstopt zit. Vooral dan is zo'n QR-code lezer erg handig (maar http-&gt;https is ook verstandig, vooral als u van public WiFi gebruik maakt).• Als u Chrome gebruikt op uw iDevice, ga dan in Chrome naar "Instellingen" &gt; "Privacy en Beveiliging" en zet "Altijd beveiligde verbindingen gebruiken" AAN. Dit werkt niet feilloos maar meestal wel. Chrome zet dan zelf http altijd om in https, en als een vetbinding dan niet lukt, vraagt Chrome u of u http wilt proberen. Meer info in https://www.security.nl/posting/803597/werk_nl%3A+geen+https en in "Veilig inloggen": https://www.security.nl/posting/840236/Veilig+inloggen.• Onder Android en Windows ondersteunen meer browsers "https only" - een misleidend begrip, want http kan gewoon - alleen moet u daar zelf eerst (handmatig) toestemming voor verlenen.#NOS #httpsvshttp #QR #QRcode</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Erik van Straten (erikvanstraten@infosec.exchange)'s status on Monday, 20-Jan-2025 01:38:10 JSTErik van Straten
in reply to
- Jan Wildeboer 😷:krulorange:
- Ricky Mondello
In a post that disappeared, @jwildeboer wrote:
"@rmondello I do note that when I open mondello.com in my browser, I get a placeholder page that is http only, no https. This would be a reason that it *seems* that it is unreachable, because many browsers nowadays refuse to open sites without https."
Unfortunately, that is *not* true. Browsers unnecessarily make the internet LESS SAFE. IT'S CRAZY!
*Some* browsers will try https first when you type http:⧸⧸mondello.com (use // instead of ⧸⧸ I used to prevent Mastodon from showing http://). So far, so good.
However, if an AitM (Attacker in the Middle, such as on public WiFi) blocks traffic from your browser to TCP port 443 (https) on the server, the browser will *silently* try port 80 (http). Pwned.
This may happen in practice, for example on airports (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/).
Except for iOS and iPadOS, most browsers have an "https only" setting that is *OFF* by default, while it's name is misleading.
*On* means that you can still use http, but you'll have to manually agree (you can still access the http devices on your local network, or on the internet. But you will be WARNED).
However, Chrome appears to remember exceptions FOR EVER (I had to delete all browser data to make the last screenshot below. However, that also clears the browser's HSTS database).
On iOS/iPadOS, from Safari, Edge, Firefox and Chrome, only Chrome has this option. So only Chrome provides *some* protection. People do not type "https://" in front of domain names, and most QR-codes I check are insecure.
To test: open http://http.badssl.com. Instead of immediately seeing a (red) webpage, your browser should protect you by asking whether you want to use an http-connection.
Alternative test-site (non-compliant with the Dutch law):
http://gemeente.amsterdam
(Gemeente translates to municipality).
(Exactly that is why I wrote this, in Dutch: https://infosec.exchange/@ErikvanStraten/113855174617111536 earlier this afternoon).
Note: Firefox on Android seems to forget "http allowed" exceptions when the browser is fully closed (good).
@rmondello
#httpsOnly #HSTS #httpsvshttp #iOS #iPadOS #Safari #Firefox #Edge #Chrome #Insecure #Infosec
In conversationabout 2 months ago from infosec.exchangepermalink
Attachments
1. Untitled attachment
2. No result found on File_thumbnail lookup.
  mondello.com
3. Safari on iOS has opened http://http.badssl.com without warning for not using https.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/315/182/original/837ea779109906b2.jpg
4. Firefox on iOS has opened http://http.badssl.com without warning for not using https.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/798/495/original/515113ab6ce8c6a7.jpg
5. Edge on iOS has opened http://http.badssl.com without warning for not using https.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/482/813/167/original/0b560a18ed608aae.jpg
6. Chrome on iOS, configured to use "https only", warns when trying to open http://http.badssl.com The page (generated by Chrome) has a gray triangle with a white exclamation mark at the top of the page, followed by the following text: The connection to http.badssl.com is not secure You are seeing this warning because this site does not support HTTPS. Learn more about this warning Two buttons are visible below that: 1. Go Back (default button) 2. Continue to site
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/855/673/486/148/568/original/db63127ebeb1c192.jpg
7. Untitled attachment
8. Untitled attachment
9. No result found on File_thumbnail lookup.
  http.badssl.com
10. Domain not in remote thumbnail source whitelist: media.infosec.exchange
  Erik van Straten (@ErikvanStraten@infosec.exchange)
  from Erik van Straten
  Attached: 2 images #NOS: http -> https: *ÉÉN* lettertje! Om te beginnen: ik stel het op prijs dat op het NOS journaal van 12:00 en 13:05 éérst een Palestijnse meneer aan het woord werd gelaten! (Daarna een Joodse Janker over de vrij te laten gijzelaars en "terroristen": vanochtend wéér tientallen Gazanen gewond of gedood door de Israeli Destruction Forces, en ook nog geen namenlijst van de door *Israël* vrij te laten, middels "administratieve detentie" in martelmortuaria, gegelijzelde Palestijnen - waaronder kinderen, vrouwen, artsen en journalisten). On topic: kap met http links! Opmerkingen: • De (open) broncode en instructies voor de "App" in het tweede plaatje vind u in https://www.security.nl/posting/829026/iOS+QR-scanner%3A+DHZ%21. Nb. u hoeft er geen app voor te installeren! Zo'n "opdracht" kan in principe iedereen (met een iDevice) zelf (wel met veel geduld) in elkaar knutselen. • Als je op een iPhone of iPad een andere dan Safari als voorkeurbrowser hebt ingesteld, ziet u niet welke informatie (zoals een URL) er in een QR-code verstopt zit. Vooral dan is zo'n QR-code lezer erg handig (maar http->https is ook verstandig, vooral als u van public WiFi gebruik maakt). • Als u Chrome gebruikt op uw iDevice, ga dan in Chrome naar "Instellingen" > "Privacy en Beveiliging" en zet "Altijd beveiligde verbindingen gebruiken" AAN. Dit werkt niet feilloos maar meestal wel. Chrome zet dan zelf http altijd om in https, en als een vetbinding dan niet lukt, vraagt Chrome u of u http wilt proberen. Meer info in https://www.security.nl/posting/803597/werk_nl%3A+geen+https en in "Veilig inloggen": https://www.security.nl/posting/840236/Veilig+inloggen. • Onder Android en Windows ondersteunen meer browsers "https only" - een misleidend begrip, want http kan gewoon - alleen moet u daar zelf eerst (handmatig) toestemming voor verlenen. #NOS #httpsvshttp #QR #QRcode

Public

Embed Notice

HTML Code

Corresponding Notice