A little tool that I use with Firefox is ForceTSL, can be found here http://forcetls.sidstamm.com/ and can also be added via the Firefox addon section, in a nutshell it forces your browser to first use HTTPS assuming the site allows it, works autonomously in the background.
Seems to work so fareā¦ Kind Regards Peter Atkin (C.T.O) cfts.co (u) ltd. Get I.T.Right +256-772-700781 | Skype: peter2cfu www.cfts.co.ug <http://www.cfts.co/> | location details <http://www.cfts.co/contacts.html> | <http://ug.linkedin.com/in/peteratkin> view my profile From: [email protected] [mailto:[email protected]] On Behalf Of Benjamin Tayehanpour Sent: Saturday, June 08, 2013 1:59 PM To: Uganda Linux User Group Subject: Re: [LUG] CERT was [NITA site hacked!] HTTPS is effective only when fully and properly implemented. For this to happen, the client (and the user) must be aware of how HTTPS works, and how things are supposed to behave when everything is as it should. I can, in practice, see three obvious weaknesses, and therefore three ways to defeat HTTPS as a method of securing a connection to a web service. There are others, both more effective and less so, but these are the most obvious ones: 1. A MITM attack with a self-signed certificate. This will generate a security alert in the user's browser, but many users are ignorant and will ignore this. This is the least effective and most conspicuous attack, but it is cheap and easy. 2. A MITM attack with no certificate at all. Let me elaborate on this. When a user wants to go to e. g. Twitter, she usually types "twitter.com" into the address field. Due to the mechanics of intelligent autocompletion (which I detest, by the way, due to issues like these), this will, in normal cases, take her to an HTTP page, which will redirect her to the HTTPS page. If an MITM attack is performed, the attacker could simply skip the redirection step and manufacture a passable replica of the Twitter login page which goes over HTTP. No certificate security warning will be shown, because there is no secure connection to begin with. On some browsers this will generate a "you are sending form data unencrypted over the Internet, you moron" warning, but in most browsers this dialog has been disabled. This is as easy as attack 1, but should have a higher rate of success. This will, of course, not be effective at all if the user explicitely requests an HTTPS connection. Not many do, though. Sadly, most people expect technology to do their thinking for them. 3. A MITM attack with a perfectly valid certificate from a compromised certificate authority. Compromising a CA is tricky business, but it is certainly not unheard of. The point here is that *any* recognised Certificate Authority can issue a valid certificate for, say, twitter.com. If *one* CA is compromised, and there are loads of CAs based in shady countries with patchy legal protection from the state, the entire chain of trust is broken until that CA has had its root certificate revoked and that revokation has been pushed to all clients. This is a fundamental weakness of the CA web-of-trust system in place now, and there is little one can do about it. Luckily, when DNSsec and DANE is finally implemented, we'll be rid of central CAs entirely, the actual validation going through DNS instead. This means two things: a) The above mentioned weakness will be eliminated, and b) Certificates will be completely free to implement for domain name owners, as the process of setting one up will be a routine DNS procedure. When that time comes, there will be no valid excuses whatsoever not to implement connection encryption. Not that there are any valid excuses for that now, mind. Not implementing TLS ("HTTPS") is despicable. On 8 Jun 2013 10:42, "Kyle Spencer" <[email protected]> wrote: Well, let's think about this: 1) I highly doubt Facebook, Google, Twitter et al will give the Ugandan government backdoor access to their systems. 2) Most major social networking services default to HTTPS (i.e. your traffic to/from these platforms is encrypted) thus the content of your messages cannot easily be intercepted at the ISP/network level. In light of the above, it would appear that this team would be limited to: 1) Looking at publicly available content (e.g. Twitter posts, Facebook posts marked public, etc). 2) Cracking user account passwords or otherwise breaking into user accounts. 3) Tricking you into accepting them as a 'friend' on Facebook et al so that they can see your private posts. Anyone else have any thoughts on this? On Jun 8, 2013 11:31 AM, "Jake Markhus" <[email protected]> wrote: >From what I gather, this is political control extended to cyberspace. Sincerely James Makumbi Billable Ltd 0790834364 / 0712780817 http://www.coderbits.com/jmakumbi http//:ug.LinkedIn.com/in/jmakumbi On Jun 8, 2013 9:36 AM, "Kyle Spencer" <[email protected]> wrote: I'd like to learn more about the methods they intend to use. Anyone with a clue here? On Jun 8, 2013 8:22 AM, "Jake Markhus" <[email protected]> wrote: WHY SOCIAL MEDIA SURVEILLANCE? Just participate and contribute. The "big brother is watching" bs bores me. Just a bunch of navel gazing people paid to do nothing. I would rather they setup standards and best practices for development of government websites. I would rather they tested Ugandas service providers and not only CERTified them but periodically checked them for compliance. They should EMPHASIZE the use of local hosting as a first option with failover to Switzerland. If they want a white Nordic guy, let them host with Reinier (hi Reinier:-)). Everybody dreams of being James bond when all we need is a decent gate watchman. Sincerely James Makumbi Billable Ltd 0790834364 / 0712780817 http://www.coderbits.com/jmakumbi http//:ug.LinkedIn.com/in/jmakumbi On Jun 8, 2013 8:06 AM, "Neil Blazevic" <[email protected]> wrote: Techpost has a story on the launch today, including a link to the website, http://www.ug-cert.ug/ http://www.techpost.ug/3263/uganda-launches-cyberspace-security-programme/ Worth noting their social media surveillance plans which seems to be a part of it. Neil On Jun 8, 2013 2:37 AM, "joachim Gwoke" <[email protected]> wrote: > Message: 5 > Date: Thu, 6 Jun 2013 18:58:57 +0300 > From: Mike Barnard <[email protected]> > To: Uganda Linux User Group <[email protected]> > Subject: [LUG] CERT was [NITA site hacked!] > Message-ID: > <cadhh34rfdcwr7unb-srfjsgb_4hjevlmhnlp9tgojmm6aw7...@mail.gmail.com> > Content-Type: text/plain; charset="iso-8859-1" > > Any one know any details about this CERT team that was > created. > > On 29 May 2013 21:38, joachim Gwoke <[email protected]> > wrote: > > > People, > > Uganda created a CERT last year( I am not joking), I recall an event last year with the Prime Minister and NITA talking of the creation of CERT. My assumption was that considering what we are going through this body was already created/launched by now. regards Joachim _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. __________________________________________________________________________________ This e-mail is company confidential and may contain legally privileged information. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains. Please e-mail the sender immediately and delete this message from your system. Note: e-mails are susceptible to corruption, interception and unauthorized amendment; we do not accept liability for any such changes, or for their consequences.
_______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
