The other day my neighbor headed to a United Airlines affiliated site in Chrome to book a trip and was greeted with “Server has a weak ephemeral Diffie-Hellman public key.” Full stop. She could not continue on to the site. This is occurring because there is an attack in the wild that takes advantage of a flaw in the Transport Layer Security protocol (a fancy way of saying the supposedly secure way in which a web server communicates with your browser) in order to watch your traffic. This is called a man-in-the-middle attack. Essentially the attacker inserts itself between you and your destination and logs your conversation. You can read more about this here.
The solution is, unfortunately, out of your hands. Your browser isn’t broken – the site you’re trying to get to is. And, as evidenced by it affecting a United Airlines site, there are some heavy hitters who are vulnerable. Any site still using 1024-bit or shorter Diffie-Hellman parameters needs to upgrade to 2048-bit ones to close the hole.
But in the meantime, what if you really, really need to get to that site? I’d tell you to try to contact the site owners and tell them to get it together, but realistically that’s not so easy (can you imagine calling United’s customer service and saying to the phone jockey who answered “Hey, y’all need to upgrade your public keys on your site because currently it’s vulnerable to the Logjam attack and any decent browser isn’t allowing your site to resolve.” Yeah, you’ll get traction there). So how do you get to the site? So far there doesn’t appear to be a way to tell Chrome to continue. You can try switching from HTTPS to HTTP, but most likely you’re hitting a login page and will be forced back to HTTPS (and the error). You can, however, weaken Firefox to allow navigation on these sites. Open a new tab and in the address field enter:
This opens the browser’s sekrit settings. Get past the warning, and then locate these two settings:
By default these are set to True. Change them to False and you’ll be able to hit the affected site. I STRONGLY recommend only doing this on a site you absolutely trust, and only in situations where there’s absolutely no other recourse, and I recommend changing these back to True as soon as you’re done on that site.
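Before weakening a browser for a site, it is worth confirming that the site really does negotiate a short Diffie-Hellman group. The following Python check is an added example, not code from the post: it parses the `Server Temp Key` line that `openssl s_client` prints and applies the post’s 2048-bit threshold. The sample outputs are constructed, and `probe_server` (which needs network access) is an assumed helper.

```python
import re
import subprocess

# Threshold from the post: 1024-bit (or shorter) DH parameters are the Logjam
# problem; 2048-bit is the recommended minimum.
MIN_SAFE_DH_BITS = 2048

# openssl s_client prints a "Server Temp Key" line for ephemeral key exchanges,
# e.g. "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits".
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(\w+)(?:,\s*([\w-]+))?,\s*(\d+)\s*bits")


def classify_dhe(s_client_output: str) -> dict:
    """Classify a server's ephemeral key exchange from openssl s_client output."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        # No ephemeral key was negotiated (e.g. plain RSA key exchange):
        # not a Logjam case, but also no forward secrecy.
        return {"kx": None, "bits": None, "weak_dh": False}
    kx, _curve, bits = m.group(1), m.group(2), int(m.group(3))
    # Only finite-field DH groups are the Logjam concern; ECDH is judged separately.
    weak = kx == "DH" and bits < MIN_SAFE_DH_BITS
    return {"kx": kx, "bits": bits, "weak_dh": weak}


def probe_server(host: str, port: int = 443, timeout: int = 10) -> dict:
    """Run openssl s_client against a live host (requires network; hypothetical helper)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout,
    )
    return classify_dhe(proc.stdout.decode(errors="replace"))


# Constructed sample outputs (trimmed to the relevant line); not captured from any real site.
SAMPLE_WEAK = "...\nServer Temp Key: DH, 1024 bits\n---\n"
SAMPLE_OK = "...\nServer Temp Key: DH, 2048 bits\n---\n"
SAMPLE_ECDH = "...\nServer Temp Key: ECDH, P-256, 256 bits\n---\n"

if __name__ == "__main__":
    for name, sample in [("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK), ("ecdh", SAMPLE_ECDH)]:
        print(name, classify_dhe(sample))
```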
Surely you’ve already read that Windows 10 includes some pretty disappointing user tracking baked into it. Microsoft is also pushing this tracking down to its Windows 7 and 8 operating systems.
Aside: I get the Win 10 thing. It’s free. Do what you want with your free operating system. But quietly inserting anti-privacy shit into operating systems that people have already paid for? Ludicrous. Offensive. Ridiculous. It’s prompted me to finally get off my ass and move all the machines I can off of Windows and onto Linux, for good.
Anyway, yeah, MS is pushing this stuff into your operating system without really giving you any indication. The current list of updates that should trouble you are as follows:
You can remove these updates via command line thusly:
In fact, you can save the above to a .bat file and run it. This takes them off, but unfortunately doesn’t prevent them from presenting themselves for install in the future. To fix that you’ll have to head to Windows Update, let it scan what you’re missing, and then go through that list hunting for each of these. When you come across one, right click it and choose to hide it.
This is the list for now… I sincerely doubt this is where it will end, however. Have you tried Linux lately?
Microsoft is slipping into Windows 7 and 8 the same data mining and privacy violating tracking that has made news for being a part of Windows 10. I’m in the midst of absorbing it all, but for now further info, including updates to block, can be found here.
Also, instructions on how to opt-out of their CEIP (Customer Experience Improvement Program) which if you’ve installed Office you’ve surely inadvertently joined, can be found here.
I use Google Authenticator extensively, as I’m a big fan of multi-factor authentication. In fact, I wish I could use it everywhere I’m required to input a password.
But when using it with your Google account it can get in the way of applications requiring access. A thick mail client, for instance. An app that publishes to YouTube. An addon that syncs contacts.
They’ve solved this problem by allowing the creation of app specific passwords. Works great. But, as per usual with Google, finding the information you need can be problematic. So, log into your Google account and head here:
Online privacy’s been a thing for me for years now. Not because I’m doing anything “wrong,” but simply because I feel it’s my right – and your right – not to be snooped on.
I don’t pretend to be an expert at this (or at anything, for that matter), but here are a few things I use and recommend to try to keep prying eyes away:
Use Firefox. I used to be a Chrome fan, but Google’s a big part of the problem. No organization is perfect, but Mozilla – thus far – seems much more interested in our individual well being than that of any other browser offering. And the very first step in locking down Firefox is to navigate to Tools > Options > Privacy and choose “Tell sites that I do not want to be tracked.”
Next, a slew of Firefox add-ons:
HTTPS Everywhere – An EFF offering (and are you a member of EFF? You should be.) that forces a secure connection to your surfing destination whenever possible.
AdBlock Plus – perhaps not so much so for privacy, but for sanity. Surfing the web without ABP freaks me out.
DuckDuckGo – Make DuckDuckGo your search engine of choice. Simply go to the site, and then click the icon next to the search field (to the right of the URL field in Firefox) and add it.
Other security/privacy conscious items I use include:
TrueCrypt – I use TC to create encrypted containers to store all my sensitive data, personal and client related. It adds a much needed layer of comfort to using sync services such as Dropbox or Windows Live. Granted, it makes it a pain in the ass to sync (the whole container must be resynced rather than just the changed files within it), but with a decent connection and some common sense container sizing it’s worth it. I also use TC whole disk encryption on all my family’s laptops. If someone swipes your ‘top, at least they’re not getting your data!
VPN – Securitykiss is but one of many VPN services. I can’t speak to their effectiveness specifically – I include them only as an example. A Google search will pull up a wealth of free and paid VPN options, along with plenty of reviews. A VPN is essentially a tunnel between your computer and a remote gateway, through which your online requests are routed. The theory is that your traffic is effectively anonymized by way of emanating from a shared point of entry to the ‘net (the gateway), meaning it’s undifferentiated from the traffic of everyone else utilizing the gateway. The tunnel between you and the gateway is also secured via encryption. Ultimately the effectiveness of a VPN relies on the provider, as they have the ability to log your activity in their tunnel. In other words, do your research and choose wisely.
There are lots of other privacy options out there, like Tor, but the few things I’ve listed above are the simplest ways to start securing your privacy.