Dad forwarded an email he got from Symantec today. The subject line was “Breaking: New legislation affects your online privacy” and went on to suggest he could subscribe to their “Norton WiFi Privacy” product to stop his Internet Service Provider from selling his browsing data.
My take is that he should save his money. This is just Symantec doing some very opportunistic, and cynical, marketing. The place where a VPN is most valuable is when you’re using a network you don’t know whether to trust (e.g. the free WiFi at your neighborhood sub shop).
For now at least, Comcast, Verizon, AT&T and probably others are making a big deal about how they’re not collecting/selling your web browsing behavior (though they’re certainly leaving room to change that once the furor dies down — they did after all spend a huge amount of money lobbying against those rules).
Even without VPN, when you visit a web site that uses HTTPS (and more than half of the web does now), your internet provider can’t tell what you did there. They can certainly tell that you visited https://www.mybank.com, but because it’s https:// instead of http://, they can’t tell what specific pages you visited.
USA Today had a good article about some ways to protect your online privacy. Subscribing to a VPN service wasn’t one of them.
So, I woke up this morning to an email from Troy Hunt, or rather, a message from his Have I Been Pwned? service. It seems that my account was one of the 68,648,009 compromised in the Dropbox breach.
From the sound of things, there’s some mixed news. The bad news is, at the time of the breach, four years ago, many passwords were still being stored as SHA-1 (MD5) hashes. The good news is that they appear to have been salted hashes and the hash values weren’t included in the breach.
Dropbox did send out an alert a few days ago saying that they had reset passwords for anyone who hadn’t updated their password in the past four years (guilty!). The email said it was done as a precaution, but didn’t go into detail about what it was a precaution again. To find that out, you had to click through and read a blog post.
I’m probably OK. My password probably wasn’t as secure as it might have been, but thankfully, the lack of salt values for the SHA1 passwords should make them quite difficult to break. And perhaps most importantly, I’ve never used that same password anywhere else.
(But yes, I changed my password to something a bit more secure. It’s now 40 random characters generated by KeePass.)
Some important takeaways:
- Change your Dropbox password.
- Don’t use the same password in more than one place.
- Consider a password manager. I’m mostly happy with KeePass, but also hear good things about LastPass.
- Consider turning on two-factor authentication.
- Consider also signing up with Have I Been Pwned?
- Why are you still reading this? Go change your Dropbox password!
(Photo from Pexels, free for non-commercial use.)
Today I was internet-famous for slightly more than three minutes; just long enough for Richard Cambell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.
Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)
So if you don’t know that’s all about, an “SSL certificate” is one of the things you need in order to setup a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)
Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (it does leave the question of what extra value you get with a paid SSL certificate.)
The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.
One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.