Secure Web Browsing - Computerphile
ฝัง
- เผยแพร่เมื่อ 28 ก.ย. 2024
- Websites & https what difference does the "s" make anyway? - Dr Richard Mortier of the University of Cambridge Computer Laboratory explains.
Follow the Cookie Trail: • Follow the Cookie Trai...
Man in the Middle / Superfish: • Man in the Middle Atta...
Botnets: • Botnets - Computerphile
Object Oriented Programming: • Pong & Object Oriented...
3D Rock Art Scanner: • 3D Rock Art Scanner - ...
Mixed Reality Continuum: • Mixed Reality Continuu...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscom...
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
The call's coming from... inside the server!
Yesh
It would be amazing if, because I'm living and working in China now, a video with Dr. Mortier explaining the Great Firewall of China and how it works and how its evolving and if possible to answer how VPN services are trying to stay 1 step ahead of the firewall implementation.
Clue, you're gonna need more than a vpn if you want to get around the deep, dark places of the world.
They still make paper like that??? lol
computerphile, more videos by Tom Scott?
i really liked him, check his channels "Thom scot" and another one just dont remember the name
+Nirup Iyer His channel is fantastic.
+Nirup Iyer plus 1 to Tom Scotts channel. He just did a great video about how many videos youtube can have before running out of address space.
+Nirup Iyer It was easier in the past when Tom was more closely linked to the university. Nowadays, Tom is a freelancer and has his own channel to think about.
no
Also, get the HTTPS Everywhere browser add-on!
No, not really. Since when did every domain on the planet start supporting https, by default??
We hear talk about teaching our kids programming in school but stuff like this what they should be taught. I don't mean that programming is not important but it's not what everyone needs. You don't need programming to safely use social media, you don't need programming to safely visit websites, you don't need programming to fix problems with your operating system's normal functions, you don't need programming to know how to update your smart phone and the list can go on.
What you need is understanding of all the basic principals of what makes your life with computers and smart phones tick. You need to know how to identify malware, know when a program is trying to cheat you, know how to get rid of malicious programs, how to safely do online shopping and what are the legal channels you can seek help. I have two younger sisters (20 and 14) and these are the issues I need to deal on regular basis. Just search The IT Crowd - "The Laptop from the Exorcist" and you know what I mean.
Oh and I do know that officials keep spouting "it's not just programming we teach to our children, but the other important things too". But... Well... Did they name it "Programming" so it sells better because it sounds fancier than "Common computer skills"? The more complex our systems become the more important it is to be well edumacated. We geeks are rushing ahead while general population just surfs on the top waves enjoying sunshine while sharks below prepare for attacks. Just like demonstrated on this video.
Hijacking ad space, impersonating a server o.O. How is any of this legal for ISPs to do? And if it's not, how are they getting away with that? ISPs, it seems to me, are rather easy to reach organizations.
+Vaidas Šukauskas It's not, it's an act of wire fraud in USA and just fraud elsewhere. These ISP's are doing man-in-middle attacks on their own customers. But most courts staff have VCRs that blink 12:00...
+PsychoticusRex yea, they kinda just get away with it
JakesDen Gaming what do you mean? That's what he said
+Vaidas Šukauskas In not-so-developed countries where the digital world is still lawless you can get away with everything online. That's why cyber crime is usually based in those countries, the authorities just go "Crime? What crime? This person has never been to your country, get lost."
+Vaidas Šukauskas this kind of attack (man-in-the-middle) can be also done by a tor exit node. This scenario might be more realistic.
Computerphile is just a rabbit hole :3
Brady, can you do a video on certificates? Love your videos
Should have used Netscape as the browser icon
Boy, that SCaLE 14 shirt design is real nice. Can this be ordered somewhere?
Redirecting an ad server to a blank page, and by doing so cutting off a large portion of that convoluted web of recursive advertser scripts hosted on different servers, is a very useful thing to do. I'm afraid than in the not so distant, ideal future where everything is under SSL, cetificates, authenticated and encrypted, and probably even the browser is locked down, the user will be forced to accept all web junk. But users will be convinced that all that security is for their own benefit. It will probably get to a point were Windows will refuse to run a unauthenticated, hacked software...
I really hate SSL on normal discussion and entertainment sites, where it creates a delay before a connection can be established, proportional to the distance to the server. I've disabled OCSP and revocation lists to cut down the extra commonication, and now I see an open padlock most of the time.
If the ISP is chatty, and likes to notify user about payments and stuff on websites, then it is a bad ISP, and should be changed. An ISP like that is probably likely to disallow some other options, such as use of an alternate DNS server or servers on certain ports like 25 or 80.
pk is self signed to begin with?
I'm assuming this is the kind of stuff used in DMZ's, so what could one do to circumvent such measures?
using VPN's opendns or onion is common knowledge these days but, What other options are there And what are the essentials to compromise these systems :)
would love to hear tom scott's take on it, purely for intellectual entertainment
+90hijacked ... Only an SSH connection could conceivably get by it. a big part is knowing who's a threat or not; conceivably you could do an ssh connection to a proxy on a safe network and avoid your ISPs fraud and then proceed normally....
Why No-One is talking about Reliability of Internet Service Providers who enforce Questionable List of Interferences to their Clients? Does Citizens and People Voted for these Changes to Begin With.
Please tell me that the "e" symbol used to represent the browser does not refer in any way to Internet Explorer. Please.
+DoctorDARKSIDE Should have used an N if he meant to go back in time.
Elliot Grey Or an N with a curved line at the bottom. That's clearly too hard.
+Cadde Fair enough. :)
+DoctorDARKSIDE
Pretty sure the e stands for Edge ;)
ubiquity air os, always loads as https, always a certificate error..
Ads must be blocked, and that's all there is to it. Without blocking ads (or any and every cross-site request, only selectively allowing those that are needed for the site to work), the web is absolutely unusable - like a triangular wheel, or something like that.
...but you can still block and replace
Make a video about how to use vpn's to go on Tor and stay secure
It seems weird how few views these videos get in 5 hours, compared to the number of subscribers.
pine apple
Certificate Pinning FTW!
What we really need is to stop spam email!!!
And this is how to do it:
Email starts from some email client, through a series of servers as it crosses the world, and ends at an email client.
Each time a server passes an email along to the next server, it includes its own IP address. The receiving server or email client does a little handshake with the sending server, "Did you just send me this email?" "Yes I did. please send it on its way to the next server."
But if the answer is, "No, I didn't send you that email. It spoofed my IP," the email gets dropped.
With this mechanism in place, you can trace it back to either the spam client or to a server that vouched for an email in error. It has to be one or the other. And whichever it is gets blacklisted.
Viola! No more spam!
The fact that this obvious solution has never been implemented makes me suspect that Microsoft and all the other big corps are really on the side of the spammers...
+Hungry Guy Email headers already include the IPs of every server they were relayed through. People don't spoof 'from' IPs, because it's far easier to just use a random open relay. Relaying legitimate mail through multiple Random Servers on the Internet is really uncommon these days; it's usually the various boxes within a sender's network that relay traffic to the mail servers on the edge of the network, and then straight to the recipient's mailserver, then through whatever setup they have there.
Validation of sender IPs is the problem SPF is designed to fix: a domain lists a TXT record in spf format, and recipients can judge whether or not the sender was permitted to send based on this value. Unfortunately, the majority of spam comes from open relays, often being run on compromised PCs, and has garbage envelope senders for point at a domain that doesn't list anything -- because it doesn't have to.
this video was really confusing :-(
First
+Paul Naama First!
The worst thing about ads (as long as they're static images, without any movement or sound etc) is the tracking. If there weren't any tracking, those kind of unobtrusive ads needn't be blocked.
I really want to buy bob's socks for some reason.
Actual advice for the end user: get a "Force HTTPS" plugin for your browser. Works like a charm.
Will there be a second video about how the authentication works?
🥶
There is the SSL Observatory. It is part of HTTPS Everywhere. Pretty much when you get a certificate, it will check it against the Observatories copy of the certificate. If it is different, it will send the certificate to the Observatory along with the DNS information and ISP. The idea being that it will catch if a signed certificate is forged.
he used 'e' to represent browser.. damn internet explorer users
+Nirup Iyer it's called Edge now and it's totally not just internet explorer!
+Zudo It actually really isn't bad. They rebuilt the engine from scratch and it works pretty well.
+iandonaldpaul Well, AFAIK Edge is made from scratch, but it's was made to be basic enough that they couldn't make the same mistakes.
- I give up. It's been 10 years. 10 YEARS SINCE I STARTED TRYING. I will never learn how to cook steak.
- Hey what if I teach you how to make a ham sandwich instead?
- Great idea!
+Zudo Oh, it's not perfect, but it's a huge step up from IE.
+Waniou fair enough, but Chrome still wins the race by a big shot
0:50 unless I've misunderstood, the browser Brave does the Ad replacement to fund their development. (having the options, native-Adblock Ad-Replace and Normal browsing.) Would be interesting to see your input, is it legal(if adblock is then this should be right?) .
I did test Brave once and found it to be really fast. (lacked extensions I "need" and I hadn't heard enough about the developers to feel safe using their software.)
+Jim R. Didriksen It's not entirely the same. This is because ads are grabbed separate from the main webpage, and what most ad blocking software does is it stops that initial request so the ad company records wont show you as a bought customer. basically ad companies only pay for what they get so the one hosting the webpage is the one losing profit.
"Lets go old school", nope, more like "lets go dangerous!" ;)
Ps, what happened to the recording at 5:54? Oh, I see, you rotated the universe around to make the paper straight. :D
Yeah the writing was a bit close to the end of the page so I had to fold space...
The writing sound is terrible :( Why don't use a normal pen :(
Great talk ;-)
I would love to hear a talk on HSTS, certificate thumbprints, and site Content-Security-Policy header tagging.
I'd also like to hear about pre-shared keys and HTML5 client certificate generation.
We hear talk about teaching our kids programming in school but stuff like this what they should be taught. I don't mean that programming is not important but it's not what everyone needs. You don't need programming to safely use social media, you don't need programming to safely visit websites, you don't need programming to fix problems with your operating system's normal functions, you don't need programming to know how to update your smart phone and the list can go on.
What you need is understanding of all the basic principals of what makes your life with computers and smart phones tick. You need to know how to identify malware, know when a program is trying to cheat you, know how to get rid of malicious programs, how to safely do online shopping and what are the legal channels you can seek help. I have two younger sisters (20 and 14) and these are the issues I need to deal on regular basis. Just search The IT Crowd - "The Laptop from the Exorcist" and you know what I mean.
Oh and I do know that officials keep spouting "it's not just programming we teach to our children, but the other important things too". But... Well... Did they name it "Programming" so it sells better because it sounds fancier than "Common computer skills"? The more complex our systems become the more important it is to be well edumacated. We geeks are rushing ahead while general population just surfs on the top waves enjoying sunshine while sharks below prepare for attacks. Just like demonstrated on this video.
+Nyyppis Programming is a means to an end. They should be taught programming and be encouraged to reverse engineer stuff to show just how easy it is to break something and use it for their own purposes.
The first "hack" i learned with computers was deleting a database file containing user information before starting a program. Unfortunately i don't recall the program used but it was a text-based GUI under DOS.
Once the file was gone, you gained automatic "SUPER USER" access when you started the program and could thus edit all the scripts and stuff that still was around after deletion of the user file.
In those scripts were passwords for network shares on the school's server. This meant i now had access to certain stuff on the server that i shouldn't have access to. Such as each students private work folders with all their essays in them etc.
If you are taught programming you also learn how easy it is to break stuff. If you are taught to write binary data files, you also learn how to read binary data files and as such you learn how to use a hex editor and with a hex editor you can look into stuff you shouldn't look into. It also lets you do all kinds of other stuff to break programs.
I NOP'ed a certain function in a program using a disassembler when i was tired of it nagging me about buying a licence.
In conclusion, if you learn programming you learn HOW to break stuff and that teaches you how to defend against the most common/simple hacks and cracks. You also learn that NOTHING is unbreakable, given enough knowledge, time and ideas. As such, the only way to win is to not participate. Just like War Games.
Yeah, I get your point and agree that the things you mentioned are important. I was trying to say that programming is just a small part of what should actually be taught. And that's why I don't approve calling it "programming" in the curriculum. I'll try to elaborate.
To understand this video you don't need to understand any coding. But if you wanted to test the concepts of this video... Well then you need coding skills. How many hours of self educational playing around with computers you did before you could pull off the hack? How many basic concepts of computers you thought to yourself before you even knew you could execute a hack like that? Most likely you haven't even thought about how much you first had to know to be able to pull off that hack because it's all mixed up with the things you learned after. And I don't mean this in a bad way. That's just what happens when you learn a lot of stuff. It becomes instinctive and becomes a blur. I'm actually a bit jealous because you pulled off such a fun hack. I never did anything remotely so fun.
So yeah. What I was trying to say: Teach universal and basic skills to all students and give the most interested ones voluntary extra courses for a chance to enhance their skills. The above mentioned basics include some programming too. And that's when courses called Programming become relevant. I must admit that it looks like I bashed down programming entirely but that's not it. It's just that curriculum's have very limited time and you need to make most of it.
Great job, keep it up! Excited for the botnet video.
Rogers used to do something like this, if you were supposed to get an HTTP 404 error Rogers would redirect you to their own branded search engine advertising a bunch of crap.
Nowhere is safe! Only Safer
~ Conspiracy Theorists
*One of the things that I am sure to get 75% approval*
P.S. the last statement above is not based on an objective analysis. Take it with a grain of salt
does tls use the public pk to decrypt?
hey man, can you do one on safe bank transfers on websites, a way to tell if its safe to use your paypal and how to create a paypal online... i just have 0 trusts with sites that ask u for ur card details and some warning advice and tips would be so useful and stress free since theres a few things i want via online but i just dont trust it online so i cant get it...
Can't get over the fact that the users browser is represented by 'E'. IE? really? LOL.
Do all browsing in a VM ... done ...
Oh wait ... bank details..
If you do everything in a VM, and that VM gets hacked, isn't that a distinction without a difference?
Tyler Swagar What I was thinking is that they can't mine your computer for data, if every time you step away from it, you delete the VM. So nothing can grab saved data. But yeah a VM would still have those issues.
@@WIImotionmasher VM+VPN+HTTPS
"Secure Web Browsing" LOL
If data is being transferred back and forth you are not secure.
Why did somebody send the link to mr
Could you add subtitles on the videos? The english subtitle. I'm not a native speaker and sometimes I don't understand what the people says.
Thank you.
You literally just clarified everything. Thank you.
The main issue with these warnings is that they are so interrupting even though they just mean: don't trust what is written there and don't share your data there. It doesn't mean you should not access it. It's just the same as an unencrypted website. Which the browser would load happily anyway.
Flash, flash, flash. Then wait for it. Nothing for a while. Wait for it. Double flash.
An ISP that manipulates its user's traffic on the content level is an ISP that doesn't need or want customers.
A few arsehats ruining it for everyone, as usual. :)
Thanks for another interesting and useful video.
The browser itself should handle all passwords and show the root-secure domain name in larger font...
Anyone else look up at their address bar while watching the video?
Thanks for the video
Awesome Shirt 🙏
Interesting topic, thank you computerphile
There's literally no company I have to trust as much as my ISP. If my ISP pulled off shit like that, I'd dump them faster than they could say "extraordinary notice of cancellation".
+Penny Lane Which is why i used to trust an ISP that advocated that they would never share private information with anyone, not even the authorities.
Problem though was that they had really awful customer service and so i switched when they didn't respond to a simple request in over a week.
I dunno why i wanted to share that, i guess it's just that hard to find an ISP that cares both about you as a customer and your rights on the internets.
Soon i will start watching all videos of this channel . These videos are really lot informative for me and also something new and interesting .
what is a doctor saying? gp offline? duh huh
I just stared at his shirt for the whole video…
Any thoughts on the seif project?
Sick shirt tbh
does this noticeably slow down/reduce responsiveness when browsing the web? (shouldn't be more than double the ping time right?)
+teekanne15 Because TH-cam uses https, you're using this right now. It's not much slower =)
+teekanne15 Not really. In fact, thanks to the fact that many browsers only support HTTP/2 over HTTPS, HTTPS can actually be _faster_ than plain HTTP in some cases.
Andrew Meyer Oh hey, I had no idea. Learn a new computery thing every day, I guess =)
dot matrix paper
maidsafe
6:29 the way he writes doubleT-P :D
Standard since I was a kid. Maybe even before. :)
5:53 What the hell is that thing on the right?
+Meb8Rappa it's a ghost.
My site has none of that shit. All my assets come from my server.
Well many websites do
+Marcel Robitaille Even external assets, such as jquery, etc? CDN's can have a great effect on the load speed of pages you know.
Joe Westcott I don't use jQuery. Vanilla js all the way.
+Marcel Robitaille Exactly how proud were you of your single point of failure setup?
+Jim Pörn (TheOfficialZip) 12
I used letsencrypt.org the other week for a web server and it automatically configured my apache2 site so quick I almost forgot I was in debian.
"Banner across the bottom"
uwot
+I'm Not A Xenophobe, Back In My Day It Was Called "Patriotism" What are you referring to? There is no banner.
foobars It's at the beginning of the video.
For Pete's sake, level that mug on the shelf!
Frists tst xdDD