Incorrect Information in "Does HTTPS REALLY Keep You Safe?"

[LAwLz]

2 hours ago, leadeater said:

All I can do is show you, there are more after these but this is sufficient enough. Below included since that specifically needs addressing.

None of those quotes are me saying they aren't putting in effort.

You have to really stretch and read between the lines to try and extract "LAwLz said they aren't putting in effort" from those statements.

 

What I said, and what I meant, is that they were not qualified to make a video about the subject. That it is a bad idea for someone who doesn't grasp the subject to try and teach others, especially under the type of restrictions (like time limit) they imposed on themselves.

Do you not agree with that statement?

 

That does not mean they didn't try, nor does it mean I am saying they should give up. If anything, my saying they should redo the video is the exact opposite.

 

 

2 hours ago, leadeater said:

As someone who has seen the feedback given to the LMG TQ team and saw SSL Full Inspection information provided to them by multiple different people I know for a fact, 100%, that is is NOT BS and they were linked multiple sources of information from multiple different firewall vendors on SSL Full Inspection which is the source of this statement in the video.

 

You are talking about a different thing.

Doing full SSL inspection is not the same as reading that information from an HTTPS session. It is literally breaking the session, decrypting the HTTPS stream, and then re-encrypting it again. That's what the firewalls you are referring to do.

 

 

What the video said is that an attacker can in some case see which specific webpage you visit because that information isn't encrypted in HTTPS.

What you are saying is that if a network administrator breaks the HTTPS stream by doing a MITM attack, they can see the specific webpage.

 

Clearly, this is not the same thing. This might have been LMG is understanding what others are saying, but the reality is very different from what was presented in the video.

The impression I get from the video (because they say this during the section where they say HTTPS doesn't encrypt medatada) is that they are saying that if you visit a website using HTTPS, someone like an attacker will be able to see which specific webpage you visited because HTTPS does not encrypt that information. That is wrong.

The only way for someone to see the specific webpage is if they do what you described and set up an MITM attack which breaks the HTTPS session.

That's why the firewalls you are referring to give warnings like this when you try and enable said function:

 

You are talking about a different thing than the video talks about. Firewalls can't extract the full URL from the unencrypted metadata like the video claims they can. they have to break the encryption to get that information.

 

Maybe this was another case of someone trying to correct them, and that led to more confusion and misinformation being put into the video?

[wanderingfool2]

1 hour ago, LAwLz said:

What I said, and what I meant, is that they were not qualified to make a video about the subject. That it is a bad idea for someone who doesn't grasp the subject to try and teach others, especially under the type of restrictions (like time limit) they imposed on themselves.

Do you not agree with that statement?

Overall they didn't get anything wrong to any terrible level; just a level which is more technically not correct but overall doesn't mean too much.

 

What IS bad though, is how you claim to be a network and security consultant; and yet your very first dispute with their statement is one that is very much dangerous if people were to take you for your word about WPA2.  When talking about security, it's always better to err on the side of caution than to blindly assume some form of security about a standard (and rely on that assumption).  For your sake, I really hope  you haven't been telling your clients this.

 

The only real biggest issue I've seen is the statement on URL vs domain; which I think was the biggest one.  While I do agree some clarification on the workplace looking at https traffic...the only clarification would be that on a workplace device (as I do feel a personal device would send up red flags of cert issues).  Although depending on the site and age of browser I guess HTTPS downgrading would still be a thing.

 

Anyways, the issues they had weren't terribly bad.  Nothing that I would say would be harmful mistakes at least...one I think could teach as long as they recognize not to say harmful mistakes (which in this case I doubt any of the statements they made arise to harmful to anyone)

[LAwLz]

31 minutes ago, wanderingfool2 said:

Overall they didn't get anything wrong to any terrible level; just a level which is more technically not correct but overall doesn't mean too much.

I think them saying that attackers can see which precise webpage you visit using HTTPS metadata is a pretty big mistake, and that is something that actually means a lot.

 

I also think them saying encrypted DNS will make it so that the domain name can't be seen in HTTPS traffic is also very wrong. Not just on an "uhm achually" level but in a "people will get the completely wrong idea about the fundamentals of how this works if they listen to this misinformation" level.

 

Other details like the part about "Chrome displaying ERR_CERT_AUTHORITY_INVALID" as a way to push HTTPS would be an example of a mistake that in the end doesn't matter that much for the content of the video, but one I do think is disappointing to see nonetheless. Especially if this is supposedly a fact-checked and validated release using their new program to avoid this type of thing from happening.

 

 

31 minutes ago, wanderingfool2 said:

What IS bad though, is how you claim to be a network and security consultant; and yet your very first dispute with their statement is one that is very much dangerous if people were to take you for your word about WPA2.  When talking about security, it's always better to err on the side of caution than to blindly assume some form of security about a standard (and rely on that assumption).  For your sake, I really hope  you haven't been telling your clients this.

Yeah, I did assume WPA2 provided more security than it does regarding the unique key used for each client. My mistake.

But don't worry, we typically go with certificates for Wi-Fi logins, and I don't work with Wi-Fi that often. 

 

 

31 minutes ago, wanderingfool2 said:

Anyways, the issues they had weren't terribly bad.  Nothing that I would say would be harmful mistakes at least...one I think could teach as long as they recognize not to say harmful mistakes (which in this case I doubt any of the statements they made arise to harmful to anyone)

I would argue some of the mistakes in this video are harmful. It might not cause people to have their banking information stolen or anything, but spreading misinformation about how something works is still harmful in a sense. It makes people dumber.