Tim McCormack says words
It's 2017. Most sites that I visit now support HTTPS, and even redirect to it from insecure HTTP. What does this change? I have one suggestion: Software that autolinks bare domain names as URLs should default to https:// instead of http://.
Welcome back. If you missed the first in this two-part series, you may wish to read the intro to that post first, because I'm just going to dive right in.
One of my hobbies is finding security vulnerabilities in websites—it's a relaxing way to unwind in the evening. A few months ago I asked a friend at Imzy if they'd like me to poke around. Imzy was intended as a place for online communities that don't suck. The community was in fact super nice, but unfortunately this was one of the many startups that Madeth It Not. They're shutting down soon. In any event, I had a good time and found some fun bugs.
The other day I had an unpleasant realization about curl, and how I use it. I'm going to guess most programmers have had this experience:
tim@puter:~$ curl -sS https://www.example.com/whatever?foo=bar&baz
[1] 638
bash: baz: command not found
tim@puter:~$ <!doctype html>
<html>
<head>
<title>Example Domain</title>
...
...and immediately have the reaction "oh dammit I forgot to quote the URL", because that innocuous little ampersand is getting interpreted in bash as "run the preceding as a command in the background".
This has happened to me from time to time for years, but it was only this week that I realized how *dangerous* it is.
Yesterday the internet learned that Cloudflare had been randomly spewing the contents of some connections through their services into other HTTP responses. What fun! Now we need to change all our passwords, rotate our keys, expire sessions, etc. because someone used C code in a sensitive context. But I have hundreds of passwords, and I don't want to change all of them. Here's how I found a set of candidates that could have been affected, using Firefox's password store.
Update 2017-02-24: Uses later date to only check sites in high-risk period.
Update 2017-02-24: Now actually checks if each identified site currently uses Cloudflare, and uses later date.