I've been using 1.1.1.1 for years. It's easy to type and seems to call up interstitial screens fast, especially the NYC subway wifi portal, where seconds count.
Of course this thread makes me wonder if I've been doing it wrong.
1.1.1.1 is assigned to APNIC Labs in Australia. It isn't always reachable for their own reasons.
Using 1.1.1.1 makes a http request, which lets the captive portal take over, so good job, but you are actually hitting a group that actually exists, and what if they suddenly launch a HTST site on that IP? It might break your method.
Actually, it shouldn't matter. A trailing dot in a hostname signifies a fully-qualified domain name, rather than a relative domain name. Without the dot the router's dns service could technically return 'cbc.ca.some.othersite.net.' as the FQDN.
They meant the period in the middle (as in, "can you type the full thing, including the period in the middle, with one hand?"). I read it the same way as you did, initially.
I did, too, and I was the original replyer (is that a word?). But, if you visit cbc.ca once, you can do it with one hand in the future as it's the first option in the autocomplete dropdown.
because those are likely to be extraordinarily well-maintained and reliable.
Unfortunately sometimes some captive portals allow just this one site through and not the others. Looking at you, United WiFi, which whitelists gstatic.com, but fortunately not msftncsi.com.
http://purple.com - also useful for seeing if someone's internet is working over the phone or not. "Go to purple.com and tell me what you see". Is the answer "purple"? Hooray!
Google Chrome is supposed to soon start flashing a "not secure" warning on HTTP sites that have password forms [0]. That's probably at least one motivation for these publisher moves to HTTPS
if those pages are not secure, then they will display "not secure" in the address bar.
They're not trying to force everything over to https, they're just trying to make warnings more sane. And if a page is not secure, marking it as such makes sense.
There's gonna be a small "not secure" label next to the URL (like there's now the "secure" label on HTTPS websites in Chrome/Chromium). It's not like you're not going to be able to open the webpage or anything.
This is an issue we're encountering. One solution is trust on first use of a self signed cert, which makes the scary untrusted page a one time cost. This isn't terribly easy in the browser though. With more IOT devices entering the market, this could become a more common issue.
Using https for a local network connection will also be more common, in the case you decide you don't trust the network.
I think for the case of the home router admin page (or really any admin page on your local network), the browser can easily detect that it's being served a page on the local net, and could provide a less scary warning that has some text that acknowledges that you're on your local net and that either ignoring the password form security warning (for http) or accepting the self-signed cert (for https) is probably ok. Whether they'll do this is another question...
It absolutely makes sense not to display warnings that HTTPS isn't in use in circumstances where HTTPS is not feasible - i.e. local addresses. It's simple enough for a browser to determine. I don't think conditionally accepting a self-signed cert is necessary.
Is that still a thing? My understanding was that https these days adds very little to the cost of hosting a site, given hardware accelerated crypto being more prevalent, and other niceties.
'Glorified blog'? The only big difference I can tell is that those 'glorified blogs' are not being printed on real paper. I'm not sure how that makes those newspaper who also have a 'glorified blog' anything more or less than that (plus a physical paper). None of this tells us anything about the quality of the 'glorified blog'.
The Intercept and Quartz each only publish a few articles per day. Each runs entirely on a single instance of Wordpress. Each covers only a few topics. Each has only a few templates, and simple ad inventory, if any.
A paper like the New York Times publishes many hundreds of stories every day, on almost every topic you can think of. They publish to wide variety of platforms, including print. They have a high volume of widely varying ad inventory. They have legacy content going back decades, in all sorts of legacy formats, perhaps even sitting in old CMS instances on separate servers.
TECHNOLOGICALLY SPEAKING, they are much more complex. Therefore transitioning to HTTPS is more difficult.
None of this is a commentary on the quality or social/cultural value of their content.
I don't see how anyone can monetize user privacy without NYT's permission, with or without HTTPS. All of the monetization methods, ad trackers on NYT pages, browser fingerprinting, malware on your computer, etc works with or without HTTPS.
Without HTTPS, whoever owns the LAN you use, its ISP, and various intermediary networks can easily track everything that appears in your web browser by reading the same traffic your browser reads.
This is more than a hypothetical concern, too: back in 2011 a number of ISPs came under fire for hijaacking certain search keywords[1], Comcast has injected ads into hotspot traffic[2], and Andreas Gal has alleged that smaller search engines were buying aggregate Google search result data from ISPs trying to improve their result quality[3].
Thanks. And even those issues underplay the magnitude of the problem. Look up Deep Packet Inspection, for example. It doesn't take much to read and record the content, and nothing stops them from doing it in the U.S. (AFAIK).
Your mention of how it was 'impossible with HTTPS' to inject ads into web traffic made me recall how, two years ago, Lenovo shipped laptops with software ('Superfish') that injected ads into encrypted webpages:
Random coffee shop / hotel / etc wifi owners and other users on the network will only know that you're reading nytimes.com, and not which particular section/article.
Yes, that's assumed in what I meant. Vendors that track their users, such as Google and maybe the NYT, by implementing HTTPS are basically saying: We don't want to share that data with anyone else (e.g., 'random coffee shop / hotel / etc wifi owners'); we want to keep the monetization of our users' privacy to ourselves.
The wifi owners can see that you're reading nytimes.com, but they can also see how much data was transmitted. All they need to do is look up the length of each article, and compare that with how much data the server returned.
Of course, I'm not too worried about hotel owners. I can imagine this technique is already being used by a lot of governments around the world.
They say HTTPS is complex to enable and imply they've been working on it for up to two years. And they finally get it done nine days before Trump.
Some people and organizations are panicking, either about his behavior or that net neutrality is out the window or about some boogeyman. That's why this story is relevant, now, because it's an indication that NYT may feel the internet will soon be a much more hostile environment.
They mention it has been a complex undertaking and not complete yet - does anyone know why they can't just sit a traffic manager in front of everything with SSL offloading?
Also does anyone know what the new personalisation features are that they mention being able to offer now HTTPS in place?
Third party content. You have ad providers that won't agree to you delivering their content. They want to keep control over that (which is by the way a huge security risk on its own, but that's the state of things).
This is likely an organizational, rather than a technical problem. Having worked for large media organizations, often different parts of the site are different deployable applications that share only a hardware device or small nginx or haproxy layer if they're on the same subdomain. It may be that in order to enable SSL on all parts of nytimes.com you need to affect ssl termination at a higher layer on a number of different servers/deploy locations which requires time and testing.
It's also possible that terminating the SSL and then passing through unsecured traffic lower in the stack is not ideal due to where the different parts of the site are hosted - e.g. passing traffic unsecured back and forth between private DC and public cloud.
Note: All speculation based on having implemented SSL migrations at large media companies.
> Also does anyone know what the new personalisation features are that they mention being able to offer now HTTPS in place?
Not sure what features the NYT is referencing specifically, but Chrome has certain features [like the Geolocation API][1] disabled for pages loaded over HTTP. See [Deprecating Powerful Features on Insecure Origins][2].
For our media website, it took us one year before we could move to HTTPS, mainly because of the AdServers which wasn't ready. We had to talk to each ad provider in order to ask them to upgrade to HTTPS. Unfortunately as media companies have most of their revenue from ads you just can't switch like that.
Also, features that are now available once the HTTPS by default on a website, is the AMP, Notifications, HTTP2 (faster loading) and, of course, the little advantage that Google gives to the HTTPS websites.
Google started the process of enforcing HTTPS on AdX about 2.5 years ago. Not implementing HTTPS in that large timeframe is rather inexcusable. It's just technical debt that you need to acknowledge, and then get rid of it.
Nowadays an Ad Server can call another one and so one, due to programmatic. So you might have one Ad server enforcing and serving their tags in HTTPS, but in the end the little local Ad Server which is part of a bigger network doesn't have the HTTPS and so his material isn't delivered.
>Ask any developer at a major media organization what the biggest hurdle to HTTPS adoption is, and the answer is always going to be advertising. However, unless you understand the ins-and-outs of how digital advertising is implemented, it’s difficult to see why this presents a challenge.
Fortunately, even that is changing. Google forced advertisers who want to buy inventory through AdX to switch their creatives to HTTPS in 2015 already. In my experience, any non-compliance to that comes from shitty agencies that haven't gotten the memo that you're better off just switching everything to HTTPS these days.
At any large media organization, there are tremendous amounts of content no longer connected to any CMS that may have hard-coded insecure links/resources in them. Some of them may live on obscure servers or domains. Or the developers/journalists who worked on them and have knowledge of their construction are long gone. These pages are very laborious to find and update.
If you don't mind 404ing or breaking a ton of your old content, it's probably not too difficult. But if you're the newspaper of record, it's a big deal that URLs live on and continue to work as expected.
You also mention "insecure resources", wich I think is a big deal too. I'd imagine there'd be the oddA hard-coded http link to an image that serves an important purpose to an article... that suddenly going missing because a browser refuses to load it would be bad.
But I think you hit the nail on the head -- being the "newspaper of record" means you want to ensure that all your content displays like it did the day it was published.
Well, in our case that was the easiest thing to pick, thanks to the Report-Only option on the CSP header, we enabled it and in about a week, we got all our insecure links and resources.
We could also set a header forcing the browser to upgrade to secure when the resources are in the same domain.
A nice farewell gift for Chris Soghoian's time at ACLU (during which he constantly tried to get news organizations, law firms, and government agencies to use HTTPS and STARTTLS).
The thing the NYT needs to fix (as of earlier last year) is the fact that you can't cancel your subscription without calling them (which is not the case for signing up). I spent 20 minutes[1] on the phone telling them that yes, I really did want to cancel. It was a worse experience than dealing with Comcast, not least because I felt bad for the poor woman who obviously had some financial incentive to get me to stay on with them.
[1] This number is approximate. Could have been less, could have been more; it was a while ago.
edit: I feel kinda bad now that this is the top comment in a thread about something positive the NYT did; if anyone tells me that they've since added online unsubscribe, I will change this comment accordingly.
That's what companies fail to consider when they deploy these "retention strategies." Every roadblock you put between me and cancelling is ALSO a roadblock between me and resubscription in the future.
I've subscribed and cancelled Hulu+ three or four times when there was a lull in the content. But I'd have no hesitation in signing up again because I remember how hassle free it was to cancel.
Contrast that against LogMeIn which has the same strategy as NYT by the sounds of it (call to cancel, takes 15+ minutes). When I needed LogMeIn for a new project, I looked around for alternatives instead because I remembered how big of a hassle it was to cancel. Ultimately LogMeIn didn't get my repeat business, not due to the financial cost, but the hassle cost of them.
Plus of course word of mouth like this is hugely damaging for these strategies. I won't be getting a NYT subscription now.
Same for me and WoW - I'll start up every expansion, play a couple months, and unsubscribe no sweat. I do it again and again because I know I'm not really "committing" to 15 bucks a month, because it'll be easy to cancel.
In the case of WoW, those temporary re-subscriptions for 2-6 months upon release of new expansions is the business model that sustains the game. If Blizzard didn't allow pausing and resuming billing at any time, the game would have died off many years ago.
I believe there is a customer service chat online where you can also terminate a subscription.
I almost did once, but they gave me a discount that I took. All in 10 minutes while reading HN.
Yeah, that's a Comcast-level move, though to be fair, I tried to unsubscribe from The Economist a few years back and it was a nightmare as well [1], so maybe it's just that the news media industry puts all it's eggs in a different basket when it comes to UX.
I tell you what, it sure made me wary of signing up for any more news media subscriptions, now or in the future. It seems almost hypocritical to complain about how people don't want to pay for quality news and then treat them like crap when they do (not that I'm ascribing this to any one person or organization).
Don't sign up for Adobe either then: They've had massively huge CC leaks (shows a lack of care for security) and their unsubscription page has been broken for years.
Huh. I had a trial subscription, found I don't have the time for a daily newspaper plus the Economist, and shot them an email that I wanted to cancel. Received a confirmation the next day.
Echoes of Comcast ... the NYT is constantly promoting 50% off the posted rates for new subscribers, without ever offering such terms to existing customers. But if you're a "frustrated" long-time customer who's on the verge of canceling, then suddenly the 50% discount is rolled out.
In most other industries, loyal customers get better treatment. Or it's the same deal for everyone. These sorts of inverted pricing structures may squeeze more revenue out of a few long-term, inattentive customers, but the hidden cost in churn, irritation and haggling is considerable.
> But if you're a "frustrated" long-time customer who's on the verge of canceling, then suddenly the 50% discount is rolled out.
Yes, IIRC the reason it was such an exhausting call is that they offered me a series of no less than 3, maybe more, progressively larger discounts. I simply wasn't interested, for my own reasons which are even less relevant to this thread than my original comment was.
Yes (although I should clarify that I'm referring to car / house / contents insurance here). Typically the premium offered at renewal time will increase every year, but if you come in as a new customer you can get a substantially lower premium.
If we get only one chance to be a "new customer," then it would be a reasonably fair system. But most of these churn-inducing systems are run in such a way that the Customer Acquisition Teams are quite willing to book you at the new customer rate, again and again.
The internal incentives (worth an entirely separate post) reward phone reps disproportionately for heroic "saves" of accounts that were about to quit. The big promotion within these call centers is to get to work on the Customer Rescue team.
I don't know why the finance guys haven't figured out that they are rotting out their core revenue by doing this.
Same problem in the Uk; The Times was the best online news site by a long stretch but when they went behind a paywall the biggest disincentive to subscribe was the phone only cancellation policy.
As a comparison (although not directly related), I think this is where Netflix gained traction initially here because despite having an uninspiring catalogue the option of a frictionless cancellation made in it an, almost, no-risk proposition.
This is one reason I'm actually a big fan of the fact that Apple News supports news subscriptions in iOS 10 (though of course not everyone supports Apple News's subscriptions stuff, including NYT). It ensures these shenanigans don't happen as much, since the payment goes through Apple, and Apple's subscribe/unsubscribe flows are generally very good because the UX they aim for is very different and independent of the particular subscription.
Ugh, their customer service is terrible. I can understand from a business perspective how they aren't incentivized to make it easier to cancel subscriptions... but I'm a paying customer and have had frequent delivery problems (I like to get the actual paper paper), and the people at the call center are just totally unable to do anything to help.
I suppose that's the irony of declining business... after a while you can't even afford to take good care of your existing customers, which further accelerates the decline.
When you go to the contact page to get the number to unsubscribe, if you hang out for a few seconds an option to talk to someone over chat eventually pops up. They'll try to keep you, hard sell you on other services, etc. just keep saying you'd like to cancel and they'll eventually do it.
It'd still be nice to have a one-click option, but at least it's a bit easier to do passively than needing to call someone.
Similar issue, but they kept billing me. Then cancelled again, and they kept billing me again. Wasn't until the 3rd time that they stopped. I was able to get reimbursed via chargebacks but still, terrible experience.
For all newspaper subscriptions (and all other semi-shady companies), I use Privacy.com. It allows you to create silo-ed credit card numbers and specify how much each card is allowed to charge you per week/month/overall.
When I want to cancel a newspaper subscription and it's impossibly difficult, I just email them telling them I'd like to cancel the subscription delete the associated credit card. Not my problem anymore
May be different in the US, but if you did that in the UK and they didn't read your email or whatever, you're likely have them sell the debt to a collection agency which will then place a marker on your credit record.
It's then a huge pain in the ass undoing the credit record mark. I still have a default on my record thanks to the cable company here not cancelling our service properly. They even sent an courier to pick the equipment up but despite a trillion emails explaining this they insist they can't do anything about it because they have sold it to a collections agency. What a load of gibberish.
Yes, they can (and sometimes will, depending on the type of service) keep billing you, and then eventually send you to to collections if you didn't actually cancel your account.
For future reference, I just tell people I understand that they are supposed to go through a script but I consider the subscription cancelled because that's what I've requested.
This is why I only pay for news subscriptions via the App Store (or the Kindle store, if reading a magazine there): I know I can cancel anytime, with a few taps, and without a phone call. And, I know they won't mail me random stuff since all I want is the digital content.
It's the best way right now, and it's silly because the news apps have to eat the Apple Tax just because their own internal policies keep me from signing up through them directly.
This is what I like about Netflix. In their Help section, the top question under Account is how to cancel. But this probably reflects the fact that Netflix has money pouring in, while the NYT has more trouble finding paying subscribers.
This happened when I subscribed to the UK Times. But I emailed them to tell them I was in South Africa and wasn't going to waste money phoning them they did end up helping me via email.
Interestingly, Certificate Patrol warned me that the certificate at that site changed from a "Domain Validation" to an "Organization Validation" certificate from the same CA.
Why did they do that change, and what would be the advantage for them of an OV instead of a DV certificate?
OV are considered more secure than DV due to the higher registration requirements[0]. Additionally a DV certificate is good for a single domain, OV certificates are good for all of that organisation's domains. For example the NYT's certificate is valid for:
DNS Name=nytimes.com
DNS Name=*.blogs.nytimes.com
DNS Name=*.blogs.stg.nytimes.com
DNS Name=*.dev.nytimes.com
DNS Name=*.nyt.com
DNS Name=*.nytimes.com
DNS Name=*.stg.nytimes.com
To be fair, it's more secure in the sense that someone who gets access to their domain name service can't generate their own OV cert without more access.
They could however create their own DV cert.
So while it uses the same technology, if you see an OC cert you can be more sure that it's the actual organization and not a cert that just proves that the domain is the domain.
But unless clients or humans do anything in response to the extra OV information, or in response to a lack of the extra OV information, that information has no security value.
No browsers do anything with OV data unless humans manually take action to examine the certificate. So I'm comfortable saying they offer negligible security value.
I think if a browser said "hey, this site used to have an OV cert, but now has a DV cert", and explained why that could be bad, that could be useful, though many non-technical users would probably not get the distinction. Sure, they don't do that now, but UI/UX around TLS has been improving a lot over the past few years.
(Certificate Patrol's noting of the reverse is a little silly though; why would you flag a change that denotes an increase in security...?)
DV certs can certainly have wildcards and multiple domains, and no, OV certs are not "more secure" - they simply contain additional fields which suggest that a CA has taken some amount of effort to verify that the domains belong to a given organisation, which the end user can read. This is generally more-or-less useless, as I'm pretty sure we all know that nytimes.com is owned by the New York Times.
And who reads the certificate anyway? I've never heard that an end user actually reads the content of the certificate. They just look for the green lock.
It would often be confusing anyway, as the legal entities the certificate is issued to can be named very different from the brand.
Yeah, one would think that it's an easy job, but media organizations tend to have different projects, CMSs, designs, sometimes even (sub)domains for different things.
Media websites are constantly-evolving beasts, with a small tech team trying to hack shit up to make them work, and killing older content is never even an option.
At the end, with a limited amount of (mostly human) resources, you kind of have to draw the line somewhere and introduce the change, otherwise you will end up postponing it for possibly months.
No need, who would like to read the Lügenpresse securely anyway. People must be really uninformed to even pay for their own propaganda and then get a Comcast like experience like described below when wanting to cancel.
And of course a comodo cert, the worst incompetent thing you can get. https://www.youtube.com/watch?v=pDmj_xe7EIQ. I would prefer Letsencrypt over anything and not at all because its free.
So I am a Neo-Nazi for using a the word Lügenpresse for press the lies and lies over and over again?
And of course you link another fake news article claiming this word has roots on Nazi Germany when in fact this is a lie, its roots are in fact from earlier. But why care and do some actual research when you can just read political correct MSM Lügenpresse?
This guild by association BS does not work on people who can actually think for themselves. Because certain people in history used a word, does not mean everybody who uses it again is also part of this group/believe/mindset/... . But that of course how you political correct people tick. In your minds you create this tainted words nobody should dare to touch ever again because god beware someone evil used them brefore. Your creating a mind prison for yourselves its ridiculous!
Is HN a save space for PCs? I will find out sooner then later I guess.
'Are you a neo-Nazi?' No-one here knows, but you certainly sound like one. The swastika carries a very potent and toxic meaning today that it didn't until the last century or so. If you think symbolism and language are namby pamby liberal constructs with no inherent meaning, I'd encourage you to spray paint one on your house or have one tattooed on your forehead and see if the people you encounter as a result share your disdain for 'political correctness'.
I doubt you are a neo-Nazi. But words have meaning, and while this may just be an abstract game of righteous keyboard warfare to you, perhaps if you have an issue with the objectivity or accuracy of the media it would be best to say that plainly. Code words and innuendo directed at other members of your clique won't convince anyone and may well offend people with a better grasp on history (though that was likely your intention).
I sound like one for the use of a world in a modern completely different context then the Nazis did? In fact much of the modern world is very Fascist, and I am against that. But thanks for being the poster child for exactly of that mindset I meant. I like the word because I am for one German, and I agree with its general meaning in this modern age in regards to MSM. And I will continue to use it.
The swastika is a very beautiful spiritual symbol used in India and all over the world. What are you trying to say? That its great how society tainted it to be never to be used again because some idiot used it for his sick crap in the past? Why use Autobahn then to drive cars on, Hitler build them they are pure evil you MUST NOT TOUCH EVER!
You use the fact that most people will not get any other use then to display allegiance to nazis (at least in most places, no idea about India and other places like that TBH) as a argument? This is a the very way of thinking I hate.
In fact it should be possible to use it (in steet art, on your house-wall, on your forehead ...). But people like to be slaves to their own minds, and they even like it. Its pathetic.
Oh I you think I use it as a "Code Word" thats funny. Not at all but think what you like. And here I thought there would be some intelligent ppl on MH.
Did you have a public crying thread around here when Hillary lost? lol (Not a Trump supporter BTW)
You can tattoo a swastika on your forehead if you want. That's perfectly legal in the US. But I, and most people, will assume you're a neo-nazi. You can tell me and everyone you meet how that assumption is wrong, but that will be their initial impression regardless. Do with that information what you will.
For one I don't live in the US and I would have tremendous respect for anyone who would actually do this without being a nazi, trying to break the conditioning.
A beautiful women with an nice artistic face tattoo should do it, that could work I guess.
In Germany you need to be very crazy to do this, here you are legally forbidden to question anything about the Holocaust, I am not speaking of denial here, I speak of actually presenting any sort of evidence to a court. If you question anything about whats written in history books, lets say the number of Jews killed by the Nazis you are going to jail without a trail. You will be not allowed to submit anything to court. If you not blindly believe anything they tell you, your a criminal. You are not allowed to question anything about it at all. Now imagine how people react of you have a swastika on your head. Its probably illegal, I don't know but things are that crazy here. Swastikas were removed from video games where you actually fight the Nazis! People are crazy.
What is called conservative in the US and is perfectly normal for you, is called far right here. The political mid here what you call radical left. So in Germany's PC think I might actually be a Nazi.
Speaking of doing research, you might find actually reading the link undercuts your attempt to claim fake news: the second paragraph, for example, makes it clear that the term predates Nazi Germany by almost a century before noting ‘Lügenpresse refers to any medium that does not reflect the user’s own worldview, and must therefore be propagated by a hated “Other”.’.
The reason why I used “neo-Nazi” was that, again as noted in the article and many other sources, the term was avoided for years until various extremist groups started using it. Until Trump supporters started trying to normalize hatred for the media, I only saw it used by people who were also sharing anti-Semitic slurs and cartoons, racist memes, etc.
I'm sure, of course, that you already know the negative implications and were just trying to get a reaction but that doesn't mean there's any value to dragging that particular mess into this thread. There are plenty of corners of the internet where you can scratch that particular itch without polluting a discussion about a website enabling a security feature.
They were hacked in 1998 by "H4ck1ng F0r G1rl13z", by Adrian Lamo in 2012, by the Syrian Electronic Army in 2013, and claimed Russia attempted to hack them 5 months ago (and in the same breath said they have no evidence of this). Glad their security team is on the ball with this new-fangled encryption thingy.
Enabling HTTPS is a benefit even if it's not perfect. The integrity and authentication it provides are alone a MASSIVE benefit (especially for a news site).
Now you'll know that your news is coming from their servers, and nobody else is tampering with it.
Then taking into account that it does provide confidentiality, you get rid of "dragnet" style data gathering and inspection.
You'd need to be targeted by someone who not only has a lot of time, but also is very up to date on the pages of NYT and their sizes to be able to track your article by its size.
No matter what, it's still harder than it was before to snoop on what you are doing.
"Now you'll know that your news is coming from their servers, and nobody else is tampering with it."
I'm a HTTPS noob, can you explain how or why someone would tamper it on normal HTTP? Who would care to target me and what are the chances that NYT has been tampered with ever before?
I'll leave the "how" to any of the many resources out there that describe how HTTPS works. As to why, there's probably low likelihood that someone is tampering with your connection to the NYT. It's good practice, however, and is (largely) transparent to the user. My house may not have ever been broken into before, and likely not going to be broken into in the future, though I still lock my door.
And as that last link points out, this isn't a theoretical thing.
Not only do ISPs do it, but wifi hotspots, dodgy wifi routers, malware on anything in-between, and in some (admittedly rare cases) your government.
And the why isn't just ads. But passive tracking (ISPs have been known to analyze your traffic passively and sell that information), active tracking (the famous Verizon super cookie), "page optimization" which frequently breaks sites, and in some cases malware injection into images, executables, or anything else the bad actor could do automatically.
"Now you'll know that your news is coming from their servers, and nobody else is tampering with it."
I'm a HTTPS noob, can you explain how or why someone would tamper it on normal HTTP? Who would care to target me and what are the chances that NYT has been tampered with ever before?
That's an interesting point. An eavesdropper would be able to figure out which article you're reading. It might sound silly to worry about this, but you need to be careful in some countries.
This is an interesting puzzle. How much data do you need to add to a page before it becomes impossible (or at least, reasonably difficult) to guess which article someone is reading?
Eporner.com did it recently. I'm not sure if they are the first or how big they are compared to pornhub etc., but I happened to notice other day because they asked feedback on their frontpage about https.
HTTP/2 only supports HTTPS, which means HTTP connections don't benefit from HTTP/2's speed improvements. In addition, recent versions of Chrome only allow use of the location API by sites served over HTTPS. These are just two immediate examples that come to mind, but more exist.
166 comments
[ 3.4 ms ] story [ 227 ms ] threadhttps://github.com/yarrick/iodine
Of course this thread makes me wonder if I've been doing it wrong.
Using 1.1.1.1 makes a http request, which lets the captive portal take over, so good job, but you are actually hitting a group that actually exists, and what if they suddenly launch a HTST site on that IP? It might break your method.
I think specifically this url: http://www.apple.com/library/test/success.html
For those interested, learn more at: http://www.dns-sd.org/trailingdotsindomainnames.html https://en.wikipedia.org/wiki/Fully_qualified_domain_name
http://gstatic.com (Chrome uses http://gstatic.com/generate_204 , which returns a 204 No Content)
http://www.msftncsi.com (Windows, desktop and mobile, uses http://www.msftncsi.com/ncsi.txt. NCSI is "Network Connectivity Status Indicator")
http://captive.apple.com (macOS / iOS)
because those are likely to be extraordinarily well-maintained and reliable.
Unfortunately sometimes some captive portals allow just this one site through and not the others. Looking at you, United WiFi, which whitelists gstatic.com, but fortunately not msftncsi.com.
NYTimes now joins a small club, alongside the Guardian and the Washington Post.
Here's a dev blog post on the WaPo moving to https: https://developer.washingtonpost.com/pb/blog/post/2015/12/10...
And one on the Guardian moving to https: https://www.theguardian.com/info/developer-blog/2016/nov/29/...
[0] https://security.googleblog.com/2016/09/moving-towards-more-...
https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
The change is to set it on by default.
They're not trying to force everything over to https, they're just trying to make warnings more sane. And if a page is not secure, marking it as such makes sense.
https://security.googleblog.com/2016/09/moving-towards-more-...
Using https for a local network connection will also be more common, in the case you decide you don't trust the network.
https://securethe.news/sites/
The Intercept and Quartz each only publish a few articles per day. Each runs entirely on a single instance of Wordpress. Each covers only a few topics. Each has only a few templates, and simple ad inventory, if any.
A paper like the New York Times publishes many hundreds of stories every day, on almost every topic you can think of. They publish to wide variety of platforms, including print. They have a high volume of widely varying ad inventory. They have legacy content going back decades, in all sorts of legacy formats, perhaps even sitting in old CMS instances on separate servers.
TECHNOLOGICALLY SPEAKING, they are much more complex. Therefore transitioning to HTTPS is more difficult.
None of this is a commentary on the quality or social/cultural value of their content.
If so, this change amounts to not protecting user privacy as much as insisting that only the NYT can monetize their users' privacy.
All of that is impossible with HTTPS.
1. https://www.eff.org/deeplinks/2011/07/widespread-search-hija...
2. http://arstechnica.com/tech-policy/2014/09/why-comcasts-java...
3. https://andreasgal.com/2015/03/30/data-is-at-the-heart-of-se...
http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spy...
Lenovo got approximately $250,000 for installing the malware:
http://www.forbes.com/sites/thomasbrewster/2015/02/27/lenovo...
"If so, this change amounts to not protecting user privacy as much as insisting that only the NYT can monetize their users' privacy."
The cookie is now hidden from the MITM. Before, not only could they see what pages you see, but they could login as you.
The wifi owners can see that you're reading nytimes.com, but they can also see how much data was transmitted. All they need to do is look up the length of each article, and compare that with how much data the server returned.
Of course, I'm not too worried about hotel owners. I can imagine this technique is already being used by a lot of governments around the world.
They say HTTPS is complex to enable and imply they've been working on it for up to two years. And they finally get it done nine days before Trump.
Some people and organizations are panicking, either about his behavior or that net neutrality is out the window or about some boogeyman. That's why this story is relevant, now, because it's an indication that NYT may feel the internet will soon be a much more hostile environment.
Also does anyone know what the new personalisation features are that they mention being able to offer now HTTPS in place?
It's also possible that terminating the SSL and then passing through unsecured traffic lower in the stack is not ideal due to where the different parts of the site are hosted - e.g. passing traffic unsecured back and forth between private DC and public cloud.
Note: All speculation based on having implemented SSL migrations at large media companies.
Not sure what features the NYT is referencing specifically, but Chrome has certain features [like the Geolocation API][1] disabled for pages loaded over HTTP. See [Deprecating Powerful Features on Insecure Origins][2].
[1]: https://developers.google.com/web/updates/2016/04/geolocatio...
[2]: https://www.chromium.org/Home/chromium-security/deprecating-...
Also, features that are now available once the HTTPS by default on a website, is the AMP, Notifications, HTTP2 (faster loading) and, of course, the little advantage that Google gives to the HTTPS websites.
>Ask any developer at a major media organization what the biggest hurdle to HTTPS adoption is, and the answer is always going to be advertising. However, unless you understand the ins-and-outs of how digital advertising is implemented, it’s difficult to see why this presents a challenge.
from https://developer.washingtonpost.com/pb/blog/post/2015/12/10...
If you don't mind 404ing or breaking a ton of your old content, it's probably not too difficult. But if you're the newspaper of record, it's a big deal that URLs live on and continue to work as expected.
But I think you hit the nail on the head -- being the "newspaper of record" means you want to ensure that all your content displays like it did the day it was published.
We could also set a header forcing the browser to upgrade to secure when the resources are in the same domain.
[1] This number is approximate. Could have been less, could have been more; it was a while ago.
edit: I feel kinda bad now that this is the top comment in a thread about something positive the NYT did; if anyone tells me that they've since added online unsubscribe, I will change this comment accordingly.
I was going to get a subscription for the first time starting in February. I'll have to reconsider that.
[1] Actually I said "earlier this year", which is incorrect as of Jan 1.
I've subscribed and cancelled Hulu+ three or four times when there was a lull in the content. But I'd have no hesitation in signing up again because I remember how hassle free it was to cancel.
Contrast that against LogMeIn which has the same strategy as NYT by the sounds of it (call to cancel, takes 15+ minutes). When I needed LogMeIn for a new project, I looked around for alternatives instead because I remembered how big of a hassle it was to cancel. Ultimately LogMeIn didn't get my repeat business, not due to the financial cost, but the hassle cost of them.
Plus of course word of mouth like this is hugely damaging for these strategies. I won't be getting a NYT subscription now.
In the "My Apps & Games" menu > "Subscriptions" > "NYT Digital Access" > "Manage Subscription" > "Cancel" > "Confirm".
[1] http://www.economist.com/help/manageprintsubscription#cancel...
In most other industries, loyal customers get better treatment. Or it's the same deal for everyone. These sorts of inverted pricing structures may squeeze more revenue out of a few long-term, inattentive customers, but the hidden cost in churn, irritation and haggling is considerable.
Yes, IIRC the reason it was such an exhausting call is that they offered me a series of no less than 3, maybe more, progressively larger discounts. I simply wasn't interested, for my own reasons which are even less relevant to this thread than my original comment was.
If you've ever gotten the discount once, you aren't treated worse than new customers.
The internal incentives (worth an entirely separate post) reward phone reps disproportionately for heroic "saves" of accounts that were about to quit. The big promotion within these call centers is to get to work on the Customer Rescue team.
I don't know why the finance guys haven't figured out that they are rotting out their core revenue by doing this.
As a comparison (although not directly related), I think this is where Netflix gained traction initially here because despite having an uninspiring catalogue the option of a frictionless cancellation made in it an, almost, no-risk proposition.
I block a lot of sites which started to personalize content in an unwanted way.
I suppose that's the irony of declining business... after a while you can't even afford to take good care of your existing customers, which further accelerates the decline.
It'd still be nice to have a one-click option, but at least it's a bit easier to do passively than needing to call someone.
When I want to cancel a newspaper subscription and it's impossibly difficult, I just email them telling them I'd like to cancel the subscription delete the associated credit card. Not my problem anymore
May be different in the US, but if you did that in the UK and they didn't read your email or whatever, you're likely have them sell the debt to a collection agency which will then place a marker on your credit record.
It's then a huge pain in the ass undoing the credit record mark. I still have a default on my record thanks to the cable company here not cancelling our service properly. They even sent an courier to pick the equipment up but despite a trillion emails explaining this they insist they can't do anything about it because they have sold it to a collections agency. What a load of gibberish.
It's the best way right now, and it's silly because the news apps have to eat the Apple Tax just because their own internal policies keep me from signing up through them directly.
Why did they do that change, and what would be the advantage for them of an OV instead of a DV certificate?
[0] https://www.ssl.com/article/dv-ov-and-ev-certificates/
Nonsense. OV is no more secure than DV, just more expensive.
They could however create their own DV cert.
So while it uses the same technology, if you see an OC cert you can be more sure that it's the actual organization and not a cert that just proves that the domain is the domain.
No browsers do anything with OV data unless humans manually take action to examine the certificate. So I'm comfortable saying they offer negligible security value.
(Certificate Patrol's noting of the reverse is a little silly though; why would you flag a change that denotes an increase in security...?)
It would often be confusing anyway, as the legal entities the certificate is issued to can be named very different from the brand.
Media websites are constantly-evolving beasts, with a small tech team trying to hack shit up to make them work, and killing older content is never even an option.
At the end, with a limited amount of (mostly human) resources, you kind of have to draw the line somewhere and introduce the change, otherwise you will end up postponing it for possibly months.
And of course a comodo cert, the worst incompetent thing you can get. https://www.youtube.com/watch?v=pDmj_xe7EIQ. I would prefer Letsencrypt over anything and not at all because its free.
http://www.economist.com/news/europe/21710866-1848-1939-hist...
And of course you link another fake news article claiming this word has roots on Nazi Germany when in fact this is a lie, its roots are in fact from earlier. But why care and do some actual research when you can just read political correct MSM Lügenpresse?
This guild by association BS does not work on people who can actually think for themselves. Because certain people in history used a word, does not mean everybody who uses it again is also part of this group/believe/mindset/... . But that of course how you political correct people tick. In your minds you create this tainted words nobody should dare to touch ever again because god beware someone evil used them brefore. Your creating a mind prison for yourselves its ridiculous!
Is HN a save space for PCs? I will find out sooner then later I guess.
I doubt you are a neo-Nazi. But words have meaning, and while this may just be an abstract game of righteous keyboard warfare to you, perhaps if you have an issue with the objectivity or accuracy of the media it would be best to say that plainly. Code words and innuendo directed at other members of your clique won't convince anyone and may well offend people with a better grasp on history (though that was likely your intention).
The swastika is a very beautiful spiritual symbol used in India and all over the world. What are you trying to say? That its great how society tainted it to be never to be used again because some idiot used it for his sick crap in the past? Why use Autobahn then to drive cars on, Hitler build them they are pure evil you MUST NOT TOUCH EVER!
You use the fact that most people will not get any other use then to display allegiance to nazis (at least in most places, no idea about India and other places like that TBH) as a argument? This is a the very way of thinking I hate.
In fact it should be possible to use it (in steet art, on your house-wall, on your forehead ...). But people like to be slaves to their own minds, and they even like it. Its pathetic.
Oh I you think I use it as a "Code Word" thats funny. Not at all but think what you like. And here I thought there would be some intelligent ppl on MH.
Did you have a public crying thread around here when Hillary lost? lol (Not a Trump supporter BTW)
A beautiful women with an nice artistic face tattoo should do it, that could work I guess.
In Germany you need to be very crazy to do this, here you are legally forbidden to question anything about the Holocaust, I am not speaking of denial here, I speak of actually presenting any sort of evidence to a court. If you question anything about whats written in history books, lets say the number of Jews killed by the Nazis you are going to jail without a trail. You will be not allowed to submit anything to court. If you not blindly believe anything they tell you, your a criminal. You are not allowed to question anything about it at all. Now imagine how people react of you have a swastika on your head. Its probably illegal, I don't know but things are that crazy here. Swastikas were removed from video games where you actually fight the Nazis! People are crazy.
What is called conservative in the US and is perfectly normal for you, is called far right here. The political mid here what you call radical left. So in Germany's PC think I might actually be a Nazi.
The reason why I used “neo-Nazi” was that, again as noted in the article and many other sources, the term was avoided for years until various extremist groups started using it. Until Trump supporters started trying to normalize hatred for the media, I only saw it used by people who were also sharing anti-Semitic slurs and cartoons, racist memes, etc.
I'm sure, of course, that you already know the negative implications and were just trying to get a reaction but that doesn't mean there's any value to dragging that particular mess into this thread. There are plenty of corners of the internet where you can scratch that particular itch without polluting a discussion about a website enabling a security feature.
Source: https://twitter.com/matthew_d_green/status/53504312624809574...
Enabling HTTPS is a benefit even if it's not perfect. The integrity and authentication it provides are alone a MASSIVE benefit (especially for a news site).
Now you'll know that your news is coming from their servers, and nobody else is tampering with it.
Then taking into account that it does provide confidentiality, you get rid of "dragnet" style data gathering and inspection.
You'd need to be targeted by someone who not only has a lot of time, but also is very up to date on the pages of NYT and their sizes to be able to track your article by its size.
No matter what, it's still harder than it was before to snoop on what you are doing.
It's a net gain in just about every single way.
I'm a HTTPS noob, can you explain how or why someone would tamper it on normal HTTP? Who would care to target me and what are the chances that NYT has been tampered with ever before?
How? By being the user's ISP.
Why? To inject adverts.
What are the chances it affected nytimes.com? Almost certain.
Behold: http://arstechnica.com/tech-policy/2014/09/why-comcasts-java... - and that's not the only case of it.
Not only do ISPs do it, but wifi hotspots, dodgy wifi routers, malware on anything in-between, and in some (admittedly rare cases) your government.
And the why isn't just ads. But passive tracking (ISPs have been known to analyze your traffic passively and sell that information), active tracking (the famous Verizon super cookie), "page optimization" which frequently breaks sites, and in some cases malware injection into images, executables, or anything else the bad actor could do automatically.
I'm a HTTPS noob, can you explain how or why someone would tamper it on normal HTTP? Who would care to target me and what are the chances that NYT has been tampered with ever before?
This is an interesting puzzle. How much data do you need to add to a page before it becomes impossible (or at least, reasonably difficult) to guess which article someone is reading?
I tried to figure out, but then I remembered that I don't know anything about statistics. Oh well, I had fun: https://github.com/ndbroadbent/nyt_privacy