Pornhub and Youporn now turn on encryption by default
[IMG]https://cdn0.vox-cdn.com/thumbor/w1A4FxtIgs6wtSRxwkG_aIbklt0=/0x0:740x741/920x613/filters:focal(311x312:429x430)/cdn0.vox-cdn.com/uploads/chorus_image/image/53989929/pornhub-billboard-1-sq.0.0.jpg[/IMG] [QUOTE]The announcement comes just days after Congress successfully voted to reverse an FCC privacy rule that will soon allow internet service providers to buy consumers’ web browsing data (the resolution just needs President Trump’s signature to become final. If you want to know which goobers members of Congress made that possible, here’s a full list.) While HTTPS won’t prevent ISPs from tracking what websites you’ve visited, it does prevent them from seeing what specific section of the website you looked at. In Pornhub’s case, ISPs will still know if you were on Pornhub, but it won’t know what kinds of videos you were watching.[/QUOTE] [QUOTE]"As one of the most viewed websites in the world, it is our duty to ensure the confidentiality and safety of our users," Brad Burns, vice president of YouPorn, said in a press statement. “The transition to HTTPS will go a long way in solidifying our users’ privacy and protecting them against various types of malware. The data on our webpages will now be encrypted, [B]making it significantly harder for third parties to penetrate.[/B]”[/QUOTE] [URL="http://www.theverge.com/2017/3/30/15125048/pornhub-youporn-https-encryption-privacy"]http://www.theverge.com/2017/3/30/15125048/pornhub-youporn-https-encryption-privacy[/URL]
That's great. I didn't actually know there was a difference between HTTP and HTTPS, so that's fascinating. However; [Quote]"The data on our webpages will now be encrypted, making it significantly harder for third parties to penetrate.”[/QUOTE] Now since when has pornhub been in the business of [i]stopping[/i] penetration :v:
[QUOTE=Mister Sandman;52036463]That's great. I didn't actually know there was a difference between HTTP and HTTPS, so that's fascinating. However; Now since when has pornhub been in the business of [i]stopping[/i] penetration :v:[/QUOTE] Ever since government has been trying to fuck their userbase :v:
Good, there is no reason for a site to not utilize HTTPS, especially now that you can do it for free with [url=https://letsencrypt.org/]letsencrypt[/url] (not the strongest but hey, it's free).
[QUOTE=Mister Sandman;52036463]That's great. I didn't actually know there was a difference between HTTP and HTTPS, so that's fascinating. However; Now since when has pornhub been in the business of [i]stopping[/i] penetration :v:[/QUOTE] They just don't want someone random to come penetrate you when you don't want that.
[QUOTE][B]significantly harder for third parties to penetrate[/B][/QUOTE] Every single press release, I swear. And I love them for this.
[QUOTE=chipsnapper2;52036536]Every single press release, I swear. And I love them for this.[/QUOTE] Pornhub's PR and marketing teams have the best jobs in the whole world
Good thing but in the end your ISP will still know that you visited pornhub, what specific video you watched and what searches you did as those show in the title and URL.
[QUOTE=ThatSprite;52036545]Pornhub's PR and marketing teams have the best jobs in the whole world[/QUOTE] -So what you do for a living >I work in the Marketing department at PornHub. >By the way you need to chill it on the Overwatch porn. You're freaking us out at the office.
[QUOTE=Mitsuma;52036594]Good thing but in the end your ISP will still know that you visited pornhub, what specific video you watched and what searches you did as those show in the title and URL.[/QUOTE] The amount of people on the internet that don't know the difference between HTTP and HTTPS is both alarming and disappointing. Your ISP doesn't give that much of a shit about what type of midget porn you like to MITM all your connections. They don't get the title. They don't get the url. They get the domain name you are connecting to and in the case of SNI certificates, they don't even get a domain name.
[QUOTE=Reagy;52036493]Good, there is no reason for a site to not utilize HTTPS, especially now that you can do it for free with [url=https://letsencrypt.org/]letsencrypt[/url] (not the strongest but hey, it's free).[/QUOTE] I'm almost certain that letsencrypt isn't meant for websites that take in millions of users every day
Wonder if Facepunch and other websites like imgur will do the same and follow?
[QUOTE=RocketSnail;52036639]I'm almost certain that letsencrypt isn't meant for websites that take in millions of users every day[/QUOTE] It's not meant for any specific purpose. It's just another CA that just happens to be free. The only limitation afaik is that it won't work for internal applications (maybe with a specific configuration though) because the domain verification requires it to be accessible from the internet.
[QUOTE=Sims_doc;52036676]Wonder if Facepunch and other websites like imgur will do the same and follow?[/QUOTE] Facepunch and imgur already support https - don't know if it's 'turned' on by default though
Those glorious fuckers. I salute them for using such potent protection.
[QUOTE=zoox;52036732]Facepunch and imgur already support https - don't know if it's 'turned' on by default though[/QUOTE] It's always been enabled by default for me, may depend on your browser though. Also, I thought PH had supported HTTPS for ages. Not that I'd know of course
Pornhub is a class act. Must be embarrassing being some moral guardian conservative and getting beat by a site dedicated to pornography.
[QUOTE=Sims_doc;52036676]Wonder if Facepunch and other websites like imgur will do the same and follow?[/QUOTE] If anyone knows anything about penetrating it's garry
[QUOTE=gk99;52036925]If anyone knows anything about penetrating it's garry[/QUOTE] A confirmed serial penetrator. He makes his victims suffer for a lifetime.
"https on by default" really means that http urls redirect to their https counterparts:
[code]
~ $ curl -i http://pornhub.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.pornhub.com/
Connection: close
[/code]
Browsers can also decide to try https urls for themselves, not sure which browsers do this when. And for the people who still don't get it; https means http over ssl, which is an encryption layer. (the S still stands for "secure" in a way, since ssl means secure sockets layer)
This was going to happen sooner or later. Finding big websites that don't automatically redirect to HTTPS is becoming increasingly more difficult with every passing day. It's the way it should be. After discovering how [url=https://en.wikipedia.org/wiki/Ettercap_(software)]trivial it is to steal people's data by MITMing their HTTP traffic[/url], I refuse to use a non-HTTPS connection where any kind of log in credentials are involved.
[QUOTE=Mitsuma;52036594]Good thing but in the end your ISP will still know that you visited pornhub, what specific video you watched and what searches you did as those show in the title and URL.[/QUOTE] Untrue. The title of the page is part of the HTML code, which is encrypted. The URL is part of the header, which is also encrypted. At best, your ISP will see the domain you connect to (if you rely on them for DNS lookup or they just use reverse lookup on the IP if you have a different DNS server). All the traffic between your browser and the webserver is completely encrypted on protocol level.
[QUOTE=windwakr;52037981]The domain + subdomains are sent in plaintext during the tls handshake, so your ISP doesn't need to do any DNS shenanigans to see the domain.[/QUOTE] Not true. The handshake is done just above TCP level, before the application layer. All the handshake contains are negotiations for what encryption and compression methods to use and then sharing the public keys. After that, all traffic is encrypted.
Wait they seriously didn't have https until now? wow
[QUOTE=thelurker1234;52039054]Wait they seriously didn't have https until now? wow[/QUOTE] I normally ask this about a lot of services and sites. I've heard many people end up concerned about the speed behind the encryption, which is actually wild. I'm not exactly sure what fuels this "if it ain't broke don't fix it" attitude, but I've seen a number of people against pushing their site to carry an HTTPS protocol because "it's too much work for something so small". It's very win-win at this point in my opinion, there's numbers of cert authorities that are meant for small businesses and encryption hasn't been 'slow' since the late 2000s in many cases
[QUOTE=thelurker1234;52039054]Wait they seriously didn't have https until now? wow[/QUOTE] They had, it just wasn't default option.
[QUOTE=thelurker1234;52039054]Wait they seriously didn't have https until now? wow[/QUOTE] Not providing https isn't the same as not redirecting http to https. They've had https for a while (I assume).
[QUOTE=Reagy;52036493]Good, there is no reason for a site to not utilize HTTPS, especially now that you can do it for free with [url=https://letsencrypt.org/]letsencrypt[/url] (not the strongest but hey, it's free).[/QUOTE] In terms of encryption/privacy it's as strong as any other decent solution, unless they massively messed up somewhere. The one thing it doesn't offer is offline identity verification, but to circumvent it you'd still need an active attack instead of just network sniffing. (A server operator could also somewhat easily harden their service against most active attacks after the first connection, but I don't think that's widespread yet.) [editline]1st April 2017[/editline] [QUOTE=windwakr;52038909][url]https://en.wikipedia.org/wiki/Server_Name_Indication[/url] [editline]...[/editline] You can verify this yourself in two seconds with something like Wireshark.[/QUOTE] That's quite a design error. In terms of cryptography, it should be very easy to put it after the key exchange but before the certificate check.
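The disagreement above about what an on-path observer can read comes down to the first TLS record the client sends. As an added example that is not part of the thread, this Python sketch builds a real ClientHello offline with the standard ssl module and parses the Server Name Indication extension out of the unencrypted bytes; the hostname www.example.com and the function names are constructed for illustration.

```python
import ssl

def client_hello_bytes(hostname: str) -> bytes:
    """Return the first TLS record a client would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()

def u(buf: bytes, pos: int, n: int) -> int:
    """Big-endian unsigned integer of n bytes at pos."""
    return int.from_bytes(buf[pos:pos + n], "big")

def extract_sni(record: bytes):
    """Parse one plaintext TLS record; return the SNI hostname or None."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        return None
    body = record[5:5 + u(record, 3, 2)]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        return None
    try:
        pos = 4 + 2 + 32                          # header, version, random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + u(body, pos, 2)                # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        ext_end = pos + 2 + u(body, pos, 2)
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = u(body, pos, 2), u(body, pos + 2, 2)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:
                # server_name: list_len(2) name_type(1) name_len(2) name
                return data[5:5 + u(data, 3, 2)].decode("ascii")
            pos += 4 + ext_len
    except IndexError:                            # truncated record
        return None
    return None

if __name__ == "__main__":
    hello = client_hello_bytes("www.example.com")  # constructed sample host
    print("visible before any key exchange:", extract_sni(hello))
```

The HTTP request line, path, query string and page title are only written after the handshake completes, so none of them appear in this record; the hostname does.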