Secure Web Browsing - Computerphile

Подписаться 2,4 млн

Просмотров 200 тыс.

50% 1

Websites & https what difference does the "s" make anyway? - Dr Richard Mortier of the University of Cambridge Computer Laboratory explains.
Follow the Cookie Trail: • Follow the Cookie Trai...
Man in the Middle / Superfish: • Man in the Middle Atta...
Botnets: • Botnets - Computerphile
Object Oriented Programming: • Pong & Object Oriented...
3D Rock Art Scanner: • 3D Rock Art Scanner - ...
Mixed Reality Continuum: • Mixed Reality Continuu...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Опубликовано:

21 мар 2016

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 160

@TheHoaxHotel 8 лет назад

The call's coming from... inside the server!

@Dragoon77 3 года назад

Yesh

@Seegalgalguntijak 8 лет назад

The worst thing about ads (as long as they're static images, without any movement or sound etc) is the tracking. If there weren't any tracking, those kind of unobtrusive ads needn't be blocked.

@Wulcat 8 лет назад

Soon i will start watching all videos of this channel . These videos are really lot informative for me and also something new and interesting .

@logicawe 8 лет назад

Great job, keep it up! Excited for the botnet video.

@Mikehanson21 8 лет назад

There is the SSL Observatory. It is part of HTTPS Everywhere. Pretty much when you get a certificate, it will check it against the Observatories copy of the certificate. If it is different, it will send the certificate to the Observatory along with the DNS information and ISP. The idea being that it will catch if a signed certificate is forged.

@Real_Tim_S 8 лет назад

Great talk ;-) I would love to hear a talk on HSTS, certificate thumbprints, and site Content-Security-Policy header tagging. I'd also like to hear about pre-shared keys and HTML5 client certificate generation.

@metaparcel 8 лет назад

It would be amazing if, because I'm living and working in China now, a video with Dr. Mortier explaining the Great Firewall of China and how it works and how its evolving and if possible to answer how VPN services are trying to stay 1 step ahead of the firewall implementation.

@inactivekick5579 7 лет назад

Clue, you're gonna need more than a vpn if you want to get around the deep, dark places of the world.

@giovannilicameli3561 5 лет назад

You literally just clarified everything. Thank you.

@Garbaz 8 лет назад

Will there be a second video about how the authentication works?

@thecommonsdecrypted 8 лет назад

Interesting topic, thank you computerphile

@NextLevelNoob 7 лет назад

Brady, can you do a video on certificates? Love your videos

@cMaXeJIJIo 8 лет назад

Actual advice for the end user: get a "Force HTTPS" plugin for your browser. Works like a charm.

@reububble 8 лет назад

I really want to buy bob's socks for some reason.

@peterfiser 8 лет назад

Boy, that SCaLE 14 shirt design is real nice. Can this be ordered somewhere?

@nirup96 8 лет назад

computerphile, more videos by Tom Scott?

@jaapaarts1007 8 лет назад

i really liked him, check his channels "Thom scot" and another one just dont remember the name

@JacobSmith_emjds 8 лет назад

+Nirup Iyer His channel is fantastic.

@Mikehanson21 8 лет назад

+Nirup Iyer plus 1 to Tom Scotts channel. He just did a great video about how many videos youtube can have before running out of address space.

@RealCadde 8 лет назад

+Nirup Iyer It was easier in the past when Tom was more closely linked to the university. Nowadays, Tom is a freelancer and has his own channel to think about.

@Bruno_Noobador 3 года назад

@jim0_o 8 лет назад

0:50 unless I've misunderstood, the browser Brave does the Ad replacement to fund their development. (having the options, native-Adblock Ad-Replace and Normal browsing.) Would be interesting to see your input, is it legal(if adblock is then this should be right?) . I did test Brave once and found it to be really fast. (lacked extensions I "need" and I hadn't heard enough about the developers to feel safe using their software.)

@Cieric 8 лет назад

+Jim R. Didriksen It's not entirely the same. This is because ads are grabbed separate from the main webpage, and what most ad blocking software does is it stops that initial request so the ad company records wont show you as a bought customer. basically ad companies only pay for what they get so the one hosting the webpage is the one losing profit.

@fobusas 8 лет назад

Hijacking ad space, impersonating a server o.O. How is any of this legal for ISPs to do? And if it's not, how are they getting away with that? ISPs, it seems to me, are rather easy to reach organizations.

@PsychoticusRex 8 лет назад

+Vaidas Šukauskas It's not, it's an act of wire fraud in USA and just fraud elsewhere. These ISP's are doing man-in-middle attacks on their own customers. But most courts staff have VCRs that blink 12:00...

@calfischer1149 8 лет назад

+PsychoticusRex yea, they kinda just get away with it

@calfischer1149 8 лет назад

JakesDen Gaming what do you mean? That's what he said

@UltimatePwnageNL 8 лет назад

+Vaidas Šukauskas In not-so-developed countries where the digital world is still lawless you can get away with everything online. That's why cyber crime is usually based in those countries, the authorities just go "Crime? What crime? This person has never been to your country, get lost."

@ChristianSchadewald 8 лет назад

+Vaidas Šukauskas this kind of attack (man-in-the-middle) can be also done by a tor exit node. This scenario might be more realistic.

@tilmanroeder609 8 лет назад

Any thoughts on the seif project?

@Adamantium9001 8 лет назад

Also, get the HTTPS Everywhere browser add-on!

@inactivekick5579 7 лет назад

No, not really. Since when did every domain on the planet start supporting https, by default??

@logical-functionsmodel9364 8 лет назад

Thanks for the video

@jaydenritchie1992 Год назад

does tls use the public pk to decrypt?

@RockWolfHD 4 года назад

Computerphile is just a rabbit hole :3

@EmbeddedSorcery 8 лет назад

They still make paper like that??? lol

@jaydenritchie1992 Год назад

pk is self signed to begin with?

@Trancecend 8 лет назад

Should have used Netscape as the browser icon

@voltare2amstereo 8 лет назад

ubiquity air os, always loads as https, always a certificate error..

@Sonekkah 8 лет назад

Could you add subtitles on the videos? The english subtitle. I'm not a native speaker and sometimes I don't understand what the people says. Thank you.

@mohamedhabas7391 Год назад

Awesome Shirt 🙏

@maxkillers26 8 лет назад

hey man, can you do one on safe bank transfers on websites, a way to tell if its safe to use your paypal and how to create a paypal online... i just have 0 trusts with sites that ask u for ur card details and some warning advice and tips would be so useful and stress free since theres a few things i want via online but i just dont trust it online so i cant get it...

@stensoft 8 лет назад

The main issue with these warnings is that they are so interrupting even though they just mean: don't trust what is written there and don't share your data there. It doesn't mean you should not access it. It's just the same as an unencrypted website. Which the browser would load happily anyway.

@DoctorDARKSIDE 8 лет назад

Please tell me that the "e" symbol used to represent the browser does not refer in any way to Internet Explorer. Please.

@RealCadde 8 лет назад

+DoctorDARKSIDE Should have used an N if he meant to go back in time.

@RealCadde 8 лет назад

Elliot Grey Or an N with a curved line at the bottom. That's clearly too hard.

@otakuribo 8 лет назад

+Cadde Fair enough. :)

@Freakschwimmer 8 лет назад

+DoctorDARKSIDE Pretty sure the e stands for Edge ;)

@90hijacked 8 лет назад

I'm assuming this is the kind of stuff used in DMZ's, so what could one do to circumvent such measures? using VPN's opendns or onion is common knowledge these days but, What other options are there And what are the essentials to compromise these systems :) would love to hear tom scott's take on it, purely for intellectual entertainment

@PsychoticusRex 8 лет назад

+90hijacked ... Only an SSH connection could conceivably get by it. a big part is knowing who's a threat or not; conceivably you could do an ssh connection to a proxy on a safe network and avoid your ISPs fraud and then proceed normally....

@TechyBen 8 лет назад

"Lets go old school", nope, more like "lets go dangerous!" ;) Ps, what happened to the recording at 5:54? Oh, I see, you rotated the universe around to make the paper straight. :D

@seanski44 8 лет назад

Yeah the writing was a bit close to the end of the page so I had to fold space...

@anayahaysom8156 2 года назад

Why did somebody send the link to mr

@petetong3166 7 лет назад

Make a video about how to use vpn's to go on Tor and stay secure

@teekanne15 8 лет назад

does this noticeably slow down/reduce responsiveness when browsing the web? (shouldn't be more than double the ping time right?)

@oliviamay 8 лет назад

+teekanne15 Because RU-vid uses https, you're using this right now. It's not much slower =)

@AndrewMeyer 8 лет назад

+teekanne15 Not really. In fact, thanks to the fact that many browsers only support HTTP/2 over HTTPS, HTTPS can actually be _faster_ than plain HTTP in some cases.

@oliviamay 8 лет назад

Andrew Meyer Oh hey, I had no idea. Learn a new computery thing every day, I guess =)

@UntouchedWagons 8 лет назад

Rogers used to do something like this, if you were supposed to get an HTTP 404 error Rogers would redirect you to their own branded search engine advertising a bunch of crap.

@CatnamedMittens 8 лет назад

Sick shirt tbh

@j7ndominica051 8 лет назад

Redirecting an ad server to a blank page, and by doing so cutting off a large portion of that convoluted web of recursive advertser scripts hosted on different servers, is a very useful thing to do. I'm afraid than in the not so distant, ideal future where everything is under SSL, cetificates, authenticated and encrypted, and probably even the browser is locked down, the user will be forced to accept all web junk. But users will be convinced that all that security is for their own benefit. It will probably get to a point were Windows will refuse to run a unauthenticated, hacked software... I really hate SSL on normal discussion and entertainment sites, where it creates a delay before a connection can be established, proportional to the distance to the server. I've disabled OCSP and revocation lists to cut down the extra commonication, and now I see an open padlock most of the time. If the ISP is chatty, and likes to notify user about payments and stuff on websites, then it is a bad ISP, and should be changed. An ISP like that is probably likely to disallow some other options, such as use of an alternate DNS server or servers on certain ports like 25 or 80.

@bikalimark 6 лет назад

6:29 the way he writes doubleT-P :D

@dannygjk 6 лет назад

Standard since I was a kid. Maybe even before. :)

@nirup96 8 лет назад

he used 'e' to represent browser.. damn internet explorer users

@iandonaldpaul 8 лет назад

+Nirup Iyer it's called Edge now and it's totally not just internet explorer!

@Waniou137 8 лет назад

+Zudo It actually really isn't bad. They rebuilt the engine from scratch and it works pretty well.

@nodezsh 8 лет назад

+iandonaldpaul Well, AFAIK Edge is made from scratch, but it's was made to be basic enough that they couldn't make the same mistakes. - I give up. It's been 10 years. 10 YEARS SINCE I STARTED TRYING. I will never learn how to cook steak. - Hey what if I teach you how to make a ham sandwich instead? - Great idea!

@Waniou137 8 лет назад

+Zudo Oh, it's not perfect, but it's a huge step up from IE.

@seamusfrederick2927 8 лет назад

+Waniou fair enough, but Chrome still wins the race by a big shot

@wingszepoon8418 8 лет назад

I just stared at his shirt for the whole video…

@pauliusnarkevicius9959 11 месяцев назад

Why No-One is talking about Reliability of Internet Service Providers who enforce Questionable List of Interferences to their Clients? Does Citizens and People Voted for these Changes to Begin With.

@Azyx90 8 лет назад

We hear talk about teaching our kids programming in school but stuff like this what they should be taught. I don't mean that programming is not important but it's not what everyone needs. You don't need programming to safely use social media, you don't need programming to safely visit websites, you don't need programming to fix problems with your operating system's normal functions, you don't need programming to know how to update your smart phone and the list can go on. What you need is understanding of all the basic principals of what makes your life with computers and smart phones tick. You need to know how to identify malware, know when a program is trying to cheat you, know how to get rid of malicious programs, how to safely do online shopping and what are the legal channels you can seek help. I have two younger sisters (20 and 14) and these are the issues I need to deal on regular basis. Just search The IT Crowd - "The Laptop from the Exorcist" and you know what I mean. Oh and I do know that officials keep spouting "it's not just programming we teach to our children, but the other important things too". But... Well... Did they name it "Programming" so it sells better because it sounds fancier than "Common computer skills"? The more complex our systems become the more important it is to be well edumacated. We geeks are rushing ahead while general population just surfs on the top waves enjoying sunshine while sharks below prepare for attacks. Just like demonstrated on this video.

@RealCadde 8 лет назад

+Nyyppis Programming is a means to an end. They should be taught programming and be encouraged to reverse engineer stuff to show just how easy it is to break something and use it for their own purposes. The first "hack" i learned with computers was deleting a database file containing user information before starting a program. Unfortunately i don't recall the program used but it was a text-based GUI under DOS. Once the file was gone, you gained automatic "SUPER USER" access when you started the program and could thus edit all the scripts and stuff that still was around after deletion of the user file. In those scripts were passwords for network shares on the school's server. This meant i now had access to certain stuff on the server that i shouldn't have access to. Such as each students private work folders with all their essays in them etc. If you are taught programming you also learn how easy it is to break stuff. If you are taught to write binary data files, you also learn how to read binary data files and as such you learn how to use a hex editor and with a hex editor you can look into stuff you shouldn't look into. It also lets you do all kinds of other stuff to break programs. I NOP'ed a certain function in a program using a disassembler when i was tired of it nagging me about buying a licence. In conclusion, if you learn programming you learn HOW to break stuff and that teaches you how to defend against the most common/simple hacks and cracks. You also learn that NOTHING is unbreakable, given enough knowledge, time and ideas. As such, the only way to win is to not participate. Just like War Games.

@Azyx90 8 лет назад

Yeah, I get your point and agree that the things you mentioned are important. I was trying to say that programming is just a small part of what should actually be taught. And that's why I don't approve calling it "programming" in the curriculum. I'll try to elaborate. To understand this video you don't need to understand any coding. But if you wanted to test the concepts of this video... Well then you need coding skills. How many hours of self educational playing around with computers you did before you could pull off the hack? How many basic concepts of computers you thought to yourself before you even knew you could execute a hack like that? Most likely you haven't even thought about how much you first had to know to be able to pull off that hack because it's all mixed up with the things you learned after. And I don't mean this in a bad way. That's just what happens when you learn a lot of stuff. It becomes instinctive and becomes a blur. I'm actually a bit jealous because you pulled off such a fun hack. I never did anything remotely so fun. So yeah. What I was trying to say: Teach universal and basic skills to all students and give the most interested ones voluntary extra courses for a chance to enhance their skills. The above mentioned basics include some programming too. And that's when courses called Programming become relevant. I must admit that it looks like I bashed down programming entirely but that's not it. It's just that curriculum's have very limited time and you need to make most of it.

@rkpetry 8 лет назад

The browser itself should handle all passwords and show the root-secure domain name in larger font...

@MaxGuides 8 лет назад

...but you can still block and replace

@Azivegu 8 лет назад

Flash, flash, flash. Then wait for it. Nothing for a while. Wait for it. Double flash.

@Zaphodox 5 лет назад

dot matrix paper

@AtheistsAreActuallyTheistsProo 8 лет назад

"Banner across the bottom" uwot

@foobars3816 8 лет назад

+I'm Not A Xenophobe, Back In My Day It Was Called "Patriotism" What are you referring to? There is no banner.

@AtheistsAreActuallyTheistsProo 8 лет назад

foobars It's at the beginning of the video.

@Seegalgalguntijak 8 лет назад

Ads must be blocked, and that's all there is to it. Without blocking ads (or any and every cross-site request, only selectively allowing those that are needed for the site to work), the web is absolutely unusable - like a triangular wheel, or something like that.

@Seegalgalguntijak 8 лет назад

An ISP that manipulates its user's traffic on the content level is an ISP that doesn't need or want customers.

@Meb8Rappa 8 лет назад

5:53 What the hell is that thing on the right?

@aakksshhaayy 8 лет назад

+Meb8Rappa it's a ghost.

@drcookie5492 Год назад

🥶

@unvergebeneid 8 лет назад

There's literally no company I have to trust as much as my ISP. If my ISP pulled off shit like that, I'd dump them faster than they could say "extraordinary notice of cancellation".

@RealCadde 8 лет назад

+Penny Lane Which is why i used to trust an ISP that advocated that they would never share private information with anyone, not even the authorities. Problem though was that they had really awful customer service and so i switched when they didn't respond to a simple request in over a week. I dunno why i wanted to share that, i guess it's just that hard to find an ISP that cares both about you as a customer and your rights on the internets.

@IstasPumaNevada 8 лет назад

A few arsehats ruining it for everyone, as usual. :) Thanks for another interesting and useful video.

@WIImotionmasher 8 лет назад

Do all browsing in a VM ... done ... Oh wait ... bank details..

@swagar 8 лет назад

If you do everything in a VM, and that VM gets hacked, isn't that a distinction without a difference?

@WIImotionmasher 8 лет назад

Tyler Swagar What I was thinking is that they can't mine your computer for data, if every time you step away from it, you delete the VM. So nothing can grab saved data. But yeah a VM would still have those issues.

@djsensacion7 5 лет назад

@@WIImotionmasher VM+VPN+HTTPS

@zundappchef 8 лет назад

pine apple

@oliviamay 8 лет назад

It seems weird how few views these videos get in 5 hours, compared to the number of subscribers.

@B4K4157 8 лет назад

Anyone else look up at their address bar while watching the video?

@niccatipay 6 лет назад

Nowhere is safe! Only Safer ~ Conspiracy Theorists *One of the things that I am sure to get 75% approval* P.S. the last statement above is not based on an objective analysis. Take it with a grain of salt

@overwrite_oversweet 8 лет назад

Certificate Pinning FTW!

@DeJayHank 8 лет назад

I used letsencrypt.org the other week for a web server and it automatically configured my apache2 site so quick I almost forgot I was in debian.

@AmnonSadeh 8 лет назад

For Pete's sake, level that mug on the shelf!

@HungryGuyStories 8 лет назад

What we really need is to stop spam email!!! And this is how to do it: Email starts from some email client, through a series of servers as it crosses the world, and ends at an email client. Each time a server passes an email along to the next server, it includes its own IP address. The receiving server or email client does a little handshake with the sending server, "Did you just send me this email?" "Yes I did. please send it on its way to the next server." But if the answer is, "No, I didn't send you that email. It spoofed my IP," the email gets dropped. With this mechanism in place, you can trace it back to either the spam client or to a server that vouched for an email in error. It has to be one or the other. And whichever it is gets blacklisted. Viola! No more spam! The fact that this obvious solution has never been implemented makes me suspect that Microsoft and all the other big corps are really on the side of the spammers...

@subtropical-yearning 8 лет назад

+Hungry Guy Email headers already include the IPs of every server they were relayed through. People don't spoof 'from' IPs, because it's far easier to just use a random open relay. Relaying legitimate mail through multiple Random Servers on the Internet is really uncommon these days; it's usually the various boxes within a sender's network that relay traffic to the mail servers on the edge of the network, and then straight to the recipient's mailserver, then through whatever setup they have there. Validation of sender IPs is the problem SPF is designed to fix: a domain lists a TXT record in spf format, and recipients can judge whether or not the sender was permitted to send based on this value. Unfortunately, the majority of spam comes from open relays, often being run on compromised PCs, and has garbage envelope senders for point at a domain that doesn't list anything -- because it doesn't have to.