On Tuesday 11 January 2011 14:58:51 Marshall Eubanks wrote:
On twitter right now there are frequent claims that all https is blocked (presumably a port blocking).
A quick search pulls up. http://www.cpj.org/internet/2011/01/tunisia-invades-censors-facebook-other-a... Since Gmail defaults to HTTPS, and many other sites left to their own devices, it is necessary for an attacker to try and force clients to use HTTP or start conversation using HTTP (so that no one notices when the important bit isn't encrypted, or to enable javascript from a third part to be injected). NoScript for Firefox has a force HTTPS for a domain feature. http://noscript.net/faq#qa6_3 But what clients really need is a way for servers to say "always use encryption". http://noscript.net/faq#STS Of course when it gets to the level of countries, it is quite plausible your browser may already trust a certificate authority under their jurisdiction so all bets are off. I think I'm saying HTTPS doesn't quite hack it in browsers yet, but it will be "secure enough" real soon now.