Why Livejournal's Loss of HTTPS Is A Thing
What's new about LJ is that they've turned off secured browsing (HTTPS ) so when you log into your account, your password can be seen by anyone monitoring the site and anyone else long the way (in transit). The payment page still seems to be encrypted (for now). The lack of HTTPS security also means anything you post under lock is also accessible and your personal identity can be stolen
In the end my advice: make a new password just for LJ, do not pay anything through them and realize that anything you post or read there there can be intercepted by others
http://mashable.com/2011/05/31/https-web-security/#bVkObrMWb5qf
"There’s an important distinction between tweeting to the world or sharing thoughts on Facebook and having your browsing activity going over unencrypted HTTP. You intentionally share tweets, likes, pics and thoughts. The lack of encryption means you’re unintentionally exposing the controls necessary to share such things. It’s the difference between someone viewing your profile and taking control of your keyboard.....
...If my linguistic metaphors have left you with no understanding of the technical steps to execute sniffing attacks, you can quite easily execute these attacks with readily-available tools. A recent one is a plugin you can add to your Firefox browser. The plugin, called Firesheep, enables mouse-click hacking for sites like Amazon, Facebook, Twitter and others. The creation of the plugin demonstrates that technical attacks can be put into the hands of anyone who wishes to be mischievous, unethical, or malicious.
To be clear, sniffing attacks don’t need to grab your password in order to impersonate you. Web apps that use HTTPS for authentication protect your password. If they use regular HTTP after you log in, they’re not protecting your privacy or your temporary identity"
Edited: install HTTPS EVERYWHERE which can be found at eff.org. It won't magically replace missing security (like what is happening on Livejournal), but it will turn on security if it is available. Ex: Up until 2013, on Facebook you had the option to have secured browsing. Or not. HTTPS Everywhere will toggle it on for you in case you mess up your default security settings
[A Dreamwidth post with
comments | Post or read on Dreamwidth| How to use OpenID]
In the end my advice: make a new password just for LJ, do not pay anything through them and realize that anything you post or read there there can be intercepted by others
http://mashable.com/2011/05/31/https-web-security/#bVkObrMWb5qf
"There’s an important distinction between tweeting to the world or sharing thoughts on Facebook and having your browsing activity going over unencrypted HTTP. You intentionally share tweets, likes, pics and thoughts. The lack of encryption means you’re unintentionally exposing the controls necessary to share such things. It’s the difference between someone viewing your profile and taking control of your keyboard.....
...If my linguistic metaphors have left you with no understanding of the technical steps to execute sniffing attacks, you can quite easily execute these attacks with readily-available tools. A recent one is a plugin you can add to your Firefox browser. The plugin, called Firesheep, enables mouse-click hacking for sites like Amazon, Facebook, Twitter and others. The creation of the plugin demonstrates that technical attacks can be put into the hands of anyone who wishes to be mischievous, unethical, or malicious.
To be clear, sniffing attacks don’t need to grab your password in order to impersonate you. Web apps that use HTTPS for authentication protect your password. If they use regular HTTP after you log in, they’re not protecting your privacy or your temporary identity"
Edited: install HTTPS EVERYWHERE which can be found at eff.org. It won't magically replace missing security (like what is happening on Livejournal), but it will turn on security if it is available. Ex: Up until 2013, on Facebook you had the option to have secured browsing. Or not. HTTPS Everywhere will toggle it on for you in case you mess up your default security settings
[A Dreamwidth post with
comments | Post or read on Dreamwidth| How to use OpenID]