This Week in Security: Non-Private Private Zones and Dead-Simple SSL Options

Triangulating Strava Users

Last week the news was about revealing guard patrol details and the active use of secret military facilities; this week it is about a service leaking the very locations its users asked it to hide. Strava, the popular athletic activity-tracking app, allows users to establish “privacy zones” that hide their activity near chosen locations, such as residences or workplaces. The idea is sound: users deserve to control the visibility and sharing of their location information, especially when it comes to keeping something like a home address private.

However, the implementation is too precise. Location data inside the privacy zone is withheld, but each recorded path is cut off at exactly the zone's radius from its center. The home address itself is never shared, yet because every visible start and stop point lies on the same circle around it, the center can be recovered precisely by triangulating from only a few paths.
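To make the failure concrete, here is an added simulation (not part of the original post, and not Strava's code): each activity is modelled as a straight line leaving a hidden home point, the visible endpoint is placed where the privacy zone cuts the path, and a least-squares circle fit estimates the zone's center from those endpoints. The home coordinates, radius and bearings are constructed values. With a fixed cut-off radius the center is recovered to well under a millimetre; drawing the cut-off randomly per activity (a candidate mitigation assumed here, not anything Strava is known to do) leaves the estimate off by tens of metres.

```python
import math
import random
from typing import List, Sequence, Tuple

Point = Tuple[float, float]


def public_endpoints(home: Point, radius: float, bearings: Sequence[float],
                     jitter: float = 0.0, seed: int = 0) -> List[Point]:
    """Simulate the first visible point of one activity per bearing.

    Each activity is a straight line leaving `home` at `theta` radians.
    A fixed-radius privacy zone hides everything closer than `radius`,
    so the visible path starts exactly `radius` away. With jitter > 0 the
    cut-off is instead drawn per activity from [radius, radius + jitter].
    Constructed model; units are arbitrary (think metres).
    """
    rng = random.Random(seed)
    points = []
    for theta in bearings:
        cut = radius + (rng.uniform(0.0, jitter) if jitter > 0 else 0.0)
        points.append((home[0] + cut * math.cos(theta),
                       home[1] + cut * math.sin(theta)))
    return points


def solve3(m: List[List[float]], v: List[float]) -> List[float]:
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    a = [row[:] + [rhs] for row, rhs in zip(m, v)]
    for col in range(3):
        pivot = max(range(col, 3), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(col + 1, 3):
            f = a[r][col] / a[col][col]
            for c in range(col, 4):
                a[r][c] -= f * a[col][c]
    x = [0.0] * 3
    for r in range(2, -1, -1):
        x[r] = (a[r][3] - sum(a[r][c] * x[c] for c in range(r + 1, 3))) / a[r][r]
    return x


def fit_circle(points: Sequence[Point]) -> Tuple[Point, float]:
    """Least-squares (Kasa) circle fit of x^2 + y^2 = 2a x + 2b y + c.

    Returns the center (a, b) and the radius. Needs at least three
    non-collinear points; this is the "triangulation" that a handful of
    visible endpoints makes possible.
    """
    sxx = sxy = syy = sx = sy = n = 0.0
    sxr = syr = sr = 0.0
    for x, y in points:
        r = x * x + y * y
        sxx += 4 * x * x
        sxy += 4 * x * y
        syy += 4 * y * y
        sx += 2 * x
        sy += 2 * y
        n += 1
        sxr += 2 * x * r
        syr += 2 * y * r
        sr += r
    a, b, c = solve3([[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, n]],
                     [sxr, syr, sr])
    radius = math.sqrt(max(c + a * a + b * b, 0.0))
    return (a, b), radius


def recovery_error(home: Point, radius: float, bearings: Sequence[float],
                   jitter: float = 0.0, seed: int = 0) -> float:
    """Distance between the true home and the center recovered from public endpoints."""
    center, _ = fit_circle(public_endpoints(home, radius, bearings, jitter, seed))
    return math.dist(home, center)


if __name__ == "__main__":
    HOME = (100.0, 250.0)            # constructed hidden location
    BEARINGS = [0.3, 2.1, 4.0, 5.5]  # four activities leaving in different directions
    print("fixed radius :", round(recovery_error(HOME, 200.0, BEARINGS), 6))
    print("jittered cut :", round(recovery_error(HOME, 200.0, BEARINGS, jitter=300.0), 1))
```

The fixed-radius case needs only a few endpoints because every one of them satisfies the same circle equation; the fit has no residual to absorb. Randomising the cut-off breaks that shared constraint, so more activities are needed before the estimate converges, and any single activity reveals only a loose bound on the distance to the hidden point.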

We may try to keep certain information private while openly sharing other, related information, but properly keeping things private is clearly not so easy. This all raises the question: can this kind of information sharing ever be made harmless?

Just Use HTTPS Already

Encrypting communication to a web server has long been easy to do, providing security and privacy gains at a continually decreasing cost. Even so, in 2018 there are still services and sites that don’t use HTTPS by default. Based on Google’s analytics, anywhere from 68% to 78% of web traffic is protected with HTTPS, meaning an uncomfortably large portion – 22% to 32% – still isn’t.

Starting in June of this year, Google Chrome will be alerting users of non-HTTPS sites that the communication is not secure, putting pressure on site operators to just get a cert already and enable (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog