Author Topic: Secure version of the forum  (Read 56168 times)


Online giosif (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 886
  • Country: gb
Secure version of the forum
« on: November 05, 2014, 12:57:19 pm »
Hi all,

I am a new member of the forum and I noticed that, although using https://... for the forum URL does work to some degree, it doesn't seem to be fully implemented.
Is this intentional/expected or an unintended problem?

I'm just thinking that at least my login credentials and PM's would be something I want to keep private, especially when accessing the forum via a hotspot.

Thanks,
George
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #1 on: November 06, 2014, 01:30:32 am »
+1
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #2 on: November 06, 2014, 01:38:08 am »
It's always a good idea to use different credentials for different sites. Https won't prevent an SQL injection. Not saying that it's possible in SMF, but if there was an exploit that could be used to get the user's data, SSL won't prevent it.

That said, Https will prevent people from intercepting your packets but then they will have to be able to gain access to the networks between you and the server, which is probably not hard since hostmonster and hostgator (same datacenter I believe) offer shells for those that need them.

 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #3 on: November 06, 2014, 01:43:21 am »
Never considered it before.
 

Offline johansen

  • Frequent Contributor
  • **
  • Posts: 995
Re: Secure version of the forum
« Reply #4 on: November 06, 2014, 01:52:50 am »
I don't think there is really any reason to build a secure forum.

This isn't a chemistry forum, where LEOs are looking for folks with contraband three necked flasks.
 

n45048

  • Guest
Re: Secure version of the forum
« Reply #5 on: November 06, 2014, 01:56:21 am »
Quote
Never considered it before.
I never noticed it before! I think it should be HTTPS by default for sure!

Also, I'm a little concerned about how many of the topics can be viewed without a login (and indexed on Google).
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2806
  • Country: au
Re: Secure version of the forum
« Reply #6 on: November 06, 2014, 02:09:58 am »
Quote
Also, I'm a little concerned about how many of the topics can be viewed without a login (and indexed on Google).

I suspect that's the way Dave likes it.  ;)
 

Offline ovnr

  • Frequent Contributor
  • **
  • Posts: 658
  • Country: no
  • Lurker
Re: Secure version of the forum
« Reply #7 on: November 06, 2014, 02:37:48 am »
Quote
I never noticed it before! I think it should be HTTPS by default for sure!

Also, I'm a little concerned about how many of the topics can be viewed without a login (and indexed on Google).

Hah, really? If this was some locked-down forum where you couldn't view images or search or do anything without registering, I'd certainly not have joined in the first place. I expect the same applies to several others; I really detest the forums with those practices.

And why in the world would you be concerned about google of all things being able to index the forum? If they weren't, any searches would only turn up the front page - with keywords for that - not threads like the E4 hack, and the like.


On HTTPS: It's a forum. It's public. If you have even remotely good password habits (not reusing things which matter), getting your login credentials stolen is not a big deal. And who sends secret things via the PM system? Really? No, there'd be a ton of other things I'd have liked to see fixed here before full HTTPS support even entered into it.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #8 on: November 06, 2014, 04:27:04 am »
Quote
Also, I'm a little concerned about how many of the topics can be viewed without a login (and indexed on Google).

It's a "free and open forum".
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3442
  • Country: us
Re: Secure version of the forum
« Reply #9 on: November 06, 2014, 04:38:05 am »
Quote
...
On HTTPS: It's a forum. It's public. If you have even remotely good password habits (not reusing things which matter), getting your login credentials stolen is not a big deal. And who sends secret things via the PM system? Really? No, there'd be a ton of other things I'd have liked to see fixed here before full HTTPS support even entered into it.
...

I think ovnr is right.  This is just a forum.  Communication here is for the public to read even without a password, so securing messages from eavesdropping is pointless.  As to the log-on part, I can't imagine a scenario here where someone would steal a password just to post a note or read the personal messages here.

Besides, why waste resources.  Two kinds of resource:

1. No matter what broadband you use, there is always an upper limit on speed, be it net or CPU; encryption will use more data bandwidth.  If your connection is by volume, it will hurt.

2. Some servers (PCs, smartphones, etc.) somewhere are going to burn cycles (i.e. electrical power) just to deal with the overhead of transmitting, encrypting, and decrypting things that are open and public.

It will be a stupid waste of resources and added trouble for admin or users for no good reason.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #10 on: November 06, 2014, 04:58:58 am »
So is some proponent going to propose some legitimate reason to make this secure?
Else, it just sounds like free-floating anxiety.  :scared:
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #11 on: November 06, 2014, 05:14:29 am »
Arguments about overhead are made only by people who have not measured it.  Bandwidth and CPU overhead for encryption is effectively zero. No one complains about gzip compressed http streams, which have a significant CPU overhead in comparison, and servers that serve gzip compressed http are extremely common.

More concerning to me are the people here trying to convince me that ANYTHING I do on the web should be done in the clear, even if it is just a forum.
« Last Edit: November 06, 2014, 05:16:21 am by Rigby »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #12 on: November 06, 2014, 06:08:13 am »
Quote
Arguments about overhead are made only by people who have not measured it.  Bandwidth and CPU overhead for encryption is effectively zero. No one complains about gzip compressed http streams, which have a significant CPU overhead in comparison, and servers that serve gzip compressed http are extremely common.

Clearly you have not been exposed to large scale hosting setups, even enabling gzip on a site that is handling large amounts of traffic can cause CPU load issues. Also RSA accelerator cards still do exist and are still used in heavy hosting environments as RSA is a slow problem to compute, which is the entire point. I have deployed at least two of these over the last 6 months.

In this instance though, what is the point?

Positives:
  * Nobody can listen in and steal your credit card details... oh wait, this site doesn't use them.

Negatives:
  * Higher CPU usage overall
  * Each page load will involve SSL handshakes, slowing down page loads for everyone
  * Since the service is proxied via CloudFlare, you can double that.
  * Harder to debug if there are HTTP connection problems
  * Anything inlined that is non-SSL (i.e. inlined images/videos from non-SSL external servers) will cause SSL warnings and can (at least with Chrome) prevent the content loading.

Quote
More concerning to me are the people here trying to convince me that ANYTHING I do on the web should be done in the clear, even if it is just a forum.

I would be more concerned with the fact that the remote server is usually the point of attack, and it is where all your communication is decrypted back into clear. How do you know you can trust that the remote server has not been compromised and is stealing your sensitive data, or even storing it in the clear (yes, this does happen, look at the Sony PSN fiasco)?
« Last Edit: November 06, 2014, 06:20:32 am by gnif »
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Secure version of the forum
« Reply #13 on: November 06, 2014, 06:16:54 am »
Once you get the certificate, can't you just allow https for those users who do want it but still use http for the other 90%?
Also you can use one of your openssl certs I suppose to save a few dollars.

For example people posting from work may not want to send stuff in plain text.




 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #14 on: November 06, 2014, 06:22:38 am »
Quote
Once you get the certificate, can't you just allow https for those users who do want it but still use http for the other 90%?
Also you can use one of your openssl certs I suppose to save a few dollars.

For example people posting from work may not want to send stuff in plain text.

So you want us to fix every 'http' to 'https' across the entire forum & website since the beginning of time, just so the few paranoid users can use HTTPS when there is really no point?

Do you want your newspaper to come encrypted to your front door each day too?

If you are posting from work and you don't want your employer to know, doesn't that mean you are doing something suspicious anyway? And if you are that worried, a simple SSH tunnel to a remote server running a proxy such as squid would be the way to go.

SMTP, POP3 and IMAP are protocols that were originally all clear text, including password authentication. Recently SSL has become quite widely available for these... but if you send an email, servers still communicate between each other using SMTP with NO encryption. Now most in the field know it is not a good idea to send passwords/details via email, but many many many still do, some even take credit card details via email. So before we switch every public HTTP website to HTTPS, how about we fix other glaring holes in the way we do things.
« Last Edit: November 06, 2014, 06:31:12 am by gnif »
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Secure version of the forum
« Reply #15 on: November 06, 2014, 06:42:14 am »
I just thought it was a fairly simple change, but then again I have never run a forum.
My only experiences were running apache and IIS years ago on smaller web sites. I remember it being a relatively easy change.

I acknowledge you are in the best position to know how difficult the change is.

As to the moral side of things, I don't think posting on eevblog is immoral.
But some bosses may not like being talked about on EEVblog, or may see EEVBlog as a time wasting activity. I disagree.
Some posters who are posting because they are bored@work may think it best to keep snoopers out of the loop though.




 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #16 on: November 06, 2014, 06:44:23 am »
Encryption by default is a good policy, and where sensible should be adopted. In large part because trusting people with their own security is a good way to ensure they are not secure at all. Most people should know by now about good password policy, but of those, who exercises it? Especially on low-value accounts like EEVblog. I would wager that >> 75% of users here use the same password here as at least 5 other sites, probably many more. Some of those will be web e-mail accounts that lead to identity theft or blah blah blah. Defense in depth and don't trust the user: secure everything as well as you can without major hardship, regardless of perceived value.

And as "useless" as this account is, it would still be quite annoying if it were compromised, and not necessarily only for me, but for the EEVblog moderators as well.

On top of that, there are decent arguments for proxy traversal, privacy at work, etc.

There are few good reasons these days to do anything in the clear, even something as mundane as this. I'm kind of surprised to see the backlash on this thread, adding crypto is usually nothing but good.

That said, the embedding remote content issue is a problem, but the way forward is to offer your local content via HTTPS, not reject the idea and commit to the status quo forevermore.

Also: CloudFlare will handle SSL termination for you, along with all the performance implications for your backend. Use relative URIs in generated content and everything should "just work", aside from remote content.
73 de VE7XEN
He/Him
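ve7xen's advice to use relative URIs is the fix for the mixed-content problem gnif raised in reply #12: once the page itself is served over https, any sub-resource still referenced as http:// is blocked (scripts, stylesheets, frames) or warned about (images, media) by the browser. The scanner below is an added example, not code from the forum or from SMF. It takes a page's HTML and the forum's own hostname (a constructed placeholder here, as are the paths) and reports every http:// sub-resource together with the fix ve7xen describes: a relative URI for the forum's own assets, an https reference for remote embeds where the remote host supports it.

```python
"""Scan forum HTML for mixed content (http:// sub-resources on an https page).

Added example, not EEVblog/SMF code. The page markup, host and paths below
are constructed for the demonstration; `site_host` is whatever host serves
the forum itself.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resources that browsers block outright on an https page ("active"
# mixed content) versus those that only trigger a warning ("passive").
# Plain links (<a href>) are navigation, not mixed content, so they are
# deliberately not listed.
ACTIVE = {"script": "src", "link": "href", "iframe": "src",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects every http:// reference in a tag that loads a sub-resource."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return  # https://, relative or protocol-relative: nothing to do
        if parts.netloc.lower() == self.site_host:
            # Local asset: a relative URI inherits the page's scheme, so it
            # works whether the page is fetched over http or https.
            fix = parts.path or "/"
            if parts.query:
                fix += "?" + parts.query
            note = "local asset: use a relative URI"
        else:
            # Remote embed: only fixable if that host also serves https.
            fix = "https://" + url[len("http://"):]
            note = "remote asset: reference over https if the host supports it"
        self.findings.append({
            "tag": tag,
            "kind": "active" if tag in ACTIVE else "passive",
            "url": url,
            "fix": fix,
            "note": note,
        })


def find_mixed_content(html, site_host):
    """Return one finding per http:// sub-resource, in document order."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the host and the asset paths are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://forum.example.com/Themes/default/css/index.css">
<script src="http://forum.example.com/Themes/default/scripts/script.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
</head><body>
<img src="http://i.imgur.com/abc123.png">
<img src="/Themes/default/images/smiley.gif">
<a href="http://www.bbc.com/news/technology-29950946">a link is not mixed content</a>
<iframe src="http://www.youtube.com/embed/placeholder"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE, "forum.example.com"):
        print(f"[{f['kind']}] <{f['tag']}> {f['url']} -> {f['fix']} ({f['note']})")
```

Run against the sample, it flags the two local assets (stylesheet and script) with relative-path fixes and the two remote embeds (imgur image, YouTube frame) with https rewrites, while leaving the already-https jQuery reference, the relative smiley and the plain hyperlink alone. The same scan over a theme's template files is the quickest way to find the "absolute references to JS etc." that ve7xen mentions later in the thread.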
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #17 on: November 06, 2014, 06:49:11 am »
Quote
SMTP, POP3 and IMAP are protocols that were originally all clear text, including password authentication. Recently SSL has become quite widely available for these... but if you send an email, servers still communicate between each other using SMTP with NO encryption. Now most in the field know it is not a good idea to send passwords/details via email, but many many many still do, some even take credit card details via email. So before we switch every public HTTP website to HTTPS, how about we fix other glaring holes in the way we do things.
Because the weak point is generally the end user's access. Aside from corrupt employees, obtaining sufficient access to a service provider network to sniff this traffic is a huge barrier to doing this kind of attack against a home user. When the attacker controls the access network (i.e. your workplace) or when the access network is multiple-access (i.e. WiFi), it is trivial.

Opportunistic SSL in SMTP is also fairly widely implemented these days, at least by the big boys. Google, Yahoo and Hotmail all do it.

Also EEVblog doesn't offer e-mail services, so those problems are not ones that can be addressed by its administrators.
73 de VE7XEN
He/Him
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #18 on: November 06, 2014, 06:52:33 am »
Quote
There are few good reasons these days to do anything in the clear, even something as mundane as this. I'm kind of surprised to see the backlash on this thread, adding crypto is usually nothing but good.

It is not backlash, just pointless. As for SSL termination at CF, CF still needs a secure way to talk to the HTTP server, it does not terminate at CF, otherwise someone could just sniff the traffic between CF and the HTTP server.

Quote
Also EEVblog doesn't offer e-mail services, so those problems are not ones that can be addressed by its administrators.

That was not the point, it was an example of people thinking things are secure just because their connection to the server is secure.

In short, SSL will not be enabled on the server for the reasons stated previously.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #19 on: November 06, 2014, 06:58:44 am »
Quote
It is not backlash, just pointless. As for SSL termination at CF, CF still needs a secure way to talk to the HTTP server, it does not terminate at CF, otherwise someone could just sniff the traffic between CF and the HTTP server.
Exactly. Which is comparatively extremely difficult, unless Dave decides to move the server to a coffee shop. Some security >> no security. Of course you could do it right, but you're railing against that idea, so the CF solution that requires basically zero effort and causes zero performance impact seems appealing.

Quote
That was not the point, it was an example of people thinking things are secure just because their connection to the server is secure.
The point is that a) people are fixing these problems and b) how about fixing the ones you can fix instead of deflecting to ones you can't. Anyway, there is no "secure", it's a continuum from airgapped, underground, TEMPEST-shielded vault to a machine with no passwords that does everything in the clear. Securing the "last metre" goes a long, long way to increasing the difficulty for this sort of thing. Most of the "attackers" are bored teenagers camping out at coffee shops, they're not going to start social engineering service provider networks to get that traffic another way if people start encrypting everything on the wireless. Neither are 99% of the criminals, it's a crime of opportunity and they're just going to move on to something else.

If you're not part of the solution, you're part of the problem.

Quote
In short, SSL will not be enabled on the server for the reasons stated previously.
It already is (or it is at CF, anyway), but semi-broken. Google might even be directing traffic there, now that they're paying attention to HTTPS, since it is up and working, just referencing insecure assets, so they can probably still index. Fix the absolute references to JS etc. and it will probably just work. Or we could stay in the 90s; it'll go with our test gear collections :P.

Edit: expand.
« Last Edit: November 06, 2014, 07:08:43 am by ve7xen »
73 de VE7XEN
He/Him
 

Offline SirNick

  • Frequent Contributor
  • **
  • Posts: 589
Re: Secure version of the forum
« Reply #20 on: November 06, 2014, 07:42:28 pm »
SSL certs cost money to buy and maintain every year.  Maybe ~$100 a year is no big deal to Dave, but it's a non-zero sum of money that would be spent to protect a low-value resource.  (That being the passwords of forum users.)  The MUCH better solution would be to set your password here to "DavesForum12" or something like that, and not use it elsewhere.  That would sidestep the potential damage from sniffing and server cracking.

On a busy site, SSL overhead can be significant.  Especially if that busy site is on a shared hosting platform.  I dunno if Dave's server is dedicated, but either way it gets a lot of hits.  I've also deployed dedicated reverse proxy boxen in a former job role to mitigate the performance effects of encryption.  (The web servers were virtualized, so keeping their CPU usage low was beneficial.)

Finally, if Dave's site is in fact on a shared server, having an SSL cert would usually require having a dedicated IP, and IPv4 addresses are getting to be a scarce commodity.

In short, I don't see a pressing need for security here.  In most forum software, the actual password is exchanged fairly rarely anyway -- provided you allow persistent logins.  ("Remember me" on the site, and don't kill your cookies with fire every five minutes.)  Most of the time it's just a token that is mostly worthless to anyone else.

If you want to make the world a more secure place, it would be much more worthy of your time to focus on the pervasive practice of allowing password recovery with "security questions."  Remember -- don't write down your password, and don't use something easy to guess, but we'll let you reset it by providing some personal information that is often public record. :palm:
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #21 on: November 06, 2014, 10:06:23 pm »
Quote
SSL certs cost money to buy and maintain every year.  Maybe ~$100 a year is no big deal to Dave, but it's a non-zero sum of money that would be spent to protect a low-value resource.  (That being the passwords of forum users.)  The MUCH better solution would be to set your password here to "DavesForum12" or something like that, and not use it elsewhere.  That would sidestep the potential damage from sniffing and server cracking.
Free certificates can be had from StartCom. Purchased ones can be had for < $15/yr. EEVBlog is hosted through CloudFlare which provides a free certificate, which they even provision and keep updated for you. Notice that https connections work today, with a validated cert.

Quote
Finally, if Dave's site is in fact on a shared server, having an SSL cert would usually require having a dedicated IP, and IPv4 addresses are getting to be a scarce commodity.
Most browsers that people actually use support SNI now, and this is a dedicated server anyway, so this is moot. Performance I already addressed. It can be an issue, but probably isn't, but this is moot because CF will do it for you if you don't care about end-to-end encryption (not advocating for it).

Quote
In short, I don't see a pressing need for security here.  In most forum software, the actual password is exchanged fairly rarely anyway -- provided you allow persistent logins.  ("Remember me" on the site, and don't kill your cookies with fire every five minutes.)  Most of the time it's just a token that is mostly worthless to anyone else.
The token can of course still be used to steal your session. This does not address any of the privacy issues.

There doesn't seem to be any argument for not fixing the minor absolute URI issues and letting CF frontend SSL requests as they already are. It's free, will benefit some users, and requires little work to get to 99% functional. Much embedded content can even work (YouTube, imgur etc.) if referenced properly.

Quote
If you want to make the world a more secure place, it would be much more worthy of your time to focus on the pervasive practice of allowing password recovery with "security questions."  Remember -- don't write down your password, and don't use something easy to guess, but we'll let you reset it by providing some personal information that is often public record. :palm:
I hate security questions, but can do little to get rid of them. Always put random strings in there. I can however advocate for crypto everywhere which will both make people more secure and make crypto less of an indicator of 'interesting activity' or people thinking you're a terrorist because you encrypt your hard drive. In most cases there is very little reason not to do it, and in those cases, I think we should.
73 de VE7XEN
He/Him
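SirNick's point that the password is rarely exchanged once "Remember me" is on, and ve7xen's answer that the token can still be used to steal your session, both come down to what the browser does with the session cookie on a plain-http page load: without the Secure attribute it is attached to every http request, so the long-lived token is exposed on the wire far more often than the password ever was. The audit below is an added example, not SMF or EEVblog code; the Set-Cookie values and the cookie names (forum_session, forum_remember) are constructed placeholders, not the forum's real cookies.

```python
"""Audit Set-Cookie headers for session-token exposure on the wire.

Added example, not SMF/EEVblog code. The header lines are constructed and
the cookie names are placeholders, not the forum's actual cookie names.
"""
from http.cookies import SimpleCookie


def parse_set_cookie(header_value):
    """Return (name, Morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def audit(header_value):
    """List the missing attributes that leave a token exposed, plus its lifetime."""
    name, m = parse_set_cookie(header_value)
    findings = []
    if not m["secure"]:
        findings.append("missing Secure: the browser also sends it over plain "
                        "http, where a shared network can see it")
    if not m["httponly"]:
        findings.append("missing HttpOnly: readable by page scripts")
    if not m["samesite"]:
        findings.append("missing SameSite: attached to cross-site requests")
    # A 'remember me' token lives for months, so one capture of it is worth
    # far more than a capture of a short-lived session id.
    persistent = bool(m["max-age"] or m["expires"])
    return {"name": name, "persistent": persistent, "findings": findings}


def sent_over(header_value, scheme):
    """Would a browser attach this cookie to a request made over `scheme`?

    With Secure set the token never travels over http at all, which is why
    encrypting only the login page is not enough: the session that follows
    it still leaks on every plain-http page view.
    """
    _, m = parse_set_cookie(header_value)
    return scheme == "https" or not bool(m["secure"])


# Constructed Set-Cookie values: the first two as a forum served over plain
# http would have to emit them, the third as an https-only deployment can.
SAMPLE_HEADERS = [
    "forum_session=abc123def456; Path=/",
    "forum_remember=9f8e7d6c5b4a; Max-Age=31536000; Path=/",
    "forum_session=abc123def456; Path=/; Secure; HttpOnly; SameSite=Lax",
]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = audit(h)
        print(r["name"], "persistent" if r["persistent"] else "session-only",
              "| sent over http:", sent_over(h, "http"))
        for f in r["findings"]:
            print("   -", f)
```

The third header is only deployable once the whole site is on https: a Secure cookie is never sent to http:// pages, so every logged-in view would have to be https anyway, which is the practical answer to the "SSL on the login page only" compromise proposed later in the thread.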
 

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ca
  • Doing retro repairs...
Re: Secure version of the forum
« Reply #22 on: November 07, 2014, 10:04:32 am »
Another issue with SSL is that you can't use a proxy (ie: squid) to cache text (posts) and images (in posts, as well as avatars, emoticons).  Well, you could, but it would involve MITM'ing everything that passes through the proxy (bad - some orgs do it, but it's not recommended).
Maintain your old electronics!  If you don't preserve it, it could be lost forever!
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #23 on: November 07, 2014, 04:50:19 pm »
Quote
Encryption is hardly pointless for this forum. In the UK ISPs are required by law to monitor the domain name of every site you visit, and scan every URL to match against a secret blacklist using a system called Cleanfeed. Moreover it is known that the security services monitor the URLs that people access to profile them. Considering the crap that Dave got just for ordering some electronic components recently, I can see how someone accessing some "suspicious" URLs or making some "suspicious" posts here and then placing a Farnell order could cause them a lot of trouble.

In the post-Snowden world we have to re-build the internet to be resistant to mass surveillance. Encrypting everything, no matter how trivial, when possible is a good start. If it was not a major hassle (it shouldn't be) then the forum should use HTTPS by default, as all sites should.

And then there is this:
http://www.bbc.com/news/technology-29950946

Good luck on building your own internet or getting people to pay for the infrastructure of a freedom internet.
And even if you build it, you have to hook it to the actual net because you can't prevent the forwarding of data. It used to be a problem until it was regulated so that packets that neither originate from nor are destined for your network can use other networks to get there faster without having direct connectivity.

Kind of having to provide a public path on your property if that's the only way to access your destination.
 

Offline sunnyhighway

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: nl
Re: Secure version of the forum
« Reply #24 on: November 07, 2014, 06:02:29 pm »
There are only two valid reasons for using SSL encryption.

#1: Making sure you are looking at the EEVblog and not some imitation website that wants to trick you into thinking it is the real deal.
#2: Making sure the data you enter (like a password) cannot be intercepted by the Man In The Middle who now can start trolling under your name.

As for argument #1, this would cost the culprit a lot of money... to what avail?
Argument #2 would make some sense. Nobody would like his good name to be smeared by some troll who took the effort. But let's be realistic, wouldn't it be easier for that wannabe troll to create a new account and start trolling away?
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #25 on: November 07, 2014, 06:06:25 pm »
Virtually everything should be TLS (NOT SSL) all the time unless there is a very good reason otherwise.

To teach that security isn't necessary is, to me, to teach that privacy is not important.  We all know when we shut the door in the bathroom that privacy is important.  We all know when we wonder if that email is an attempt to scam us that privacy and security are important.

Use of HTTPS needs to be the rule rather than the exception.  It should be expected for any site which requires a password.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: Secure version of the forum
« Reply #26 on: November 07, 2014, 06:20:50 pm »
I think a reasonable compromise should be having SSL/TLS enabled on the login page, so that the login credentials are secure in transit. Sure, your cookie could still be captured afterwards, but who cares? The culprit could post some BS in your name at best until you relog/session expires. Moreover, the chance of that is fairly low.

Enabling encryption on the entire forum is an overkill, IMHO. If you are afraid to post because you are at work and your boss is sniffing the traffic, maybe wait until you are at home to get your fix?

The secret services profiling/Snowden/whatever paranoia - sorry, let's get real. Borking an entire forum only to mitigate a 0.0001% chance risk you get targeted there is a poor trade-off. I think those folks care about different stuff than our FTDIgate flamewars. If this was GMail or something like that, sure. But this is nothing else but a glorified chatroom ...

 

Offline sunnyhighway

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: nl
Re: Secure version of the forum
« Reply #27 on: November 07, 2014, 06:33:18 pm »
Quote
Use of HTTPS needs to be the rule rather than the exception.  It should be expected for any site which requires a password.

This website does NOT require a password, it is a public website for everyone to see. ONLY if you want to post something are you required to log in.

It would make some sense to protect the transmission of your password. But you have to ask yourself what a culprit could do with your password? And even more, is it worth the trouble for that culprit?
I'd say there are much better targets than the EEVblog that offer a much better return on investment for the culprit.

If Dave would choose to use SSL for the EEVblog, the only page that would need SSL protection is the login page. Nothing else, because the rest is public.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #28 on: November 07, 2014, 06:57:26 pm »
OK since I didn't make it clear, I will rephrase.

HTTPS should be used on any website that requires a password for any reason.
« Last Edit: November 08, 2014, 05:46:40 am by Rigby »
 

Offline urlkrueger

  • Contributor
  • Posts: 16
Re: Secure version of the forum
« Reply #29 on: November 08, 2014, 02:17:34 am »
I just read a news article the other day which talked about how the people who repossess automobiles are now driving around with cameras, recording license plates and where they were observed, keeping this info in a database and selling the info to anybody willing to pay the price.  People have learned from Google, and others, just how valuable information can be and are wanting their little piece of the pie.

It won't be long now before you will be able to get on the internet and for $25 obtain a complete dossier on a friend, a neighbor or an ex-girl/boyfriend.  You will be able to obtain their movements, which stores/banks they frequent, who their friends are, the websites they frequent and a lot more.  Eventually AI will be able to digest all this information and provide you with various profiles, depending on your interests.  There will be very very few secrets.

So what?  Why should I care if somebody knows a bunch of trivia about me?

There are people out there, criminals, governments, corporations and such who will, and are using this info for their own gain and our detriment.  And......AND, they are doing it with the tax money and profits they obtain from us!  The least we can do is make it more difficult for them.

As the Inventors, Developers and Implementers of the technology that allows this to happen, I believe we should be setting examples for the non-initiates as to how this technology should be used.  In that vein I believe that all internet traffic, including this forum, should be encrypted.

Earl...

Now will somebody get that soapbox out of here before I trip on it again!
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: Secure version of the forum
« Reply #30 on: November 08, 2014, 03:23:12 pm »
If this is done Dave will have to buy traceable certificates back to Verisign, Thawte, or other major cert signer. Otherwise Firefox and Chrome will get pissed off and try to block you from going to the site. You can still bypass it but it will do it every time you log in.
The larger the government, the smaller the citizen.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #31 on: November 08, 2014, 03:53:51 pm »
Quote
That said, Https will prevent people from intercepting your packets but then they will have to be able to gain access to the networks between you and the server, which is probably not hard since hostmonster and hostgator (same datacenter I believe) offer shells for those that need them.

There are well known MITM attacks. We also know that some of the three-letter agencies retrieved the private SSL keys of a few companies and that the agencies of some countries got forged keys signed by CAs. We've seen many examples of how the whole CA concept is broken and misused. We also know about security flaws in the design of SSLv2 and v3. Unfortunately a lot of web servers still support those insecure SSL versions. When taking all that into consideration, https offers just two benefits. Data (credentials) isn't sent in clear text, and a signed certificate offers some weak authentication of the web site. It's better than http but not bulletproof. The drawback is the higher CPU load for the handshake (needs most) and encryption (not so much, symmetrical encryption).
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #32 on: November 08, 2014, 03:57:45 pm »
I just read a news article the other day which talked about how the people who repossess automobiles are now driving around with cameras, recording license plates and where they were observed, keeping this info in a database and selling the info to anybody willing to pay the price.  People have learned from Google, and others, just how valuable information can be and are wanting their little piece of the pie.

It won't be long now before you will be able to get on the internet and for $25 obtain a complete dossier on a friend, a neighbor or an ex-girl/boyfriend.  You will be able to obtain their movements, which stores/banks they frequent, who their friends are, the websites they frequent and a lot more.  Eventually AI will be able to digest all this information and provide you with various profiles, depending on your interests.  There will be very very few secrets.

This is an interesting overview of hacking PEOPLE.   http://youtu.be/hqKafI7Amd8
The presentation is concluded with some very interesting info about hacking applied to solving some of society's biggest problems. Recommended.

Quote
So what?  Why should I care if somebody knows a bunch of trivia about me?

There are people out there, criminals, governments, corporations and such who will, and are using this info for their own gain and our detriment.  And......AND, they are doing it with the tax money and profits they obtain from us!  The least we can do is make it more difficult for them.

TED: State Sanctioned Hacking - The Elephant in the Room  - Hacking 101: Frank Heidt at TEDxMidwest
http://youtu.be/nnKh6SFEaLg

The discussion in this thread and watching those TED presentations has rather changed my mind. Secure the forum (the entire EEV website, IMHO).  I am doing nothing illegal or even shady, but that is only the current opinion of the Government.
 

Offline jeremy

  • Super Contributor
  • ***
  • Posts: 1079
  • Country: au
Re: Secure version of the forum
« Reply #33 on: November 08, 2014, 04:02:07 pm »
How many hits/sec does this forum get? If it is only a few hundred, I can't even understand why this is a point of discussion; just enable it! It's like 3 lines in the nginx config and a free certificate from StartSSL.

Also, the argument that ISP/enterprise level caching should be maintained is a bit odd to me; this website is mostly text content on a niche topic and the text changes regularly. On top of this, the users are geographically spread out and are unlikely to be using the same upstream provider. Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk. The only real strong point would be that it makes the server bill a bit less, but cloudfront already handles that...

Although I do enjoy this forum, let's be honest, in terms of hits/sec and bandwidth requirements this ain't no youtube.
 

Offline geppa.dee

  • Contributor
  • Posts: 39
  • Country: es
Re: Secure version of the forum
« Reply #34 on: November 08, 2014, 04:07:14 pm »
...Some ISPs record every URL you visit for marketing purposes (a US ISP was caught doing it recently, I forget which, probably Comcast) and HTTPS stops them doing it...
Sorry to partially disappoint... that's not exactly how https works. It will encrypt the content in transit but only part of the URL. The hostname and dest. port will be visible in plain text (and probably still useful to some extent for surveillance purposes). It will hide the path, query and fragment locator though. Only encrypted tunnelling (i.e. VPN) hides everything (if done right).  Aside from that, I wholeheartedly agree with you.

If this is done Dave will have to buy traceable certificates back to Verisign, Thawte, or other major cert signer. Otherwise Firefox and Chrome will get pissed off and try to block you from going to the site. You can still bypass it but it will do it every time you log in.
StartSSL's CA certs are in all current browsers (have been for some years so no issues) and the level 1 certs they give (enough for encrypting traffic) are free.
 

Offline ctz

  • Contributor
  • Posts: 26
  • Country: gb
Re: Secure version of the forum
« Reply #35 on: November 08, 2014, 10:11:37 pm »
If this is done Dave will have to buy traceable certificates

No, Cloudflare provide free certs. https://www.eevblog.com/ already works, just needs the links fixing to be protocol-neutral.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #36 on: November 08, 2014, 11:31:25 pm »
I made some changes to nginx which fix the majority of the SSL issues for those of you that insist on using it. Note that it is mostly un-tested and any issues using SSL will not be supported. Also there is NO encryption between CloudFlare and this server, which means that the security you receive is still not trusted, and can be intercepted/read in the clear by anyone between CF and this server.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #37 on: November 09, 2014, 09:50:37 am »
It doesn't prevent it though, but if it makes you feel better then that's all that matters :)
 

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ca
  • Doing retro repairs...
Re: Secure version of the forum
« Reply #38 on: November 10, 2014, 01:31:30 am »
Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk.

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser.  |O
Maintain your old electronics!  If you don't preserve it, it could be lost forever!
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #39 on: November 10, 2014, 02:33:01 am »
Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk.

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser.  |O

Which is another reason why this is an opt-in thing. People think that the entire world has fast unlimited internet and forget that much of the world pays through the nose for downloads, especially on wireless plans. Those of us that do have true unlimited are limited in speed by the local infrastructure, and often are also sharing their link with multiple people in the same house. SSL, while I like the idea of the entire internet on it in general, I believe is impractical and another instance of trying to force people to use technology they do not need.

If this is to stop the government spying, what's to stop them from tapping the data feeding CF and just logging it at that point? Honestly it is a load of marketing hype and has if anything made SSL more vulnerable as you no longer know if a site is truly on SSL or being proxied via some third party and the last leg of the link is unencrypted and across the public internet.

Honestly, how many website owners truly understand how SSL works? The majority of them will be thinking, wow, we get free SSL if we use CF, we can now process sensitive data! Unknowingly exposing their clients' data to the public network in the clear. Advertising SSL on the server, and the browser verifying that SSL is working and their connection to the target server is secure... which it isn't, is just downright dangerous and stupid IMHO. It is worse than storing unsalted MD5 hashes, or unencrypted passwords in a database as far as I am concerned, the chain of trust which SSL is designed to ensure is being thwarted and there is no way for website visitors to know.

Edit: I know, it is TLS not SSL these days, but people still use SSL as a general term for 'HTTPS' or 'The Padlock'.
« Last Edit: November 10, 2014, 02:41:56 am by gnif »
 

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: Secure version of the forum
« Reply #40 on: November 10, 2014, 05:38:23 am »
May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser.  |O

This is 110% false. Browsers can, should, and DO cache content retrieved over a secured connection.

https://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https

Secure-by-default is important enough that HTTP 2 will make TLS mandatory (although HTTP 2 itself is not mandatory of course). Considering the biggest name in "big internet" (Google) drove the specification, you know they care about stuff like caching.

I understand that not every site owner has the time or the experience to configure TLS for their site, but as far as I'm concerned there is no argument against doing it if you do.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #41 on: November 10, 2014, 06:46:02 am »
May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser.  |O

This is 110% false. Browsers can, should, and DO cache content retrieved over a secured connection.

Not quite since he stated that proxy servers cannot cache, you only mention browsers.

I understand that not every site owner has the time or the experience to configure TLS for their site, but as far as I'm concerned there is no argument against doing it if you do.

I agree that SSL should be implemented across the board, but what CF are doing is a joke, it makes the websites seem apparently secure, when it is not. Think about this scenario.

High profile website has SSL setup through CF, this website is accepting credit card details amongst other personal details. The site operator believes that this is safe and secure as they are not well informed as to how CF SSL works. A malicious attacker discovers the server's real IP (not hard, just hit direct.example.com as this is normally setup per CF recommendations, or a MX record, etc...) and rents a server at the same premises, and starts sniffing the data (I know there are ways used to prevent this, but it is not good to rely on these). The attacker will be able to record every transaction in clear text between the CF server and the HTTP server.

This just provides a false sense of security, and a glaring hole to be abused by attackers. What CF are doing is providing a means to break SSL, not make it better. It should be offered as an option that REQUIRES server side configuration to enable it, not just enable it for every site and pretend the entire link is secure.

Edit: Here is a good writeup of the problem and how you can configure CF to fix it.
« Last Edit: November 10, 2014, 06:53:49 am by gnif »
 

Offline redtails

  • Contributor
  • Posts: 17
  • Country: nl
  • The power of atom!
    • Raven's Jig
Re: Secure version of the forum
« Reply #42 on: November 10, 2014, 02:07:47 pm »
Although https serves no direct reason for a completely open forum, you cannot deny that your Google ranking is negatively affected if you don't support https on your website.

This has been implemented since summer 2014

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #43 on: November 10, 2014, 03:44:20 pm »
If this is to stop the government spying, what's to stop them from tapping the data feeding CF and just logging it at that point? Honestly it is a load of marketing hype and has if anything made SSL more vulnerable as you no longer know if a site is truly on SSL or being proxied via some third party and the last leg of the link is unencrypted and across the public internet.

I think you misunderstand what the goal is. The government will spy on people if it wants to, and I think most people would argue that spying on certain people is acceptable. What is not acceptable is mass surveillance of everyone all the time.

By implementing encryption everywhere we can we increase the cost of mass surveillance. Those wishing to spy on us now can't simply demand that ISPs do their dirty work for them, they need to hack in to the backbone and do extensive traffic filtering/decoding. If those links become encrypted too, they are forced to start hacking service providers and hosting companies. They probably have some zero day exploits they could use, but doing so would risk making them public.

Encrypting where we can makes mass surveillance impractically difficult and expensive.

The only problem with that is that they'll ask for a bigger budget diverting our tax money to more resources and probably increasing our taxes. So in essence you are just feeding the fire to help them grow more by helping them justify a higher budget.

SSL, TLS has not been a concern for national agencies for a while. What are you going to propose next, Tor access to the EEVBlog?

The only way you can achieve what you want is to make it illegal, so good luck going into politics so you can push that agenda if you even get support for it.

And that might be your goal, but it's hardly a concern to many.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #44 on: November 10, 2014, 06:44:42 pm »
You underestimate Eve's capabilities no matter what Wendy reported.
Even so Eve, as evil as you portray her, can protect you from Chuck but not from Mallory, so I wouldn't worry  much about Eve, it's Mallory that Bob and Alice should be worried about. And no one knows what Mallory's capabilities are but it's greater than Eve's.

But all in all it keeps Oscar and Walter fed, it's a multi billion dollar industry and SSL/TLS is nothing more than the transport.
 

Online giosifTopic starter

  • Frequent Contributor
  • **
  • Posts: 886
  • Country: gb
Re: Secure version of the forum
« Reply #45 on: November 10, 2014, 09:19:45 pm »
Hi all,

Sorry for being silent the past few days!

My main reason for raising this topic was to protect my credentials and any private info in my PM's from the easy/simple eavesdroppers - i.e. script kiddies running a wireless sniffer near public hotspots.

I made some changes to nginx which fix the majority of the SSL issues for those of you that insist on using it. Note that it is mostly un-tested and any issues using SSL will not be supported. Also there is NO encryption between CloudFlare and this server, which means that the security you receive is still not trusted, and can be intercepted/read in the clear by anyone between CF and this server.

And I think this is good enough for that.
Thanks, gnif!

Regards,
George
 

Offline SirNick

  • Frequent Contributor
  • **
  • Posts: 589
Re: Secure version of the forum
« Reply #46 on: November 10, 2014, 11:01:31 pm »
Although https serves no direct reason for a completely open forum, you cannot deny that your Google ranking is negatively affected if you don't support https on your website.

Google's insistence on HTTPS has been a thorn in the side of a lot of organizations.

Take schools for example.  Access to Google.com is considered essential, as are Gmail and Docs.  However, there's often justifiable cause to block Youtube.  This is very difficult to do, though, since Google uses large, consecutive blocks of IPs, and (AFAIK) doesn't provide any documentation on how they allocate those IPs to services.  With everything defaulting to HTTPS, most of the existing proxy appliances that have been deployed can't distinguish URLs.  And, motivated teenagers have found you can see all kinds of neat stuff with Google Images, with SafeSearch off, via HTTPS.

So the usual "fix" is to block HTTPS entirely, allowing their proxies to work as intended.  Of course, now there are a lot of folks sending their logins and email text over the Internet in clear text.  Hurray for progressive security!
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #47 on: November 10, 2014, 11:44:32 pm »
Before Chuck and Mallory came along we used to put our username and password right on the url even without SSL.

So it would have been something like this:

http://user:pass@www.eevblog.com/forum/

Of course it makes more sense to use https in that case, that gave Craig a reason to be. Then online banking came along and adopted ssl (or tls or whatever it's pretty much the same handshake)

I'll admit that as long as you keep that private key, well... private, then you might be safe, but, sometimes things don't work as you think they do. What if what was generating those private keys used something stupid like say the process id where they were running.

So what would it take to break those private keys if you knew the seed to the random number generator was that pid? How many pids do you think a Linux system has? Even if it was 100, and since you have the code for the random number generator and other events the key is based on, just with that you can create a handful of keys that will pretty much give you a private key that is compatible with those other private keys and accept the same public key.

But you will think that's impossible and will never happen? Well it did, and not too long ago either, and for a long amount of time. Yeah it's fixed now (hopefully deployed everywhere) but still you have to understand who the cryptography players are, and when they come out with some algorithm that is unbreakable and non reversible, should you trust them that it's not the case? After all, you just have to take a lot of math to prove it wrong and of course someone would have found the flaw that they might keep on a need-to-know basis?

Nah, it's all secure and we have nothing to worry about. Home Depot uses SSL, so does Target, and Sony .... there are other attack vectors and just pure social engineering will just get you where you need to be because it's the way things are.

Security now is more about pen testing than even cryptography and everyone wears all kinds of hats and it's a stupid way to generate more and more so called security jobs that only keeps the cycle in perpetuation.

Worries make a ton of money flow, that's the bottom line.


« Last Edit: November 10, 2014, 11:46:53 pm by miguelvp »
 
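miguelvp's scenario above (a key generator whose only entropy is the process id) is what made the well-known Debian OpenSSL weak keys enumerable, and the defensive answer at the time was a blacklist of every key such a generator could produce. This added Python example, not from the thread, models that with a toy key derivation (the toy derivation is an assumption for illustration, not OpenSSL's algorithm): it enumerates the whole seed space once and checks any candidate public key against it, the way the vulnkey-style checkers did.

```python
"""Added example: enumerate every key a PID-seeded generator can produce and blacklist them."""
import hashlib

PID_MAX = 32768          # classic Linux default pid_max: the entire seed space of a PID-only RNG


def toy_private_key(seed: bytes) -> bytes:
    """Toy key derivation (an assumption for this example, not OpenSSL's): key = H(seed).

    The point is the property, not the maths: the private key is a pure function of the
    seed, so a seed space of 32768 values means at most 32768 possible keys.
    """
    return hashlib.sha256(b"toy-keygen-v1|" + seed).digest()


def toy_public_key(private_key: bytes) -> bytes:
    """Toy public key: a one-way function of the private key, so fingerprints can be compared."""
    return hashlib.sha256(b"toy-pub|" + private_key).digest()


def fingerprint(public_key: bytes) -> str:
    """Short hex fingerprint used as the blacklist key."""
    return hashlib.sha256(public_key).hexdigest()[:32]


def generate_keypair(seed: bytes):
    """(private, public) for a given RNG seed."""
    priv = toy_private_key(seed)
    return priv, toy_public_key(priv)


def pid_seed(pid: int) -> bytes:
    """The only 'entropy' the weak generator ever had: the process id as 4 bytes."""
    return pid.to_bytes(4, "little")


def build_weak_key_blacklist(pid_max: int = PID_MAX) -> dict:
    """fingerprint -> pid for every key the weak generator can possibly emit.

    This is the defender's artefact: with the seed space this small, the complete set of
    weak public keys fits in memory and any deployed key can be checked against it.
    """
    blacklist = {}
    for pid in range(1, pid_max):
        _, pub = generate_keypair(pid_seed(pid))
        blacklist[fingerprint(pub)] = pid
    return blacklist


def is_weak_key(public_key: bytes, blacklist: dict):
    """Return the pid that would have produced this key, or None if it is not in the weak set."""
    return blacklist.get(fingerprint(public_key))


if __name__ == "__main__":
    blacklist = build_weak_key_blacklist()
    print(f"{len(blacklist)} possible weak keys enumerated")
    _, weak_pub = generate_keypair(pid_seed(4242))                    # constructed: from the weak generator
    _, good_pub = generate_keypair(b"32 bytes that came from a CSPRNG")  # constructed: properly seeded
    print("weak key traced back to pid:", is_weak_key(weak_pub, blacklist))
    print("properly seeded key flagged:", is_weak_key(good_pub, blacklist))
```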

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #48 on: November 11, 2014, 01:46:11 am »
According to CloudFlare, my site is now using SSL?

Quote
Dear CloudFlare customer:

We’ve got some exciting news to share. In our efforts to help build a better Internet, CloudFlare recently released a new product called Universal SSL. SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.

CloudFlare’s Universal SSL provides all our Free Plan customers with SSL security encryption for their web traffic at no cost. Universal SSL is on by default. Your web traffic is now encrypted and secure—you don’t have to install or configure anything.

Aside from keeping your web traffic safe from snooping and tampering, having SSL on your site may help boost your Google search rankings.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #49 on: November 11, 2014, 02:21:21 am »
According to CloudFlare, my site is now using SSL?

Hi Dave, yes it is, but please be aware that the way that CF have implemented it is broken and should not be trusted, I would not advertise that the site is on SSL unless you are prepared to buy a SSL cert for the server and then enable Strict SSL in the CF interface.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #50 on: November 11, 2014, 03:15:19 am »
Hi Dave, yes it is, but please be aware that the way that CF have implemented it is broken and should not be trusted, I would not advertise that the site is on SSL unless you are prepared to buy a SSL cert for the server and then enable Strict SSL in the CF interface.

Yep, I expected it would be half arsed.
I don't see any need for SSL on a forum.
 

Offline johansen

  • Frequent Contributor
  • **
  • Posts: 995
Re: Secure version of the forum
« Reply #51 on: November 11, 2014, 11:32:41 am »
I don't see any need for SSL on a forum.
on this forum, i agree,

head over to Sciencemadness.. there's a thread at least once a month about some unlucky folk getting his house raided because he bought some bs online.
within 10 years oscopes will be in the same regard as heating mantles.
 

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: Secure version of the forum
« Reply #52 on: November 11, 2014, 02:57:07 pm »
You don't need to buy a "real" certificate to take advantage of secured transport between CloudFlare and your backend server. A self-signed certificate is sufficient unless you put CF in strict mode; this is what I'm doing for my own (tiny, irrelevant) sites.

I think they mentioned in a blog post that they'd have support for certificate pinning at some point in the future, which would make the backend transport actually more secure than using a CA-signed cert while also being free. But for the time being, the unverified certificate is still a lot more secure than a plaintext connection, because passive snoopers are by far the biggest threat.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #53 on: November 11, 2014, 03:24:19 pm »
You don't need to buy a "real" certificate to take advantage of secured transport between CloudFlare and your backend server. A self-signed certificate is sufficient unless you put CF in strict mode; this is what I'm doing for my own (tiny, irrelevant) sites.

At the moment this is sub optimal since CF won't verify the self-signed cert is valid. An attacker could perform a MITM attack since there is no way to verify the certificate is valid, or has been intercepted and changed.
 

Offline tjb1

  • Regular Contributor
  • *
  • Posts: 146
  • Country: us
Re: Secure version of the forum
« Reply #54 on: November 11, 2014, 05:36:18 pm »
Yep, I expected it would be half arsed.
I don't see any need for SSL on a forum.

After your Element 14 order was held up for extra terrorism checks? Could be random or systematic I suppose, or could be your name is on a list due to profiling...

You never fail to make me money on my aluminum foil stocks, thanks!
 

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: Secure version of the forum
« Reply #55 on: November 11, 2014, 05:41:56 pm »
Sub-optimal maybe, but 99% as good. MITMing traffic between two servers is incredibly difficult. Raising the difficulty of stealing data from "tap the fiber and vacuum up all the data" to active, detectable attacks like cache poisoning or tampering with connections is a huge win. Security is always about tradeoffs, and this huge benefit of denying passive attacks comes at a cost of zero dollars.

Or to think about it from the opposite angle -- the added verification of using strict mode is that the attacker needs a certificate signed by a real CA. Attackers who can do MITMs on inter-server traffic are probably state actors who can procure a false CA certificate in seconds anyway. Having a non-CA method of verifying the certificate, e.g. checking the certificate fingerprint against a whitelist, is much much more secure. This is called "certificate pinning" and I'm looking forward to CF rolling it out in the future.
 
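gxti's "check the certificate fingerprint against a whitelist" is easy to show from the client side, and it is exactly the check that turns gnif's unverified self-signed origin cert into something an attacker cannot swap. This added Python example, not the thread's or CloudFlare's code, deliberately leaves the CA chain out of the decision and makes the pin the only trust anchor; the network call only runs from main with placeholder host and pin values.

```python
"""Added example: certificate pinning as the trust anchor instead of a CA chain."""
import base64
import hashlib
import hmac
import socket
import ssl


def cert_pin(der: bytes) -> str:
    """Pin string in 'sha256/<base64>' notation, computed over the whole DER certificate.

    Pinning the full certificate ties the pin to this exact cert, so it must be rotated on
    renewal; pinning the SubjectPublicKeyInfo instead would survive renewals with the same key.
    """
    return "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate's pin is in the whitelist; each comparison is constant-time."""
    presented = cert_pin(der)
    return any(hmac.compare_digest(presented, allowed) for allowed in pins)


class PinMismatch(ssl.SSLError):
    """Raised when the peer presented a certificate that is not on the whitelist."""


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust check is the certificate pin.

    check_hostname and verify_mode are switched off so a self-signed origin certificate
    is accepted by the TLS layer; the pin check then decides. A mismatch closes the
    socket before any application data is sent, so nothing leaks to an impostor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                   # the CA store plays no part here
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # server_hostname still sends SNI
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(f"certificate pin mismatch for {host}:{port}")
    return tls


if __name__ == "__main__":
    # Placeholders: replace with the origin host and the pin of its current certificate.
    ORIGIN_HOST = "origin.example.invalid"
    ALLOWED_PINS = {"sha256/REPLACE-WITH-REAL-PIN"}
    try:
        with connect_pinned(ORIGIN_HOST, 443, ALLOWED_PINS) as s:
            print("pinned connection established, cipher:", s.cipher())
    except (OSError, ssl.SSLError) as exc:
        print("connection refused by pin check or network:", exc)
```

To obtain the pin for an existing origin, run `cert_pin` over the DER bytes of the certificate you deployed there; the pin set can hold the current and the next certificate during a rotation.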

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #56 on: November 11, 2014, 05:54:00 pm »
Not that hard if you get shell access in one of those data centers.
And of course they do offer shell access, or a dedicated server, some others allow co-location and others virtual machines hosting.

So it's not that difficult, the thing is who should you worry about? Eve (the Eavesdropper?) Chuck (malicious intent but without a lot of capabilities) or Mallory (malicious attacker with unknown agenda and capabilities).

I think Eve, although it infringes on our privacy, would be the least of our concerns, and Eve might help us to fend Chuck off, but the Mallorys out there are what will cause the most harm and Eve sometimes is lucky getting rid of those too.

A lot of money is involved with all this white, grey, black hats, it's fascinating the money all of that generates for the security sector of the industry.

 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #57 on: November 11, 2014, 08:14:00 pm »
Sub-optimal maybe, but 99% as good. MITMing traffic between two servers is incredibly difficult. Raising the difficulty of stealing data from "tap the fiber and vacuum up all the data" to active, detectable attacks like cache poisoning or tampering with connections is a huge win. Security is always about tradeoffs, and this huge benefit of denying passive attacks comes at a cost of zero dollars.

I am stating that while they have raised the difficulty slightly, they are providing a false sense of security, case in point. This is a BAD idea, CF should default to strict SSL so that they do not make people that are uneducated start advertising that they have SSL enabled when really, they only have it 1/2 enabled. This is also not at all hard to do... just setup an nginx reverse proxy and proxy to CF... nobody would even know the extra proxy is there.

Or to think about it from the opposite angle -- the added verification of using strict mode is that the attacker needs a certificate signed by a real CA. Attackers who can do MITMs on inter-server traffic are probably state actors who can procure a false CA certificate in seconds anyway. Having a non-CA method of verifying the certificate, e.g. checking the certificate fingerprint against a whitelist, is much much more secure. This is called "certificate pinning" and I'm looking forward to CF rolling it out in the future.

It is NOT hard to do MITM on inter-server traffic, just rent a server in the same datacenter and start sniffing the wire, that doesn't work? Get a shell on a target box that can see the traffic on the network. The certificate pinning is well understood by those in the industry, there is no need to explain it here, it is however a moot point as at current CF does not support it.
« Last Edit: November 11, 2014, 08:16:20 pm by gnif »
 

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: Secure version of the forum
« Reply #58 on: November 11, 2014, 10:15:17 pm »
I am stating that while they have raised the difficulty slightly, they are providing a false sense of security, case in point. This is a BAD idea, CF should default to strict SSL so that they do not make people that are uneducated start advertising that they have SSL enabled when really, they only have it 1/2 enabled. This is also not at all hard to do... just setup an nginx reverse proxy and proxy to CF... nobody would even know the extra proxy is there.
You're arguing against unencrypted backends, and I'm arguing in favor of the unvalidated encrypted backends as a 99% good enough improvement. I do agree that the unencrypted mode is probably misguided on CF's part.

Quote
It is NOT hard to do MITM on inter-server traffic, just rent a server in the same datacenter and start sniffing the wire, that doesnt work? Get a shell on a target box that can see the traffic on the network.
Not since the late 90s, which was the last time that hubs were useful. You cannot passively sniff unicast traffic if you are connected to a switch because switches only send packets to the correct port. There are abnormal circumstances in which traffic can be leaked (MAC tables full, STP topology changes causing a flush), and there are active attacks like ARP poisoning that let you take control of a stream if you are in the right place. Competent providers wall customers off from each other using VLANs so they can't do nasty stuff to each other, and monitor for nefarious activity, but even the dumb ones (which most likely is most of them) would have to try really hard to let a passive sniffer see other people's traffic.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #59 on: November 11, 2014, 10:25:49 pm »
Actually now they have hardware load balancers and they keep the PAT set so it can talk to the same server if it's multiserver, but even if it's a single server it will be mapped.

Anyways, you are assuming they have big switches instead of hubs, you can't really assume that, and even if they did, once you are on the datacenter network then other things are viable.

For example, I did get a notification about one of my databases affecting the performance of other sites, and I fixed it, does that mean my database lives on the same place as others? Why would a bad table that I made affect other customers?

Granted this was for hostmonster, but they are located on the same datacenter as hostgator, so it might be even share other things.

Now we are not talking Terremark, or Google cloud or AWS, or Rackspace or the other dozen billion dollar + companies, we are talking about hostgator and hostmonster.

 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #60 on: November 11, 2014, 11:14:54 pm »
For example, I did get a notification about one of my databases affecting the performance of other sites, and I fixed it, does that mean my database lives on the same place as others? Why would a bad table that I made affect other customers?

Virtual servers running out of cpu/memory or bandwidth limits in the network. You share resources.
This does not mean you can gather access to the data/network packets of other customers.

Again, we are not talking about the dozen big player names here. we are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt.

So far it is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.

The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider

but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.


Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server

« Last Edit: November 11, 2014, 11:35:14 pm by miguelvp »
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #61 on: November 12, 2014, 07:11:53 am »
Again, we are not talking about the dozen big player names here. we are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt.

You may be able to see in-flight connection state, but that's about it and certainly doesn't amount to sniffing traffic.

So far it is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.

Dave's server is dedicated. On a shared server, you won't have permissions to sniff traffic without compromising the server, which is out of scope of this discussion.

Quote
The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider
No, you're revealing your ignorance. You clearly have no idea what you're talking about. Nobody uses hubs any more, at any price point. They are literally extinct and haven't been made for 20 years or more. On a switched LAN passive attacks are not practical. Active attacks are possible, but pretty non-trivial and disruptive and someone will likely notice. That still requires you to be on the same layer 2 segment as the attacker, which is fairly unlikely.

Quote
but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.
No you can't.

Quote
Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server
xiB = base 2. Your unit conversion is wrong.

By a massive margin, the likely attack is on the access side. Open wifi, office networks with unscrupulous IT folks or just asshole bosses. Nobody is going to bother going to the extent required to sniff the traffic between CloudFlare and a small-time operator. Maybe if they make themselves a target like LavaBit or something, but the bar is many, many orders of magnitude higher than running aircap on a laptop at a busy Starbucks and seeing what you get.

Will it protect you against the knowledgeable, well-funded attacker making a specific effort to see your traffic? No. But it certainly doesn't hurt against that attacker, and will protect you completely from the kid in the coffee shop, who for most people is probably the only threat they ever face.

I agree it's probably not a good default configuration for CF, and it would be nice if there were a way to indicate "crypto not used everywhere" in the browser, but it's ridiculous to say that it doesn't do anything for security. It's a massive difference in risk than doing nothing at all.
« Last Edit: November 12, 2014, 07:24:45 am by ve7xen »
73 de VE7XEN
He/Him
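The point made above about switched LANs (passive sniffing is impractical; active attacks such as ARP cache poisoning are possible but disruptive and noticeable) is exactly what a defender watches for. As an added example that is not part of this thread or the forum's code: a Python script that reads ARP replies in the text format `tcpdump -n arp` prints and flags the two symptoms of poisoning, an IP address whose MAC changes mid-capture and a single MAC that answers for the gateway and for other hosts at once. The capture lines are constructed, and `SAMPLE_CAPTURE`, the `known` seeding argument and the function names are this example's own.

```python
"""Spot ARP cache poisoning from captured ARP replies.

Added example, not from the thread. Sample capture lines are constructed in
the format `tcpdump -n arp` prints ('<timestamp> ARP, Reply <ip> is-at <mac>, length N').
"""
import re
from collections import defaultdict

# Matches tcpdump's default rendering of an ARP reply; requests are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample: a legitimate gateway and host, then a third station
# starts answering for both of them (the classic man-in-the-middle pattern).
SAMPLE_CAPTURE = [
    "12:00:01.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:02.000001 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07, length 28",
    "12:00:03.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
    "12:00:04.000001 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:05.000001 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:99, length 28",
]


def parse_tcpdump_arp(lines):
    """Yield (timestamp, ip, mac) for every ARP reply in tcpdump text output."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(replies, gateway_ip, known=None):
    """Return alert strings for IP->MAC flips and for one MAC claiming several IPs.

    `known` seeds trusted bindings (e.g. the gateway's real MAC taken from the
    switch or DHCP server). Without it the first reply seen is trusted, which an
    attacker who was already poisoning the segment when capture began could exploit.
    """
    last_mac = dict(known or {})      # ip -> most recent MAC seen answering for it
    ips_by_mac = defaultdict(set)     # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {severity} {ip} moved {prev} -> {mac}")
        last_mac[ip] = mac
    for mac, ips in ips_by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            alerts.append(f"{mac} answers for gateway {gateway_ip} and also for {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_tcpdump_arp(SAMPLE_CAPTURE), "10.0.0.1"):
        print(alert)
```

Feed it a live capture with `tcpdump -n -l arp | python3 arpwatch_lite.py` style piping, or periodic `ip neigh` dumps converted to the same tuples. The gateway binding is the one worth seeding from an authoritative source: a poisoner who was active before capture started would otherwise be trusted as the baseline.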
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #62 on: November 12, 2014, 07:39:45 am »
Quote
Again, we are not talking about the dozen big player names here. We are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt.
You may be able to see in-flight connection state, but that's about it and certainly doesn't amount to sniffing traffic.

Quote
So far it is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.
Dave's server is dedicated. On a shared server, you won't have permissions to sniff traffic without compromising the server, which is out of scope of this discussion.

Quote
The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider
No, you're revealing your ignorance. You clearly have no idea what you're talking about. Nobody uses hubs any more, at any price point. They are literally extinct and haven't been made for 20 years or more. On a switched LAN passive attacks are not practical. Active attacks are possible, but pretty non-trivial and disruptive and someone will likely notice. That still requires you to be on the same segment as the attacker, which is fairly unlikely.

Quote
but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.
No you can't.

Quote
Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server
xiB = base 2. Your unit conversion is wrong.
Ok, so xiB is base 2, but it's not my fault they decided to change it.

On the other things, yes I can. I did a capture and I get all the traffic for all 65 nodes by targeting eth0, where all those domains were.

As far as hubs vs switches, I get what you are saying: you can't even purchase hubs for home products, but rack mount they are still deployed. That said, I'm not about to sniff the network beyond my server because it's just the wrong thing to do. Edit: but if they use modern equipment I'll give you that, they are using switches, but still I'm on the network and there are other attack angles once I'm in there.

As far as Dave's server, even if hostmonster is in the same data center as hostgator, the only thing preventing me from potentially sniffing those packets is that he is hosted by cloudflare, so I don't know the IP of his server in the data center. Do I want to take this further? Nope, I'd rather not. But if, and only if, I would attempt to capture network events on my host and I was successful, it would be just a matter of sending a message and parsing for it, because the SSL/TLS handshake is just between the client and CF; it will be in the clear on the server. But I'm in good standing with hostmonster so I'm not willing to sniff their network beyond the server I'm at, and I just did a 10 second capture and discarded it after the fact, just to check if I could capture what is going on without going to the actual network. Could I attempt to capture packets in their network? I guess I could, but I don't want to.

Anyways, hostmonster and hostgator are not in the same realm as Azure, AWS and the like. It's not virtualized and I'm doubting they even have hardware load balancers after all.

« Last Edit: November 12, 2014, 07:45:46 am by miguelvp »
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #63 on: November 12, 2014, 08:22:23 am »
On another note, I can get detailed info from within the network on the hardware used. I guess I could look for exploits based on the version reported to my server, still not breaking their policies; any more effort from me will break those policies so I won't try to go further.

Edit: and of course I can get access to all the system's memory, can't change it but I can read it

Edit again: And I just found a cert in one of the ports; since I have access to the memory I guess I could find the private key. Nah, I'm going to sleep and keep working on the seek because today it was a wash regarding my progress on that subject.
« Last Edit: November 12, 2014, 08:36:11 am by miguelvp »
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #64 on: November 12, 2014, 02:05:32 pm »
Quote
on the other things yes I can, I did a capture and I get all the traffic for all 65 nodes by targeting eth0 where all those domains where.
How did you perform a capture on shared infrastructure? If you have root, the infrastructure is pwned anyway and talk of crypto is moot. If you don't, you can't do a packet capture. Come on man, stop with the BS.

Quote
as far as hubs vs switches I get what you are saying, you can't even purchase hubs for home products, but  rack mount they are still deployed, that said, I'm not about to sniff the network beyond my server because it's just the wrong thing to do. Edit: but if they use modern equipment I'll give you that, they are using switches but still I'm on the network and there are other attack angles once i'm in there
They are not still deployed in any scenario. There are other attack angles indeed, most of them will cause network disruptions for the target and will only work in some scenarios. At a large data centre, your odds of having everything line up to "steal" a specific machine's traffic are pretty low. And that's if they don't protect their customers from these kind of attacks as competent networks should. This is not low-hanging fruit. It's the kind of attack that needs to be targeted and pulled off by a well-funded adversary. You can't just rent a server at the same DC and expect the traffic to come to you. It doesn't work like that.

Quote
as far as Dave's server even if hostmonster is on the same data center as hostgator, the only thing preventing me for potentially sniffing those packets
You are hopeless and don't understand networking, just give it up. This is not possible.

Quote
Anyways, hostmonster and hostgator are not on the same realm as Azure, AWS and the like. It's not virtualized and I'm doubting they even have hardware load balancers after all.
Shared hosting is not very secure and there are probably other easy ways to attack a site that is hosted such, but you will not be able to capture traffic in/out of a shared machine without root.
73 de VE7XEN
He/Him
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #65 on: November 12, 2014, 04:20:14 pm »
at this point in the internet's lifecycle, EVERYTHING should go encrypted.

first of all, ISPs love to spy on you and some want to inject ads or change your packets on the fly.  if you run https, they can't do that.

second, it's no one's business what you do online.  that includes the company you are at during the day, the ISP and also your government.

the question is not about why you would want to have a secure end-to-end link, it's why NOT have one?  what harm does it do to have a secure link to all your endpoints?  if you don't care about privacy, encryption does not hurt you in any way; but for those who want to see the net be less spyable by various agencies and corps, https is, right now, the only way forward.

please consider offering https.  it's the way forward for all network resources.  get onboard or get passed over.

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #66 on: November 12, 2014, 06:06:46 pm »
You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.

 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #67 on: November 13, 2014, 12:06:43 am »
Quote
You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.
You need root permission, it doesn't matter if that comes from logging in as uid 0 or using sudo or similar. Unless the administrator has intentionally done something monumentally stupid, you won't have that on a shared server, even a poorly administered one. If you do have such, the crypto (or lack thereof) that we're talking about is moot anyway, since you can just look at the unencrypted stream or the data right in the database/filesystem.

Your initial argument was that it was easy to sniff traffic on the server side just by being in the same data centre. It's not. It takes a very knowledgeable and dedicated attacker, and some particular luck and/or failure on the service provider's side.
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #68 on: November 13, 2014, 12:39:45 am »
I guess I did imply easy for someone that knows what they are doing, and there are plenty out there that can come up with hundreds of attack vectors once they are inside the datacenter,
which btw some offer colocation services.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3442
  • Country: us
Re: Secure version of the forum
« Reply #69 on: November 13, 2014, 12:49:43 am »
Quote
You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.

No. :palm: A professionally installed system is up-to-date, patched, hardened, maintained and well administrated. But, of course, you can always find bad examples.

For large corp which likely are more bureaucratic, setup and maintenance are the type of work that may not attract too many creative types nor hard-driving types.

From what I've seen, I would suspect at least 50% of the "professionals" doing set-up are probably vocational school trained or college student interns and don't know the difference between an IP address and a MAC address.  They do the setup, then it gets checked by "a more experienced guy" - who is in a race to see if he can complete the entire check within a single breath.

What have you seen?  Perhaps my observations are atypical.

Rick
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #70 on: November 13, 2014, 01:11:42 am »
Quote
please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entirely on https?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Secure version of the forum
« Reply #71 on: November 13, 2014, 05:32:19 am »
Quote
please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entire https ?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?

These people believe that encryption should be enabled just because... the only vulnerable point is when someone logs into the website, their password might get stolen. This topic IMO should be locked and closed, as this discussion is just ridiculous for a forum that is 100% public and does not process any sensitive information.

Worst case: Someone steals a user's password and spams the forum with their account.
Easier option: Someone creates an account and spams the forum with it.

If you are using this website from a location where the internet is controlled/monitored then perhaps you are using this site where you should not be. If this is a concern, use an SSH tunnel, or Tor, or a VPN, or some other means of encrypting your link.

I also know of many organisations I have worked for that monitor the internet and install a trusted root CA on all their office computers. They perform a trick similar to Squid's SSL bump, allowing them to filter and monitor SSL traffic. They generate certificates on the fly that match the requested domain name and auto-sign them with their locally trusted key. Think this is a privacy issue? Well, think again: most corporate contracts have an acceptable use segment that dictates your usage of the work network, which usually includes allowing them to monitor and filter the network traffic.

How many of you honestly have actually bothered to even check if your local root key store has any unknown keys in there?
« Last Edit: November 13, 2014, 05:39:48 am by gnif »
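To actually answer the last question in the post above, an added example (not from the thread, and not the forum's own code): a Python script that snapshots the roots the local trust store hands to `ssl.create_default_context()` and reports any root that was not in a baseline taken on a known-clean machine, which is how an SSL-bump style interception CA shows up. The sample store, its organisation names and serial numbers are constructed; `snapshot`, `find_unexpected_roots` and the other names are this example's own.

```python
"""Audit the local CA trust store against a baseline of expected roots.

Added example, not from the thread. Reads the roots Python's ssl module loads
from the operating system / OpenSSL default store; the baseline would be
captured once on a machine known to be clean and kept alongside this script.
"""
import json
import ssl

_SHORT = {"countryName": "C", "organizationName": "O",
          "organizationalUnitName": "OU", "commonName": "CN"}


def name_to_str(name):
    """Flatten ssl's RDN tuple-of-tuples into 'C=US, O=..., CN=...'."""
    return ", ".join(f"{_SHORT.get(attr, attr)}={value}"
                     for rdn in name for attr, value in rdn)


def cert_key(cert):
    """Stable identity for a root: its subject plus serial number."""
    return f"{name_to_str(cert['subject'])} | serial={cert.get('serialNumber', '')}"


def load_local_roots():
    """All CA certs the default context trusts. Can be empty on systems that
    only configure an OpenSSL hashed capath directory, which is loaded lazily."""
    return ssl.create_default_context().get_ca_certs()


def snapshot(certs):
    """Baseline to save (json.dumps) on a known-clean machine."""
    return sorted(cert_key(c) for c in certs)


def find_unexpected_roots(certs, baseline):
    """Roots present now that were not in the baseline: the interception CA that
    a corporate proxy or 'security' product installs is what lands here."""
    baseline = set(baseline)
    return [c for c in certs if cert_key(c) not in baseline]


def _name(org, cn):
    # Builds the tuple-of-tuples shape that get_ca_certs() returns for a name.
    return ((("countryName", "US"),), (("organizationName", org),), (("commonName", cn),))


# Constructed sample store: one public root plus one locally added filtering CA.
SAMPLE_STORE = [
    {"subject": _name("Example Public CA", "Example Root CA"),
     "issuer": _name("Example Public CA", "Example Root CA"),
     "serialNumber": "01", "notAfter": "Jan  1 00:00:00 2040 GMT", "version": 3},
    {"subject": _name("Acme Corp IT", "Acme Web Filter CA"),
     "issuer": _name("Acme Corp IT", "Acme Web Filter CA"),
     "serialNumber": "1A2B", "notAfter": "Jan  1 00:00:00 2035 GMT", "version": 3},
]
SAMPLE_BASELINE = snapshot(SAMPLE_STORE[:1])   # taken before the filter CA appeared


if __name__ == "__main__":
    for c in find_unexpected_roots(SAMPLE_STORE, SAMPLE_BASELINE):
        print("unexpected root:", cert_key(c))
    roots = load_local_roots()
    print(len(roots), "roots currently trusted by Python's default context")
    print(json.dumps(snapshot(roots)[:5], indent=1))
```

Native tools list the same store without Python: `certutil -store Root` on Windows, `security find-certificate -a -p /Library/Keychains/System.keychain` on macOS, the files under `/etc/ssl/certs` on most Linux distributions. Whatever the source, the useful check is the diff against a baseline rather than eyeballing a hundred CA names, and Firefox keeps its own NSS store separate from the OS one, so an interception CA pushed to the browser alone would not appear in this audit.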
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #72 on: November 13, 2014, 06:24:34 am »
Quote
These people believe that encryption should be enabled just because... the only vunerable point is when someone logs into the website, their password might get stolen. This topic IMO should be locked and closed as this discussion is just ridiculous for a forum that is 100% public and does not process any sensitive information.

Yep.
The crux of it is that hardly anyone is going to care whether or not this forum uses SSL, and for the couple who do care for whatever reason, I'd be willing to bet they wouldn't be using it correctly anyway. And then, at best it's protecting just their password, which should be a one-off for this forum anyway. And as you said, worst case someone spams the forum with their account, which hasn't even happened yet in 5 years on this unsecured forum to my knowledge. And if that happens, it can be detected and fixed easily. So it's all just pointless.
 

Offline alimirjamali

  • Regular Contributor
  • *
  • Posts: 83
  • Country: ir
  • Analog! D2A or A2D?
    • Ali's personal blog (updated once per year!)
Re: Secure version of the forum
« Reply #73 on: November 13, 2014, 08:17:12 am »
Quote
If this is a concern, use a SSH tunnel, or tor, or a VPN, or some other means of encrypting your link.
I do not recommend using tor as CloudFlare detects it and asks user to solve an annoying reCAPTCHA even for reading. If you take time while posting, you may have to solve another reCAPTCHA and you will lose your post.

Socks 5 tunnel over SSH or VPN will be fine as VPS prices are dirt cheap these days. I also think that this topic should be closed. Otherwise people will start to ask for Forum as a tor hidden service :-//.

p.s. There is nothing fancy in the hidden Support Lounge of Forum. Only a bunch of nerds planning to take over the world :P.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #74 on: November 13, 2014, 03:08:35 pm »
Quote
please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entire https ?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?

I think soylent news (spinoff of slashdot) allows https.

but my point is to just let users choose.  provide both port 80 and 443.  why not??  for those that want end to end privacy, they will go 443 and for those who don't care, give them 80.  everyone's happy.

do I enjoy the fact that my ISP, Comcast, listens in on every packet I send?  is it any of their business to see this?  why would you, the site operator, want to have any say in how much privacy I want in my net comms?

I find it odd to have to argue for privacy in net comms these days.  one should never have to justify why they want to avoid having to run a network protocol in the clear.

ISPs (like Verizon) are being caught trimming your packets, removing STARTTLS flags, injecting ads, collecting your connectivity matrix.  why encourage ISPs to keep spying and data-collecting on you?

please don't trot out the old and faded 'if you are doing nothing wrong, you have nothing to hide' bs.  please don't.  if you don't want network privacy in your data links, that's your choice, but please consider offering it to those that DO want it.

you watch: over the next few years, the internet set of protocols will start to include more encrypted and authenticated streams.  people don't like DPI and being spied on.  people don't like their packets changed on the fly by some 3rd party.  the days of trusted cleartext online are going to end and we'll see secure protocols starting to be preferred.
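The STARTTLS stripping mentioned in the post above is a case where the client, not the network, decides whether encryption happens: Python's `smtplib` is opportunistic by default, so if the STARTTLS keyword has been rewritten out of the EHLO reply in transit the session simply carries on in the clear and the password goes out unencrypted. Added example, not from the thread: a check on the advertised capability list and a connect wrapper that refuses to continue unless the TLS upgrade succeeds. The two EHLO responses, the mangled keyword and the `mail.example.test` hostname are constructed.

```python
"""Refuse to talk SMTP in the clear when STARTTLS is missing from EHLO.

Added example, not from the thread. smtplib only upgrades to TLS if you ask it
to after seeing the capability; this wrapper makes the upgrade mandatory so a
middlebox that strips STARTTLS produces an error instead of a cleartext login.
"""
import smtplib
import ssl

# Constructed EHLO bodies: a normal one and one where the STARTTLS keyword has
# been overwritten in transit (same length, so the reply still parses).
EHLO_CLEAN = ["mail.example.test", "PIPELINING", "SIZE 52428800", "STARTTLS", "AUTH PLAIN LOGIN"]
EHLO_STRIPPED = ["mail.example.test", "PIPELINING", "SIZE 52428800", "XXXXXXXA", "AUTH PLAIN LOGIN"]


def starttls_advertised(ehlo_lines):
    """True if a capability line (everything after the greeting) is the
    RFC 3207 STARTTLS keyword, matched case-insensitively."""
    caps = (line.strip().upper().split() for line in ehlo_lines[1:])
    return any(words[:1] == ["STARTTLS"] for words in caps)


class StartTlsStripped(RuntimeError):
    """Raised instead of continuing in cleartext."""


def connect_requiring_tls(host, port=587, timeout=10):
    """Open an SMTP session and upgrade it, or fail before credentials are sent.

    smtplib's starttls() would itself raise SMTPNotSupportedError here; the
    explicit check gives a clearer error and closes the socket on any failure.
    """
    ctx = ssl.create_default_context()          # verifies chain and hostname
    server = smtplib.SMTP(host, port, timeout=timeout)
    try:
        server.ehlo()
        if not server.has_extn("starttls"):
            raise StartTlsStripped(f"{host}:{port} did not advertise STARTTLS")
        server.starttls(context=ctx)
        server.ehlo()                           # capabilities must be re-read after the upgrade
    except Exception:
        server.close()
        raise
    return server


if __name__ == "__main__":
    for label, body in (("clean", EHLO_CLEAN), ("stripped", EHLO_STRIPPED)):
        print(label, "->", "ok" if starttls_advertised(body) else "REFUSE: no STARTTLS")
```

`connect_requiring_tls("mail.example.test")` returns a connected, verified session or raises; nothing is sent after EHLO until the upgrade has succeeded. The same rule applies to any protocol with an opportunistic upgrade (IMAP, POP3, LDAP): treat the absence of the capability as an attack, not as "encryption unavailable".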

Offline SirNick

  • Frequent Contributor
  • **
  • Posts: 589
Re: Secure version of the forum
« Reply #75 on: November 13, 2014, 08:19:27 pm »
Quote
Someone called "Lightages" just posted a thread titled "Anynoe else want to burn down Chanel HQ?".

In the UK you can be arrested and prosecuted for that: http://en.wikipedia.org/wiki/Twitter_Joke_Trial

Every action that makes mass surveillance harder is an important step to protecting our freedom.

There is arguably good reason for that.  You forget that, often, if it is against some law somewhere, there's a valid reason for it to be so.  If you were the agency in charge of keeping your country's residents safe (at whatever level -- be that local law enforcement, or national security), your job is to sort through those BS posts on forums to differentiate between the dumb-**** that threatens individuals or entities as a joke, and the ones that are one snide comment away from strapping on percussive clothing.

I really don't know where I stand on the whole "should they be able to see what I do?" debate.  On one hand, I don't really want everything I do to be subject to scrutiny at the whims of some man in black.  OTOH, I also like not having my home attacked by terrorists.  So....  there's gotta be some give and take there.  Warrants are nice in theory, but there are no shortage of books, TV shows, movies, etc., where you see someone caught in red tape and the "bad guy" gets away.  Real life is just not that clean and neat, and sometimes it gets tough to differentiate between good and evil.  Some have called for large-scale discussion on this topic, and I think it's high time people were more aware of the reality.  Surveillance isn't new, it's just a little more high-profile now.  Not much has changed but the public's awareness of what's going on.

On the topic of ISPs being invasive chodes, well... you likely have anywhere from 30 to 100 ways per month to indicate your distaste for that practice.  I have worked for two ISPs now.  Once, we instituted a ban on outgoing SMTP unless you owned a static IP.  The intention was to prevent the unintended distribution of spam from all the many, many, many zombified clients we had.  Several of our customers let us know what they thought of that policy, and management was forced to consider the opposing viewpoint.  At my last gig, we didn't filter, period.  Having worked alongside a lot of techs, I can tell you, we as a general rule have absolutely no ambition to snoop on or molest your data -- and are usually opposed to any such suggestion.  If your ISP does otherwise, call them up, cancel your account, and tell the operator precisely why you're leaving when they ask.  Encryption is the wrong solution to that problem.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #76 on: November 14, 2014, 02:58:46 am »

Quote
Yep.
And then, at best it's protecting just their password, which should be a one-off for this forum anyway.

Dave, I have a lot of respect for you, overall; but here, you are being quite ignorant.

it's not the password that many of us care about, it's what we write, when we write it, and the simple fact that it's no one's business (not an ISP or a core router owner or a transport owner) what my online activities are.

maybe I post a joke and maybe someone who spies on my data stream takes it way out of context.  maybe they store it for future use to be used against me.

please just trust us who have some background in data comm and networking.  data collection is not going to ever HELP us, the users; but surely it can and will be used against us, if the powers in charge so choose to, later on.  why feed the monster more data about ourselves?

yes, the forum is public and anyone can read what everyone else writes.  but that's quite a different thing from starting at point of origin (my demarc point) and seeing what *I* write, realtime, and being able to log it.  if the datastream is encrypted, they will know that I'm connecting to your site, but that's ALL they'll ever get out of my datastream.  what's that guy's username?  can't tell!  what's he posting about?  can't tell!  is he posting or reading?  can't tell!

please reconsider giving privacy to the datastreams for those who realize that it's in all of our best interest to stay as under the radar as possible.  those in charge who can sniff data are pretty damned evil and I don't trust them any farther than I can throw them.  the sooner we all go encrypted, the better.  the days of trusting the networks are OVER!

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #77 on: November 14, 2014, 03:08:05 am »

Quote
On the topic of ISPs being invasive chodes, well... you likely have anywhere from 30 to 100 ways per month to indicate your distaste for that practice.  I have worked for two ISPs now.  Once, we instituted a ban on outgoing SMTP unless you owned a static IP.  The intention was to prevent the unintended distribution of spam from all the many, many, many zombified clients we had.  Several of our customers let us know what they thought of that policy, and management was forced to consider the opposing viewpoint.  At my last gig, we didn't filter, period.  Having worked alongside a lot of techs, I can tell you, we as a general rule have absolutely no ambition to snoop on or molest your data -- and are usually opposed to any such suggestion.  If your ISP does otherwise, call them up, cancel your account, and tell the operator precisely why you're leaving when they ask.  Encryption is the wrong solution to that problem.

forgive me if I offend, but I'm guessing you know nothing about American ISPs and the monopoly they now have.  almost none of us, now, can choose our ISP anymore!  the local governments sign contracts - exclusive ones! - that lock us into ONE ISP per area.  ok, two, if you consider cable modems vs DSL; but cable modems won and DSL is quickly dying.  so that really gives us one choice: the cable company.  are you seriously believing that we can change ISPs?  and given that they are all mega-ISPs now, none of them vary all that much.  and all are going to give in if there is an NSL put out in your name.  not one of them will buck the system.

in fact, I run a VPN, daily, and this hides what I do from my ISP (Comcast).  and yet, when I run the VPN, I find that my connection is killed after a few hours, requiring the modem to be rebooted.  when I was not using the VPN, this didn't happen.  Comcast is hostile to non-business users and employs DPI and is damned proud of it.  my VPN thwarts that and it pisses them off.  so, they try to punish me.  of course, I have a work-around (auto detection of my default router being unpingable, and then I launch a job to reboot the modem, log the event and carry on).  but still, they are hostile toward VPN users.  should I switch ISPs?  of course.  but CAN I?  not really.

20 yrs ago, we had choices (in the US, at least) about ISPs.  there were many mom-and-pop small shops that offered net connectivity.  now, they are all swallowed up by the big guys and the big guys are all run by evil bastards.  the techs are not evil.  they are just techs.  but the BUSINESS GUYS are all nasty assholes and they are the ones who dictate policy.

you or I threatening to 'leave' will just make them laugh.

encryption IS the solution.  I find it so strange for anyone to argue AGAINST online privacy.  what the HELL, people??

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #78 on: November 14, 2014, 03:17:16 am »
What prevents anyone from using an anonymizing proxy service?

Edit: also I vpn to work every now and then and my provider doesn't reset me ever.
« Last Edit: November 14, 2014, 03:22:03 am by miguelvp »
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: au
    • Halestrom
Re: Secure version of the forum
« Reply #79 on: November 14, 2014, 10:13:19 am »
Quote
What prevents anyone to use an anonymizing proxy service?

Edit: also I vpn to work every now and then and my provider doesn't reset me ever.

Nothing does, but keep in mind a few other things people need to weigh up:
  • You need to place trust in the people running the proxy/routing service (if you can't run one yourself)
  • Complexity
I hope no one scoffs at the latter argument  ;)   The end purpose of encryption is privacy in some form -- trouble occurs when that privacy is broken and used against a person.  But most people don't know or care how to prepare for this: it's highly unlikely for it to occur for any one particular individual.

Herein lies the problem: lots of people use this site and people rightly assume there is safety in numbers.  Encryption as an option won't necessarily help people who don't expect problems, but encryption by default could protect the small proportion that are going to be caught out.  I'm assuming here that >=1 person will have their actions on the EEVblog forums used against them somehow at some point, please feel free to argue this :D


The most important thing to keep in mind for debates like this
No one is stupid, only ignorant.  Not ignorant of your or my particular arguments, but ignorant of the fact that almost all of what people argue is true.  What matters is the magnitude of the arguments -- and how they stack up compared to each other.

Look at some of the arguments: many conflict with each other, yet they still have some semblance of being true if you consider them on their own:
  • You should not need encryption, because you are not committing a crime
  • Your actions should be private until you actively choose otherwise
  • This is a public forum, there is no need for encryption
  • Your password should be kept secure so it cannot be intercepted
  • It should not matter if your password is stolen, because it's just a forum identity
  • etc

The problem is that we are all weighing up the magnitude of each of these issues based off our personal preferences and experiences -- very few of us have first hand experience or data.  Some people here with a strong personal engagement with (stereotype) internet privacy movements  are probably putting forward that encryption's needs are more important than everything else.  On the other hand other (stereotype) less computer-culture interested users don't think the pros outweigh the cons.

 For everyone: how did you come to your answer?  Why do you think your weighing up is better than what other people said?

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: Secure version of the forum
« Reply #80 on: November 14, 2014, 04:23:26 pm »
Quote
you watch: over the next few years, the internet set of protocols will start to include more encrypted and authenticated streams.  people don't like DPI and being spied on.  people don't like their packets changed on the fly by some 3rd party.  the days of trusted cleartext online are going to end and we'll see secure protocols starting to be preferred.

HTTP 2 is already going to be TLS-only. The protocol is not finalized yet, but Google has been pushing it (formerly as SPDY, now it's progressing to standards track). Google handles a ludicrous amount of traffic so you know they care about every iota of performance and arguments like "it's slow" or "it can't be cached" are things they address. Same goes for Facebook and many other "big sites". Modern CPUs have builtin AES acceleration that really does make it cheap, and features like ECDHE and session resumption make the handshake cheaper too. Many sites like Github that don't even have high privacy concerns are going HTTPS-only. This is just the way the internet is going to be -- encryption is essentially free, so there's no technical reason not to use it.

I'm not going to attempt to address any moral aspects, I'm not going to tell anyone that if they don't make HTTPS available they are violating my privacy rights or that HTTPS is necessary to combat the NSA or anything asinine like that. I just want to dispel any myths people might have about the technology of HTTPS. Dave and gnif have already made up their minds so attempting to convince them of the virtues of heading in that direction appears to be a lost cause. It's your site, you call the shots and ultimately I'm not invested enough in this issue to make a fuss about it, but I still believe you're making the wrong decision.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #81 on: November 14, 2014, 04:26:37 pm »
Saying that encryption is unnecessary in any circumstance whatsoever is tantamount to saying that privacy is unnecessary in any circumstance whatsoever.

I want encryption on this forum, but I'm not going to demand it.  I pick my battles and there are things much more worthy of my attention.  That does not, however, change my mind on the issue.  I accept that Dave isn't willing to do that at this point.  Fine.  His site and I can leave any time I choose.  I choose to stay because this site provides value to me, and I, hopefully, provide value to others occasionally.

All of that said, privacy is important to me.  Asking for HTTPS wherever I can will say to whomever is listening that I value my privacy.  It's a right in many ways (though not here) and I will use my rights wherever I can.

When a policeman pulls me over while driving, and he asks if he can search my car, I always demand a warrant.  It's my right, and if he wants some access to something that he doesn't have the right to access, I'm going to make sure that officer does what is required to gain access to my car.  NOT doing so is the same as saying "I do not value my right to privacy."

I value my right to privacy even when I am hiding nothing.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #82 on: November 14, 2014, 05:12:53 pm »
Only problem with that is that the Internet is not your private property, so warrants do not apply. Also the EEVblog is a public forum and all you do and say is as public as if you are in the public street.

Use hidemyass or similar services; then you only have one point that you have to trust, and problem solved.

What I find strange is that people that want privacy for themselves are vocal about making information public and letting information free.

I want to know what everyone is doing and what kind of secret plots they are up to, but I don't want anyone prying on my private affairs.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #83 on: November 14, 2014, 05:55:01 pm »
Sending login credentials in clear text? This is 2014, not the 90s. It's like putting the key under the door mat.
 

Offline jeremy

  • Super Contributor
  • ***
  • Posts: 1079
  • Country: au
Re: Secure version of the forum
« Reply #84 on: November 14, 2014, 05:59:51 pm »
Well in light of this continued discussion, let me add this article from a google engineer:

https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

Quote
The ‘S’ in HTTPS stands for ‘secure’ and the security is provided by SSL/TLS. SSL/TLS is a standard network protocol which is implemented in every browser and web server to provide confidentiality and integrity for HTTPS traffic.

If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.

In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.
 

Offline SirNick

  • Frequent Contributor
  • **
  • Posts: 589
Re: Secure version of the forum
« Reply #85 on: November 14, 2014, 07:53:01 pm »
And that is exactly why mass surveillance is bad. They looked at this one tweet in isolation, rather than doing a proper investigation.

That is the issue that needs to be fixed, then.  It's a harder problem, but laziness, ignorance, and bias are the root of a lot of turbulent social issues at the moment.

Has your home ever been attacked by terrorists? In the scheme of things your chance of dying at the hands of a terrorist are pretty small.

Nope, and I've never been hassled by the authorities for buying acetone, paint thinner, fertilizer, or an Arduino.  Both positions (men in black vs. terrorism) were equally exaggerated, intentionally.

You are seriously arguing that the plots of books, TV shows and movies are justification for massive, Orwellian scale invasion of privacy? David Cameron made the same ridiculous argument...

No, but subtlety is often lost in debate, so I'll be more direct:  I'm arguing that hiding is not the proper response to tyranny.

The thing that frustrates me more than any other aspect of modern social culture is how there are leagues of people whom all feel oppressed, but in the US midterm elections, something like 40% of people voted, and the issue foremost on people's minds around election day was how tired they were of advertisements.  It's no wonder people are being taken advantage of then.  The oppression they feel must be the weight of their own apathy.

THIS is why I argue against "privacy".  I feel like I shouldn't need to draw the shades and turn off the lights to talk about electronics.  I feel like it's reasonable to draw the line when my ISP starts manipulating the traffic I send.  I believe in freedom -- actual freedom -- not the ability to effectively avoid being caught being free.  That concept is f'ing ridiculous to me, and I would rather live in a society that collectively puts their foot down at injustice than one that is really good at not drawing attention to themselves.  The only thing that approach will achieve is an ever-smaller corner in which you can feel safe.  No thank you.
 

Offline SirNick

  • Frequent Contributor
  • **
  • Posts: 589
Re: Secure version of the forum
« Reply #86 on: November 14, 2014, 09:13:15 pm »
It's just far too easy to abuse that kind of power and it's happening right now, just not to you so you don't give a shit.

That would be an erroneous conclusion.  I care deeply, I just have a different fix in mind.

I believe strongly that absolute power corrupts absolutely.  But, I also believe that observation is necessary to some degree.  What degree?  Honestly, I don't know.  This is something that society needs to address, and there need to be consequences for exceeding that threshold.  Consequences that are reasonable and rational, but nonetheless firm.

The thing that concerns me most about where we, as a civilization, are headed is not the lack of privacy, it's the lack of community.  We really don't need any more walls.  It becomes way more difficult to have empathy for your fellow man when you have no idea who they are, much less know their story.  That's not to say I feel like it's my right to go through your trash bins and read your mail.  On the contrary, I think the thing that should stop me from doing so is not a sufficiently secure lock, but decency and respect for your privacy.  If those attributes are missing in those of authority, then why isn't FIXING THAT the number one priority of everyone?

They're not overnight fixes, and mankind will never be truly trustworthy, but that doesn't mean you give up and hide.  That's no way to live.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #87 on: November 14, 2014, 09:50:03 pm »
The fix is to make the taping illegal, not to bring more encryption, that just feeds the fire and increases the budgets of the parties involved.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Secure version of the forum
« Reply #88 on: November 14, 2014, 09:56:02 pm »
Quote
If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.

While this may be true for Google it definitely doesn't apply to every web server. For instance an embedded web server.
It's misleading to imply that it does.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #89 on: November 14, 2014, 09:57:41 pm »
The fix is to make the taping illegal,
Alas, that requires us to trust the people who make and enforce the laws to actually abide by them.
We don't seem to be doing very well with that in our country. 
I suspect many other people here have the same problem in their countries, also.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #90 on: November 14, 2014, 11:06:59 pm »
The fix is to make the taping illegal, not to bring more encryption, that just feeds the fire and increases the budgets of the parties involved.
As has repeatedly been brought up, state actors are one threat. Making tapping illegal is going to take a rather long while, and may not ever happen, and there are complicated jurisdictional issues as well. I don't ever expect the entire world to agree on the rules and actually follow them. There is a practical technical solution that makes these issues, for the most part, moot and can be done today. The two tacks are not mutually exclusive, and I don't think implementing crypto should stop efforts to reduce the warrantless tapping, but will in the end likely be more effective. State actors are also by no means the only threat, or even a likely threat.

Further, a fairly strong argument can be made on security alone, ignoring the privacy implications. I'm much more concerned about a shared-medium, public-access network being used to gather credentials and/or "dox" people than I am about the NSA.

Personally I don't understand why people are arguing against crypto, there aren't really any significant cons and you get privacy, some protection against forgery, and increased security.
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #91 on: November 14, 2014, 11:46:32 pm »
Encryption is a false sense of privacy and doesn't change the problem. Think about it, who designed the cryptos? Are you sure we aren't just taking that they are not reversible at face value?

For all we know anything they designed has countermeasures in place in case it gets into the wild and used by others against the designers of the algorithm.

Even someone well versed in math, unless they put in a lot of effort, might not see the security holes in the algorithm.

I know one example where a company sends communications in the clear if they are generated by a user, probably because they didn't want to give their secret crypto algo away. That company now uses standard SSL/TLS and they no longer need to send the communication in the clear. That tells me that there is no concern from the actors in the play about SSL/TLS.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #92 on: November 15, 2014, 12:10:34 am »
Lots and lots of people attack TLS and everything else all the time.  The people who know a great deal more about this than you or I trust certain algorithms wholly.  Encryption is not imaginary.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #93 on: November 15, 2014, 12:18:13 am »
Lots and lots of people attack TLS and everything else all the time.  The people who know a great deal more about this than you or I trust certain algorithms wholly.  Encryption is not imaginary.
It does depend on some unproven assumptions, but the basic principles have held for decades. A great deal of cryptanalysis has been done on important production ciphers, and few weaknesses are found, most being reduced-keyspace attacks which merely reduce the brute force effort from heat-death-of-the-universe levels to collapse-of-the-sun levels.

If the crypto we depend on is actually broken in a major way, it is a carefully guarded secret and will not be revealed without national security level cause. Or it will be revealed to everyone via responsible disclosure and we can do something about it.

Anyway, even if you suspect the crypto is broken, how the fsck is no crypto at all better than crypto that might be weak? I can guarantee you that even if an attack exists against modern crypto, it's going to be non-trivial, which increases the cost of performing it en-masse as can be done with cleartext.
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #94 on: November 15, 2014, 12:25:41 am »
Lots and lots of people attack TLS and everything else all the time.  The people who know a great deal more about this than you or I trust certain algorithms wholly.  Encryption is not imaginary.

TLS/SSL is not encryption, it's just the handshake protocol for security. The actual encryption is negotiated and it's based on X.509 certificates.
TLS 1.0 is pretty much SSL 3.0.
Current algorithms in TLS 1.2 are all designed by you know who.

Just because you or I can't break the encryption, we don't know if they were designed with countermeasures in place in case the tech was used against the designers and they are not truly asymmetrical, or they are asymmetrical but can be circumvented by the designers.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #95 on: November 15, 2014, 12:37:36 am »
AES wasn't designed by "you know who" but by two Belgian dudes.

AES is used in TLS 1.2. 

AES is also highly trusted and under continual scrutiny by researchers.

Again, it is trusted by people who know a hell of a lot more about this than you or I.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #96 on: November 15, 2014, 01:02:08 am »
And approved/consulted by you know who :)
But who am I to say the NIST is compromised? Not me. Maybe the New York Times was just blowing hot air:
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html

Anyways, I really don't know or care much, I just act the same as if I'm in public view because to me the internet is as public as it gets.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Secure version of the forum
« Reply #97 on: November 15, 2014, 01:03:47 am »
You can't just speak of AES and TLS in isolation. It is a cryptosystem, and the transport protocol, asymmetric crypto and key exchange are intimately intertwined with the symmetric cipher and block chaining mode used for the bulk data. Crypto failures in the wild are usually related to failures in the cryptosystem, not any particular component of it. They are bugs relatively easily fixed, not a flaw in the crypto itself.

All of this is negotiated between client & server in a fairly flexible manner. Don't like AES because NSA? Use Camellia.

Quote
Just because you or I can't break the encryption, we don't know if they were designed with countermeasures in place in case the tech was used against the designers and they are not truly asymmetrical, or they are asymmetrical but can be circumvented by the designers.
The ciphers are open and well documented. Cryptanalysis is done by white-, grey- and black-hats from all over the world. They often publish their findings, and some weaknesses in popular ciphers have been found. AES has been in heavy production use for over 15 years, under constant attack the entire time, and is not 'broken'. Likewise for the fundamentals of RSA and Diffie-Hellman, but on even longer time scales.

So they've stood up to decades of attack by serious mathematicians, and to the best of our knowledge haven't been broken, but the fact that they are not provably unbreakable is a good reason to use cleartext instead? WTF man.
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #98 on: November 15, 2014, 01:23:00 am »
ve7xen, I'm not saying to use clear text for everything, but for this kind of forum it is silly to use encryption just in case you are targeted and later prosecuted or whatever scenario they are talking about that involves big brother.

And I know how it's all negotiated, it's not rocket science. Well the cryptos kind of are, and yeah the algorithms are solid, the implementations might have bugs and the certificate production might be compromised, so?

One thing I know is that the more complicated the cryptos become and the fewer exploits there are, the more money is going to be thrown at it. Do I want my tax money to go that route? Not really, I just want secure banking so that Chuck can't get to my credentials online.
Eve, I don't mind her at all. Mallory, well, I would be a fool to trust self-signed certificates to begin with. And Oscar just likes to show off at the Chaos Communication Congress, maybe he will steal some pocket money from my bus card or prevent me from getting a text message if I happened to be in the area, just as a proof of concept :)

« Last Edit: November 15, 2014, 01:24:33 am by miguelvp »
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #99 on: November 15, 2014, 03:40:22 am »
this restaurant I know of sells 2 kinds of ice cream: chocolate and vanilla.

I think it would be silly to pick vanilla.

(do you see my point?)

if you provide both, you keep both kinds of people happy.

it's just that simple.  to argue against choice is pretty bizarre, when https is nearly free in every sense of the word.

you don't care about your data stream to forums.  fine!  won't you allow for others to keep their comms from prying eyes?

go look up the famous youtube video 'dont talk to cops' (part 1 and 2).  the lawyer in that video gives a good simple explanation of why even innocent 'info' can be used against you in ways you didn't think of.

do you disagree?  then put everything of yours in cleartext.  that's YOUR choice.  but it sounds like you want to make my choice for me.  THAT is where I get really annoyed.

Offline TheEnd

  • Contributor
  • Posts: 19
  • Country: gb
Re: Secure version of the forum
« Reply #100 on: November 15, 2014, 03:50:27 am »
The simile would be a place that does vanilla and Madagascan gluten free fair trade vanilla.

You get the same thing out at the end, but some people will claim that the fair trade vanilla is better for everyone and the world in general.

If you are bothered about what you are writing on a forum, don't write it. You're essentially pushing your choice of excessive security onto others, and complaining that they are being unfair but not changing to your demands.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #101 on: November 15, 2014, 04:02:13 am »
who's being unfair?  me??

for asking for a 2nd choice?

I totally entirely 100% fail to see your logic, here.  what kind of 'forcing' am I doing, exactly??


Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #102 on: November 15, 2014, 04:10:34 am »
btw, I was right about soylent news, they DO provide https.  check out this link:

https://soylentnews.org/article.pl?sid=14/11/14/1934208

it's appropriate to our discussion, too, and it's a fresh topic on that forum.

it is about comcast modifying packets, just like verizon has started to do.

if you run https to your remote endpoint, THEY CANNOT MODIFY YOUR PACKETS.

more and more, this is going to be a good idea - to secure your comms from your isp and your government.  the government is not modifying packets (yet) but isp's are all hip to do that.  I work at a networking company (doing some SDN stuff) and I'm very aware of how easy it is to write code that runs on routers that will modify packets via user code.  yes, you can now deploy user written apps (if you have privs to the router) that will direct packets that fit your filter criteria to a host, the host will run some 'logic' and change what it wants, then reinject the data back.  soon, every router vendor will support stuff like this and isp's are drooling over this ability.  first there was DPI but now there is dynamic data re-routing and modification on the fly.  that's what comcast is now doing, apparently, and I find it disgusting!

maybe it will only hit home with you dissenters once you fall prey to this via your own isp.  but imagine that your isp is going to start doing this.  not only listening in, but changing your data on the fly, as they desire.
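An added illustration of the point about on-path packet modification, written for this thread and not taken from any poster's code: a toy encrypt-then-MAC record layer built from Python's hmac module stands in for the authenticated records TLS uses, so the same simulated injector can be run against a cleartext HTTP response and against a protected one. The sample response, the username, the session token and the injected script tag are all constructed for the demonstration; the keystream construction is a teaching toy, not a production cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a forum login response as it would cross the wire in clear
# HTTP. The username and cookie value are made up for this illustration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=EXAMPLE-SESSION-TOKEN\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Welcome back, alice_example</body></html>"
)
# Constructed tracker banner of the kind an on-path injector splices into cleartext pages.
INJECTED = b'<script src="http://injector.example/track.js"></script>'

NONCE_LEN = 16
TAG_LEN = 32


def make_keys():
    """Fresh random keys for one session (TLS derives these from the handshake)."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def _keystream(enc_key, nonce, length):
    """CTR-style keystream from HMAC-SHA256. Toy construction for illustration only."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_record(enc_key, mac_key, record):
    """Return the plaintext, or None if the record was modified or truncated in transit."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce = record[:NONCE_LEN]
    ciphertext = record[NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def middlebox_inject(wire_bytes):
    """Simulated on-path injector: splice a banner before </body>, else append it."""
    marker = b"</body>"
    idx = wire_bytes.find(marker)
    if idx == -1:
        return wire_bytes + INJECTED
    return wire_bytes[:idx] + INJECTED + wire_bytes[idx:]


def middlebox_flip(wire_bytes, offset=NONCE_LEN + 4):
    """Simulated blind tampering: flip one bit of the payload without knowing any key."""
    out = bytearray(wire_bytes)
    out[offset] ^= 0x01
    return bytes(out)


def demo():
    """Run the same injector against cleartext and against an authenticated record."""
    enc_key, mac_key = make_keys()
    clear = middlebox_inject(SAMPLE_RESPONSE)  # on cleartext the injection succeeds silently
    record = seal(enc_key, mac_key, SAMPLE_RESPONSE)
    return {
        "cleartext_injected": INJECTED in clear,
        "username_visible_on_wire": b"alice_example" in record,
        "authentic_record_opens": open_record(enc_key, mac_key, record) == SAMPLE_RESPONSE,
        "injected_record_rejected": open_record(enc_key, mac_key, middlebox_inject(record)) is None,
        "flipped_record_rejected": open_record(enc_key, mac_key, middlebox_flip(record)) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The receiver cannot tell an ISP's banner from a bit flip by a hostile hotspot; both simply fail the tag check and the record is dropped, which is the property the "they cannot modify your packets" claim rests on.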

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #103 on: November 15, 2014, 04:30:04 am »
...
but it sounds like you want to make my choice for me.  THAT is where I get really annoyed.

Nope, use a hidemyass or other anonymous web proxy that you trust or even TOR and everyone is happy.

And it's not like I do want to make the choice for you, you make the choice coming to a public forum, whatever you post here is going to be immediately in the public domain, because anyone can snatch it. It's not like every message comes with digital permissions so that only people with the right key can see it.

Also you can use https as well, it's implemented all the way to CF from what I saw already in this thread.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #104 on: November 15, 2014, 05:01:08 am »
I guess I will never see your point and you can't see mine.

you tell me to use an anon proxy or vpn (which I already do use); but can you explain why offering type A and type B connections on a website HURTS or BOTHERS you?

really.  why does allowing other people to have their choice bother you?

that's the crux of the issue.  what does it take away FROM YOU to make those of us who want https, happy?

how does this reduce YOUR quality of life?

those who try to think for others and force their views on others are the most stubborn of people.  it seems you are one of those controlling types that sees a way that works for you, and therefore you find other choices 'silly'.  care to explain what this controlling nature is all about, in you?

my request for https does nothing to hurt you.  it deprives you of NOTHING.  why, then, would you want to deprive me of MY choice?

boggle.  super boggle, in fact.

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #105 on: November 15, 2014, 05:35:51 am »
It doesn't hurt me or bother me at all, I just don't see the value.

It is not my site and not my decision to make, my only point is that the forum is public so anything posted here pretty much is public domain. Even PM's are not just under your control, the recipient can choose to make them public.

If it's about credentials then you know better than to reuse the same ones, you never know when a site (accessed by TLS or not) can cope with SQL injections while someone with their loic bots is aiming at it, then even if the passwords are not in the clear the hash can be brute-force decoded without a lot of effort. I take it you know the interwebs, security on them is mostly an illusion, you can pretend it's not but we all know better than that.

Maybe EEVblog should support OAuth 2.0 so we can give permissions to groups or individuals to access what we want them to access on a temporary basis.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #106 on: November 15, 2014, 09:20:40 am »
do you see the difference between being able to come to the forum with posts already in-place - versus being able to track each user by his ip-addr, place and time?

my isp does not know what username I login as (assuming I'm running ssl as a transport).  they can surely visit the forum all they want, but I've limited what they can know about ME, their customer, by running ssl over the wire.  they probably have no idea what forums I visit, what I say, what my thoughts are, what my preferences are, etc.  and I like it that way!

maybe it's too subtle for some people to see this point.  but there is definitely a difference between being able to real-time track a user vs seeing the work already done (postings) and having to spend time and effort creating the binding between the posts and the user who is the isp customer.

I see no reason to make anything easier for those who make it their business to spy and track people in everything they do.  at least I remove the realtime tracking that they want and so, I've raised the bar in the amount of effort they'd have to go thru to create history on me.

I know that you don't care and that you don't 'get it'; but at least allow those of us who do want to limit what the spies know about us to have our way, especially when it does not affect you in any way, shape or form.  you lose nothing by allowing us our privacy.  you should actually have no say in the matter, in fact; since you have chosen not to avail yourself of any privacy online.  you made your choice.  let us make ours the way we want to.

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #107 on: November 15, 2014, 09:39:27 am »
I just don't see the value.

 :blah:

I suppose you are paid by you know who.
 

Offline janengelbrecht

  • Regular Contributor
  • *
  • Posts: 181
  • Country: dk
    • JP-Electronics
Re: Secure version of the forum
« Reply #109 on: November 15, 2014, 03:43:07 pm »
I always use a fake IP (using various methods including VPN :P ) .... so I can't see any issues :) Well I never seek to be anonymous on the internet... it's just not so nice to be hacked :P
But secure forum ? Hmm why not..it could never do any harm  :-DD

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #110 on: November 15, 2014, 03:52:01 pm »
a previous company I worked for made its money from being a man-in-the-middle (MitM) during network exchanges.  their tricks would only work if you ran cleartext protocols; the minute you ran https, they could no longer play their games.

my day-job field was, for a long time, network management based and when I was out interviewing over the last 15 yrs or so, I was seeing a trend in companies who make boxes that do the MitM stuff.  companies that give you a laptop almost always will include their own certs preinstalled and so when you -think- you got an end to end lock icon on your browser, what really happened is that you authenticated with the company's firewall/router and THAT is where your data gets intercepted and logged and possibly sniffed and tracked.  at this point, any corp-given laptop or pc that I would be given has to be assumed to be 'compromised' and I won't trust using those systems for online banking or anything where I really want a secure channel between me and the remote net peer.  you have to do a fresh install, yourself, with known good media (original windows disc, mac disc or linux distro) if you want to trust the 'lock icon'.

it's because so many companies that are in the switch/router and netmgt space are SO heavily into dpi and user tracking/analysis that I am trying to push back against this evil and dangerous trend.  I try to educate people about how pervasive this is and how you can fight back against this.

having sites offer https shows that they are sympathetic to this issue.  and like that IAB link that was just posted, the networking guys now know they have to fix the trust issue with cleartext protocols.

eevblog is a big site and gets a lot of attention.  think how useful it would be to have eevblog make a statement that they want to join the new century and protect users' privacy as much as possible, at least in terms of unauthorized realtime data collection.

I ask dave to take a leadership position.  others will do this, over time.  why not start now?

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #111 on: November 15, 2014, 07:14:59 pm »
I just don't see the value.

 :blah:

I suppose you are paid by you know who.

Right, because I don't agree, that automatically makes me an agent, get real :)
I'm not connected in any shape or form with any governmental agency.

Anyways, it's really up to Dave.
 

Offline Galaxyrise

  • Frequent Contributor
  • **
  • Posts: 531
  • Country: us
Re: Secure version of the forum
« Reply #112 on: November 15, 2014, 07:18:36 pm »
I made a some changes to nginx which fixes the majority of the SSL issues for those of you that insist on using it.
Thanks! Even knowing the real risk was very low, I always felt a little weird visiting the forums over open wifi (like airports) so I've switched to https.
I am but an egg
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3442
  • Country: us
Re: Secure version of the forum
« Reply #113 on: November 15, 2014, 09:28:12 pm »
...
On HTTPS: It's a forum. It's public. If you have even remotely good password habits (not reusing things which matter), getting your login credentials stolen is not a big deal. And who sends secret things via the PM system? Really? No, there'd be a ton of other things I'd have liked to see fixed here before full HTTPS support even entered into it.
...

I think ovnr is right.  This is just a forum.  Communication here is for the public to read even without a password - so securing messages from eavesdropping is pointless.  As to the log-on part, I can't imagine a scenario here where someone would steal a password just to post a note or read the personal messages here.

Besides, why waste resources.  Two kinds of resource:

1. Don't care what broadband you use, there is always an upper limit on speed, be it net or CPU;  Encryption will use more data-bandwidth.  If your connection is by volume, it will hurt.

2. Some servers (PC's, smartphones, etc.) somewhere are going to burn cycles (i.e. electrical power) just to deal with the overhead in transmitting, encrypting, and decrypting things that are open and public.

It will be a stupid waste of resources and added trouble for admin or users for no good reason.

******************************  ******************************

Okay - I now withdraw my statement above and change my position to support providing/using https (or whatever enhanced security) because of this line of posts made by linux-work cited below. 
The part of quote from linux-works I bold/colored are particularly significant in my changing of my point of view.

Mr. Linux-Works, your argument is convincing.  I can't help but agree with you!

Rick

******************************  ******************************



...
forgive me if I offend, but I'm guessing you know nothing about american isp's and the monopoly they now have.  almost none of us, now, can choose our isp anymore!  the local governments sign contracts - exclusive ones! - that lock us into ONE isp per area.
...
in fact, I run a vpn, daily, and this hides what I do from my isp (comcast).  and yet, when I run the vpn, I find that my connection is killed after a few hours, requiring the modem to be rebooted.  when I was not using the vpn, this didn't happen.  comcast is hostile to non-business users and employs dpi and is damned proud of it.  my vpn thwarts that and it pisses them off.  so, they try to punish me.  of course, I have a work-around (auto detection of my default router being unpingable and then I launch a job to reboot the modem, log the event and carry on).  but still, they are hostile toward vpn users.  should I switch isp's?  of course.  but CAN I?  not really.
...


do you see the difference between being able to come to the forum with posts already in-place - versus being able to track each user by his ip-addr, place and time?

my isp does not know what username I login as (assuming I'm running ssl as a transport).  they can surely visit the forum all they want, but I've limited what they can know about ME, their customer, by running ssl over the wire.  they probably have no idea what forums I visit, what I say, what my thoughts are, what my preferences are, etc.  and I like it that way!
...
I see no reason to make anything easier for those who make it their business to spy and track people in everything they do.  at least I remove the realtime tracking that they want and so, I've raised the bar in the amount of effort they'd have to go thru to create history on me.

I know that you don't care and that you don't 'get it'; but at least allow those of us who do want to limit what the spies know about us to have our way, especially when it does not affect you in any way, shape or form.  you lose nothing by allowing us our privacy.  you should actually have no say in the matter, in fact; since you have chosen not to avail yourself of any privacy online.  you made your choice.  let us make ours the way we want to.
« Last Edit: November 15, 2014, 09:31:53 pm by Rick Law »
 

Offline lapm

  • Frequent Contributor
  • **
  • Posts: 564
  • Country: fi
Re: Secure version of the forum
« Reply #114 on: November 15, 2014, 10:07:59 pm »
You people really really should not post anything on the internet you want to keep secret. Seriously, secrets will come out. There was recently a study published that 80% of TOR users can be identified with simple traffic analysis...

Google recently published an article on how the most used SSL protocol is practically useless. It doesn't provide real protection...

The problem on the internet is, someone will always know who you are. And any government agency that really really wants to know who you are will traverse that chain up until they find the one that can point a finger at you. Even the server you use for anonymity relies on an ISP to provide internet and that ISP probably keeps traffic logs.

That is assuming you don't go to extremes on protecting your identity. Use public wifis all the time, use a second-hand bought laptop so your MAC address can't be traced back to a sales order, etc...

Yes, I'm all for offering options. But I also understand that Dave is not exactly a genius on computers. You want more options, then explain it to Dave so he understands why it's a good idea and actually needed. Also might help if you're willing to shell out money to pay for the damn SSL certificate.

He is after all our favorite ELECTRONICS ENGINEER. Not computer scientist. Most normal people are just clueless about internet.
Electronics, Linux, Programming, Science... im interested all of it...
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #115 on: November 15, 2014, 11:51:05 pm »
For Firefox you can use this extension: HTTPS Everywhere

The ruleset file for the eevblog site and forum:

<ruleset name="EEVBlog">
  <target host="*.eevblog.com" />
  <rule from="^http://(www\.)?eevblog\.com/" to="https://www.eevblog.com/"/>
</ruleset>

Cheers
hammy
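To see what that ruleset actually does to a URL, here is a small Python script I am adding to this reply (my own example, not code from HTTPS Everywhere or from hammy's post) that parses the posted ruleset and applies it. It assumes the usual HTTPS Everywhere semantics: a `<target>` decides whether the ruleset is consulted at all (a `*.` wildcard covering subdomains only), and the first `<rule>` whose `from` regex matches rewrites the URL; `$1`-style backreferences in `to` are converted to Python's `\1` form.

```python
"""Apply an HTTPS Everywhere style ruleset to URLs (added example)."""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import urlparse

# Copy of the ruleset posted above, embedded here so the script runs offline.
RULESET_XML = r"""
<ruleset name="EEVBlog">
  <target host="*.eevblog.com" />
  <rule from="^http://(www\.)?eevblog\.com/" to="https://www.eevblog.com/"/>
</ruleset>
"""


def parse_ruleset(xml_text):
    """Parse <target> host globs and <rule> from/to pairs from the XML."""
    root = ET.fromstring(xml_text)
    targets = [t.get("host") for t in root.findall("target")]
    rules = []
    for r in root.findall("rule"):
        # HTTPS Everywhere writes JS-style $1 backreferences; Python wants \1.
        to = re.sub(r"\$(\d+)", r"\\\1", r.get("to"))
        rules.append((re.compile(r.get("from")), to))
    return {"name": root.get("name"), "targets": targets, "rules": rules}


def rewrite(url, ruleset):
    """Return the rewritten URL, or the original if no target/rule applies."""
    host = urlparse(url).hostname or ""
    # A '*.example.com' target matches subdomains, not the bare domain
    # (assumption of this example, matching how fnmatch treats the glob).
    if not any(fnmatch(host, pattern) for pattern in ruleset["targets"]):
        return url
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


if __name__ == "__main__":
    rs = parse_ruleset(RULESET_XML)
    for u in ("http://www.eevblog.com/forum/",
              "http://eevblog.com/forum/",
              "http://forum.eevblog.com/index.php"):
        print(f"{u} -> {rewrite(u, rs)}")
```

Two things fall out of running it: `http://www.eevblog.com/forum/` is rewritten as intended, but `http://eevblog.com/forum/` is not, because the only target is the `*.eevblog.com` wildcard and the bare domain never gets past the target check even though the `from` regex would accept it. A second `<target host="eevblog.com" />` line fixes that. Note also that real HTTPS Everywhere `from` patterns are JavaScript regexes; this script compiles them with Python's `re`, which is fine for the simple pattern above.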
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #116 on: November 18, 2014, 09:31:40 pm »
today's slashdot has a relevant story:

http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate-authority-to-encrypt-the-entire-web

headline:

Today EFF, Mozilla, Cisco, and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols (demo video here). Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #117 on: February 20, 2015, 04:49:13 pm »
The forum is not reachable over https any more.  :--
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #118 on: February 21, 2015, 11:27:43 am »
The forum is not reachable over https any more.  :--

I can confirm that. It started about 4 days ago.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #119 on: February 21, 2015, 12:26:19 pm »
The forum is not reachable over https any more.  :--
I can confirm that. It started about 4 days ago.

That coincides with me turning off cloudflare. Just turned it back on now.
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #120 on: February 21, 2015, 01:03:07 pm »
That coincides with me turning off cloudflare. Just turned it back on now.

Thank you very much, that is very kind of you!  :-+

BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

Yes, sorry for that. Unfortunately we are living in a country where this difference matters.

Cheers
hammy
« Last Edit: February 21, 2015, 01:11:13 pm by hammy »
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #121 on: February 21, 2015, 04:31:49 pm »
The forum is not reachable over https any more.  :--
I can confirm that. It started about 4 days ago.
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

for those that don't care, it does not matter.

but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit, and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

see, if you run end-to-end encryption, you can know that what you see on the page is what was really there.  but if you let ISPs edit your data packets on-the-fly, more and more of them want to insert ads or change your content.  or, later, who knows - maybe even slow-lane you if you are not connecting to one of their preferred or partner sites.

the world HAS to convert to an entirely encrypted model.  it will frustrate and deny the spy agencies and it's our only way to ensure the free internet STAYS a free internet.

sorry for the political-style reply but this is real stuff.  the sooner the whole net converts over, the sooner the spooks will realize that mass surveillance is not something we want and we will do all we can to deny them this unethical power they just assumed, and did not deserve.

don't get bogged down in 'but this is just a hobby site'.  it does not matter.  it does not matter if you are visiting a cooking site or a politics site.  privacy is privacy and we all deserve the right to shield our comms from prying ISPs and other agencies.  what we visit does not matter, it's our right to privacy and global internet freedom.
« Last Edit: February 21, 2015, 04:33:23 pm by linux-works »
 

Offline Mechanical Menace

  • Super Contributor
  • ***
  • Posts: 1288
  • Country: gb
Re: Secure version of the forum
« Reply #122 on: February 21, 2015, 04:38:12 pm »
but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit,

The only way to do that is to use a secure proxy, and then the proxy owners know exactly what site you're visiting anyway so you're only moving the problem, not fixing it. The internet wasn't designed to keep that sort of thing secret.

Quote
and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

Wait, wtf? American ISPs actually do that? Hope you get a discount on your service for it.
Second sexiest ugly bloke on the forum.
"Don't believe every quote you read on the internet, because I totally didn't say that."
~Albert Einstein
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #123 on: February 21, 2015, 04:49:28 pm »
but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit,

The only way to do that is to use a secure proxy, and then the proxy owners know exactly what site you're visiting anyway so you're only moving the problem, not fixing it. The internet wasn't designed to keep that sort of thing secret.

Quote
and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

Wait, wtf? American ISPs actually do that? Hope you get a discount on your service for it.

I actually do run a VPN (using one now, in fact).  and yes, it pushes the exit point 'over there' instead of 'over here' (I could make a joke, "let's tunnel the packets over there so that we don't have to tunnel them over here".  americans may get that joke..) but my vpn provider has zero interest (in fact, it's their business model NOT to mess with your data stream, and in many cases, not even log any of your logins or transits) in my data.  my ISP, otoh, definitely wants to sniff my traffic.  all american ISPs want that, whether they deserve it or not.

and yes, they are starting to inject ads.  look up a bit where I posted such a link, a few months ago, about wireless carriers getting caught doing this (att and verizon).  comcast is also doing this, or starting to.  others will follow.  with SDN (software defined networking) and DPI (deep packet inspection) they all have the ability to do this.  I worked on some SDN tech at a company I was at (not an isp, thankfully) and so I'm pretty aware of what SDN can do, and it has an evil side to it, no doubt about it.

discount for them injecting ads?  are you serious?  they'll probably start charging MORE since they'll phrase it as 'adding value to your internet experience' (I'm using the kind of weasel words they would likely use).

Offline Mechanical Menace

  • Super Contributor
  • ***
  • Posts: 1288
  • Country: gb
Re: Secure version of the forum
« Reply #124 on: February 21, 2015, 04:58:14 pm »
and yes, they are starting to inject ads.  look up a bit where I posted such a link, a few months ago, about wireless carriers getting caught doing this (att and verizon).  comcast is also doing this, or starting to.

I've only seen that here using free WiFi hotspots, and TBH in my view that's fair enough. I also know paid subscribers to those services don't get the ads...

And yeah, almost every useful tool can be misused.

EDIT

I hope your fight to keep net neutrality goes the right way. Otherwise I bet your VPN will end up in the slow lane.
« Last Edit: February 21, 2015, 05:02:10 pm by Mechanical Menace »
Second sexiest ugly bloke on the forum.
"Don't believe every quote you read on the internet, because I totally didn't say that."
~Albert Einstein
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #125 on: February 21, 2015, 05:32:00 pm »
That coincides with me turning off cloudflare. Just turned it back on now.
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

The problem with http is that logins are in cleartext, e.g. sniffing the network traffic will get you the login credentials easily. It's like using telnet instead of ssh over the internet, or like putting the key under the door mat.

But since it seems that Cloudflare simply acts as a proxy (like a MITM attack) the SSL encryption is worthless. Let's check the SSL certificate. It's for cloudflaressl.com. So the connection between your PC and the nearest Cloudflare proxy is https, but between the proxy and the forum's server it's http.   :-[
« Last Edit: February 21, 2015, 05:44:40 pm by madires »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #126 on: February 21, 2015, 05:36:11 pm »
but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit, and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

https doesn't hide which sites you visit. It hides what you're receiving or sending.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #127 on: February 21, 2015, 05:47:04 pm »
And it only hides that from Cloudflare; the communication between Cloudflare and the blog is in the clear, so nothing stops Cloudflare or the site from monetizing your browsing via adsense.

Actually even going to full implemented https sites won't block adsense, so if you look at a scope, be prepared to see scope ads no matter where you go on the interwebs :)
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #128 on: February 21, 2015, 07:01:40 pm »
I also exchange private messages (pm) inside this forum with other forum users about hacking scopes and other devices. It is not just about the stuff I read here, it is about the stuff I write here in public and in private.
It's a matter of principle. I also use envelopes for my letters. And I insist to get my salary statement inside an envelope.

If the government wants to see my stuff, ok, I cannot do much against that. But the mailman does not need to know how much my income is or which scopes I hack. My ISP (or other people with a tap) does not need to know what I read or write somewhere.
Again: It's a matter of principle.
 

Offline manzini

  • Regular Contributor
  • *
  • Posts: 54
  • Country: es
Re: Secure version of the forum
« Reply #129 on: February 23, 2015, 09:27:54 am »
Quote from: EEVblog
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

Matters.... public wifi, for non EE people bored at work, and now in some EU countries, ISP / country laws about some questions like hack.

Also, I think google has said, using https will be prioritized in the search engine results.
 

n45048

  • Guest
Re: Secure version of the forum
« Reply #130 on: February 23, 2015, 09:44:00 am »
If the government wants to see my stuff, ok, I cannot do much against that.

Encrypt it properly and they can't read it without due legal process. That's the key here - they can screw your life up enough to force you to hand over encryption keys etc, but only if they either go through the legal process or break the law. At the moment they seem to favour the latter, so we have to fight back and block it.

In Australia there is actually legislation which through a court would force you to hand over any passwords or encryption keys or face further prosecution. We tend to do things legally rather than through corruption :-) Being dodgy is just too messy.
 

Offline Tandy

  • Frequent Contributor
  • **
  • Posts: 372
  • Country: gb
  • Darren Grant from Tandy, UK.
    • Tandy
Re: Secure version of the forum
« Reply #131 on: February 23, 2015, 10:54:19 am »
I really don't get what all the fuss is about?

Some people seem to be concerned about people tracking what they have written. I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum is to be part of an open discussion that anyone can read and contribute to so that people can learn from each other's experience? What do I care if some spy agency, my employer or my grandma are watching what I have posted. The very fact that the forum is public means I will only ever say something that I am happy for the entire world to read.

Some people say, but my employer might see what I am doing and think I am wasting time or not like what I have written. So you are at work using your employer's equipment and internet connection, while being paid to do some kind of work, and you think it is unfair that they don't want you doing something they are not paying you to do? If you don't like it that your employer has a strict monitoring policy for their internet use you have a few options open to you. Use the forum in your own time on your own internet connection, or explain to your boss why the forum is useful to your work, or perhaps leave that job and find an employer with a more relaxed attitude towards what you do with your time.

But it all seems a bit of a waste of time carrying on the discussion anyway as Dave clearly doesn't see any need to bother with a full https implementation on the forum and as it is his forum that is how it is. As this is one of the best EE forums on-line I suggest you just have to live with the decisions that have been made by the owners and take them into consideration when you use the forum, such as using a unique password and maybe even a disposable email address, and not start posting about guns, bombs and drugs in case the security agencies think that you are a person of interest.

For more info on Tandy try these links Tandy History EEVBlog Thread & Official Tandy Website
 

Offline opty

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ie
Re: Secure version of the forum
« Reply #132 on: February 23, 2015, 12:05:55 pm »
It has all been said above. But I will repeat.

.... I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum...

Some folks want their private messages stay private...
Related: Have you read the latest Lenovo news? We want https so my internet provider doesn't track what I'm posting or reading, nor can inject ads. It is just a matter of principle, even if I'm posting/reading a public forum.

...But it all seems a bit of a waste of time carrying on the discussion anyway as Dave clearly doesn't see any need to bother with a full https implementation on the forum and as it is his forum that is how it is. As this is one of the best EE forums on-line I suggest you just have to live with the decisions that have been made by the owners and take them in to consideration when you use the forum such as using a unique password and maybe even a disposable email address and not start posting about guns, bombs and drugs in case the security agencies think that you are a person of interest.

I agree this is the best EE forum ;).  We do not threaten to leave it. I'm just asking for https support. Is anything wrong with this kind suggestion?

And where the heck did you get that guns and bombs from? That is a typical demagogy. Just because I don't want to be eavesdropped it must mean I'm a bad person. Oh man, stop it.

Opty 
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #133 on: February 23, 2015, 12:20:15 pm »
So did turning back on Cloudflare fix the issue?
I personally don't use nor care about https support for the forum so never see any issue.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #134 on: February 23, 2015, 12:26:17 pm »
I agree this is the best EE forum ;).  We do not threaten to leave it. I'm just asking for https support. Is anything wrong with this kind suggestion?

IIRC this was discussed at length in another thread somewhere.
The conclusion was that:
a) Few other technical forums offer proper https support
b) Very few people actually want or need it
c) There are technical issues that preclude it being implemented properly
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #135 on: February 23, 2015, 12:27:32 pm »
Some folks want their private messages stay private...

In that case I suggest you bypass the forum messaging entirely and use secure encrypted email.
 

Offline Tandy

  • Frequent Contributor
  • **
  • Posts: 372
  • Country: gb
  • Darren Grant from Tandy, UK.
    • Tandy
Re: Secure version of the forum
« Reply #136 on: February 23, 2015, 12:44:04 pm »
Some folks want their private messages stay private...
Personally I never consider private messages on a forum to be private, I use them to send messages to people that I feel would be of interest to that person only but would not add to the discussion topic for other people. For example someone might mention a particular multimeter in a thread and rather than take the thread off topic I tell them I have the same meter and ask if they have the manual as I would like a copy. This is something of interest only really to me and the other person but I don't care one bit if someone else can read it as it is not private.
For more info on Tandy try these links Tandy History EEVBlog Thread & Official Tandy Website
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #137 on: February 23, 2015, 12:48:52 pm »
Some people seem to be concerned about people tracking what they have written. I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum is to be part of an open discussion that anyone can read and contribute to so that people can learn from each others experience? What do I care if some spy agency, my employer or my grandma are watching what I have posted. The very fact that the forum is public means I will only ever say something that I am happy for the entire world to read.

That's basically right! But it's just plain stupid to send login credentials in plaintext over the internet. This is 2015 and not the 1990s anymore.

Some people say, but my employer might see what I am doing and think I am wasting time or not like what you have written. So you are at work using your employers equipment and internet connection, while being paid to do some kind of work and you think it is unfair that they don't want you doing something they are not paying you to do? If you don't like it that your employer has a strict monitoring policy of their internet use you have a few options open to you. Use the forum in your own time on your own internet connection, or explain to your boss why the forum is useful to your work, or perhaps leave that job and find an employer with a more relaxed attitude towards what you do with your time.

https won't hide your eevblog usage, just the content of your traffic. The firewall can see and log the connections to the forum. And it would be easy to run the firewall in a MITM https attack scenario to see the traffic in cleartext too (that's what Cloudflare is doing to proxy the forum).
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7765
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #138 on: February 23, 2015, 01:19:17 pm »
So did turning back on Cloudflare fix the issue?

Yes, https is working again. But there's a security issue with the way Cloudflare works. Cloudflare runs proxy servers. If you connect to the forum, you actually connect to one of the proxy servers which caches the forum's web pages. That means that Cloudflare is able to see everything including your login credentials. For https it's the same because the https connection is between your browser and Cloudflare's proxy server, not the forum's server (https isn't enabled on the forum's server). When the proxy server gets a page from the forum's server on behalf of the user the connection is http, i.e. not encrypted. So https isn't end-to-end which renders it mostly useless in this case. The question is: do you trust Cloudflare?
« Last Edit: February 23, 2015, 01:22:10 pm by madires »
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #139 on: February 23, 2015, 01:39:38 pm »
The question is: do you trust Cloudflare?

I don't have to, because I don't care about https!
Same for almost all of the users of this forum.
This was never meant to be a secure private forum, and I think people expecting it to be are just asking for too much.
As I mentioned, IIRC, even with cloudflare removed the issues do not stop there. Gnif, the resident server penguin, would need to fill in that detail.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #140 on: February 23, 2015, 06:57:44 pm »
At least here in the US, there is no expectation of "privacy" on the internet.  https is like a flimsy lock. It keeps the honest people honest, but is no significant deterrent to someone with serious intent.  You can just assume that somebody can spy on you whenever they wish.
And then there are the thousands of laws already on the books that appear to be selectively enforced. You can be arrested for anything at any time.

 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #141 on: February 23, 2015, 09:18:34 pm »
So you don't have online banking in the US? There is no expectation of privacy, so presumably no one wants their banking details exposed...

This forum is not a bank, and expecting it to have the same level security is IMO not reasonable.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #142 on: February 23, 2015, 09:24:31 pm »
I really don't get what all the fuss is about?

encryption seems to have a polarizing effect on a lot of people.  they either fully 'get it' or they totally don't get it at all.

you're in the 2nd camp.  and that's fine, we can't convince you to get it if you're not ready or willing.  and you are free to make your choice for yourself.

what those of us in camp-1 ask is that you don't limit our ability, while choosing your own option not to encrypt.

we don't ask that you understand us, we ask that you allow for our 'silliness' (if you want to think of it that way).  don't deny the use of both http and https and let the user pick what way they want to access the internet.

arguing about encryption and privacy is like religion.  you won't change anyone's mind, but can't we just allow each other their own style and not try to force a limit on the other camp?

allowing for https puts no limits on camp-2 but if camp-2 wants to deny https, that does limit what camp-1 can do.  and that's anti-freedom.

anyway, the whole idea of mass communication across the world is pretty new to mankind.  we are still working out the details and it's all a huge social experiment, in a way.  the notion of 'no privacy while online' is NOT a given and NOT a done-deal by any means.  we are still deciding, as a worldwide community, what it means to live in the modern connected age.

lets allow people the right of choice, shall we?  regardless of whether you can understand their viewpoint or not.

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #143 on: February 23, 2015, 10:20:35 pm »
encryption seems to have a polarizing effect on a lot of people.  they either fully 'get it' or they totally don't get it at all.
No that is not true.  We (or at least SOME of us) "get it". 

But we also realize that there are certain TLAs (Three-letter-agencies) that can break https whenever they please.  Just last week I watched a legitimate documentary on the NSA that showed how they have their own cleanroom fab where they develop their own full-custom chips specifically designed for cryptology.  I work at arguably the most leading-edge fab on this planet, and even that (rather dated) glimpse around their fab looked pretty impressive to me.  Ref:  http://youtu.be/N6Ex8Jr7Bzc?t=1h8m30s

Furthermore, if only PART of the link between EEVblog and you (the part between CloudFlare and you) is https encrypted, but the OTHER part (between EEVblog and CloudFlare) is clear, what sense of security do you get from that?  I guess you could say that is the part I don't get.

And yes, I get that implementing https would have little/no effect on us doubters, but that NOT having it completely deprives you of the security you desire.  But as others (including Dave) said, this isn't a bank. It is a PUBLIC forum!  Certainly I wouldn't use a bank (or make a credit-card purchase) using a link that was not AT LEAST secured by https, but that just keeps the amateurs out.
 

Offline alimirjamali

  • Regular Contributor
  • *
  • Posts: 83
  • Country: ir
  • Analog! D2A or A2D?
    • Ali's personal blog (updated once per year!)
Re: Secure version of the forum
« Reply #144 on: February 23, 2015, 10:25:25 pm »
Guys, please consider encrypted version of the forum will have additional costs on Dave's side :(:

  • It would cost to have a valid SSL certificate signed by a certificate authority (Almost negligible)  :-\.
  • The web server will have to encrypt the communication over SSL/TLS which means more CPU power will be needed (better CPU costs more) :(
  • https usually means that it would not be possible to use a reverse caching proxy which means more bandwidth and direct request load on Dave's server :(.
  • CloudFlare (which it appears many people do not trust here) is an exceptional caching proxy which supports different levels of SSL. :)
  • If Dave keeps CloudFlare enabled, you can use CloudFlare Flexible SSL connection (right now). ^-^
  • The connection between you and CloudFlare is secure, your ISP or Coffee Shop can not sniff on it. :-+
  • Connection between Dave's server and CloudFlare is insecure (and we have to trust CloudFlare) :-\
  • It would be possible to implement Full SSL or Full SSL (strict) with CloudFlare; however, Dave is definitely not a Linux guy and we would better let him use his time for better things. :-/O :-DMM :-BROKE
Let's wait for Dave's Mini-Me to show on the forum. If he is a Penguin guy, we can push him for this issue and few other things. >:D
« Last Edit: February 23, 2015, 10:29:53 pm by alimirjamali »
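madires' check ("let's look at the SSL certificate") and the Flexible / Full / Full (strict) distinction in the list above can be turned into a repeatable test. The Python below is my own added example, not Cloudflare's or the forum's code: it takes a certificate in the dict shape `ssl.SSLSocket.getpeercert()` returns, checks whether the certificate actually covers the hostname you typed, and flags it as a shared multi-tenant certificate when the subject alternative names span more than one registrable domain. The two certificate dicts are constructed for the demo (the `sni00000` label and `other-tenant.example` are placeholders, not captured values); `fetch_peer_cert()` is the standard-library call you would use against a live host.

```python
"""Is the TLS certificate a site's own, or a shared CDN/proxy one? (added example)"""
import socket
import ssl

# Constructed certificate in getpeercert() shape, modelled on a shared CDN
# certificate: the CN belongs to the CDN and the SANs list several tenants.
SHARED_CDN_CERT = {
    "subject": ((("commonName", "sni00000.cloudflaressl.com"),),),
    "issuer": ((("organizationName", "Example CA (placeholder)"),),),
    "subjectAltName": (
        ("DNS", "sni00000.cloudflaressl.com"),
        ("DNS", "*.eevblog.com"),
        ("DNS", "eevblog.com"),
        ("DNS", "*.other-tenant.example"),
        ("DNS", "other-tenant.example"),
    ),
}

# Constructed certificate as an origin server with its own cert would present.
ORIGIN_CERT = {
    "subject": ((("commonName", "www.eevblog.com"),),),
    "issuer": ((("organizationName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "www.eevblog.com"), ("DNS", "eevblog.com")),
}


def dns_names(cert):
    """Collect the CN and every DNS subject alternative name."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def registrable(name):
    """Naive 'last two labels' stand-in for the registrable domain."""
    return ".".join(name.split(".")[-2:])


def assess_cert(cert, hostname):
    """Report whether the cert covers hostname and whether it is shared."""
    names = dns_names(cert)
    domains = sorted({registrable(n) for n in names})
    return {
        "covers_host": any(name_matches(n, hostname) for n in names),
        "shared": len(domains) > 1,   # several tenants => TLS ends at a proxy
        "domains": domains,
    }


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live lookup of the presented certificate (not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("shared CDN cert:", assess_cert(SHARED_CDN_CERT, "www.eevblog.com"))
    print("origin cert:    ", assess_cert(ORIGIN_CERT, "www.eevblog.com"))
```

The caveat is the one madires already made: a shared certificate tells you TLS terminates at a third party, but no client-side check can tell whether the hop from that proxy to the origin is encrypted (Flexible) or not (Full / Full strict). Conversely, a certificate naming only the site does not prove end-to-end encryption either, since a proxy can be issued a per-customer certificate. The browser padlock only ever vouches for the first hop.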
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Secure version of the forum
« Reply #145 on: February 23, 2015, 10:46:25 pm »
But we also realize that there are certain TLAs (Three-letter-agencies) that can break https whenever they please. <snip>

Furthermore, if only PART of the link between EEVblog and you (the part between CloudFlare and you) is https encrypted, but the OTHER part (between EEVblog and CloudFlare) is clear, what sense of security do you get from that?  I guess you could say that is the part I don't get.
<snip>

Not that I want to get drawn into this, and I cut out some of your post to concentrate on the main points, but ...

Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

You may not care about your posts being public, but if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password are broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.

How much that matters to you personally depends on your password hygiene and how much care you take on insecure networks.
 

Offline alimirjamali

  • Regular Contributor
  • *
  • Posts: 83
  • Country: ir
  • Analog! D2A or A2D?
    • Ali's personal blog (updated once per year!)
Re: Secure version of the forum
« Reply #146 on: February 23, 2015, 10:52:24 pm »
Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

Please see my points 4, 5 and 6 and the description on the CloudFlare website. You are currently protected against such attacks.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #147 on: February 23, 2015, 11:29:04 pm »
.... if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password is broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.
Agreed.  But anyone who is paying attention to the Modern World knows that re-using PINs/passwords for different things (particularly for sensitive things) is a pretty stupid thing to do.  And it doesn't take public sniffing of unencrypted coffee-shop WiFi to compromise that. We have seen many companies (and government agencies) reveal that kind of data from their data stores through means that have nothing to do with (and were not protected by) https.
 

Offline Mechanical Menace

  • Super Contributor
  • ***
  • Posts: 1288
  • Country: gb
Re: Secure version of the forum
« Reply #148 on: February 23, 2015, 11:36:06 pm »
At least here in the US, there is no expectation of "privacy" on the internet.

And you should never expect the infrastructure to deliver it, it's anathema to the very concept of how the internet was meant to work.


Services that use it though, if they advertise a certain level of privacy then it is reasonable to expect it.
Second sexiest ugly bloke on the forum.
"Don't believe every quote you read on the internet, because I totally didn't say that."
~Albert Einstein
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Secure version of the forum
« Reply #149 on: February 23, 2015, 11:36:48 pm »
Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

Please see my points 4, 5 and 6 and the description on the CloudFlare website. You are currently protected against such attacks.

As I said, I couldn't be arsed to check :) I was just commenting as a general reason why someone would want to care about more than just TLAs so it didn't really matter.

.... if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password is broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.
Agreed.  But anyone who is paying attention to the Modern World knows that re-using PINs/passwords for different things (particularly for sensitive things) is a pretty stupid thing to do.  And it doesn't take public sniffing of unencrypted coffee-shop WiFi to compromise that. We have seen many companies (and government agencies) reveal that kind of data from their data stores through means that have nothing to do with (and were not protected by) https.

They should, yet still the most common passwords include things like 'password' and '123456' |O
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Secure version of the forum
« Reply #150 on: February 24, 2015, 01:54:58 pm »
Encryption is becoming the default. It's not just GCHQ/NSA spying, it's ISPs being asshats and spying on users for commercial purposes and that sort of thing.

Yep, it's easy for an ISP to inject ads on unencrypted pages.  It's easy for them to monitor all of your web browsing and all content to & from your house if it is unsecured.

I sometimes think of it more like "they don't need to know" even though I'm not doing anything worth looking at.

All traffic on the internet should be encrypted all the time, imho.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #151 on: March 22, 2015, 01:54:59 pm »
again, https is broken here.  was working for a while, but now it's getting a gateway error of some kind.

admins, do you need to change a setting?  was there a reboot lately where a setting may not have been made non-volatile?

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #152 on: March 22, 2015, 07:16:02 pm »
It's a Cloudflare setting; the actual server never had https set up, and for what it's worth I just tried it and it works.
 

n45048

  • Guest
Re: Secure version of the forum
« Reply #153 on: March 23, 2015, 05:19:20 am »
HTTPS works for me -- Although I don't think it always used to.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Secure version of the forum
« Reply #154 on: April 08, 2015, 05:29:24 pm »
Resurrecting this old thread, it seems now that certain US ISPs are looking to monetise the user base by inserting advertising into the non-SSL traffic going to their customers, as a money-making method.

No guesses as to which one, but you probably will be right.

Thus it probably would be a good idea to use SSL on all web pages by default, as then at least the advertising is going to actually bring in income to Dave, as opposed to going to the ISP's coffers.

Not sure I would like such an ISP, but as they often are the monopoly in an area and the choice is them, them, them or them as far as you can cast your eye, it might be difficult to change ISP without moving and getting a job where they are not the incumbent.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #155 on: April 08, 2015, 05:47:54 pm »
sooner or later, all wise website owners WILL be enabling ssl.  some don't understand (dave really should; he's technical enough!) but the more progressive ones already are.

it's not about cost, it's not about cpu cycles, it's not about wasting bandwidth (none of those are remotely significant).

it's about having a clear uninterrupted path from you to your target destination.  as more isps go the evil way of DPI (deep packet inspection), expect more 'inserted content' on unsecured paths.

at some point, people will say ENOUGH OF THIS SHIT! and the webmasters will have no choice but to join the modern era and turn on https.

it boggles my mind that dave does not care about this.  "MY isp does not do this, why should I care about yours?" is the drift I get from his lack of caring.  what a shame.  sometimes really smart people can be stubborn for no good reason at all ;(

dave, we look forward to your joining the modern age and removing the isp's ability to change and insert content on the fly.   on the day you enable website ssl mode, I'll donate a nice chunk of change to you, as a thank-you. 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6911
  • Country: ca
Re: Secure version of the forum
« Reply #156 on: April 08, 2015, 11:22:27 pm »
HTTPS works for me -- Although I don't think it always used to.
Congratulations on getting a man-in-the-middle in your browser. That is not the right certificate from the Cloudflare site. I have attached a screenshot below with yours (bogus) on the left and the proper one on the right. You can see it is the same Cloudflare web site at the end of the chain, but the upstream certificate chain is totally different. The proper certificate was issued by a public Certificate Authority "Comodo" which can be validated up the trust chain to another public CA "UserTrust". The bogus one was from a proprietary company "Kaspersky" and it was NOT issued to Cloudflare, it was issued to you, as the "Personal" keyword suggests. Yes, I know who Kaspersky is, but for now keep reading.

What appears to have happened in your case is that your local antivirus hijacked your certificate store and installed itself at the root, decrypting and re-encrypting your https traffic, therefore effectively acting as a man-in-the-middle between secure web sites and your browser. You are now fully at the mercy of the Kaspersky firm to do with your traffic whatever they feel like today.

It was just recently that this exact same type of thing caused big problems for computer manufacturer Lenovo, which was installing adware on their computers. If you have not heard of it and/or want to understand how this sh!t works, google for "Lenovo superfish scandal" and read a few articles. While reading, replace "Superfish" with "Kaspersky" and you will get the picture of what's happening to you.

Yes, some people may say "Kaspersky is a well respected antivirus company so it is OK". Let me ask you, though, if you really feel comfortable knowing that all your online banking/shopping/passwords are now not point-to-point anymore and are being decrypted by some man-in-the-middle program on your computer and then re-encrypted before being delivered to your browser.   >:D

If you don't, I'd say look in your antivirus program settings to disable scanning of https traffic, if it is possible at all, then re-check that https site certificates now point to a proper public CA and not some "personal" certificate.

As to the subject of this topic, you can see with this and the Lenovo case that https does not guarantee you confidentiality; it can be hijacked.

« Last Edit: April 08, 2015, 11:24:25 pm by Bud »
Facebook-free life and Rigol-free shack.
 
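The check the post above describes (look at whose root the chain ends in, and whether a "Personal" root has been slipped in locally) can be scripted. The following is an added example, not code from the thread or from Cloudflare: it parses the `Certificate chain` block that `openssl s_client -showcerts` prints, follows the issuer links up to the anchor, and reports whether that anchor is an expected public root or a locally installed interception root. The two sample chains, the `forum-cdn.example` hostname and the CA names in them are constructed placeholders modelled on the post's description, not captured certificate data.

```python
"""Classify a TLS certificate chain as publicly anchored or locally intercepted.

Added example (not from the forum thread). Feed it the output of
    openssl s_client -connect HOST:443 -servername HOST </dev/null
on stdin, or run it as-is to see the two constructed sample chains classified.
"""
import re
import ssl
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def normalize_dn(dn: str) -> FrozenSet[str]:
    """Turn either openssl DN style ('/O=X/CN=Y' or 'O = X, CN = Y') into a
    comparable set of 'KEY=VALUE' strings, so spacing and order do not matter."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn.lstrip("/").split("/")
    else:  # newer openssl prints 'O = X, CN = Y'; only split on ', KEY ='
        parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", dn)
    return frozenset(p.replace(" = ", "=").strip() for p in parts if p.strip())


_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_s_client_chain(text: str) -> List[Cert]:
    """Parse the 'Certificate chain' section of openssl s_client output (leaf first)."""
    certs: List[Cert] = []
    subject: Optional[str] = None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            certs.append(Cert(subject, m.group(1).strip()))
            subject = None
    return certs


def chain_top(chain: List[Cert]) -> Optional[Cert]:
    """Walk issuer links from the leaf upward and return the highest cert present."""
    by_subject = {normalize_dn(c.subject): c for c in chain}
    cur: Optional[Cert] = chain[0] if chain else None
    seen = set()
    while cur is not None and normalize_dn(cur.subject) != normalize_dn(cur.issuer):
        key = normalize_dn(cur.issuer)
        if key in seen or key not in by_subject:
            break  # loop, or the server did not send the root itself
        seen.add(key)
        cur = by_subject[key]
    return cur


# Anchor the forum's CDN chain is expected to end in (constructed placeholder
# modelled on the post's "Comodo ... UserTrust" description).
EXPECTED_PUBLIC_ROOTS = {
    normalize_dn("/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority"),
}
# Tell-tale words the post points at: a root issued "to you", not to the site.
INTERCEPTION_HINTS = ("personal",)


def verdict(chain: List[Cert], expected_roots=None) -> str:
    """Return 'public-anchor', 'local-interception', 'unknown-anchor' or 'empty'."""
    expected_roots = EXPECTED_PUBLIC_ROOTS if expected_roots is None else expected_roots
    top = chain_top(chain)
    if top is None:
        return "empty"
    # If the root itself was sent, judge its subject; otherwise judge the issuer
    # of the highest certificate we did get.
    anchor = top.subject if normalize_dn(top.subject) == normalize_dn(top.issuer) else top.issuer
    if normalize_dn(anchor) in expected_roots:
        return "public-anchor"
    if any(hint in anchor.lower() for hint in INTERCEPTION_HINTS):
        return "local-interception"
    return "unknown-anchor"


def system_root_common_names() -> set:
    """Common names of CA certs the local OpenSSL trust store has loaded (for
    spotting a vendor root that was added to the machine, as in the post)."""
    ctx = ssl.create_default_context()
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            names.update(v for k, v in rdn if k == "commonName")
    return names


# Constructed sample outputs; names are placeholders, not real certificates.
PROPER_OUTPUT = """\
Certificate chain
 0 s:/O=CloudFlare, Inc./CN=forum-cdn.example
   i:/O=COMODO CA Limited/CN=COMODO Domain Validation Secure Server CA
 1 s:/O=COMODO CA Limited/CN=COMODO Domain Validation Secure Server CA
   i:/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
"""
BOGUS_OUTPUT = """\
Certificate chain
 0 s:O = CloudFlare, Inc., CN = forum-cdn.example
   i:O = Kaspersky Lab (constructed), CN = Kaspersky Personal Root Certificate (constructed)
 1 s:O = Kaspersky Lab (constructed), CN = Kaspersky Personal Root Certificate (constructed)
   i:O = Kaspersky Lab (constructed), CN = Kaspersky Personal Root Certificate (constructed)
---
"""

if __name__ == "__main__":
    if not sys.stdin.isatty():
        print(verdict(parse_s_client_chain(sys.stdin.read())))
    else:
        print("proper sample:", verdict(parse_s_client_chain(PROPER_OUTPUT)))
        print("bogus sample: ", verdict(parse_s_client_chain(BOGUS_OUTPUT)))
```

The expected-root set is the part you tune per site: pin the public anchor you observed from a machine you trust, and any chain that ends elsewhere is worth a look even when the word "Personal" is absent, since an interception root can be named anything.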

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6911
  • Country: ca
Re: Secure version of the forum
« Reply #157 on: April 09, 2015, 01:02:19 am »
at some point, people will say ENOUGH OF THIS SHIT!
I am already saying it and I use an http firewall called Safesquid. It is not too easy to set up this product, but it should not be much of a problem for a technical person. The good thing is that once you learn it, it is quite flexible.
I have attached a screenshot of an excerpt from the log that resulted from processing the eevblog home page as a sample.
Facebook-free life and Rigol-free shack.
 

Offline dsolodov

  • Newbie
  • Posts: 3
Re: Secure version of the forum
« Reply #158 on: April 09, 2015, 04:47:43 am »
I bypass my ISP's DPI by routing all traffic external to my LAN through a VPN vendor unrelated to my ISP. Some VPN vendors do not even require registration...
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 1999
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #159 on: May 06, 2015, 12:11:17 am »
eevblog admins: better get on board soon or mozilla will leave you behind:


https://soylentnews.org/article.pl?sid=15/05/05/1222255

I said it many times; the web WILL be all encrypted sooner rather than later.  snowden helped a lot by informing us how wrong it was to trust the carriers/etc.

now, more sites are turning on encryption; and it looks like mozilla/firefox will help lead the way in getting people there.

guys, please turn on https - and not just via that cloud CDN stuff; that's not end-to-end https by any stretch.

