Secure version of the forum

[TheEnd]

The simile would be a place that does vanilla and Madagascan gluten free fair trade vanilla.

You get the same thing out at the end, but some people will claim that the fair trade vanilla is better for everyone and the world in general.

If you are bothered about what you are writing on a forum, don't write it. You're essentially pushing your choice of excessive security onto others, and complaining that they are being unfair but not changing to your demands.

[linux-works]

who's being unfair?  me??

for asking for a 2nd choice?

I totally entirely 100% fail to see your logic, here.  what kind of 'forcing' am I doing, exactly??

[linux-works]

btw, I was right about soylent news, they DO provide https.  check out this link:

https://soylentnews.org/article.pl?sid=14/11/14/1934208

its appropriate to our discussion, too, and its a fresh topic on that forum.

it is about comcast modifying packets, just like verizon has started to do.

if you run https to your remote endpoint, THEY CANNOT MODIFY YOUR PACKETS.

more and more, this is going to be a good idea - to secure your comms from your isp and your government.  the government is not modifying packets (yet) but isp's are all hip to do that.  I work at a networking company (doing some SDN stuff) and I'm very aware of how easy it is to write code that runs on routers that will modify packets via user code.  yes, you can now deploy user written apps (if you have privs to the router) that will direct packets that fit your filter criteria to a host, the host will run some 'logic' and change what it wants, then reinject the data back.  soon, every router vendor will support stuff like this and isp's are drooling over this ability.  first there was DPI but now there is dynamic data re-routing and modification on the fly.  that's what comcast is now doing, apparently, and I find it disgusting!

maybe it will only hit home with you dissenters once you fall prey to this via your own isp.  but imagine that your isp is going to start doing this.  not only listening in, but changing your data on the fly, as they desire.

[miguelvp]

...
but it sounds like you want to make my choice for me.  THAT is where I get really annoyed.

Nope, use a hidemyass or other anonymous web proxy that you trust or even TOR and everyone is happy.

And it's not like I do want to make the choice for you, you make the choice coming to a public forum, whatever you post here it's going to be immediately in the public domain, because anyone can snatch it. it's not like every message comes with digital permissions that only people with the right key can see it.

Also you can use https as well, it's implemented all the way to CF for what I saw already in this thread.

[linux-works]

I guess I will never see your point and you can't see mine.

you tell me to use an anon proxy or vpn (which I already do use); but can you explain why offering type A and type B connections on a website HURTS or BOTHERS you?

really.  why does allowing other people to have their choice bother you?

that's the crux of the issue.  what does it take away FROM YOU to make those of us who want https, happy?

how does this reduce YOUR quality of life?

those who try to think for others and force their views on others are the most stubborn of people.  it seems you are one of those controlling types that sees a way that works for you, and therefore you find other choices 'silly'.  care to explain what this controlling nature is all about, in you?

my request for https does nothing to hurt you.  it deprives you of NOTHING.  why, then, would you want to deprive me of MY choice?

boggle.  super boggle, in fact.

[miguelvp]

It doesn't hurt me or bother me at all, I just don't see the value.

It is not my site and not my decision to make, my only point is that the forum is public so anything posted here pretty much is public domain. Even PM's are not just under your control, the recipient can choose to make them public.

If it's about credentials then you know better not to reuse the same ones, you never know when a site (accessed by TLS or not) can cope with SQL injections while someone with their loic bots are aiming to it, then even if the passwords are not in the clear the hash can be brute force decoded without a lot of effort. I take you know the interwebs, security of them is mostly an illusion, you can pretend it's not but we all know better than that.

Maybe EEVblog should support OAUTH 2.0 so we can give permissions to groups or individuals to access what we want them to access on a temporary bases.

[linux-works]

do you see the difference between being able to come to the forum with posts already in-place - versus being able to track each user by his ip-addr, place and time?

my isp does not know what username I login as (assuming I'm running ssl as a transport).  they can surely visit the forum all they want, but I've limited what they can know about ME, their customer, by running ssl over the wire.  they probably have no idea what forums I visit, what I say, what my thoughts are, what my preferences are, etc.  and I like it that way!

maybe its too subtle for some people to see this point.  but there is definitely a difference between being able to real-time track a user vs seeing the work already done (postings) and having to spend time and effort creating the binding between the posts and the user who is the isp customer.

I see no reason to make anything easier for those who make it their business to spy and track people in everything they do.  at least I remove the realtime tracking that they want and so, I've raised the bar in the amount of effort they'd have to go thru to create history on me.

I know that you don't care and that you don't 'get it'; but at least allow those of us who do want to limit what the spies know about us to have our way, especially when it does not affect you in any way, shape or form.  you lose nothing by allowing us our privacy.  you should actually have no say in the matter, in fact; since you have chosen not to avail yourself of any privacy online.  you made your choice.  let us make ours the way we want to.

[hammy]

I just don't see the value.

 

I suppose you are payed by you know who.

[madires]

Please see https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/ !

[janengelbrecht]

I always use a fake IP (using various methods including VPN ) .... so i cant see any issues Well i never seek to be anonymous on the internet...its just not so nice to be hacked
But secure forum ? Hmm why not..it could never do any harm 

[linux-works]

a previous company I worked for made its money from being a man-in-the-middle (MitM) during network exchanges.  their tricks would only work if you ran cleartext protocols; the minute you ran https, they could no longer play their games.

my day-job field was, for a long time, network management based and when I was out interviewing over the last 15 yrs or so, I was seeing a trend in companies who make boxes that do the MitM stuff.  companies that give you a laptop almost always will include their own certs preinstalled and so when you -think- you got an end to end lock icon on your browser, what really happened is that you authenticated with the company's firewall/router and THAT is where your data gets intercepted and logged and possibly sniffed and tracked.  at this point, any corp-given laptop or pc that I would be given has to be assumed to be 'compromised' and I wont' trust using those systems for online banking or anything where I really want a secure channel between me and the remote net peer.  you have to do a fresh install, yourself, with known good media (original windows disc, mac disc or linux distro) if you want to trust the 'lock icon'.

its because so many companies that are in the switch/router and netmgt space are SO heavily into dpi and user tracking/analysis that I am trying to push back against this evil and dangerous trend.  I try to educate people about how pervasive this is and how you can fight back against this.

having sites offer https shows that they are sympathetic to this issue.  and like that IAB link that was just posted, the networking guys now know they have to fix the trust issue with cleartext protocols.

eevblog is a big site and gets a lot of attention.  think how useful it would be to have eevblog make a statement that they want to join the new century and protect user's privacy as much as possible, at least in terms of unauthorized realtime data collection.

I ask dave to take a leadership position.  others will do this, over time.  why not start now?

[miguelvp]

I just don't see the value.

 

I suppose you are payed by you know who.

Right, because I don't agree, that automatically makes me an agent, get real
I'm not connected in any shape or form with any governmental agency.

Anyways, it's really up to Dave.

[Galaxyrise]

I made a some changes to nginx which fixes the majority of the SSL issues for those of you that insist on using it.

Thanks! Even knowing the real risk was very low, I always felt a little weird visiting the forums over open wifi (like airports) so I've switched to https.

[Rick Law]

...
On HTTPS: It's a forum. It's public. If you have even remotely good password habits (not reusing things which matter), getting your login credentials stolen is not a big deal. And who sends secret things via the PM system? Really? No, there'd be a ton of other things I'd have liked to see fixed here before full HTTPS support even entered into it.
...

I think ovnr is right.  This is just a forum.  Communication here is for public to read even without password - so securing message from eavesdrop is pointless.  As to the log-on part, I can't imagine a scenario here where someone would stole a password just to post a note or read the personal message here.

Besides, why waste resources.  Two kinds of resource:

1. Don't care what broadband you use, there is always an upper limit on speed, be it net or CPU;  Encryption will use more data-bandwidth.  If your connection is by volume, it will hurt.

2. Some servers (PC's, smartphones, etc.) somewhere is going to burn cycle (ie:electrical power) just to deal with the overhead in transmit, encrypt, and decrypt things that is open and public.

It will be a stupid waste of resources and added trouble for admin or users for no good reason.

******************************  ******************************

Okay - I now withdraw my statement above and change my position to support providing/using https (or whatever enhanced security) because of this line of posts made by linux-work cited below.  The part of quote from linux-works I bold/colored are particularly significant in my changing of my point of view.

Mr. Lunux-Work, your argument is convincing.  I can't help but to agree with you!

Rick

******************************  ******************************

...
forgive me if I offend, but I'm guessing you know nothing about american isp's and the monopoly they now have.  almost none of us, now, can choose our isp anymore!  the local governments sign contracts - exclusive ones! - that lock us into ONE isp per area.
...
in fact, I run a vpn, daily, and this hides what I do from my isp (comcast).  and yet, when I run the vpn, I find that my connection is killed after a few hours, requiring the modem to be rebooted.  when I was not using the vpn, this didn't happen.  comcast is hostile to non-business users and employs dpi and is damned proud of it.  my vpn thwarts that and it pisses them off.  so, they try to punish me.  of course, I have a work-around (auto detection of my default router being unpingable and then I launch a job to reboot the modem, log the event and carry on).  but still, they are hostile toward vpn users.  should I switch isp's?  of course.  but CAN I?  not really.
...

do you see the difference between being able to come to the forum with posts already in-place - versus being able to track each user by his ip-addr, place and time?

my isp does not know what username I login as (assuming I'm running ssl as a transport).  they can surely visit the forum all they want, but I've limited what they can know about ME, their customer, by running ssl over the wire.  they probably have no idea what forums I visit, what I say, what my thoughts are, what my preferences are, etc.  and I like it that way!
...
I see no reason to make anything easier for those who make it their business to spy and track people in everything they do.  at least I remove the realtime tracking that they want and so, I've raised the bar in the amount of effort they'd have to go thru to create history on me.

I know that you don't care and that you don't 'get it'; but at least allow those of us who do want to limit what the spies know about us to have our way, especially when it does not affect you in any way, shape or form.  you lose nothing by allowing us our privacy.  you should actually have no say in the matter, in fact; since you have chosen not to avail yourself of any privacy online.  you made your choice.  let us make ours the way we want to.

[lapm]

You people really really should not post anything on internet you want to keep secret. Seriously secrets will come out. There was recently study published that 80% of TOR user can be identified with simple traffic analysis...

Google recently published article how most used SSL protocol is practically useless. It docent provide real protection...

Problem on internet is, someone will always know who you are. And any government agency that really really want to know who you are will traverse that chain up until they find the one that can point finger at you. Even server you use for anonymity relias on isp to provide internet and that isp probably keeps traffic logs.

That is assuming you don't go extremes on protecting your identity. Use public wifis all the time, use second hand bought laptop so your mac-address cant be traced back to sell order, etc...

Yes i'm all for offering options. But i also understand that Dave is not exactly genius on computers. You want more options, then explain it to Dave so he understands why its good idea and actually needed. Also might help if your willing to shell money to pay the damn ssl certificate.

He is after all our favorite ELECTRONICS ENGINEER. Not computer scientist. Most normal people are just clueless about internet.

[hammy]

For Firefox you can use this extension: HTTPS Everywhere

The ruleset file for the eevblog site and forum:

<ruleset name="EEVBlog">
  <target host="*.eevblog.com" />
  <rule from="^http://(www\.)?eevblog\.com/" to="https://www.eevblog.com/"/>
</ruleset>

Cheers
hammy

[linux-works]

today's slashdot has a relevant story:

http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate-authority-to-encrypt-the-entire-web

headline:

Today EFF, Mozilla, Cisco, and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols (demo video here). Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.

[hammy]

The forum is not reachable over https any more. 

[madires]

The forum is not reachable over https any more. 

I can confirm that. It started about 4 days ago.

[EEVblog]

The forum is not reachable over https any more. 

I can confirm that. It started about 4 days ago.

That coincides with me turning off cloudflare. Just turned it back on now.
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

[hammy]

That coincides with me turning off cloudflare. Just turned it back on now.

Thank you very much, that is very kind of you! 

BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

Yes, sorry for that. Unfortunately we are living in a country where this difference matters.

Cheers
hammy

[linux-works]

The forum is not reachable over https any more. 

I can confirm that. It started about 4 days ago.

BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

for those that don't care, it does not matter.

but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit, and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

see, if you run end-to-end encryption, you can know that what you see on the page is what was really there.  but if you let ISPs edit your data packets on-the-fly, more and more of them want to insert ads or change your content.  or, later, who knows - maybe even slow-lane you if you are not connecting to one of their preferred or partner sites.

the world HAS to convert to an entirely encrypted model.  it will frustrate and deny the spy agencies and its our only way to ensure the free internet STAYS a free internet.

sorry for the political-style reply but this is real stuff.  the sooner the whole net converts over, the sooner the spooks will realize that mass surveillance is not something we want and we will do all we can to deny them this unethical power they just assumed, and did not deserve.

don't get bogged down in 'but this is just a hobby site'.  it does not matter.  it does not matter if you are visiting a cooking site or a politics site.  privacy is privacy and we all deserve the right to shield our comms from prying ISPs and other agencies.  what we visit does not matter, its our right to privacy and global internet freedom.

[Mechanical Menace]

but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit,

The only way to do that is to use a secure proxy, and then the proxy owners know exactly what site you're visiting anyway so you're only moving the problem, not fixing it. The internet wasn't designed to keep that sort of thing secret.

and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

Wait, wtf? American ISPs actually do that? Hope you get a discount on your service for it.

[linux-works]

but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit,

The only way to do that is to use a secure proxy, and then the proxy owners know exactly what site you're visiting anyway so you're only moving the problem, not fixing it. The internet wasn't designed to keep that sort of thing secret.

and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

Wait, wtf? American ISPs actually do that? Hope you get a discount on your service for it.

I actually do run a VPN (using one now, in fact).  and yes, it pushes the exit point 'over there' instead of 'over here' (I could make a joke, "lets tunnel the packets over there so that we don't have to tunnel them over here".  americans may get that joke..) but my vpn provider has zero interest (in fact, its their business model NOT to mess with your data stream, and in many cases, not even log any of your logins or transits) in my data.  my ISP, otoh, definitely wants to sniff my traffic.  all american ISPs want that, whether they deserve it or not.

and yes, they are starting to inject ads.  look up a bit where I posted such a link, a few months ago, about wireless carriers getting caught doing this (att and verizon).  comcast is also doing this, or starting to.  others will follow.  with SDN (software defined networking) and DPI (deep packet inspection) they all have the ability to do this.  I worked on some SDN tech at a company I was at (not an isp, thankfully) and so I'm pretty aware of what SDN can do, and it has an evil side to it, no doubt about it.

discount for them injecting ads?  are you serious?  they'll probably start charging MORE since they'll phrase it as 'adding value to your internet experience' (I'm using the kind of weasel words they would likely use).,

[Mechanical Menace]

and yes, they are starting to inject ads.  look up a bit where I posted such a link, a few months ago, about wireless carriers getting caught doing this (att and verizon).  comcast is also doing this, or starting to.

I've only seen that here using free WiFi hotspots, and TBH in my view that's fair enough. I also know paid subscribers to those services don't get the ads...

And yeah, almost every useful tool can be misused.

EDIT

I hope your fight to keep net neutrality goes the right way. Otherwise I bet your VPN will end up in the slow lane.