EEVblog Electronics Community Forum
General => General Technical Chat => Topic started by: sam1275 on February 02, 2017, 05:01:42 pm
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
Apart from PMs and logging in, why would you need a secure protocol to access a public forum?
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
Apart from PMs and logging in, why would you need a secure protocol to access a public forum?
https://en.m.wikipedia.org/wiki/Firesheep
Don't know if this forum has a workaround for it or not.
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
Apart from PMs and logging in, why would you need a secure protocol to access a public forum?
If you're not doing anything suspicious, then you have nothing to worry about...
Not that EEVBlog should be a big risk item for anyone, but the fact is this: it generalizes. There is a positive, nonzero risk associated with leaking one's information, and encryption provides a positive, nonzero reduction in that risk. There is no disadvantage to the user, and to the operator and owner, only the difficulty of setting it up.
Tim
-
Wasn't this brought up before? IIRC there was some technical reason for why things are the way they are.
Agreed that if you manually type in https, it should use that. As long as I can still use http...
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
Apart from PMs and logging in, why would you need a secure protocol to access a public forum?
To stop lowlife ISP's injecting their own unwanted Javascript and tracking cookies into the forum content? To make sure the ads actually come from Dave's sponsor companies and are not booby-trapped phonies? To stop ad-click fraud (doesn't affect Dave or the viewer, but cheats the sponsors)?
That sort of thing
-
Wasn't this brought up before? IIRC there was some technical reason for why things are the way they are.
Agreed that if you manually type in https, it should use that. As long as I can still use http...
Why would you choose to use HTTP over HTTPS?
-
"Secure connection error", it's not a choice. (I guess the choice is not reinstalling the whole system and upgrading libraries.)
-
"Secure connection error", it's not a choice. (I guess the choice is not reinstalling the whole system and upgrading libraries.)
Well if you will insist on living in the 90s.
-
"Secure connection error" means in this case that the server and browser both support encryption, initiated a handshake, but couldn't agree on what to do.
There's been new crypto added and a move towards getting rid of older methods lately, in order to be more secure against snooping, with the result here being breaking both encryption and authentication for someone who won't or can't constantly update.
I wish we would have just done it right the first time instead and made some sort of crypto plugin infrastructure on the TCP level instead of leaving it up to the web devs.
-
"Secure connection error" means in this case that the server and browser both support encryption, initiated a handshake, but couldn't agree on what to do.
There's been new crypto added and a move towards getting rid of older methods lately, in order to be more secure against snooping, with the result here being breaking both encryption and authentication for someone who won't or can't constantly update.
And I don't for a minute believe you can't keep a system up to date with security packages, which means you refuse to.
Removal of broken crypto has been continuously occurring for years.
-
Keeping up to date means upgrading OpenSSL, everything that depends on it, and sorting out all the dependency conflicts that have been introduced. It's a pain in the ass. Luckily it doesn't matter whether you believe me or not...
-
Keeping up to date means upgrading OpenSSL, everything that depends on it, and sorting out all the dependency conflicts that have been introduced. It's a pain in the ass. Luckily it doesn't matter whether you believe me or not...
Which means you're running Gentoo, Slack, or LFS. Anything else should deal with it for you. If you're running one of those three you should've kept on top of things, and you should really sort things out now before it gets worse.
-
Do you think you're contributing any new information here or are you just trying to convince yourself it's okay to ignore a different perspective?
It's a cost/benefit thing. It tends to be web nerds who go crazy about these security upgrades - I've seen personal blogs that refuse to load, but never a bank site - so I'm not too worried about it.
And FWIW I'm not running Linux.
Edit: I guess we've gone off topic. PM if you want to continue?
-
And FWIW I'm not running Linux.
Ah, BSD guy? Or something I'm not thinking of? Rare to find on the desktop..
-
Regardless of whether people think it's necessary or not, or whether it's a pain in the arse to maintain server-side, I think HTTPS-by-default here is going to need to happen sooner or later for two big reasons:
1. Google Chrome, as of version 56 (i.e. current version), flags non-HTTPS sites with a "Not Secure" tag in the address bar.
2. Mozilla Firefox, as of version 51 (also the current version), also flags non-HTTPS sites with a insecure padlock icon in the address bar.
Now, granted, this only applies to pages that contain password fields - but this is every page of the forum when not logged in. And, both browser makers have indicated that eventually, in future versions, they will start to flag any page served over plain HTTP, regardless of content, as insecure. Additionally, Firefox is planning to implement an intermediary stage where password fields on non-HTTPS pages will pop-up another little warning notice when clicked into, which will make it even more obvious.
Google has also for a while now been boosting search rankings for sites that are HTTPS-by-default, and they've stated they aim to increase the weight of this factor in future. I'm sure Dave doesn't want to lose out where SEO is concerned.
More info:
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
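The two mechanisms behind this post (a browser flags a password field on a page that did not arrive over HTTPS) and behind the original complaint (a typed https:// address is lost on the next click because the links in the markup are absolute http:// URLs) can be checked offline. The following is an added example written for this thread, not code from the forum or from SMF; the HTML is constructed and forum.example.com is a placeholder host.

```python
"""Audit a forum page the way the browser address-bar warning does.

Added example, not the forum's or SMF's own code; the HTML below is constructed
and the host forum.example.com is a placeholder. It reports two things: a
password field on a page that was not delivered over HTTPS (or whose login
form posts to plain http), and absolute http:// links in the markup, which are
why a manually typed https:// is lost on the next click.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PageAudit(HTMLParser):
    """Collect password inputs, their form actions, and absolute http links."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.password_form_actions = []   # resolved action URL per password input
        self.absolute_http_links = []     # hrefs written literally as http://...
        self._current_form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty action submits to the page itself.
            self._current_form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_form_actions.append(self._current_form_action or self.page_url)
        elif tag == "a":
            href = (a.get("href") or "").strip()
            # Relative links inherit the page's scheme; literal http:// ones do not.
            if href.lower().startswith("http://"):
                self.absolute_http_links.append(href)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form_action = None


def audit(page_url, html):
    """Return a list of findings for a page delivered from page_url."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    if parser.password_form_actions and urlsplit(page_url).scheme != "https":
        findings.append("password field on a page not delivered over HTTPS")
    for action in parser.password_form_actions:
        if urlsplit(action).scheme != "https":
            findings.append("login form submits credentials over plain HTTP: " + action)
    if parser.absolute_http_links:
        findings.append(
            "%d absolute http:// links; following any of them drops an HTTPS session back to HTTP"
            % len(parser.absolute_http_links)
        )
    return findings


# Constructed sample: a guest-mode page with an inline login form and
# absolute navigation links, as the thread describes.
SAMPLE_HTML = """<html><body>
<form action="/index.php?action=login2" method="post">
  <input type="text" name="user"> <input type="password" name="passwrd">
</form>
<a href="http://forum.example.com/index.php">Forum index</a>
<a href="http://forum.example.com/index.php?board=1">General Chat</a>
<a href="/index.php?action=help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://forum.example.com/index.php?topic=1",
                "https://forum.example.com/index.php?topic=1"):
        print(url)
        for finding in audit(url, SAMPLE_HTML):
            print("  -", finding)
```

Running it for the same markup at an http:// and at an https:// address shows the point of the thread: over HTTPS the password warning and the insecure form submission disappear, but the absolute links remain and will take the next click back to plain HTTP.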
-
Here we go again...
-
And, both browser makers have indicated that eventually, in future versions, they will start to flag any page served over plain HTTP, regardless of content, as insecure.
Which will simply condition users to ignore it altogether. |O A complete non-issue.
-
Wasn't this brought up before? IIRC there was some technical reason for why things are the way they are.
Agreed that if you manually type in https, it should use that. As long as I can still use http...
Why would you choose to use HTTP over HTTPS?
better speed/latency? (I have no idea how much difference it makes in practice - anyone know?)
-
We had this discussion several times in this forum. :horse:
Reminds me about the security problems in alarm systems, car entertainment systems and IoT devices. A common EE knows next to nothing about fundamental security concepts and still lives in the 90s, using Windows XP and old browsers. Windows XP users are nowadays like anti-vaxxers.
Several years after Snowden most people still stroke their pink unicorn. SSL? Why? Nothing to hide! |O
-
I know I can force https by modifying the address, but the most annoying thing is that it doesn't even persist: every time I click a link, it reverts back to http. Since it already supports TLS, why not use it by default?
Apart from PMs and logging in, why would you need a secure protocol to access a public forum?
Yes this has been brought up several times in the past. Quite frankly though, the "why do you need it" argument is null and void. I wish people would stop crapping on about it. If someone wants to use HTTPS, then it's their choice. I personally would prefer it too. If you don't like it, don't use it, simple. There are far more valid reasons for using HTTPS than there are against.
Dave and gnif have been looking at it but it's a bit of a bitch to configure from what I can see. Not sure where they got up to with that but it's not exactly a priority at the moment.
-
Dave and gnif have been looking at it but it's a bit of a bitch to configure from what I can see. Not sure where they got up to with that but it's not exactly a priority at the moment.
Can't they speak for themselves?
I'm sure they can (and have in other threads). So far they haven't in this thread. What was the point you were trying to make? Everyone can tell Dave has his hands full with other things most of the time.
-
Dave and gnif have been looking at it but it's a bit of a bitch to configure from what I can see. Not sure where they got up to with that but it's not exactly a priority at the moment.
Can't they speak for themselves?
I'm sure they can (and have in other threads). So far they haven't in this thread. What was the point you were trying to make? Everyone can tell Dave has his hands full with other things most of the time.
He doesn't have one, he just likes to provoke, especially when it involves me personally in some way.
-
[Tree hugger mode:ON]
Save the planet, do NOT turn it on, every page rendered will waste xxxx watt of cpu power.
[Tree hugger mode:OFF] ... duck & run ....
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
We are sorry for the inconvenience that this error may be causing you. We are aware of the issue and are working to resolve it, please be patient.
There is no need to report this error.
Thank you for your patience,
Dave & gnif
When you force the thread to load using HTTPS, it works fine.
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
We are sorry for the inconvenience that this error may be causing you. We are aware of the issue and are working to resolve it, please be patient.
There is no need to report this error.
Thank you for your patience,
Dave & gnif
When you force the thread to load using HTTPS, it works fine.
Ahhh, No.
Your browser needs resetting.
-
Unrelated, but forum-concerning, question for Dave/gnif:
Why are all the forum links absolute?
Tim
-
Your browser needs resetting.
Instead of forcing the user to solve web developers' problems for them, the correct way is to follow the RFC and use the Expires: header.
-
Wasn't this brought up before? IIRC there was some technical reason for why things are the way they are.
Agreed that if you manually type in https, it should use that. As long as I can still use http...
Why would you choose to use HTTP over HTTPS?
better speed/latency? (I have no idea how much difference it makes in practice - anyone know?)
TLS involves a couple extra round trips when opening the connection, iirc, beyond that, utterly trivial. Add in something else nice and modern, like HTTP/2.0, and things get substantially better: Multiple requests over one connection, compression (including headers), etc..
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
When you force the thread to load using HTTPS, it works fine.
Works fine for me.
-
Unrelated, but forum-concerning, question for Dave/gnif:
Why are all the forum links absolute?
What do you mean?
In any case the answer is most likely "because that's what SMF does".
This forum is a stock standard install of Simple Machines Forum
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
When you force the thread to load using HTTPS, it works fine.
Works fine for me.
Because you have not lately hit that error to get it stuck in your cache and/or that of the CloudFail instance.
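Both this post (an error page that gets stuck in the browser cache or the CDN) and the earlier one asking for the Expires: header come down to one question: given the headers a response carries, may a shared cache store it, and for how long? The example below is added for this thread and is not the forum's code; the responses are constructed, not captured from the real server. It applies the storability and freshness rules of RFC 7234. Under those rules a bare 502 is not heuristically cacheable, so a cache that serves one anyway is applying its own defaults, and the defensive fix on the origin is an explicit Cache-Control: no-store on every error response, plus explicit freshness (Expires or max-age) on normal pages so no cache has to guess.

```python
"""Decide whether a shared cache (a CDN or proxy) may store a response.

Added example, constructed for this thread; it is not the forum's code and the
sample responses are made up, not captured from the real server. It applies
the storability and freshness rules of RFC 7234.
"""
from email.utils import parsedate_to_datetime

# Status codes RFC 7231 section 6.1 lists as cacheable by default: a cache may
# assign a heuristic freshness lifetime when the response carries none.
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cache_control_directives(headers):
    """Parse Cache-Control into a {directive: value} dict (value '' if none)."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def shared_cache_decision(raw):
    """Return (storable, freshness_seconds, reason) for a shared cache.

    freshness_seconds is None when the cache would have to pick a heuristic
    lifetime itself, which is exactly the situation that lets a stale page
    linger for an unpredictable time.
    """
    status, headers, _ = parse_response(raw)
    cc = cache_control_directives(headers)
    if "no-store" in cc or "private" in cc:
        return False, None, "Cache-Control forbids storing in a shared cache"
    if "s-maxage" in cc:
        return True, int(cc["s-maxage"]), "explicit s-maxage"
    if "max-age" in cc:
        return True, int(cc["max-age"]), "explicit max-age"
    if "expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
            date = parsedate_to_datetime(headers["date"])
            lifetime = max(0, int((expires - date).total_seconds()))
        except (KeyError, TypeError, ValueError):
            # RFC 7234 section 5.3: an unparsable Expires means already expired.
            lifetime = 0
        return True, lifetime, "explicit Expires"
    if status in HEURISTICALLY_CACHEABLE:
        return True, None, "no explicit lifetime; cache picks a heuristic one"
    return False, None, "status %d is not cacheable without explicit freshness" % status


# Constructed sample responses (not real captures).
ERROR_PAGE_NO_CACHE_HEADERS = (
    "HTTP/1.1 502 Bad Gateway\r\n"
    "Date: Thu, 02 Feb 2017 17:01:42 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>502 - Bad Gateway</h1>"
)
# The hardened variant: the same error page with an explicit no-store.
ERROR_PAGE_HARDENED = ERROR_PAGE_NO_CACHE_HEADERS.replace(
    "Content-Type:", "Cache-Control: no-store\r\nContent-Type:", 1
)
FORUM_PAGE_WITH_EXPIRES = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 02 Feb 2017 17:01:42 GMT\r\n"
    "Expires: Thu, 02 Feb 2017 17:11:42 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
FORUM_PAGE_NO_HEADERS = FORUM_PAGE_WITH_EXPIRES.replace(
    "Expires: Thu, 02 Feb 2017 17:11:42 GMT\r\n", "", 1
)

if __name__ == "__main__":
    for name, raw in (("502, no cache headers", ERROR_PAGE_NO_CACHE_HEADERS),
                      ("502, no-store", ERROR_PAGE_HARDENED),
                      ("200, Expires +10 min", FORUM_PAGE_WITH_EXPIRES),
                      ("200, no cache headers", FORUM_PAGE_NO_HEADERS)):
        print(name, "->", shared_cache_decision(raw))
```

The 200 page without any freshness header is the case the Expires: request was about: it is storable, but every cache on the path chooses its own lifetime. The no-store error page is what keeps a transient 502 from outliving the outage, whatever the CDN's own defaults are.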
-
@Halcyon. And I do have a point. What's wrong with waiting for Dave to have his say? His opinion matters when it comes to HTTPS on the forum. Yours, not so much. (with due respect)
Maybe you thought "Here we go again" was a pretty lame response to an issue that seems to be gaining traction amongst forum members and you tried to step up to defend him and deflect further criticism. Fine.
I thought it was lame. I thought he needed to do better and I want to hear what he has to say. For what it's worth that is my way of stepping up. I'm no obsequious fanboy. I'm just a fan.
I won't turn this into a back and forth argument so I'll provide this one response so we can get back on-topic.
There is absolutely nothing wrong with waiting for Dave to have his say. I just offered my knowledge on the issue based on what Dave has already covered elsewhere on the forum. I wasn't posting for Dave, I wasn't posting on his behalf, I just offered my own thoughts.
I also don't agree with your view that Dave's opinion matters more than anyone else. If you live your life judging people like that, you'll miss out on some pretty amazing people. We are all here because of Dave, no one is arguing that, but you'll find many users who simply signed up to contribute something meaningful from their corner of the world. You have free access to experts across many specialised fields on this forum.
I try to keep each and every post I make informative, factual and to the point (occasionally I'll post a funny image or video). Your post "Can't they speak for themselves?" offers nothing in terms of substance. You may as well have not posted it. It's petty comments like that which tend to rub people up the wrong way.
I welcome any further comments you might have but I suggest you respond by way of a PM to me so we're not derailing this topic and posting nonsense.
-
Remember, Cloudflare uses distributed caching proxies to deliver the EEVblog forum, so going pure HTTPS will seriously impact the forum's performance and probably increase both Dave's hosting and CDN costs. See https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/ for a discussion of some of the issues.
IMHO the balance is right at the moment - Dave doesn't have to pay extra monthly fees to support HTTPS over CDN securely, ordinary users get the full benefit of CloudFlare's CDN caching HTTP pages, users on legacy browsers or low performance devices can still easily access the forum, but those users who really *NEED* HTTPS can use a browser extension like HTTPS Everywhere.
A possible improvement would be to swap out the username+password fields on every 'guest' mode page for a login button leading to a separate login page to avoid the issues with newer browsers flagging HTTP pages as insecure.
-
IMHO the balance is right at the moment - Dave doesn't have to pay extra monthly fees to support HTTPS over CDN securely, ordinary users get the full benefit of CloudFlare's CDN caching HTTP pages, users on legacy browsers or low performance devices can still easily access the forum, but those users who really *NEED* HTTPS can use a browser extension like HTTPS Everywhere.
I think you make a good point. I personally VPN back to home if I'm using public Wi-Fi for example, that way, HTTPS or not, it's fairly secure, so I'm not too bothered either way.
Some people don't have that luxury though and sometimes group policies etc... don't allow browser extensions to be installed or VPNs to be used (fairly common among corporate networks).
-
Remember, Cloudflare uses distributed caching proxies to deliver the EEVblog forum, so going pure HTTPS will seriously impact the forum's performance and probably increase both Dave's hosting and CDN costs. See https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/ for a discussion of some of the issues.
IMHO the balance is right at the moment - Dave doesn't have to pay extra monthly fees to support HTTPS over CDN securely, ordinary users get the full benefit of CloudFlare's CDN caching HTTP pages, users on legacy browsers or low performance devices can still easily access the forum, but those users who really *NEED* HTTPS can use a browser extension like HTTPS Everywhere.
A possible improvement would be to swap out the username+password fields on every 'guest' mode page for a login button leading to a separate login page to avoid the issues with newer browsers flagging HTTP pages as insecure.
But there's no point using HTTPS right now, because everything is plaintext once you get past CloudFnargle. A little security is not a replacement for actual security.
Sadly, even with 'strict' SSL enabled, CloudFlail still see everything in plaintext - But it's okay, nobody would ever think to target a giant, paid-for man-in-the-middle.
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
When you force the thread to load using HTTPS, it works fine.
Works fine for me.
Actually, I've been getting this on and off for a while. It'll go through a day where I pretty much have to force refresh on each link after it returns a 502 and then it'll be fine for a month.
Personally I don't give a toss about https, but *I* see the same errors, so it's not restricted to a single user or their configuration.
-
The site is pretty broken with HTTP as it is.
Here is what you see when you click "EEVblog Electronics Community Forum" from any thread, when the thread loaded with HTTP:
502 - Bad Gateway
When you force the thread to load using HTTPS, it works fine.
Works fine for me.
Actually, I've been getting this on and off for a while. It'll go through a day where I pretty much have to force refresh on each link after it returns a 502 and then it'll be fine for a month.
Personally I don't give a toss about https, but *I* see the same errors, so it's not restricted to a single user or their configuration.
They indeed pop up randomly. Server may or may not still be having issues, CloudFleece caches on the other hand..
I'm beginning to get tired of thinking up F words, perhaps I should give them a break
-
@Dave. How have I provoked you personally?
Yes, so many times I had to tell you to bugger off once and then you apologised and said you wouldn't do it again.
You've also mentioned once that you wouldn't be surprised if I banned you for it.