mr.crow
National Hazard
Posts: 884
Registered: 9-9-2009
Location: Canada
Member Is Offline
Mood: 0xFF
|
|
Let's Encrypt
Instead of the ghetto self-signed HTTPS certificate maybe Sciencemadness could consider using Let's Encrypt https://letsencrypt.org/.
Eventually you should be able to get a real certificate automatically for free. Its developed by the EFF to promote widespread encryption and fight
global surveillance and censorship.
Double, double toil and trouble; Fire burn, and caldron bubble
|
|
|
aga
Forum Drunkard
Posts: 7030
Registered: 25-3-2014
Member Is Offline
|
|
What for ?
Is there something to hide here on this publicly viewable website ?
|
|
|
Bert
Super Administrator
Posts: 2821
Registered: 12-3-2004
Member Is Offline
Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".
|
|
https://pando.com/2014/07/16/tor-spooks/
We've had a couple of other go 'rounds in the last year or so about communication security.
Apparently, a nice single solution that everyone can use is very efficient- For the people breaking that security. Even more so when those interested
paid for nearly all the development and were in on the ground floor.
Let the flaming begin...
https://pando.com/2014/11/14/tor-smear/
Rapopart’s Rules for critical commentary:
1. Attempt to re-express your target’s position so clearly, vividly and fairly that your target says: “Thanks, I wish I’d thought of putting it
that way.”
2. List any points of agreement (especially if they are not matters of general or widespread agreement).
3. Mention anything you have learned from your target.
4. Only then are you permitted to say so much as a word of rebuttal or criticism.
Anatol Rapoport was a Russian-born American mathematical psychologist (1911-2007).
|
|
|
Bert
Super Administrator
Posts: 2821
Registered: 12-3-2004
Member Is Offline
Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".
|
|
"The wicked flee when no man pursueth: but the righteous are bold as a lion."
Rapopart’s Rules for critical commentary:
1. Attempt to re-express your target’s position so clearly, vividly and fairly that your target says: “Thanks, I wish I’d thought of putting it
that way.”
2. List any points of agreement (especially if they are not matters of general or widespread agreement).
3. Mention anything you have learned from your target.
4. Only then are you permitted to say so much as a word of rebuttal or criticism.
Anatol Rapoport was a Russian-born American mathematical psychologist (1911-2007).
|
|
|
chemrox
International Hazard
Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline
Mood: LaGrangian
|
|
and here goes the first step to totalitarianism. It is best expressed by, "if you don't have anything to hide.."
This is not personal aga.. it's meant to be reflective. Encryption is the digital equivalent of entering a club room to discuss club business or more
generally, putting a letter in an envelope. Transparency depersonalizes communication and promotes the mores held by the most vocal and powerful.
Edited to add: https sites abound; I see no stigma attached to https
I'm in favor of an encryption protocol that is easy to use and effective against brute force attacks. Exchanging key pairs seems too tortuous a path.
I wonder if we might be able to secure the site better than it is but I favor being able to surf the site without joining and making joining
relatively easy.
[Edited on 8-11-2015 by chemrox]
"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
I have been planning to use Let's Encrypt since I first heard about it. I will set it up after it's out of beta.
PGP Key and corresponding e-mail address
|
|
|
aga
Forum Drunkard
Posts: 7030
Registered: 25-3-2014
Member Is Offline
|
|
Erm, however you connect to this site, it is publicly viewable once you make a Post.
What is the Point of encrypting the connection that posts it ?
Your pervy U2Us ?
Edit:
Hopefully not some vague notion that you're Safe !
[Edited on 8-11-2015 by aga]
|
|
|
gdflp
Super Moderator
Posts: 1320
Registered: 14-2-2014
Location: NY, USA
Member Is Offline
Mood: Staring at code
|
|
Quote: Originally posted by aga  | Erm, however you connect to this site, it is publicly viewable once you make a Post.
What is the Point of encrypting the connection that posts it ?
Your pervy U2Us ?
Edit:
Hopefully not some vague notion that you're Safe !
[Edited on 8-11-2015 by aga] |
It protects your browsing history, so that you can't be tracked by prying eyes who may either incorrectly connect the dots between your viewing
history and your intentions, or investigate you further simply because of an apparent interest in certain topics. It also helps to secure the content
in References and Whimsy.
|
|
|
aga
Forum Drunkard
Posts: 7030
Registered: 25-3-2014
Member Is Offline
|
|
Oh dear.
All Safety is an Illusion.
Whatever you do on t'Internet, however you do it, you are tracked, traceable and accountable.
It is all digital, all easy, all tapped.
Depend on it.
Edit:
Self-signing is obviously Less secure than relying on an External, Global organisation is it ?
Think harder, faster, smarter - whatever it takes to realise how SSL works.
[Edited on 8-11-2015 by aga]
|
|
|
Bert
Super Administrator
Posts: 2821
Registered: 12-3-2004
Member Is Offline
Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".
|
|
I'm going to shut the heck up until I know what I'm talking about... Might be a few years.
Rapopart’s Rules for critical commentary:
1. Attempt to re-express your target’s position so clearly, vividly and fairly that your target says: “Thanks, I wish I’d thought of putting it
that way.”
2. List any points of agreement (especially if they are not matters of general or widespread agreement).
3. Mention anything you have learned from your target.
4. Only then are you permitted to say so much as a word of rebuttal or criticism.
Anatol Rapoport was a Russian-born American mathematical psychologist (1911-2007).
|
|
|
mr.crow
National Hazard
Posts: 884
Registered: 9-9-2009
Location: Canada
Member Is Offline
Mood: 0xFF
|
|
| Quote: Originally posted by aga |
Think harder, faster, smarter - whatever it takes to realise how SSL works.
[Edited on 8-11-2015 by aga] |
I know you are a forum personality so I am going to accept this comment for what it is
Encryption is not about keeping forum messages a secret. Its about saying NO to people who think its ok to spy on everything you do for their own
ends. This information is incredibly easy to abuse.
For example the UK openly wants to be able to read every communication in the country and block internet porn. If you are against this you must be a
terrorist or a kiddy fiddler right?
Giving up is not an option. Its like those people who say they don't vote because it doesn't matter. Its literally the only thing you can do, don't
throw it away.
Double, double toil and trouble; Fire burn, and caldron bubble
|
|
|
kecskesajt
Hazard to Others
Posts: 299
Registered: 7-12-2014
Location: Hungary
Member Is Offline
Mood: No Mood
|
|
We have HTTPS but it doesn't really need certification.
There is a pop-up but that doesnt really matter.
(Offtopic: I rooted phone, downloaded dSploit, started it and then logged in to SM by my PC. I could immediately see my password on my phone...)
|
|
|
aga
Forum Drunkard
Posts: 7030
Registered: 25-3-2014
Member Is Offline
|
|
Accept it for what it is : the ramblings of a drunkard.
Having worked on and in this t'internet madness since it began, take it from me that whatever you do on the Internet, however you do it, you are being
watched.
All OpenSource source code is subject to scrutiny by people Other than the contributors.
Quite often people think that encryption is a magic-bullet.
It isn't. At the very least you're going to connect to an IP address, and that is logged, along with the protocol(s) you use to connect to that IP.
The amount of data you send/receive, when that happens, which ports you're using - it's all logged.
Simple statistical analysis pops up a list of the things people are likely to be doing and quickly highlights those connections worthy of deeper
analysis.
|
|
|
unionised
International Hazard
Posts: 5102
Registered: 1-11-2003
Location: UK
Member Is Offline
Mood: No Mood
|
|
I'm prepared to believe that there is someone somewhere with a legitimate reason to send information without it being read by others and without
anyone knowing to whom he sent it.
It doesn't matter much who he is, or what the data is.
I understand that he can use something like TOR to do that.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
But if he was the only one using it, the system wouldn't work. (It's a bit like being the only one wearing camouflage gear- you stick out)
It needs to have lots of other traffic to "bury" his contribution.
So, perhaps we should use systems like TOR in order to protect those who really need to use it.
The irony is that it's quite possible than no two of us would agree on who we should help in this way- but it doesn't matter.
|
|
|
aga
Forum Drunkard
Posts: 7030
Registered: 25-3-2014
Member Is Offline
|
|
Oh !
Stupid me.
Of course entrusting unknown entities on the internet with your security is obviously the Best Security Plan Ever.
(this is absolute Sarcasm, just in case anyone gets confused)
|
|
|
The Volatile Chemist
International Hazard
Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline
Mood: Copious
|
|
Why don't we use PGP on our U2Us too?!?!?! (This, too, is sarcasm).
It doesn't really matter. If you've ever logged in with HTTP, then everybody knows you use the site and who you are. If any single person were to be
able to get in and send content to someone interested, security would be breached. I don't think using letsencrypt is that big of a deal.
Also, 'Pervy U2Us' and 'ghetto self-signed HTTPS' are hilarious, and indirectly oxymoronic (not to be confused with oxyanions).
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
The site is now live with Let's Encrypt for HTTPS connections. I have not yet made HTTP-to-HTTPS redirects automatic but I plan to in the future.
At the same time I performed a number of other upgrades:
* Host machine's underlying virtualization technology switched from Xen to KVM
* RAM upgraded to 4 GB from 2 GB
* Upgraded to Ubuntu 16.04 from 14.04
During the database updates I ran out of disk space for temporary tables. This meant I had to delete the forum archive to make room. I am re-uploading
the archive again now but it will take a few days over my slow home connection.
PGP Key and corresponding e-mail address
|
|
|
Oscilllator
National Hazard
Posts: 659
Registered: 8-10-2012
Location: The aqueous layer
Member Is Offline
Mood: No Mood
|
|
Yay! No more messages from chrome saying this site is insecure.
|
|
|
NEMO-Chemistry
International Hazard
Posts: 1559
Registered: 29-5-2016
Location: UK
Member Is Offline
Mood: No Mood
|
|
At the moment in the UK there has been an enquiry into the police and some football incident that happened years ago in Yorkshire. And i think they
are looking into a strike that happened years ago, the point is the police lied time and again apparently, even in legal settings.
I can see why people want to protect themselves but ultimately if they want you bad enough then it looks like they just lie and do you anyway.
And now we have a policy in the UK where ISP's have to record every email etc, not sure but maybe using wifi hot spots? but then to me sniffers would
target those places?
|
|
|
Marvin
National Hazard
Posts: 995
Registered: 13-10-2002
Member Is Offline
Mood: No Mood
|
|
Thumbs up to let's encrypt signed SSL. Working well on Ubuntu/Chrome and also working in XP, which not all SSL sites currently do. Much much better.
|
|
|
The Volatile Chemist
International Hazard
Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline
Mood: Copious
|
|
Do we already have it implemented? Nice. But weren't there some recent complaints about SSL not working for some?
|
|
|
macckone
International Hazard
Posts: 2159
Registered: 1-3-2013
Location: Over a mile high
Member Is Offline
Mood: Electrical
|
|
You don't need security until something like the spanish inquisition or the red scare. But if you wait until then it is already too late. The
primary things needing protecting are passwords. Only ref, whimsy, and u2u aren't public. I would not be surprised to find that numerous government
agencies monitor traffic and the EM forums to tie users to posts. Don't think that https will prevent traffic analysis.
|
|
|
![[*]](images/xpblue/default_icon.gif){kind=icon}
