Enabling HTTPS?

User avatar
jou

21 Jul 2015, 02:31

chzel wrote: Which side are you on boy?
Just kidding, you made your point clear enough!
I'm not too fond of full-on https either.

Just an idea, I don't know if it's feasible or if it has any point, but could we enable https on select pages (login, PM's) and not on the general area?
I'm pretty sure no-one shares private info out in the open, so securing just the login and PM's should be enough security-wise.
That would only prevent having your password grabbed in transit. Once you make a plain HTTP request, anyone between you and the DT server can get your session cookie and impersonate you. With the session cookie, the attacker can read and send PMs. Getting between you and DT can be as easy as pretending to be a public hotspot you've used before.

User avatar
chzel

21 Jul 2015, 02:40

Thanks for the explanation!
Not really savvy with these things!

User avatar
bhtooefr

21 Jul 2015, 02:52

Really, if a respected member logged into Deskthority while at a conference with other users that might want to take over the account, without doing it through a secure VPN or SSH tunnel, it could be done right now with session cookie hijacking.

You actually could do a split HTTP/HTTPS approach by making sure all links within the site are relative, but they AREN'T all going to be relative, there'll be some in forum posts that are going to link to HTTP. Upgrading someone to HTTPS isn't a problem unless they're using something that they really shouldn't be using anyway (if it doesn't support modern encryption standards, the entire internet is abandoning it soon), downgrading someone from HTTPS is an absolutely massive problem.

User avatar
SL89

21 Jul 2015, 04:54

That is a very hypothetical situation. If it's an all or nothing situation, as webwit said then I'd probably have to agree with muirium. While I'd like to be proactive, it just seems like forcing the switch may be a bit ahead of where we are.

User avatar
Muirium
µ

21 Jul 2015, 11:17

I'll just point out I never use public wifi. It smells funny. I have good fast cellular data, so when travelling with my laptop, I tether to that instead. Less hassle. Less ugly!

User avatar
seebart
Offtopicthority Instigator

21 Jul 2015, 11:26

Muirium wrote: I'll just point out I never use public wifi. It smells funny. I have good fast cellular data, so when travelling with my laptop, I tether to that instead. Less hassle. Less ugly!

I never use public wifi either. Talk about tracking. This is fun:

http://www.androidauthority.com/chainfi ... fy-341874/

User avatar
scottc

21 Jul 2015, 15:36

Muirium wrote: Uneasy? You're a regular. Hasn't put you off until now. What's different? All I'm hearing is people appealing to a nebulous concept of "security" in just the same way as politicians do when they want to ruin simple things and pin the blame on… right, "security".

Honest question: Have we ever seen a user account stolen? Or a single piece of private information?

I certainly have seen shitty HTTPS at large. Remember when that whole certificate root registrar (or insert the actual terminology) was hacked a few years back and a good part of the Internet broke, throwing up countless invalid certificate dialogs at millions of irritated users worldwide for months? Why did we miss out on that!

Edit: it was DigiNotar. Affected a huge swathe of stuff, as these certificate vendors routinely trade junk with each other. Dependencies all the eay down. Yuck!

Anyway, I'm not completely anti HTTPS. But I am vehemently against requiring it.
It has put me off since the beginning, to be honest. Even a login page without HTTPS enabled looks pretty amateur. Not enough to completely deter me, but enough that it makes me uneasy about sharing sensitive things.

We haven't seen any user data stolen, but how would we know? It's not like a theft in person, we still have the personal data after it's been stolen. It's in our best interests to make it difficult for someone to steal if they decide to do so, not after the fact.

Rejecting HTTPS is like refusing to wear a coat in the winter. I mean, I haven't gotten a cold yet so it's probably totally fine. Plus, the coat industry charges way too much for those things. Plus, they're kind of heavy...

Sure, there's the possibility that our upstream cert provider could be compromised. That would be inconvenient for a little bit. In the incredibly unlikely event that this happened, we could just swap the Apache rules so that HTTPS redirects to HTTP and all would be right in the world again. Meanwhile, you mightn't be able to load Google, Facebook, Duckduckgo, Gmail, PayPal, [...].

Even GeekHack has HTTPS enabled. The same GeekHack with the r00tw0rm, that was taken down by a single script kiddie with an AWS instance, and that routinely goes down due to database errors. Yet they are more security-conscious about us? Errr...

I can probably alleviate some of your fears about your older devices no longer being supported, though. I would be totally shocked if any one of those devices didn't support at least ONE modern cyphersuite family. We don't have to be incredibly strict about the encryption methods that we support.

andrewjoy

21 Jul 2015, 16:30

I agree with scottc

however , you must know that being cold does not give you a cold , its a virus it does not work like that :)

It would be a shame for funky stuff like using text mode browsers or outdated systems but i think its worth it in the long run.

User avatar
Muirium
µ

21 Jul 2015, 17:02

Man, if only GH had https. That would fix everyth… waiddaminute!

Once Webwit's finished building sand castles, perhaps he could warm up our test domain again: deskthority.com and try a find and replace on a clone. That way we can find out for ourselves what will be broken. Especially if he gets one of those freebie certificates for maximum pain. Safe to assume we'll end up with that user experience anyway, no matter what we pay. Come on, you know what a douche magnet domain registrars are. Certs are even better. Legalised protection money draws a certain kind of mob.

Fuck it. Let's self sign our cert.

Anyway, I literally don't even own a warm jacket or a coat. (Got a nice white linen jacket for formal occasions though. Works well with a Panama hat!) I'm not kidding about my cold tolerance. Lowland Scotland doesn't get cold enough to test me. I need to head north or higher altitude to actually need anything beyond a single layer with sleeves.

User avatar
scottc

21 Jul 2015, 17:04

andrewjoy wrote: I agree with scottc

however , you must know that being cold does not give you a cold , its a virus it does not work like that :)

It would be a shame for funky stuff like using text mode browsers or outdated systems but i think its worth it in the long run.
Damn it Jim I'm a sysadmin, not a doctor! Wait a second...

Image

You're absolutely right though, my exaggerative comparison game is off today. :lol:

I think that most text mode browsers will work just fine with HTTPS. For example, google.com works just fine in elinks:
Screen Shot 2015-07-21 at 16.02.43.png
Screen Shot 2015-07-21 at 16.02.43.png (41.62 KiB) Viewed 10810 times

andrewjoy

21 Jul 2015, 17:06

why does your elinks look so nice !

User avatar
scottc

21 Jul 2015, 17:10

Muirium wrote: Man, if only GH had https. That would fix everyth… waiddaminute!
Unfortunately HTTPS isn't a one-stop fix for all of your security vulnerabilities! Otherwise it might be well worth the cash...
Muirium wrote: Come on, you know what a douche magnet domain registrars are. Certs are even better. Legalised protection money draws a certain kind of mob.

Fuck it. Let's self sign our cert.


This could work as an interim thing, for testing at least. I'm up for helping out. Any sort of cert is good enough to log in with, even if it's self-signed.
Muirium wrote: Anyway, I literally don't even own a warm jacket or a coat. (Got a nice white linen jacket for formal occasions though. Works well with a Panama hat!) I'm not kidding about my cold tolerance. Scotland doesn't get cold enough to test me. I need to head north or higher altitude to actually need anything beyond a single layer with sleeves.
Well that ruins my metaphor... thanks a bunch!
andrewjoy wrote: why does your elinks look so nice !
That's just me running it on one of my servers via iTerm on my work Macbook... no idea! It's ELinks 0.12pre5 on Debian Wheezy. I have nice colour schemes set up in iTerm, maybe that's it?

andrewjoy

21 Jul 2015, 17:16

ewwweeee debian

but andrewjoy don't you use debian for your internal web server

unfortunately i do ! if only arch had a stable branch

User avatar
scottc

21 Jul 2015, 17:18

You should obviously just use Gentoo! Err...

User avatar
SL89

21 Jul 2015, 17:19

>arch
>stable
>????

User avatar
Muirium
µ

21 Jul 2015, 17:30

Image

Elegant.

andrewjoy

21 Jul 2015, 17:37

scottc wrote: You should obviously just use Gentoo! Err...
i just like pacman and the way the configuration of the system is done, its quick and easy to understand , other system like debian confuse my pathetic brain

User avatar
SL89

21 Jul 2015, 17:40

This is a text book case on how all deskthority threads end up Linux distro threads...

User avatar
Muirium
µ

21 Jul 2015, 17:42

All? I wouldn't have much to say. Linux is a pile of shite. Wouldn't catch me on the stuff!

@Andy: Nah, that's just an experience called taste being confronted by shoddy design. Let it guide you!

User avatar
bhtooefr

22 Oct 2015, 16:22


User avatar
Muirium
µ

22 Oct 2015, 16:25

Fuck you too Firefox.

User avatar
scottc

22 Oct 2015, 16:41

Nah, I think Mozilla is in a perfectly defensible position here. It really is insecure.

andrewjoy

22 Oct 2015, 16:43

:) Well its technically true, it is insecure

User avatar
Muirium
µ

22 Oct 2015, 17:04

Buy us a cert.

User avatar
XMIT
[ XMIT ]

22 Oct 2015, 17:10

Maybe whoever webwit's Secret Santa ends up being can buy one for him. :-P

User avatar
Muirium
µ

22 Oct 2015, 17:20

I think we should go full-tinfoil on this and self sign. Then every browser gets an equally shitty user experience.

Image

(No I don't. Fuck Firefox.)

andrewjoy

22 Oct 2015, 17:53

how much would your provided charge for one ?

josm

01 Jan 2016, 14:53

We could always use https://letsencrypt.org

User avatar
Muirium
µ

01 Jan 2016, 17:34

Muirium wrote: A dodgy cert could ruin everything. And I think Webwit is wisely considering any cert signed in the USA (or even worse: England!) to be a very dodgy cert indeed.

We'll get a good one eventually. And I'll see to it that the https crusaders amongst you foot the bill!

User avatar
scottc

01 Jan 2016, 17:40

Let's Encrypt certs are hardly dodgy. Where did you get that idea?

Post Reply

Return to “Deskthority talk”