chzel wrote: ↑Which side are you on boy?
Just kidding, you made your point clear enough!
I'm not too fond of full-on https either.
Just an idea, I don't know if it's feasible or if it has any point, but could we enable https on select pages (login, PM's) and not on the general area?
I'm pretty sure no-one shares private info out in the open, so securing just the login and PM's should be enough security-wise.
That would only prevent having your password grabbed in transit. Once you make a plain HTTP request, anyone between you and the DT server can get your session cookie and impersonate you. With the session cookie, the attacker can read and send PMs. Getting between you and DT can be as easy as pretending to be a public hotspot you've used before.
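The exchange above (chzel's "HTTPS only on login and PMs" idea and the reply about the session cookie riding along on every plain request) is easy to check against the cookie rules a browser actually follows. The block below is an added example, written for this page; it is not code from the thread or from Deskthority's phpBB install. It models two things: what a passive attacker on the path reads out of one plaintext request, and RFC 6265's `Secure` attribute, which is the only thing that keeps a cookie off `http://` requests. The host name `forum.example`, the cookie name `phpbb_sid` and the captured request are constructed for the example.

```python
"""Added example (not from the thread or Deskthority): what a split
HTTP/HTTPS site does with the session cookie.

Two pieces:
  * cookie_header_from_capture(): what a passive attacker on the path reads
    out of one plaintext HTTP request (the whole Cookie header).
  * cookies_for_request(): the RFC 6265 rule a browser applies before
    attaching cookies, including the 'Secure' attribute, which is the only
    thing that keeps a cookie off http:// requests.
Host name, cookie name and the captured request are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False   # RFC 6265 s5.2.5: send only over a "secure" scheme


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser (RFC 6265 s5.2, Domain/Secure only)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain") or request_host
    return Cookie(name.strip(), value.strip(), domain.lstrip(".").lower(), "secure" in attrs)


def cookies_for_request(jar: List[Cookie], url: str) -> List[Cookie]:
    """Cookies a browser attaches to a request for `url` (RFC 6265 s5.4)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if host != c.domain and not host.endswith("." + c.domain):
            continue
        if c.secure and parts.scheme != "https":
            continue  # a Secure cookie never goes out in the clear
        sent.append(c)
    return sent


def cookie_header_from_capture(raw: bytes) -> Optional[str]:
    """What a passive attacker pulls out of one captured plaintext request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, val = line.partition(b":")
        if key.strip().lower() == b"cookie":
            return val.strip().decode("latin-1")
    return None


# Constructed capture: what the general (plain HTTP) area of a split site
# puts on the wire for a logged-in user whose cookie is not marked Secure.
CAPTURED_REQUEST = (
    b"GET /viewtopic.php?t=1 HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: phpbb_sid=deadbeefcafef00d\r\n"
    b"\r\n"
)


def split_site_outcome(secure_flag: bool) -> dict:
    """Which pages of a split site see the session, with and without Secure."""
    host = "forum.example"
    set_cookie = "phpbb_sid=deadbeefcafef00d; Path=/" + ("; Secure" if secure_flag else "")
    jar = [parse_set_cookie(set_cookie, host)]
    return {
        "https_login_and_pm": [c.name for c in cookies_for_request(jar, f"https://{host}/ucp.php?i=pm")],
        "http_general_area": [c.name for c in cookies_for_request(jar, f"http://{host}/viewtopic.php?t=1")],
    }


if __name__ == "__main__":
    print("attacker sees:", cookie_header_from_capture(CAPTURED_REQUEST))
    print("cookie without Secure:", split_site_outcome(False))
    print("cookie with Secure:   ", split_site_outcome(True))
```

Run it and the two outcomes are the whole argument: without `Secure` the session cookie is sent on every plain page and is exactly what the capture shows; with `Secure` the plain pages never see it, so the user is simply not logged in on the general area. A split site cannot have a logged-in plaintext area that is also safe to sniff.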
Enabling HTTPS?
- jou
- Location: Switzerland
- Main keyboard: Ergodox
- Main mouse: Apple Magic Trackpad
- Favorite switch: Not sure yet
- DT Pro Member: -
- bhtooefr
- Location: Newark, OH, USA
- Main keyboard: TEX Shinobi
- Main mouse: TrackPoint IV
- Favorite switch: IBM Selectric (not a switch, I know)
- DT Pro Member: 0056
Really, if a respected member logged into Deskthority while at a conference with other users that might want to take over the account, without doing it through a secure VPN or SSH tunnel, it could be done right now with session cookie hijacking.
You actually could do a split HTTP/HTTPS approach by making sure all links within the site are relative, but they AREN'T all going to be relative, there'll be some in forum posts that are going to link to HTTP. Upgrading someone to HTTPS isn't a problem unless they're using something that they really shouldn't be using anyway (if it doesn't support modern encryption standards, the entire internet is abandoning it soon), downgrading someone from HTTPS is an absolutely massive problem.
- SL89
- ‽
- Location: Massachusetts, USA
- Main keyboard: CODE 104
- Main mouse: Logitech M570
- Favorite switch: Cherry MX Green
- DT Pro Member: 0095
That is a very hypothetical situation. If it's an all or nothing situation, as webwit said then I'd probably have to agree with muirium. While I'd like to be proactive, it just seems like forcing the switch may be a bit ahead of where we are.
- Muirium
- µ
- Location: Edinburgh, Scotland
- Main keyboard: HHKB Type-S with Bluetooth by Hasu
- Main mouse: Apple Magic Mouse
- Favorite switch: Gotta Try 'Em All
- DT Pro Member: µ
I'll just point out I never use public wifi. It smells funny. I have good fast cellular data, so when travelling with my laptop, I tether to that instead. Less hassle. Less ugly!
- seebart
- Offtopicthority Instigator
- Location: Germany
- Main keyboard: Rotation
- Main mouse: Steelseries Sensei
- Favorite switch: IBM capacitive buckling spring
- DT Pro Member: 0061
Muirium wrote: ↑I'll just point out I never use public wifi. It smells funny. I have good fast cellular data, so when travelling with my laptop, I tether to that instead. Less hassle. Less ugly!
I never use public wifi either. Talk about tracking. This is fun:
http://www.androidauthority.com/chainfi ... fy-341874/
- scottc
- ☃
- Location: Remote locations in Europe
- Main keyboard: GH60-HASRO 62g Nixies, HHKB Pro1 HS, Novatouch
- Main mouse: Steelseries Rival 300
- Favorite switch: Nixdorf 'Soft Touch' MX Black
- DT Pro Member: -
Muirium wrote: ↑Uneasy? You're a regular. Hasn't put you off until now. What's different? All I'm hearing is people appealing to a nebulous concept of "security" in just the same way as politicians do when they want to ruin simple things and pin the blame on… right, "security".
Honest question: Have we ever seen a user account stolen? Or a single piece of private information?
I certainly have seen shitty HTTPS at large. Remember when that whole certificate root registrar (or insert the actual terminology) was hacked a few years back and a good part of the Internet broke, throwing up countless invalid certificate dialogs at millions of irritated users worldwide for months? Why did we miss out on that!
Edit: it was DigiNotar. Affected a huge swathe of stuff, as these certificate vendors routinely trade junk with each other. Dependencies all the way down. Yuck!
Anyway, I'm not completely anti HTTPS. But I am vehemently against requiring it.
It has put me off since the beginning, to be honest. Even a login page without HTTPS enabled looks pretty amateur. Not enough to completely deter me, but enough that it makes me uneasy about sharing sensitive things.
We haven't seen any user data stolen, but how would we know? It's not like a theft in person, we still have the personal data after it's been stolen. It's in our best interests to make it difficult for someone to steal if they decide to do so, not after the fact.
Rejecting HTTPS is like refusing to wear a coat in the winter. I mean, I haven't gotten a cold yet so it's probably totally fine. Plus, the coat industry charges way too much for those things. Plus, they're kind of heavy...
Sure, there's the possibility that our upstream cert provider could be compromised. That would be inconvenient for a little bit. In the incredibly unlikely event that this happened, we could just swap the Apache rules so that HTTPS redirects to HTTP and all would be right in the world again. Meanwhile, you mightn't be able to load Google, Facebook, Duckduckgo, Gmail, PayPal, [...].
Even GeekHack has HTTPS enabled. The same GeekHack with the r00tw0rm, that was taken down by a single script kiddie with an AWS instance, and that routinely goes down due to database errors. Yet they are more security-conscious than us? Errr...
I can probably alleviate some of your fears about your older devices no longer being supported, though. I would be totally shocked if any one of those devices didn't support at least ONE modern cyphersuite family. We don't have to be incredibly strict about the encryption methods that we support.
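The rollback scottc describes above (swap the Apache rules so HTTPS redirects to HTTP) works for any client that has not cached an HSTS policy for the site. The block below is an added example, written for this page and not code from the thread or from Deskthority; it models what RFC 6797 `Strict-Transport-Security` does to that rollback once it has been sent. The server side is three toy policies standing in for the Apache rules, the client side is a browser's HSTS cache; the host `forum.example`, the paths and the one-year `max-age` are constructed, and nothing talks to the network.

```python
"""Added example (not from the thread or Deskthority): why 'just swap the
redirect back to HTTP' stops working once HSTS has been served.

Server: three Apache-style policies.  'https_only' redirects http->https and
sends Strict-Transport-Security; 'rolled_back' redirects https->http (the
swap suggested in the thread); 'rolled_back_properly' keeps HTTPS alive and
serves max-age=0 so clients drop the cached policy.
Browser: an HSTS cache per RFC 6797.  Once a host is in it, http:// URLs are
rewritten to https:// before any request is sent, until max-age expires.
All names, paths and times are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

HOST = "forum.example"          # constructed host name
ONE_YEAR = 31536000


@dataclass
class Server:
    policy: str  # "https_only" | "rolled_back" | "rolled_back_properly"

    def respond(self, scheme: str, path: str) -> Tuple[int, Dict[str, str]]:
        if self.policy == "https_only":
            if scheme == "http":
                return 301, {"Location": f"https://{HOST}{path}"}
            return 200, {"Strict-Transport-Security": f"max-age={ONE_YEAR}"}
        if self.policy == "rolled_back":            # HTTPS -> HTTP, nothing else served over TLS
            if scheme == "https":
                return 301, {"Location": f"http://{HOST}{path}"}
            return 200, {}
        if self.policy == "rolled_back_properly":   # keep HTTPS up, tell clients to forget HSTS
            if scheme == "https":
                return 200, {"Strict-Transport-Security": "max-age=0"}
            return 200, {}
        raise ValueError(self.policy)


def parse_max_age(header: str) -> int:
    """Pull max-age out of a Strict-Transport-Security value (RFC 6797 s6.1.1)."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            return int(value.strip('"'))
    raise ValueError("no max-age in " + header)


@dataclass
class Browser:
    hsts: Dict[str, float] = field(default_factory=dict)  # host -> expiry (seconds)
    redirect_limit: int = 5

    def fetch(self, url: str, server: Server, now: float) -> Tuple[str, List[str]]:
        """Return (final URL or 'redirect_loop', schemes actually used on the wire)."""
        wire: List[str] = []
        for _ in range(self.redirect_limit):
            parts = urlsplit(url)
            scheme, host, path = parts.scheme, parts.hostname, parts.path
            if scheme == "http" and self.hsts.get(host, 0.0) > now:
                scheme = "https"   # RFC 6797 s8.3: upgraded before any request leaves the client
            wire.append(scheme)
            status, headers = server.respond(scheme, path)
            sts = headers.get("Strict-Transport-Security")
            if sts is not None and scheme == "https":  # s8.1: only honoured over TLS
                max_age = parse_max_age(sts)
                if max_age == 0:
                    self.hsts.pop(host, None)
                else:
                    self.hsts[host] = now + max_age
            if status in (301, 302, 307, 308):
                url = headers["Location"]
                continue
            return f"{scheme}://{host}{path}", wire
        return "redirect_loop", wire


def rollback_scenario() -> Dict[str, Tuple[str, List[str]]]:
    """One returning visitor, one fresh visitor, three server states."""
    start = f"http://{HOST}/index.php"
    returning, fresh = Browser(), Browser()
    out = {}
    out["day0_https_only"] = returning.fetch(start, Server("https_only"), now=0)
    out["day1_fresh_visitor"] = fresh.fetch(start, Server("rolled_back"), now=86400)
    out["day1_returning_visitor"] = returning.fetch(start, Server("rolled_back"), now=86400)
    out["day1_returning_proper"] = returning.fetch(start, Server("rolled_back_properly"), now=86400)
    out["day1_returning_after_proper"] = returning.fetch(start, Server("rolled_back_properly"), now=86401)
    out["year_later_returning"] = Browser(hsts={HOST: ONE_YEAR}).fetch(start, Server("rolled_back"), now=ONE_YEAR + 1)
    return out


if __name__ == "__main__":
    for name, result in rollback_scenario().items():
        print(f"{name:32s} -> {result}")
```

The fresh visitor is served plain HTTP as intended, but the visitor who saw the site yesterday never reaches the HTTP redirect: the browser upgrades to HTTPS internally, the server bounces it back, and the loop runs until the redirect limit. The only rollback that clears the cache is serving `max-age=0` over a still-working HTTPS endpoint, which is why a site that sets HSTS needs a working certificate for at least as long as its `max-age`.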
-
- Location: UK
- Main keyboard: Filco ZERO green alps, Model F 122 Terminal
- Main mouse: Ducky Secret / Roller Mouse Pro 1
- Favorite switch: MX Mount Topre / Model F Buckling
- DT Pro Member: 0167
I agree with scottc
However, you must know that being cold does not give you a cold; it's a virus, it does not work like that.
It would be a shame for funky stuff like using text mode browsers or outdated systems, but I think it's worth it in the long run.
- Muirium
- µ
- Location: Edinburgh, Scotland
- Main keyboard: HHKB Type-S with Bluetooth by Hasu
- Main mouse: Apple Magic Mouse
- Favorite switch: Gotta Try 'Em All
- DT Pro Member: µ
Man, if only GH had https. That would fix everyth… waiddaminute!
Once Webwit's finished building sand castles, perhaps he could warm up our test domain again: deskthority.com and try a find and replace on a clone. That way we can find out for ourselves what will be broken. Especially if he gets one of those freebie certificates for maximum pain. Safe to assume we'll end up with that user experience anyway, no matter what we pay. Come on, you know what douche magnets domain registrars are. Certs are even better. Legalised protection money draws a certain kind of mob.
Fuck it. Let's self sign our cert.
Anyway, I literally don't even own a warm jacket or a coat. (Got a nice white linen jacket for formal occasions though. Works well with a Panama hat!) I'm not kidding about my cold tolerance. Lowland Scotland doesn't get cold enough to test me. I need to head north or higher altitude to actually need anything beyond a single layer with sleeves.
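Two posts above make the same practical point from different angles: bhtooefr's, that a split site only works if every link is relative and forum posts will contain absolute `http://` links anyway, and Muirium's, that a find and replace on a clone would show what actually breaks. The block below is an added example, written for this page and not code from the thread or from Deskthority, that does that audit on one page's HTML: it lists absolute `http://` links back to the site (a downgrade path once the site is https-only), `http://` sub-resources (mixed content on an https page) and external `http://` links (left alone), then does the find-and-replace for the site's own links. The host `forum.example` and the sample page are constructed.

```python
"""Added example (not from the thread or Deskthority): a checker for the
'make all links relative / find and replace on a clone' idea.

Given one page's HTML and the site's own host, audit() reports absolute
http:// links back to the site, http:// sub-resources and external http://
links; rewrite_own_links() is the find-and-replace pass for the first kind.
The host name and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

URL_ATTRS = {"a": "href", "form": "action", "img": "src", "script": "src",
             "link": "href", "iframe": "src"}
SUBRESOURCE_TAGS = {"img", "script", "link", "iframe"}


class LinkCollector(HTMLParser):
    """Collect (tag, url) for every attribute that can start a request."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for key, val in attrs:
            if key == wanted and val:
                self.found.append((tag, val))


def is_own_host(host: str, own_host: str) -> bool:
    host = host.lower()
    return host == own_host or host.endswith("." + own_host)


def audit(html: str, own_host: str) -> Dict[str, List[str]]:
    collector = LinkCollector()
    collector.feed(html)
    report: Dict[str, List[str]] = {"downgrade_links": [], "mixed_content": [], "external_http": []}
    for tag, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # https://, relative, //protocol-relative and mailto: are all fine
        if tag in SUBRESOURCE_TAGS:
            report["mixed_content"].append(url)      # blocked or warned about on an https page
        elif is_own_host(parts.hostname or "", own_host):
            report["downgrade_links"].append(url)    # sends the visitor back to plaintext
        else:
            report["external_http"].append(url)      # not this site's cookie at stake
    return report


def rewrite_own_links(html: str, own_host: str) -> str:
    """The find-and-replace pass: http://<own host or a subdomain> -> https://.

    It deliberately runs over post bodies as well as templates, because that
    is where the absolute http:// links are expected to be hiding.
    """
    pattern = re.compile(r"http://((?:[a-z0-9-]+\.)*" + re.escape(own_host) + r")(?![a-z0-9.-])",
                         re.IGNORECASE)
    return pattern.sub(r"https://\1", html)


# Constructed page fragment mixing template links and a user post.
SAMPLE_PAGE = """
<a href="http://forum.example/viewtopic.php?t=1">a topic</a>
<a href="/memberlist.php">members</a>
<a href="https://forum.example/ucp.php">already https</a>
<a href="//forum.example/faq.php">protocol-relative</a>
<img src="http://wiki.forum.example/img/keyboard.png">
<script src="http://cdn.example/jquery.js"></script>
<p>see <a href="http://www.androidauthority.com/">this article</a></p>
"""


if __name__ == "__main__":
    print("before:", audit(SAMPLE_PAGE, "forum.example"))
    print("after: ", audit(rewrite_own_links(SAMPLE_PAGE, "forum.example"), "forum.example"))
```

After the rewrite the only item left in the report is the script loaded from a third-party host over `http://`, which no amount of link fixing on the site's side cures: it has to be served over HTTPS from that host or dropped, otherwise browsers will block it on the https page.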
- scottc
- ☃
- Location: Remote locations in Europe
- Main keyboard: GH60-HASRO 62g Nixies, HHKB Pro1 HS, Novatouch
- Main mouse: Steelseries Rival 300
- Favorite switch: Nixdorf 'Soft Touch' MX Black
- DT Pro Member: -
andrewjoy wrote: ↑I agree with scottc
However, you must know that being cold does not give you a cold; it's a virus, it does not work like that.
It would be a shame for funky stuff like using text mode browsers or outdated systems, but I think it's worth it in the long run.
Damn it Jim I'm a sysadmin, not a doctor! Wait a second...
You're absolutely right though, my exaggerative comparison game is off today.
I think that most text mode browsers will work just fine with HTTPS. For example, google.com works just fine in elinks:
- scottc
- ☃
- Location: Remote locations in Europe
- Main keyboard: GH60-HASRO 62g Nixies, HHKB Pro1 HS, Novatouch
- Main mouse: Steelseries Rival 300
- Favorite switch: Nixdorf 'Soft Touch' MX Black
- DT Pro Member: -
Muirium wrote: ↑Man, if only GH had https. That would fix everyth… waiddaminute!
Unfortunately HTTPS isn't a one-stop fix for all of your security vulnerabilities! Otherwise it might be well worth the cash...
Muirium wrote: ↑Come on, you know what douche magnets domain registrars are. Certs are even better. Legalised protection money draws a certain kind of mob.
Fuck it. Let's self sign our cert.
This could work as an interim thing, for testing at least. I'm up for helping out. Any sort of cert is good enough to log in with, even if it's self-signed.
Muirium wrote: ↑Anyway, I literally don't even own a warm jacket or a coat. (Got a nice white linen jacket for formal occasions though. Works well with a Panama hat!) I'm not kidding about my cold tolerance. Scotland doesn't get cold enough to test me. I need to head north or higher altitude to actually need anything beyond a single layer with sleeves.
Well that ruins my metaphor... thanks a bunch!
andrewjoy wrote: ↑Why does your elinks look so nice!
That's just me running it on one of my servers via iTerm on my work Macbook... no idea! It's ELinks 0.12pre5 on Debian Wheezy. I have nice colour schemes set up in iTerm, maybe that's it?
-
- Location: UK
- Main keyboard: Filco ZERO green alps, Model F 122 Terminal
- Main mouse: Ducky Secret / Roller Mouse Pro 1
- Favorite switch: MX Mount Topre / Model F Buckling
- DT Pro Member: 0167
ewwweeee debian
but andrewjoy don't you use debian for your internal web server
Unfortunately I do! If only Arch had a stable branch.
-
- Location: UK
- Main keyboard: Filco ZERO green alps, Model F 122 Terminal
- Main mouse: Ducky Secret / Roller Mouse Pro 1
- Favorite switch: MX Mount Topre / Model F Buckling
- DT Pro Member: 0167
scottc wrote: ↑You should obviously just use Gentoo! Err...
I just like pacman and the way the configuration of the system is done; it's quick and easy to understand. Other systems like Debian confuse my pathetic brain.
- Muirium
- µ
- Location: Edinburgh, Scotland
- Main keyboard: HHKB Type-S with Bluetooth by Hasu
- Main mouse: Apple Magic Mouse
- Favorite switch: Gotta Try 'Em All
- DT Pro Member: µ
All? I wouldn't have much to say. Linux is a pile of shite. Wouldn't catch me on the stuff!
@Andy: Nah, that's just an experience called taste being confronted by shoddy design. Let it guide you!
- bhtooefr
- Location: Newark, OH, USA
- Main keyboard: TEX Shinobi
- Main mouse: TrackPoint IV
- Favorite switch: IBM Selectric (not a switch, I know)
- DT Pro Member: 0056
- Muirium
- µ
- Location: Edinburgh, Scotland
- Main keyboard: HHKB Type-S with Bluetooth by Hasu
- Main mouse: Apple Magic Mouse
- Favorite switch: Gotta Try 'Em All
- DT Pro Member: µ
I think we should go full-tinfoil on this and self sign. Then every browser gets an equally shitty user experience.
(No I don't. Fuck Firefox.)
-
- Location: UK
- Main keyboard: Anne Pro w/ Gateron Reds
- Main mouse: Zowie ZA11
- DT Pro Member: -
We could always use https://letsencrypt.org
- Muirium
- µ
- Location: Edinburgh, Scotland
- Main keyboard: HHKB Type-S with Bluetooth by Hasu
- Main mouse: Apple Magic Mouse
- Favorite switch: Gotta Try 'Em All
- DT Pro Member: µ
Muirium wrote: ↑A dodgy cert could ruin everything. And I think Webwit is wisely considering any cert signed in the USA (or even worse: England!) to be a very dodgy cert indeed.
We'll get a good one eventually. And I'll see to it that the https crusaders amongst you foot the bill!