HTTPS everywhere except this forum

For discussions about security.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

HTTPS everywhere except this forum

#1 Post by labbe5 »

One line of defense is using HTTPS. The Electronic Frontier Foundation (EFF) is offering one of the best plugins out there, on par with NoScript: HTTPS Everywhere.

I have been using this plugin for years, and for some time now I have used it with the setting Block All Unencrypted Requests.

Unfortunately, I have to uncheck it to access the Murga-Linux forum; I cannot think of another web site for which I need to do that now.

With Let's Encrypt easing the way toward HTTPS, I wonder why the Murga-Linux forum is still on old, soon-to-be-deprecated HTTP.

Have an idea?

Further reading:
https://www.itzgeek.com/how-tos/linux/h ... erver.html
HTTPZ is an advanced HTTP connection upgrader for Firefox
https://www.ghacks.net/2019/11/23/httpz ... r-firefox/
Last edited by labbe5 on Sat 23 Nov 2019, 12:19, edited 2 times in total.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.

matchpoint
Posts: 168
Joined: Fri 26 Jan 2018, 20:54

#3 Post by matchpoint »

That we post publicly, what are you hoping it will protect you from?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#4 Post by belham2 »

Flash wrote: Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.
Flash,

You cannot possibly be serious, are you? Please tell me you are not. Https has little to do with "protecting" passwords. That is a side corollary, a little thing. There is another, a much bigger thing, one which encapsulates the whole https movement and its reason for being (and the push it is receiving).

Ask yourself: how many small scripts, pics and such do you think murga has on its account at the servers it contracts this forum out to (the web server company)? You think thousands? Hundreds of thousands? More??? (it'd be wise to guess the last one).

Ask yourself, each and every time one of those things is downloaded, how unbelievably easy it is to: a) impersonate this site, and b) for the end user to have no inkling it happened. Https fights on these two fronts. If you think about the ease of compromising http-only websites, you get an idea of what https would do for this site and its users.

I just wish people would stop putting out there what they think they know about https, and stop using lame, inapplicable excuses. Simply put, there is no way on this green Earth murga-linux.com can confidently tell any browser (who lands on its site today) that it is: a) actually the murga site, and; b) that any and/all scripts/programs that you download will be done securely & thanks to https will not be subject to easy MITM actions.

I've done https on the few sites I run. It is not hard. It is not expensive. It just takes time, not $$$$ or brainpower. It is just plain goddamn laziness (please excuse the language but it has gotten to the point this needs to be said)...it is just plain damn laziness that this site has not been converted to https.

So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you? All of the users who uploaded and contributed stuff, do you value it? Or no??

If the web server provider you currently use will not help you move murga to https (which I cannot think of one on the planet that does not now offer this), then have the foresight to move.

Stop making excuses. This has gone beyond ridiculous, especially for a site like murga & the content it holds.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#5 Post by Sailor Enceladus »

I like living in the past. All those new ad-filled social-media-connected javascript-filled CPU-tanking sites can go to hell :twisted: :lol:

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

belham2 wrote:
    Flash wrote: Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.
    You cannot possibly be serious, are you? Please tell me you are not. Https has little to do with "protecting" passwords. That is a side corollary, a little thing. There is another, a much bigger thing, one which encapsulate the whole https movement and its reason for being (and the push it is receiving).
https often isn't implemented properly and as such offers little in the way of protection over not having bothered.
Last edited by rufwoof on Fri 11 Oct 2019, 00:20, edited 1 time in total.
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#7 Post by Flash »

rufwoof wrote:...hardly a pleasant/helpful community/board for new visitors either.
How so? Please explain.

matchpoint
Posts: 168
Joined: Fri 26 Jan 2018, 20:54

#8 Post by matchpoint »

For our daily 30,000 plus, key comments from a respected Windows MVP administrator and a realistic viewpoint on the topic.
    No, the use of SSL does not protect this website, its software or server. Someone asked me something similar offline from this, whether forcing SSL would prevent hackers from attacking. No, it won't. SSL is not a protective barrier keeping anyone out. Everyone can access the site using SSL if it is enabled - good guys and bad guys. And hack attempts, things like SQL injection, or other known exploitable holes in either the [blank] application or the underlying webserver software, are in no way prevented by implementing SSL.
    I will add that MITM attacks are just as easy against a site with a CA provided cert as a self-signed one. If a CA grants an open ended cert to some big company or govt agency, which everyone knows has been done, and they then put that between us and this forum, our browsers wouldn't object to that regardless of whether the cert here is self-signed or provided by a CA. It's the trust on the MITM cert that's important at that point, not the target site's certificate.
    And no, I'm not interested in a debate.

Ref? You've got plenty to work with.

Peace.

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Let's Encrypt

#9 Post by labbe5 »

https://www.bleepingcomputer.com/news/s ... -programs/

Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems.

While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well.

hatemonday
Posts: 35
Joined: Thu 10 Oct 2019, 13:23

#10 Post by hatemonday »

Most sites have https nowadays,
it's strange this murga forum doesn't have https enabled.
Last edited by hatemonday on Sun 15 Dec 2019, 13:12, edited 2 times in total.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#11 Post by Flash »

No, your password is not encrypted. However, if you are using an encrypted wifi connection, the traffic between your computer and the wifi base station is encrypted, meaning that an eavesdropper can't understand anything that's sent or received over the wireless connection. I don't know about public wifi. Usually it requires a password, so I assume it's an encrypted connection, but the traffic between the wifi base station and the wired Ethernet is definitely not encrypted. This is where someone could read your password, but they'd have to be eavesdropping on the wired Ethernet to do it. That's much more difficult to do than eavesdropping on a wireless connection. It requires physical access to the Ethernet cable.

The reason this forum doesn't use https is that the forum was established in 2005, before https was common. I don't know how much trouble it would be to add https capability. Probably that would require updating the forum software. That would be up to John Murga.

Yes, the forum logs users' IP addresses. Each post has the poster's IP address attached to it. I don't know if everyone can see it but moderators and administrators can. I can't see your password, so don't ask me what it is if you forget it.

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

#12 Post by mikeslr »

Although a "Let's encrypt" account can be obtained without cost* (https://gethttpsforfree.com/), it's not just a question of whether this Forum's software could use it. [I suspect major problems in updating 14 year old software and the likelihood of losing some (many) of its over 1 Million posts.] There's also the question of whether the Web-host on which this Forum resides can both accommodate Let's encrypt in general and with respect to this Forum's software in particular.

* I think it has to be renewed every 90 days.

01101001b
Posts: 123
Joined: Thu 09 Mar 2017, 01:20
Location: Buenos Aires, Argentina

#13 Post by 01101001b »

rufwoof wrote:Puppy is so [...] Insecure ...etc.
Insecure?? Clearly you don't have the slightest idea of what you're talking about. No surprise, though. But I don't give a damn.

Have a good day 8)

01101001b
Posts: 123
Joined: Thu 09 Mar 2017, 01:20
Location: Buenos Aires, Argentina

#14 Post by 01101001b »

belham2 wrote:
    it is just plain damn laziness that this site has not been converted to https.

    So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you?
No disrespect here but you are talking plain paranoia and spreading hysteria. HTTPS has a purpose, secrecy, and here nothing is secret. Security is a must when needed. No need here. HTTPS to protect what? Old scripts? Posts? MITM here?? Please.

Have a good day 8)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#15 Post by s243a »

01101001b wrote:
    belham2 wrote:
        it is just plain damn laziness that this site has not been converted to https.

        So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you?
    No disrespect here but you are talking plain paranoia and spreading hysteria. HTTPS has a purpose, secrecy, and here nothing is secret. Security is a must when needed. No need here. HTTPS to protect what? Old scripts? Posts? MITM here?? Please.

    Have a good day 8)
Passwords and session cookies should be secret. Also https serves as a type of content verification. Without such content verification you can't tell if someone is doing a man in the middle attack on you!
Find me on minds (https://www.minds.com/ns_tidder) and on pearltrees (https://www.pearltrees.com/s243a/puppy-linux/id12399810).

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#16 Post by s243a »

Flash wrote: No, your password is not encrypted. However, if you are using an encrypted wifi connection, the traffic between your computer and the wifi base station is encrypted, meaning that an eavesdropper can't understand anything that's sent or received over the wireless connection.
Wifi encryption likely isn't that hard to break (see aircrack-ng), especially older protocols, but the attacker doesn't have to if they can do arp poisoning so as to masquerade as the default gateway to the Internet. Alternatively the attacker can compromise the router (see routersploit), and old cheap routers are known for bad security. If the router is compromised then the attacker can send you fake DNS requests and direct all puppylinux traffic to a fake puppylinux phishing site.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#17 Post by s243a »

01101001b wrote:
rufwoof wrote:Puppy is so [...] Insecure ...etc.
Insecure?? Clearly you don't have the slightest idea of what you're talking about. No surprise, though. But I don't give a damn.

Have a good day 8)
I wish there wasn't so much deleting of posts on this forum. I would have liked to hear what rufwoof had to say :(

wiak
Posts: 2040
Joined: Tue 11 Dec 2007, 05:12
Location: not Bulgaria

longevity

#18 Post by wiak »

I suppose, thinking about it, not using https and not having passwords encrypted is a bit concerning. I hadn't really thought about it until happening to read this thread today. Main worry would be if someone obtained the passwords list and were thus able to impersonate others. But maybe these are unlikely concerns?

This forum has been open since 04 May 2005. That's a long time and I can't help but wonder how old everyone who is involved in the running of it now is. Not that I want such personal information - not at all. However, time moves on and no-one gets any younger, so that thought simply leaves me wondering if this forum could suddenly close with little or no warning.

I know that I at least tend to post development efforts directly to the forum - way before I upload any of the same material anywhere else. And... I often lose my own home copies... The reason is that life is short and time too precious, so I'm often in a hurry and already spend too much time on computers so tend not to spend sufficient time making good backups. However, I do try to keep backups, and I do both email myself with copies of scripts, and upload to github and google drive now and again (though that could all close too...), but there is usually a delay before I get round to that. Since the development work tends to be for others on murga forum to use, my posts and uploads there tend to take priority.

Anyway, now that I'm thinking these thoughts I've promised myself to put my 'backups' house into better order. But it is a pretty small promise, of a low priority sort such that I'll probably forget all about it by tomorrow. I certainly wouldn't be making backups of many of my posts from over the years, and not even scripts I have once upon a time developed. So if this forum ever closes, much of my own work will certainly be lost and I guess I just accept that since none of what I have done is significant enough to matter to me beyond any utility or fun its use currently provides myself or anyone else.

I certainly don't trust myself to really get round to organising my backups better when there are other aspects of my life that have long needed more of my attention but fail to get it...

So the forum has been around for over 14 years now. Will it be here in another 14 years, I wonder, or for 14 generations to come?!

wiak

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: longevity

#19 Post by s243a »

wiak wrote: I suppose, thinking about it, not using https and not having passwords encrypted is a bit concerning. I hadn't really thought about it until happening to read this thread today. Main worry would be if someone obtained the passwords list and were thus able to impersonate others. But maybe these are unlikely concerns?
For user verification purposes a cool alternative to https would be to have users sign their posts with a pgp signature. For this to be more seamless there would have to be an api that one could use to edit posts in an external editor. The signature wouldn't show when people are reading the normal forum unless they clicked on the raw button. However, there could be some kind of checkmark to indicate the post is signed with a valid signature.

Unfortunately, though, this would require a learning curve for users and wouldn't be widely utilized. One thing that I do know, though, is that because this forum doesn't have https I would never try to access this forum from tor, except maybe if there was a hidden service version of this site. However, providing a hidden service interface to a site opens it up to attacks from anonymous hackers.

Edit: It occurred to me that there could be a master signature for the forum that could be used to authenticate the content of a post. This way one could detect man in the middle attacks.

Actually, with an api people could post in a secure way using pgp encryption and not have to rely on https. The advantage of this is that it prevents https certificate authorities from spoofing the site by issuing fake certificates. The disadvantage is mostly the learning curve, but with a suitable app the technical voodoo could be hidden.
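The "master signature for the forum" idea from the post above, worked through as an added example that is not the forum's code or any existing API: a hypothetical server-side Ed25519 master key signs each post's id, author and body, and a reader verifies every post against the published public key, so a post whose body was altered between server and browser fails the check. All type and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPost is a hypothetical post record: the stored fields plus a detached
// signature made with the site's master key. Not the forum's real format.
type SignedPost struct {
	ID     int
	Author string
	Body   string
	Sig    []byte
}

// NewForumKey generates the site's master key pair. The private half would
// stay on the server; the public half is published once, out of band.
func NewForumKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return pub, priv
}

// canonical is the exact byte string that gets signed. Length prefixes make
// the encoding unambiguous; binding id and author to the body means a validly
// signed body cannot be re-used under another post number or another name.
func canonical(id int, author, body string) []byte {
	return []byte(fmt.Sprintf("%d|%d|%s|%d|%s", id, len(author), author, len(body), body))
}

// SignPost is what the server would do when a post is stored or edited.
func SignPost(priv ed25519.PrivateKey, id int, author, body string) SignedPost {
	return SignedPost{ID: id, Author: author, Body: body,
		Sig: ed25519.Sign(priv, canonical(id, author, body))}
}

// VerifyPost is the reader-side check behind the proposed "checkmark".
func VerifyPost(pub ed25519.PublicKey, p SignedPost) bool {
	return ed25519.Verify(pub, canonical(p.ID, p.Author, p.Body), p.Sig)
}

// BadPosts returns the ids of posts whose content no longer matches their
// signature: the symptom of in-transit modification or an un-resigned edit.
func BadPosts(pub ed25519.PublicKey, posts []SignedPost) []int {
	var bad []int
	for _, p := range posts {
		if !VerifyPost(pub, p) {
			bad = append(bad, p.ID)
		}
	}
	return bad
}

func main() {
	pub, priv := NewForumKey()
	good := SignPost(priv, 1, "labbe5", "One line of defense is using HTTPS.")
	altered := good
	altered.Body = "One line of defense is using HTTP." // constructed tampering
	fmt.Println("failed verification:", BadPosts(pub, []SignedPost{good, altered}))
}
```

Signatures give readers integrity and origin of the content only; login credentials and session cookies still travel in the clear without HTTPS, which is the point made in post #15.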

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#20 Post by Burn_IT »

You are all paranoid about security.
I have been in computing since before the PC was invented.
As soon as online computing was available I was testing/trying it for some of the largest and some of the most security conscious companies.
Not once has any of my sessions been hacked and I have never used any special encryption.
Yes I am (still) bound by the official secrets act and was thoroughly investigated by Cheltenham before I was allowed to work on government and MOD projects.
"Just think of it as leaving early to avoid the rush" - T Pratchett
