
Switching FC to full-HTTPS

Discussion in 'Community Discussion' started by KeroZen, Sep 5, 2016.

Would you like this forum to transition to full HTTPS (encrypted) operation mode?

  1. Yay! 67 vote(s), 87.0%
  2. Nay! 1 vote(s), 1.3%
  3. I'm clueless: 9 vote(s), 11.7%

  1. momofthegoons

    momofthegoons vapor accessory addict

    Messages:
    12,725
    You are correct as usual @herbivore21. ;) Hopefully with me tagging him too (and perhaps a pm?) he will respond this time.

    Last edited: Dec 19, 2016
  2. OldNewbie

    OldNewbie Well-Known Member

    Messages:
    624
    Nah, I'll just bang my head against the wall by posting here. Better than being effective.

    My understanding of the core concept of a forum like this is manifold, but focused on selling and supporting vaporizers and vape equipment. I'm sure that being a service to those in need is a part of the owner's goals. But, I suspect the bottom line is...at some point...the bottom line. With that in mind, unless the owner wants to slowly drain this swamp of highly-motivated people, the forum has to change.

    Those here will probably shrink over time for any of a number of reasons and word of mouth is not going to drive members. The forum needs/wants to grow in members and most of them will have a virus check on their computer and will come here from Google.

    My current "security" software flags unencrypted sites. (As does Chrome.) Google gives a ranking boost to sites that use HTTPS and it is rumored, based on their stated goal to have it "everywhere", at some point the ranking will push down to the point FC is off the front pages no matter how accurate a thread is to the question searched.
     
    GreenHopper and grokit like this.
  3. HellsWindStaff

    HellsWindStaff Dharma Initiate

    Messages:
    1,674
    The only time I ever used TOR I did it from public wifi at McDonald's but I also installed on an old laptop specifically to see if I could get it to work, very interesting stuff IMO didn't have a full grasp on all of it at time (still don't) but fascinating to me the idea of the dark net......is it really dark if you can google instructions to find it? Prob better thoughts for other threads :lol:

    I voted yay I am not overtly paranoid but IMO it's good practice to use HTTPS. There was a program I thought that let you make your own certificates that was free but name escapes me.. Not all that familiar but made self signing certificates to use with controllers I was using Node Red with? If that would be same thing needed. But was very easy
     
    grokit likes this.
  4. momofthegoons

    momofthegoons vapor accessory addict

    Messages:
    12,725
    If our focus was to support the selling of vape equipment, we'd have a whole lot more sponsors. I happen to know that vtac has turned down quite a few; wanting the number to stay the same. He gets no 'kick back' from the vendors and manufacturers that post here (other than the sponsors who pay an annual fee). So no... the purpose of this forum is NOT to support the selling of vape equipment. It was set up to exchange vape information and chat.
     
    RUDE BOY, Amoreena, CarolKing and 4 others like this.
  5. muunch

    muunch zzzzz

    Messages:
    1,008
    Not understanding why TOR/tails are even being discussed here.

    If you're using either of those to browse this forum, regardless the legality of cannabis in your state/nation/etc... take off your tinfoil hat.
     
    Last edited: Jan 4, 2017
  6. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
    If I was really paranoid I would secure my home with a router-level vpn and be done with it.

    But I'm just "medium-paranoid", so I take what I believe are "normal" precautions.

    Besides, the vpn thing sounds like a lot of work I don't know how to do.

    Even I can see that an https upgrade to fc would be a plus.

    :tinfoil:
     
    Silat and OldNewbie like this.
  7. muunch

    muunch zzzzz

    Messages:
    1,008
    VPNs are more trouble and money than they're worth. I'd rather just buy a cheapo laptop off someone local (the older and crappier the better if all you're doing is browsing the internet) and only use public wifi.

    I'd wager using public wifi alone is as secure as a VPN or close to it.
     
  8. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    I don't really understand the point of your post here. If you are trying to provide some basic level of security to avoid your ISP from knowing what you are doing (which is the basic reason of HTTPS).

    If you use this forum on a public WiFi you should absolutely use a VPN or TOR as it's absolutely easy to sniff and get your username/password over wifi.

    Heck there's tools that make it easy to steal the Facebook credentials.

    https://en.wikipedia.org/wiki/Session_hijacking#Exploits
     
    grokit likes this.
  9. muunch

    muunch zzzzz

    Messages:
    1,008
    My point was if you're THAT paranoid where you think your ISP is going to come after you for viewing/browsing a forum about cannabis... then idk.

    People talking about tails and TOR to access THIS SITE is (while perfectly valid and secure) way overkill. I can't see a reason for it. That was my point.

    I don't have any identifiable information on here so I really don't care if the account was to be compromised. Maybe some do? I don't know.

    My post wouldn't have been made if tor/tails wasn't mentioned in regards to browsing this site, so I guess that's the point? idk?

    HTTPS for FC? ok - perfectly valid and this should probably be a standard in today's age if you want to not just get skimmed over as a website etc.

    TOR/Tails for FC? perfectly valid, sure you can do it - but it's like wearing a scuba suit to go outside in the rain.
     
    elmoe420 likes this.
  10. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    It's not about your ISP. It's not about them always coming after you. It could easily be about Session Hijacking to be blunt.

    If you input your credentials on a non-secure site; whoops. Even Chrome is coming out to shame sites that don't provide https.

    In time we'll have to start clicking buttons to say yes we are aware that this site is insecure and you shouldn't go there. All browsers are trying to force HTTPS as a standard now.

    Sure you can blame your ISP; you can blame the NSA. But in this day and age it's more of shaming this site for not offering https.
     
    KeroZen, Maitri and muunch like this.
  11. muunch

    muunch zzzzz

    Messages:
    1,008
    https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

    Idk maybe I'm just fortunate to be computer literate but I just don't click on dumb shit or go to shady sites and I don't get viruses/etc/etc even with no antivirus.

    Or maybe I'm just missing the point. I obviously voted yes for https, I'm more just bewildered at the random mention of tor/tails just because we're discussing internet security lol
     
    elmoe420 and grokit like this.
  12. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
    The vpn licenses from avast (one example) only protect one computer at a time; they also have security products made specifically for public wifi, mainly devices but extra security also kicks in on laptops. That tells me that there are many exploits being run on public wifi. Because I use a variety of os's it would be too much of a patchwork solution anyways, which is why I looked at just getting a router with vpn software built in; then I would be secure at home and just need to secure my portable devices for when traveling. The differences in our perception are probably because "public wifi" is such an arbitrary term; a Marriott, joe's coffee shop, and public libraries would have very different security. Using an xp computer or older would mean that you're even more vulnerable because there are no more security patches for the os. From what I can tell it's android and windows-based systems being most taken advantage of. Just my perspective.

    edit: Thanks for reminding me about https-everywhere, I used to have it installed on ff but dropped it when I was having ff issues along with a bunch of other extensions. Now I'm running google as well to take the load off of ff, so I should probably go and see if https-everywhere is also available for chrome.

    edit2: I just installed https-everywhere on chrome as well, thanks again now I feel a bit safer :rofl:

    :freak:
     
    Last edited: Jan 5, 2017
    muunch likes this.
  13. muunch

    muunch zzzzz

    Messages:
    1,008
    tails is based off of linux. if i were to use tor and public wifi - the only way i'd bother to do so is if i was on tails.

    i don't think people give that much of a damn and unless you're being specifically targeted or are easily fooled by phishing things etc you really shouldn't worry.

    obviously, this is getting away from the point, so I'll just shut up now and let people do whatever they want. I'm just lazy as fuck so I'm not going to jump through all these unnecessary hoops just to look at a forum about weed lol. A forum that should be https in 2017 :3

    I wouldn't start going crazy with tails/etc/etc unless I was one of the crazy people that orders drugs off the deep west or wild web. whatever it's called.
     
    Last edited: Jan 5, 2017
    grokit likes this.
  14. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    That really doesn't make FC any more secure. I can deny myself access by blocking insecure requests.

    It's also known to break sites.

    So let's get back on topic here instead of adding useless off topic banter that doesn't help.
     
  15. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
  16. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    Not really. It provides regex rules to help force using secure login mechanisms. It doesn't provide HTTPS to non HTTPS sites.

    So really it's off point; it doesn't help secure FC in any way whatsoever.
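
The behaviour described in the post above, as an added example that is not part of the original thread and not the extension's own code: a simplified Python model of an HTTPS Everywhere style ruleset, showing that a URL is rewritten only when its host is listed as a target. The ruleset contents and the hosts `example.org` and `forum.example.net` are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the extension's XML style; example.org is a placeholder.
RULESET_XML = """
<ruleset name="Example">
  <target host="example.org" />
  <target host="*.example.org" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Return (target host patterns, compiled rewrite rules)."""
    root = ET.fromstring(xml_text)
    targets = [t.get("host") for t in root.findall("target")]
    rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]
    return targets, rules

def host_matches(host, target):
    """Exact match, or a left-hand wildcard such as *.example.org."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target

def rewrite(url, ruleset):
    """Rewrite url only if its host is listed in the ruleset; else return it unchanged."""
    targets, rules = ruleset
    host = urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in targets):
        return url  # no rule for this site: the request stays on plain HTTP
    for pattern, replacement in rules:
        new_url, count = pattern.subn(replacement, url, count=1)
        if count:
            return new_url
    return url

RULESET = load_ruleset(RULESET_XML)
```

A site with no ruleset, or one that does not serve HTTPS at all, gains nothing from the rewrite step; only the server operator can add HTTPS.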
     
  17. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
    Thanks for your input; it's also absolutely on-topic,
    as this is the only thread that comes up when searching for "https on fc" :tup:

    :sherlock:
     
    Last edited: Jan 5, 2017
  18. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    Everyone has an opinion and everyone is right? right... wrong there's no website rules for FC on HTTPS Everywhere... so it really doesn't do anything for this site

    Can we move back to the original topic now? Tor has its point; but the topic here is switching FC to full HTTPS.

    Let's try to stick to that shall we?
     
  19. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
    Right, the subject is whether fc should have https;
    just don't talk about the browser plug-in :rolleyes:

    :horse:
     
  20. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    Exactly the plugin doesn't do anything without https. So we're just bikeshedding off in a different direction doing absolutely nothing productive towards our conversation.
     
  21. grokit

    grokit well-worn member

    Messages:
    11,687
    Location:
    the north
    Regarding your first point, I think you mean that because fc doesn't conform to HTTPS protocols it's still going to be insecure even if it doesn't "break (2nd point)"?

    Your second point is a known issue, which is why https-everywhere can be easily disabled per site.

    What other objections/limitations do you have regarding this plug-in?

    More importantly, do you have any alternatives to suggest?

    "HTTPS Everywhere is a free and open source web browser extension for Google Chrome, Mozilla Firefox and Opera, a collaboration by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use the more secure HTTPS connection instead of HTTP, if they support it."

    "What if HTTPS Everywhere breaks some site that I use?
    This is occasionally possible because of inconsistent support for HTTPS on sites (e.g., when a site seems to support HTTPS access but makes a few, unpredictable, parts of the site unavailable in HTTPS). If you report the problem to us, we can try to fix it. In the meantime, you can disable the rule affecting that particular site in your own copy of HTTPS Everywhere by clicking on the HTTPS Everywhere toolbar button and unchecking the rule for that site."

    :sherlock:
     
  22. vtac

    vtac vapor junkie Staff Member

    Messages:
    5,374
    Location:
    FC R&D
    Thank you @KeroZen for starting this discussion and to all who participated. Security is something that has always been taken seriously here and https is something that we will be implementing in the future. It's not quite as simple as flipping a switch and there are a number of other matters that also require attention, so your patience is appreciated.

    As usual the level of knowledge here is impressive and there have been many good points brought up in this thread. I agree that if privacy and security are important to you it's best to take control of them yourself. https is certainly worth using, however it's not a panacea for all your privacy and security concerns. Using a trusted and properly configured VPN setup is the way to go as it encrypts all of your traffic including DNS queries.
     
  23. KeroZen

    KeroZen Chronic vapaholic

    Messages:
    2,121
    Location:
    On Air
    Hey @vtac, quite the relief to have you back!

    I bloody know it's not that simple to implement, especially because Google dislikes duplicated content. So it's a real challenge to have every single link out there converted to HTTPS and ensure all others are properly redirected. Miss a single one and then two versions of your site exist at once for the crawlers... (thankfully it seems that since their move to try to switch the entire Internet to HTTPS they made things easier, like for instance you can indicate in Google Webmaster Tools which version is the main one etc)

    Nonetheless it's not easy AND it's not the panacea either as you pointed out. But it would definitely be a good step forward at least. Glad to hear that it's in the pipe. No stress, do it at your own pace. Thank you for your answer.

    PS: ah and avoid the latest free certificates fad, it's turning out to be a disaster and hurting the whole chain of trust...
     
    muunch, grokit and GreenHopper like this.
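
The migration check described in the post above, as an added example that is not part of the original thread: a Python audit that flags HTTP URLs still served without a redirect (the duplicate-content case), redirects that are not permanent or land on a different path, and internal links still written as `http://`. The host `forum.example` and all responses are constructed sample data, and treating 301/308 as the "proper" redirect is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE = "forum.example"  # placeholder host (assumption)

# Constructed crawl results: (status, Location header) for each http:// URL.
HTTP_RESPONSES = {
    "http://forum.example/": (301, "https://forum.example/"),
    "http://forum.example/threads/1": (200, None),
    "http://forum.example/threads/2": (302, "https://forum.example/threads/2"),
    "http://forum.example/faq": (301, "https://forum.example/"),
}

def audit_redirects(responses):
    """Map each problematic http:// URL to a description of what is wrong."""
    findings = {}
    for url, (status, location) in responses.items():
        expected = "https" + url[len("http"):]  # same host and path over HTTPS
        if status == 200:
            findings[url] = "served over HTTP (duplicate of the HTTPS copy)"
        elif status not in (301, 308):
            findings[url] = f"status {status} instead of a permanent redirect"
        elif location != expected:
            findings[url] = f"redirects to {location}, not {expected}"
    return findings

class LinkCollector(HTMLParser):
    """Collect href/src attribute values from a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def insecure_internal_links(html, host=SITE):
    """Return absolute links to our own host that still use http://."""
    parser = LinkCollector()
    parser.feed(html)
    return [link for link in parser.links
            if urlsplit(link).scheme == "http" and urlsplit(link).hostname == host]
```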
  24. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    VPNs at this point in the game only hide where you originate from. Hard lines are still being captured so your data is still being transmitted over the wire unencrypted. Not a perfect solution either but can be helpful in some situations.

    I've never understood why 16$ was so expensive; Gandi used to be a bit cheaper but it's so much better than having to renew your ssl certificate every 90 days.
     
    KeroZen likes this.
  25. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    I'm sorry you don't really understand how the NSA works then. Let alone how people are hooked into fiber connections to essentially copy every packet over. It has been happening (reportedly) since 2004.

    If they have access to the hard lines; there is nothing really you can do except enable HTTPS. This is why Google had to rush to enable crypto on their whole infrastructure as the NSA had tapped into their backlines...

    Using this method; they have access to the body of the message and the cookie content. Really seems harmless unless you consider that your cookie has your email address (and a hashed cookie) that lets someone get in. If they capture doing the login method; they can copy your password and index it.

    Lastly; where they tap in to capture the packets is important. Using a VPN if they capture from your ISP you can avoid that; but you will likely be captured as it nears the destination.

    Additionally the internet uses many routers which pass packets from 1 hop to the next. VPNs do not bypass routers.

    (I get the feeling I am repeating myself at this point)

    VPNs provide some level of security but nothing like what you assume or think. It just helps against state sponsored actors. But when backbones are captured; it's not too helpful. You just have to pass through the right gateway.

    NSA uses replay attacks to try and downgrade ssl ciphers in order to be able to brute-force the packet to read it.
     
