
Switching FC to full-HTTPS

Discussion in 'Community Discussion' started by KeroZen, Sep 5, 2016.


Would you like that this forum transitions to full HTTPS (encrypted) operation mode?

  1. Yay! - 92 vote(s), 87.6%
  2. Nay! - 2 vote(s), 1.9%
  3. I'm clueless - 11 vote(s), 10.5%
  1. HellsWindStaff

    HellsWindStaff Dharma Initiate

    Messages:
    1,762
    Can you elaborate on this? I'm not really familiar with certificates and the only time I did it I used OpenSSL which generated me a free certificate..... I don't really understand what I/OpenSSL did though or what actually the certificate is doing, I just put it on my controller and it just allows me to use https://Bs.Bs.Bs.Bs. rather than http://bs.bs.bs.bs - I am on a LAN too so maybe that's why I don't get what changes really took place?

    You can PM if more applicable and I did some research to figure out on my own but a KISS would be appreciated :) some of the jargon is over my head.
     
  2. KeroZen

    KeroZen Chronic vapaholic

    Messages:
    2,664
    Location:
    On Air
    Hm what you are referring to would be a "self signed certificate". They are ok for personal use but give you a warning in your browser and you need to add an exception to accept them (obviously not a solution for this forum, as the warning you get is relatively daunting hehe)

    What I was hinting about is the new "Let's encrypt" initiative: https://letsencrypt.org/

    I can't find the exact article back but it was along these lines:
    http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html
    https://www.thesslstore.com/blog/lets-encrypt-phishing/

    ...and the bottom line: it took years to implement the green lock icon and have users trust sites and SSL overall and it could be jeopardized by all these malicious YET GENUINE sites/certs... Free certs don't seem like a good idea (and yes you can get real certs for $12/year it's not as pricey as in the past but having some cost barrier helps a lot to prevent mass spammers/scammers/phishers)

    A few selected links from my browsing history relevant to this topic in general:
    http://neilpatel.com/blog/does-a-ssl-certificate-affect-your-seo-a-data-driven-answer/
    https://www.maxcdn.com/blog/ssl-performance-myth/
    http://www.theverge.com/2016/9/8/12847880/chrome-warning-encryption-web-google-ssl-https
    https://www.bleepingcomputer.com/ne...t-perform-https-interception-weaken-security/
     
    HellsWindStaff likes this.
  3. GreenHopper

    GreenHopper 20 going on 60

    Messages:
    1,632
    Yeh I misread your post, thought you were saying VPNs don't encrypt traffic but you were obviously talking about the bit between the VPN destination endpoint and the web server.

    I took the post down within about 20 seconds of posting it after double checking and realising I had errored.

    So sorry for making you repeat yourself, I was stoned at the time, expect to have to repeat yourself again as I'm stoned this time too :p

    I know all about the NSA, HTTPS isn't going to make any difference in regards to their ability to spy on the traffic. If they can get at hard lines they can get at public root certificates.

    However the good news is the NSA don't care about me, or you, or this site. They endeavour to protect a government (corrupt) and national interests (the corrupters) from anyone who threatens their regime. The same goes for GCHQ and all the other government agencies out there who have the power of state policy on their side and so are able to tap hardlines and demand root certs.

    Just don't give them a reason to be interested in you, don't start a political movement, or appear as if you might. Also don't get given a digital recording of an NSA black ops assassination and then team up with Gene Hackman to take down the NSA leader (thats humor, you don't need to hate it).

    HTTPS will however offer end-to-end security from others that might try to cause an FC member some unjust harm so it's definitely worth having.

    It's the others I worry about, the people selling private data, the extortionists, yadda... yadda... ya...

    Any security is better than no security.
     
    Esoteric likes this.
  4. HellsWindStaff

    HellsWindStaff Dharma Initiate

    Messages:
    1,762
    Thank you much, learn something new everyday @KeroZen
     
    KeroZen likes this.
  5. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    The problem is there are like 12,00 new PayPal-like certificates issued by letsencrypt daily. Scammers are using them badly; the cost for SSL Certificates has never been that high for a single record entry. It's really there to provide a good mechanism to stop spammers from getting them

    We've had free ssl certificate providers before; Thawte used to give more... now it's a 21 day trial for free

    That's okay I can repeat myself better then I am stoned.
    Oh it does make a difference. If your web site administrator sets up an ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1, don't support RSA or MD5 ciphers goes a long way. There's a whole list but that's what https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.

    I've been in this game far too long and by god even I don't have the memory for this kind of stuff :(

    Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good, tax-paying citizens who run businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.

    It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.

    Sucks but that's the sucker punch; https://en.wikipedia.org/wiki/Firesheep without encrypted cookies...

    and according to the developer tools the cookies here are not secure so I think we really need SSL ... encrypted cookies would be a huge bonus
     
    muunch likes this.
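    Two checks that follow from the points above (the cipher list an admin configures, and the cookies that show up as not Secure in the developer tools), as an added example that is not the forum's code or Mozilla's generator; the nginx snippets and Set-Cookie headers are constructed:

```python
"""Two pre-launch checks from this thread: the nginx TLS directives (protocol
versions and cipher list) and the Set-Cookie headers the forum sends. Added
example, not the forum's or Mozilla's tooling; config and headers are constructed."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-name fragments that mark a broken or obsolete primitive.
WEAK_MARKERS = {"MD5": "MD5 MAC", "RC4": "RC4 stream cipher", "DES": "DES/3DES",
                "NULL": "null cipher or no authentication", "EXP": "export-grade key",
                "ADH": "anonymous DH", "AECDH": "anonymous ECDH"}

def directive(config, name):
    """Arguments of the first `name ...;` directive in an nginx config, or []."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).split() if m else []

def audit_tls(config):
    findings = [f"protocol {p} is obsolete" for p in directive(config, "ssl_protocols")
                if p in WEAK_PROTOCOLS]
    for suite in ":".join(directive(config, "ssl_ciphers")).split(":"):
        if not suite or suite[0] in "!-@":
            continue                       # exclusions and ordering flags enable nothing
        if "-" not in suite:               # HIGH, ALL, RC4 ... are aliases for many suites
            findings.append(f"keyword {suite} expands to many suites; list them explicitly")
            continue
        findings += [f"cipher {suite}: {why}" for marker, why in WEAK_MARKERS.items()
                     if re.search(rf"(^|-){marker}(-|\d|$)", suite)]
        # No ECDHE-/DHE- prefix means static RSA key exchange: every recorded session
        # becomes readable if the server's private key ever leaks (no forward secrecy).
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipher {suite}: no forward secrecy")
    return findings

# Attribute names (lower-cased) and how to report them when absent.
REQUIRED_COOKIE_ATTRS = (("secure", "Secure"), ("httponly", "HttpOnly"))

def audit_cookies(set_cookie_headers):
    """Flag cookies a Firesheep-style sniffer could read off plain HTTP (no Secure)
    or that page scripts can read (no HttpOnly)."""
    findings = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in header.split(";")[1:]}
        findings += [f"cookie {name}: missing {label}"
                     for attr, label in REQUIRED_COOKIE_ATTRS if attr not in attrs]
    return findings

WEAK_CONFIG = """
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-MD5:AES128-SHA:!aNULL;
"""
HARDENED_CONFIG = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
"""
COOKIES_BEFORE = ["session=abc123; path=/", "user=42%2Cdeadbeef; path=/; Max-Age=31536000"]
COOKIES_AFTER = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
                 "user=42%2Cdeadbeef; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax"]
```

    Run `audit_tls(WEAK_CONFIG)` and `audit_cookies(COOKIES_BEFORE)` to see the findings; the hardened config and the `Secure; HttpOnly` cookies produce none.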
  6. grokit

    grokit well-worn member

    Messages:
    11,955
    Location:
    the north
    I've been reading lately that using things like vpns and the tor browser can put you under added scrutiny, leading to the type of attention you're trying to avoid in the first place. I suppose this is why you need to be able to trust your vpn, which makes me think of this old question: who's gonna watch the watchmen?

    :uhh:
     
  7. GreenHopper

    GreenHopper 20 going on 60

    Messages:
    1,632
    Yeh sorry about that, the high hit me kinda hard tonight, not sure why :lol:

    Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.

    I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules :argh:). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly :tinfoil:) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.

    No need to attack RSA vulnerabilities in the IKE phase to get the private key.

    No need to brute force the actual AES session (or what ever cipher is being used, hopefully AES256).

    If they have access to CA root certs and I believe they do :tinfoil: then they have the master keys if not for all HTTPS traffic, certainly for the sessions based off of certs created by authorities that reside under their jurisdiction.

    Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.

    We can add more RAM to your system but you'll need to raise an RFC. It's another RFC if you want to be rebooted and you'll have to get authorisation from a manager if you want us to virtualise you. :lol:

    I believe they only care if you present yourself as a threat to their agenda. The NSA and FBI certainly destroyed Aaron Swartz because he was a political organiser. So yep I'm not saying don't be cautious, if you are a person of interest then you shouldn't be on this site.

    But for the average person I just don't believe the major players give a damn about them. Of course that is until you give them a reason to.

    They'll use cannabis against you for sure, that's one of the reasons why the USA haven't legalized federally or the Brits. But I don't think they are hunting or rooting out the FC community or the average stoner. Cannabis users are the lowest of the low priority for government based security agencies, they have to ensure the security for not only the government but the commercial aspect of their realms. It's more about imperialist power and stable economics. If you fuck with that then you are screwed no matter what security measures you've taken.

    Used to manage networks (the usual players), now build cloud IaaS/PaaS/SaaS infrastructures. Now that shit is fluffy! :nod: Mostly due to the sales guys selling one thing, managers thinking they are getting another and the rest of us hoping someone can actually define a requirement to deliver on and then resource it accordingly.

    Completely agree about public WiFi hotspots, you are broadcasting your traffic and anyone with Wireshark or tcpdump can easily have at it. However this is where a VPN would cover you from attackers from others on the local WiFi network even if you are using a site that doesn't use SSL. They aren't mutually exclusive technologies but this site shouldn't rely on the end user to know how to manage a VPN.

    SSL is a better option.

    Which is why I'm delighted @vtac is well and present and on the case. :tup:

    P.S. Sorry everyone for the long and techy post but it's an interesting convo when you actually get down to it and this thread is about security for FC.
     
    YaMon, Aizen-sama and OldNewbie like this.
  8. damm

    damm Well-Known Member

    Messages:
    295
    Location:
    Pacific Northwest
    I'm not sure if they really do. If they have access to the keys it is likely through lawsuits and not direct access. I hope; but the truth is most businesses work with the government faithfully because it is considered one of the things you do as a good citizen. Work with your government. So if you are incorrect it's likely only slightly; they just need to make a phone call to get a copy.

    If they don't have a hidden CA in the OpenSSL toolkit. I wouldn't be shocked if there are other CA's also

    Too bad browsers have made it very difficult to untrust CA providers.

    It is the best option unfortunately. There will be exploits in the SSL toolkit from time to time; there is no easy answer.
     
  9. syrupy

    syrupy Authorized Buyer

    Messages:
    2,497
    So we're having a conversation about how creepy the govt is, on a non-encrypted site? Not me, I salute our overlords, at least while on http. (On https or vpn, my opinion may differ.)
     
  10. ichibaneye

    ichibaneye Vapriot, Traveler & Vaporizer/ing lover!

    Messages:
    792
    Location:
    The Honeycomb Hideout
    Hip hip hooray for privacy and security!
     
    peaceonearth likes this.
  11. Esoteric

    Esoteric Pot Head formerly Septon Sefton

    Messages:
    58
    This is exactly what using tor will do. It will get you put on the type of lists you are trying to avoid! It will also slow your internet down to practically unusable speeds. It always amazes me to see people recommending it. TOR is for political dissidents in countries with extreme laws, it certainly isn't necessary to browse FC.

    A VPN will provide you with some security from eavesdropping but is also likely already being monitored by security services.

    SSL certificates are a good idea, but again if you are being watched at state level it probably won't help you. It will protect you from people on your network, i.e. people in your house or at your ISP who wish to spy on your traffic. Which is something I'm not worried about at all and that 99.9% of users probably don't need to worry about either.
     
    Last edited: Apr 23, 2017
  12. asdf420

    asdf420 Well-Known Member

    Messages:
    269
    I'm worried about the lack of HTTPS. There's the additional issue of some ISPs injecting content onto unencrypted HTTP connections.

    Let's Encrypt is way more than a fad. I'll admit that I find it worrying that they're still allowing domains containing "paypal" to register. Using Let's Encrypt is much better than nothing, imo. It still does its basic function well, in ensuring that you're really connecting to the server owned by the domain owner. I don't see the harm in registering with them. Even if you think they're immoral, registering with them doesn't support them that much...

    There have been way too many sites that haven't been using HTTPS, including this one. I think it was shown that Let's Encrypt has helped reduce the number of these.. it's not all bad. I think calling it a disaster is a bit of an exaggeration, though phishing sucks..
     
    Last edited: Nov 16, 2017
    KeroZen likes this.
  13. asdf420

    asdf420 Well-Known Member

    Messages:
    269
    can't edit, so doubleposting... correction: Let's Encrypt tries to ensure that whoever requests a certificate for a domain owns the server the domain resolves to, which is not necessarily owned by the domain owner.. but usually is. I think most CAs work this way? Just not as automated.
     
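    A small offline model of the http-01 challenge that Let's Encrypt runs, added here to show what the correction above means in practice; it is not Let's Encrypt's code, and the DNS table, hosts and account key are constructed stand-ins:

```python
"""Offline model of the ACME http-01 challenge (RFC 8555 section 8.3) that
Let's Encrypt uses before issuing for a name. Added example, not Let's Encrypt's
code; DNS table, hosts and account key are constructed stand-ins."""
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

class Host:
    """A web server at some IP; it serves only files someone wrote to it."""
    def __init__(self):
        self.files = {}

# Constructed "DNS" (documentation-range address) and the host behind it.
DNS = {"example-shop.test": "203.0.113.10"}
HOSTS = {"203.0.113.10": Host()}

def requester_respond(host: Host, token: str, account_jwk: dict) -> None:
    """Whoever can write files on the served host publishes the key authorization."""
    host.files[f"/.well-known/acme-challenge/{token}"] = f"{token}.{jwk_thumbprint(account_jwk)}"

def ca_validate(domain: str, token: str, account_jwk: dict) -> bool:
    """The CA resolves the name, fetches the token path over plain HTTP and
    compares; it never asks who registered the domain."""
    host = HOSTS.get(DNS.get(domain))
    if host is None:
        return False
    body = host.files.get(f"/.well-known/acme-challenge/{token}")
    return body == f"{token}.{jwk_thumbprint(account_jwk)}"

def issuance_decision(domain: str, controls_host: bool, account_jwk: dict) -> bool:
    """One full challenge. `controls_host` models whether the requester can
    write to the host the name currently resolves to, which is all http-01 tests."""
    token = b64url(secrets.token_bytes(32))       # CA picks a fresh random token
    if controls_host:
        requester_respond(HOSTS[DNS[domain]], token, account_jwk)
    return ca_validate(domain, token, account_jwk)

# Constructed EC account key, public part only; coordinates are arbitrary stand-ins.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"stand-in x coordinate"), "y": b64url(b"stand-in y coordinate")}
```

    Because the only question asked is "can you publish a file on the host this name resolves to", the domain owner's own controls are a CAA record naming which CAs may issue and watching Certificate Transparency logs for certificates they did not request.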
  14. asdf420

    asdf420 Well-Known Member

    Messages:
    269
    Last edited: Mar 1, 2018
  15. YaMon

    YaMon Vaping since 2010

    Messages:
    190
    I too am happy to hear @vtac is considering SSL. Obtaining a public key certificate from a recognized CA and switching to HTTPS verifies you are communicating with authorized servers and that your request has not been redirected. The communication is then encrypted, including your email address and password (hope you are not using the same email address and password with other sites?) If it's HTTP and your IP address is logged and they capture some of your clear text traffic, while remote, it's possible someone could knock on your door.

    VPN would not help much, it would simply change the IP, which points to the other end of the VPN tunnel.. whose tunnel, work? That's not helpful.
     
    grokit likes this.
  16. Cemmos

    Cemmos Well-Known Member

    Messages:
    52
    Location:
    United States
    Letsencrypt + proxying images (via XenForo's default configuration) = win. It shouldn't be too hard to switch over to HTTPS and would take as little as 15 minutes to do so, for an advanced sysadmin. Otherwise, tutorials are plentiful and should take no longer than an hour.
     
    asdf420 likes this.
  17. asdf420

    asdf420 Well-Known Member

    Messages:
    269
    If you like less "magic" stuff, there's https://github.com/diafygi/acme-tiny
    Maybe it'd be good to wait until ACME v2 is stable?

    I didn't understand what "proxying images" meant at first. It's so that all images are served through fuckcombustion.com rather than whatever random host. To avoid tracking, and broken images?
     
  18. Cemmos

    Cemmos Well-Known Member

    Messages:
    52
    Location:
    United States
    Yep, it's essentially to keep the images from breaking and keeping the page secure. I think most people on FC tend to use the attachment feature, which is great, but if they're linking from places like Imgur/Photobucket/etc without https, then the images wouldn't appear — this is where proxying the images through FC would come in handy, so old and current posts wouldn't get broken and the page would stay secure.

    Although the images can be cached with the proxy, there is still the issue that images can be broken if they're deleted from the host server (like Imgur). That's not an issue specific with SSL, though, since that could happen without it as well.
     
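    An added example of the proxying described above, modelled on camo-style image proxies and not XenForo's or FC's own code: post HTML is rewritten so off-site images load through the forum's HTTPS host, and the proxy endpoint only fetches URLs the forum itself signed; the hostnames, secret and HTML are constructed.

```python
"""Serve remote images through the forum's own HTTPS host so posts that link
http:// images stay free of mixed content, with an HMAC so the proxy endpoint
fetches only URLs the forum generated. Added example modelled on camo-style
proxies; not XenForo's or the forum's code. Hostnames, secret and HTML are constructed."""
import hashlib, hmac, re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

FORUM_HOST = "forum.example.test"                     # assumed HTTPS hostname
PROXY_SECRET = b"constructed-secret-keep-out-of-git"  # server-side only

def sign(url: str) -> str:
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()

def proxy_url(src: str) -> str:
    """Rewrite off-site images to the proxy; forum-hosted attachments and
    relative paths are left alone."""
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https") or parsed.netloc == FORUM_HOST:
        return src
    query = urlencode({"url": src, "hash": sign(src)})
    return f"https://{FORUM_HOST}/proxy.php?{query}"

IMG_SRC = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.IGNORECASE)

def rewrite_post(html: str) -> str:
    """Rewrite every <img src> in rendered post HTML at display (or save) time."""
    return IMG_SRC.sub(lambda m: m.group(1) + proxy_url(m.group(2)) + m.group(3), html)

def proxy_target(query_string: str) -> Optional[str]:
    """Proxy endpoint side: return the URL to fetch, or None if the request was
    not signed by the forum (without this check the endpoint is an open proxy
    into whatever the web server can reach)."""
    params = parse_qs(query_string)
    url = params.get("url", [""])[0]
    given = params.get("hash", [""])[0]
    if not url or not hmac.compare_digest(given, sign(url)):
        return None
    return url

# Constructed post: one remote http image, one forum-hosted attachment.
POST_HTML = ('<p>pics</p><img src="http://pics.example.test/vape.jpg">'
             f'<img src="https://{FORUM_HOST}/attachments/1.png">')
```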
  19. leveltree

    leveltree the best level to be at

    Messages:
    73
    I really would appreciate a switch to HTTPS!
    It's just standard today for sites with login etc.
    Was happy to find already a thread for it, sad it has not been done yet :D
    Of course it's completely up to vtac but not having it in this forum really feels outdated :D
    Not trying to be a bitch here, just showing support! :)
     
    asdf420 likes this.
  20. asdf420

    asdf420 Well-Known Member

    Messages:
    269
    Willing to help with setup. I've set up Let's Encrypt on a site on a ramnode vps with nginx, and also on shared hosting
     
    Jill NYC likes this.
  21. analytika

    analytika Well-Known Member

    Messages:
    198
    Location:
    San Francisco, California
    The upgrade to SSL and https:// URLs is quick, cheap and easy these days. Modern load balancers and proxies can wrap the existing web server(s) for an http:// site and auto-rewrite every URL for browsers that support it, and leave http:// access intact for browsers that for some reason don't support it (the only reason left, in the real world, is to keep the door open to users in jurisdictions in which SSL browsing is blocked or simply illegal), without a single change required to the original architecture. A couple of hours' work for a competent systems administrator.

    The costs in terms of system resources and incremental CPU are negligible, today.

    Much easier to set up HaProxy to handle all of it, above the Nginx layer, in my experience.

    Considering the subject matter of these forums and possible legal jeopardy for some participants, it's the responsible thing to do.

    Bud's Vape Life Forum has been SSL encrypted as long as I've visited the site.

    Has anyone checked whether the site is open invitation for web crawling spiders? Or are the standard robots.txt file and HTTP metatags flagged noindex? Again, this is the responsible thing to do.

    EDIT: I can't find a top level robots.txt file, which, if I'm right, means it's open season for search engines.
     
    Last edited: Apr 26, 2018 at 1:05 AM
    leveltree likes this.
