Switching FC to full-HTTPS

Would you like this forum to transition to full HTTPS (encrypted) operation mode?

  • Yay! Votes: 155 (89.6%)
  • Nay! Votes: 3 (1.7%)
  • I'm clueless. Votes: 15 (8.7%)
  • Total voters: 173
Status
Not open for further replies.

momofthegoons

vapor accessory addict
You are correct as usual @herbivore21. ;) Hopefully with me tagging him too (and perhaps a pm?) he will respond this time.


Tranquility

Well-Known Member
Well... unless we stumble on to the thread... how are we expected to know? No one has tagged one of us..:shrug:

Any decisions made here with regard to changes to this forum or its software are made by the forum owner, @vtac . If you have something you would like to see changed, feel free to pm him. :2c:
Nah, I'll just bang my head against the wall by posting here. Better than being effective.

My understanding of the core concept of a forum like this is many fold, but focused on selling and supporting vaporizers and vape equipment. I'm sure that it is a service to those in need is a part of the owner's goals. But, I suspect the bottom line is...at some point...the bottom line. With that in mind, unless the owner wants to slowly drain this swamp of highly-motivated people, the forum has to change.

Those here will probably shrink over time for any of a number of reasons and word of mouth is not going to drive members. The forum needs/wants to grow in members and most of them will have a virus check on their computer and will come here from Google.

My current "security" software flags unencrypted sites. (As does Chrome.) Google gives a ranking boost to sites that use HTTPS and it is rumored, based on their stated goal to have it "everywhere", at some point the ranking will push down to the point FC is off the front pages no matter how accurate a thread is to the question searched.
 

HellsWindStaff

Dharma Initiate
The only time I ever used TOR I did it from public wifi at McDonald's but I also installed on an old laptop specifically to see if I could get it to work, very interesting stuff IMO didn't have a full grasp on all of it at time (still don't) but fascinating to me the idea of the dark net......is it really dark if you can google instructions to find it? Prob better thoughts for other threads :lol:

I voted yay I am not overtly paranoid but IMO it's good practice to use HTTPS. There was a program I thought that let you make your own certificates that was free but name escapes me.. Not all that familiar but made self signing certificates to use with controllers I was using Node Red with? If that would be same thing needed. But was very easy
 
Reactions: grokit

momofthegoons

vapor accessory addict
My understanding of the core concept of a forum like this is many fold, but focused on selling and supporting vaporizers and vape equipment.
If our focus was to support the selling of vape equipment, we'd have a whole lot more sponsors. I happen to know that vtac has turned down quite a few; wanting the number to stay the same. He gets no 'kick back' from the vendors and manufacturers that post here (other than the sponsors who pay an annual fee). So no... the purpose of this forum is NOT to support the selling of vape equipment. It was set up to exchange vape information and chat.
 

muunch

hotboxing the cockpit
Not understanding why TOR/tails are even being discussed here.

If you're using either of those to browse this forum, regardless the legality of cannabis in your state/nation/etc... take off your tinfoil hat.
 

grokit

well-worn member
If I was really paranoid I would secure my home with a router-level vpn and be done with it.

But I'm just "medium-paranoid", so I take what I believe are "normal" precautions.

Besides, the vpn thing sounds like a lot of work I don't know how to do.

Even I can see that an https upgrade to fc would be a plus.

:tinfoil:
 

muunch

hotboxing the cockpit
VPNs are more trouble and money than they're worth. I'd rather just buy a cheapo laptop off someone local (the older and crappier the better if all you're doing is browsing the internet) and only use public wifi.

I'd wager using public wifi alone is as secure as a VPN or close to it.
 

damm

Well-Known Member
Not understanding why TOR/tails are even being discussed here.

If you're using either of those to browse this forum, regardless the legality of cannabis in your state/nation/etc... take off your tinfoil hat.

I don't really understand the point of your post here. If you are trying to provide some basic level of security to avoid your ISP from knowing what you are doing (which is the basic reason of HTTPS).

If you use this forum on a public WiFi you should absolutely use a VPN or TOR as it's absolutely easy to sniff and get your username/password over wifi.

Heck there's tools that make it easy to steal the Facebook credentials.

https://en.wikipedia.org/wiki/Session_hijacking#Exploits
 
Reactions: grokit

muunch

hotboxing the cockpit
My point was if you're THAT paranoid where you think your ISP is going to come after you for viewing/browsing a forum about cannabis... then idk.

People talking about tails and TOR to access THIS SITE is (while perfectly valid and secure) way overkill. I can't see a reason for it. That was my point.

I don't have any identifiable information on here so I really don't care if the account was to be compromised. Maybe some do? I don't know.

My post wouldn't have been made if tor/tails wasn't mentioned in regards to browsing this site, so I guess that's the point? idk?

HTTPS for FC? ok - perfectly valid and this should probably be a standard in today's age if you want to not just get skimmed over as a website etc.

TOR/Tails for FC? perfectly valid, sure you can do it - but it's like wearing a scuba suit to go outside in the rain.
 
Reactions: elmoe420

damm

Well-Known Member
My point was if you're THAT paranoid where you think your ISP is going to come after you for viewing/browsing a forum about cannabis... then idk.

People talking about tails and TOR to access THIS SITE is (while perfectly valid and secure) way overkill. I can't see a reason for it. That was my point.

I don't have any identifiable information on here so I really don't care if the account was to be compromised. Maybe some do? I don't know.

My post wouldn't have been made if tor/tails wasn't mentioned in regards to browsing this site, so I guess that's the point? idk?

HTTPS for FC? ok - perfectly valid and this should probably be a standard in today's age if you want to not just get skimmed over as a website etc.

TOR/Tails for FC? perfectly valid, sure you can do it - but it's like wearing a scuba suit to go outside in the rain.

It's not about your ISP. It's not about them always coming after you. It could easily be about Session Hijacking to be blunt.

If you input your credentials on a non-secure site; whoops. Even Chrome is coming out to shame sites that don't provide https

In time we'll have to start clicking buttons to say yes we are aware that this site is insecure and you shouldn't go there. All browsers are trying to force HTTPS as a standard now.

Sure you can blame your ISP; you can blame the NSA. But in this day and age it's more of shaming this site for not offering https.
 

muunch

hotboxing the cockpit
https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

Idk maybe I'm just fortunate to be computer literate but I just don't click on dumb shit or go to shady sites and I don't get viruses/etc/etc even with no antivirus.

Or maybe I'm just missing the point. I obviously voted yes for https, I'm more just bewildered at the random mention of tor/tails just because we're discussing internet security lol
 

grokit

well-worn member
VPNs are more trouble and money than they're worth. I'd rather just buy a cheapo laptop off someone local (the older and crappier the better if all you're doing is browsing the internet) and only use public wifi.

I'd wager using public wifi alone is as secure as a VPN or close to it.
The vpn licenses from avast (one example) only protect one computer at a time; they also have security products made specifically for public wifi, mainly devices but extra security also kicks in on laptops. That tells me that there are many exploits being run on public wifi. Because I use a variety of os's it would be too much of a patchwork solution anyways, which is why I looked at just getting a router with vpn software built in; then I would be secure at home and just need to secure my portable devices for when traveling. The differences in our perception are probably because "public wifi" is such an arbitrary term; a Marriott, joe's coffee shop, and public libraries would have very different security. Using an xp computer or older would mean that you're even more vulnerable because there's no more security patches for the os. From what I can tell it's android and windows-based systems being most taken advantage of. Just my perspective.

edit: Thanks for reminding me about https-everywhere, I used to have it installed on ff but dropped it when I was having ff issues along with a bunch of other extensions. Now I'm running google as well to take the load off of ff, so I should probably go and see if https-everywhere is also available for chrome.

edit2: I just installed https-everywhere on chrome as well, thanks again now I feel a bit safer :rofl:

:freak:
 
Reactions: muunch

muunch

hotboxing the cockpit
tails is based off of linux. if i were to use tor and public wifi - the only way i'd bother to do so is if i was on tails.

i don't think people give that much of a damn and unless you're being specifically targeted or are easily fooled by phishing things etc you really shouldn't worry.

obviously, this is getting away from the point, so I'll just shut up now and let people do whatever they want. I'm just lazy as fuck so I'm not going to jump through all these unnecessary hoops just to look at a forum about weed lol. A forum that should be https in 2017 :3

I wouldn't start going crazy with tails/etc/etc unless I was one of the crazy people that orders drugs off the deep west or wild web. whatever it's called.
 
Reactions: grokit

damm

Well-Known Member
https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

Idk maybe I'm just fortunate to be computer literate but I just don't click on dumb shit or go to shady sites and I don't get viruses/etc/etc even with no antivirus.

Or maybe I'm just missing the point. I obviously voted yes for https, I'm more just bewildered at the random mention of tor/tails just because we're discussing internet security lol

That really doesn't make FC any more secure. I can deny myself access by blocking insecure requests.

It's also known to break sites.

So let's get back on topic here instead of adding useless off topic banter that doesn't help.
 

grokit

well-worn member
Not really. It provides regex rules to help force using secure login mechanisms. It doesn't provide HTTPS to non HTTPS sites.

So really it's off point; it doesn't help secure FC in any way whatsoever.
Thanks for your input; it's also absolutely on-topic,
as this is the only thread that comes up when searching for "https on fc" :tup:

:sherlock:
 

damm

Well-Known Member
Thanks for your input; it's also absolutely on-topic,
as this is the only thread that comes up when searching for "https on fc" :tup:

:sherlock:

Everyone has an opinion and everyone is right? right... wrong there's no website rules for FC on HTTPS Everywhere... so it really doesn't do anything for this site

Can we move back to the original topic now? Tor has its point; but the topic here is switching FC to full HTTPS.

Let's try to stick to that shall we?
 

grokit

well-worn member
Right, the subject is whether fc should have https;
just don't talk about the browser plug-in :rolleyes:

:horse:
 

damm

Well-Known Member
Right, the subject is whether fc should have https;
just don't talk about the browser plug-in :rolleyes:

:horse:
Exactly the plugin doesn't do anything without https. So we're just bikeshedding off in a different direction doing absolutely nothing productive towards our conversation.
 

grokit

well-worn member
That really doesn't make FC any more secure. I can deny myself access by blocking insecure requests.

It's also known to break sites.
Regarding your first point, I think you mean that because fc doesn't conform to HTTPS protocols it's still going to be insecure even if it doesn't "break (2nd point)"?

Your second point is a known issue, which is why https-everywhere can be easily disabled per site.

What other objections/limitations do you have regarding this plug-in?

More importantly, do you have any alternatives to suggest?

"HTTPS Everywhere is a free and open source web browser extension for Google Chrome, Mozilla Firefox and Opera, a collaboration by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use the more secure HTTPS connection instead of HTTP, if they support it."

"What if HTTPS Everywhere breaks some site that I use?
This is occasionally possible because of inconsistent support for HTTPS on sites (e.g., when a site seems to support HTTPS access but makes a few, unpredictable, parts of the site unavailable in HTTPS). If you report the problem to us, we can try to fix it. In the meantime, you can disable the rule affecting that particular site in your own copy of HTTPS Everywhere by clicking on the HTTPS Everywhere toolbar button and unchecking the rule for that site."

:sherlock:
 

vtac

vapor junkie
Staff member
Thank you @KeroZen for starting this discussion and to all who participated. Security is something that has always been taken seriously here and https is something that we will be implementing in the future. It's not quite as simple as flipping a switch and there are a number of other matters that also require attention, so your patience is appreciated.

As usual the level of knowledge here is impressive and there have been many good points brought up in this thread. I agree that if privacy and security are important to you it's best to take control of them yourself. https is certainly worth using, however it's not a panacea for all your privacy and security concerns. Using a trusted and properly configured VPN setup is the way to go as it encrypts all of your traffic including DNS queries.
 

KeroZen

Chronic vapaholic
Hey @vtac, quite the relief to have you back!

I bloody know it's not that simple to implement, especially because Google dislikes duplicated content. So it's a real challenge to have every single link out there converted to HTTPS and ensure all others are properly redirected. Miss a single one and then two versions of your site exist at once for the crawlers... (thankfully it seems that since their move to try to switch the entire Internet to HTTPS they made things easier, like for instance you can indicate in Google Webmaster Tools which version is the main one etc)

Nonetheless it's not easy AND it's not the panacea either as you pointed out. But it would definitely be a good step forward at least. Glad to hear that it's in the pipe. No stress, do it at your own pace. Thank you for your answer.

PS: ah and avoid the latest free certificates fad, it's turning out to be a disaster and hurting the whole chain of trust...
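
The migration problem raised in the post above (every HTTP URL has to redirect permanently to its HTTPS counterpart, and no HTTPS page may keep pointing at the HTTP copy), sketched as an added example that is not part of the original thread. The host `forum.example`, the crawl data and the finding labels are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HOST = "forum.example"  # placeholder host, not the real forum
HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)

# Constructed crawl results: URL -> (status, response headers, body).
CRAWL = {
    "http://forum.example/": (301, {"Location": "https://forum.example/"}, ""),
    "http://forum.example/help": (200, {}, "<a href='/'>home</a>"),
    "http://forum.example/old": (301, {"Location": "https://forum.example/"}, ""),
    "http://forum.example/threads/1": (
        302, {"Location": "https://forum.example/threads/1"}, ""),
    "https://forum.example/": (
        200, {}, '<a href="http://forum.example/threads/1">thread</a>'),
    "https://forum.example/threads/1": (
        200, {}, '<link rel="canonical" href="http://forum.example/threads/1">'),
}


def https_twin(url):
    """Return the same URL with the scheme switched to https."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def audit(crawl, host):
    """List (url, problem) pairs that leave an HTTP copy of the site alive."""
    findings = []
    for url, (status, headers, body) in sorted(crawl.items()):
        if urlsplit(url).scheme == "http":
            if status in (302, 303, 307):
                findings.append((url, "temporary-redirect"))
            elif status not in (301, 308):
                findings.append((url, "served-over-http"))
            elif headers.get("Location") != https_twin(url):
                findings.append((url, "redirect-not-to-twin"))
            continue
        # HTTPS page: internal links or canonical tags must not name http://
        for href in HREF_RE.findall(body):
            target = urlsplit(href)
            if target.scheme == "http" and target.netloc == host:
                findings.append((url, "http-reference:" + href))
    return findings


if __name__ == "__main__":
    for url, problem in audit(CRAWL, HOST):
        print(f"{url}: {problem}")
```
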
 

damm

Well-Known Member
Thank you @KeroZen for starting this discussion and to all who participated. Security is something that has always been taken seriously here and https is something that we will be implementing in the future. It's not quite as simple as flipping a switch and there are a number of other matters that also require attention, so your patience is appreciated.

As usual the level of knowledge here is impressive and there have been many good points brought up in this thread. I agree that if privacy and security are important to you it's best to take control of them yourself. https is certainly worth using, however it's not a panacea for all your privacy and security concerns. Using a trusted and properly configured VPN setup is the way to go as it encrypts all of your traffic including DNS queries.

VPN's at this point in the game only hide where you originate from. Hard lines are still being captured so your data is still being transmitted over the wire unencrypted. Not a perfect solution either but can be helpful in some situations.

PS: ah and avoid the latest free certificates fad, it's turning out to be a disaster and hurting the whole chain of trust...

I've never understood why 16$ was so expensive; Gandi used to be a bit cheaper but it's so much better than having to renew your ssl certificate every 90 days.
 
Reactions: KeroZen

damm

Well-Known Member
Sorry bud but this statement is not entirely correct.

A VPN runs as an encrypted logical connection between the source and the VPN endpoint. Irrespective of the physical mediums the data traverses. This means your true point of origin is seen as the endpoint.

All traffic between you and the endpoint is encrypted. However traffic between the endpoint and the destination would not be encrypted.

ORIGIN <=====> Endpoint <- - - - > Destination

The double lines indicate the VPN encrypted tunnel. The single line indicates the unencrypted traffic.

The destination in regards to FC is the FC's public web server IP. Assuming a user is using a VPN with an endpoint in Toronto (just an example) then all traffic from the FC forum being returned to the user will be destined back to Toronto where it would then be encrypted and forwarded back to the user. If the user is sending a password then it's only encrypted up to the point of the VPN endpoint. I think that's what you were probably trying to highlight.

As far as security goes, only a forum user's password and private messages are of concern. The rest of the data is public anyway as it's a public forum.

HTTPS is beneficial though as it helps to limit man-in-the-middle attacks (regardless of VPN usage) on passwords and PMs.

I'm sorry you don't really understand how the NSA works then. Let alone how people are hooked into fiber connections to essentially copy every packet over. It has been happening (reportedly) since 2004

If they have access to the hard lines; there is nothing really you can do except enable HTTPS. This is why Google had to rush to enable crypto on their whole infrastructure as the NSA had tapped into their backlines...

Using this method; they have access to the body of the message and the cookie content. Really seems harmless unless you consider that your cookie has your email address (and a hashed cookie) that lets someone get in. If they capture doing the login method; they can copy your password and index it.

Lastly; where they tap in to capture the packets is important. Using a VPN if they capture from your ISP you can avoid that; but you will likely be captured as it nears the destination.

Additionally the internet uses many routers which pass packets from 1 hop to the next. VPN's do not bypass routers.

(I get the feeling I am repeating myself at this point)

VPN's provide some level of security but nothing like what you assume or think. It just helps against state sponsored actors. But when backbones are captured; it's not too helpful. You just have to pass through the right gateway.

NSA uses replay attacks to try and downgrade ssl ciphers in order to be able to brute-force the packet to read it.
 