Switching FC to full-HTTPS

Would you like that this forum transitions to full HTTPS (encrypted) operation mode?

  • Yay! (155 votes, 89.6%)
  • Nay! (3 votes, 1.7%)
  • I'm clueless (15 votes, 8.7%)

Total voters: 173
Status
Not open for further replies.

HellsWindStaff

Dharma Initiate
PS: ah and avoid the latest free certificates fad, it's turning out to be a disaster and hurting the whole chain of trust...

Can you elaborate on this? I'm not really familiar with certificates and the only time I did it I used OpenSSL which generated me a free certificate..... I don't really understand what I/OpenSSL did though or what actually the certificate is doing, I just put it on my controller and it just allows me to use https//Bs.Bs.Bs.Bs. rather than http://bs.bs.bs.bs - I am on a LAN too so maybe that's why I don't get what changes really took place?

You can PM if more applicable and I did some research to figure out on my own but a KISS would be appreciated :) some of the jargon is over my head.
 

KeroZen

Chronic vapaholic
Hm what you are referring to would be a "self signed certificate". They are ok for personal use but give you a warning in your browser and you need to add an exception to accept them (obviously not a solution for this forum, as the warning you get is relatively daunting hehe)

What I was hinting about is the new "Let's encrypt" initiative: https://letsencrypt.org/

I can't find the exact article back but it was along these lines:
http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html
https://www.thesslstore.com/blog/lets-encrypt-phishing/

...and the bottom line: it took years to implement the green lock icon and have users trust sites and SSL overall and it could be jeopardized by all these malicious YET GENUINE sites/certs... Free certs don't seem like a good idea (and yes you can get real certs for $12/year it's not as pricey as in the past but having some cost barrier helps a lot to prevent mass spammers/scammers/phishers)

A few selected links from my browsing history relevant to this topic in general:
http://neilpatel.com/blog/does-a-ssl-certificate-affect-your-seo-a-data-driven-answer/
https://www.maxcdn.com/blog/ssl-performance-myth/
http://www.theverge.com/2016/9/8/12847880/chrome-warning-encryption-web-google-ssl-https
https://www.bleepingcomputer.com/ne...t-perform-https-interception-weaken-security/
 

GreenHopper

20 going on 60
I'm sorry you don't really understand how the NSA works then. Let alone how people are hooked into fiber connections to essentially copy every packet over. It has been happening (reportedly) since 2004

If they have access to the hard lines; there is nothing really you can do except enable HTTPS. This is why Google had to rush to enable crypto on their whole infrastructure as the NSA had tapped into their backlines...

Using this method; they have access to the body of the message and the cookie content. Really seems harmless unless you consider that your cookie has your email address (and a hashed cookie) that lets someone get in. If they capture doing the login method; they can copy your password and index it.

Lastly; where they tap in to capture the packets is important. Using a VPN if they capture from your ISP you can avoid that; but you will likely be captured as it nears the destination.

Additionally the internet uses many routers which pass packets from 1 hop to the next. VPNs do not bypass routers.

(I get the feeling I am repeating myself at this point)

VPNs provide some level of security but nothing like what you assume or think. It just helps against state sponsored actors. But when backbones are captured; it's not too helpful. You just have to pass through the right gateway.

NSA uses replay attacks to try and downgrade ssl ciphers in order to be able to brute-force the packet to read it.

Yeh I misread your post, thought you were saying VPNs don't encrypt traffic but you were obviously talking about the bit between the VPN destination endpoint and the web server.

I took the post down within about 20 seconds of posting it after double checking and realising I had errored.

So sorry for making you repeat yourself, I was stoned at the time, expect to have to repeat yourself again as I'm stoned this time too :p

I know all about the NSA, HTTPS isn't going to make any difference in regards to their ability to spy on the traffic. If they can get at hard lines they can get at public root certificates.

However the good news is the NSA don't care about me, or you, or this site. They endeavour to protect a government (corrupt) and national interests (the corrupters) from anyone who threatens their regime. The same goes for GCHQ and all the other government agencies out there who have the power of state policy on their side and so are able to tap hardlines and demand root certs.

Just don't give them a reason to be interested in you, don't start a political movement, or appear as if you might. Also don't get given a digital recording of an NSA black ops assassination and then team up with Gene Hackman to take down the NSA leader (that's humor, you don't need to hate it).

HTTPS will however offer end-to-end security from others that might try to cause an FC member some unjust harm so it's definitely worth having.

It's the others I worry about, the people selling private data, the extortionists, yadda... yadda... ya...

Any security is better than no security.
 

damm

Well-Known Member
Hm what you are referring to would be a "self signed certificate". They are ok for personal use but give you a warning in your browser and you need to add an exception to accept them (obviously not a solution for this forum, as the warning you get is relatively daunting hehe)

What I was hinting about is the new "Let's encrypt" initiative: https://letsencrypt.org/

The problem is there are like 12,00 new paypal like certificates issued by letsencrypt daily. Scammers are using them badly; the cost for SSL Certificates has never been that high for a single record entry. It's really there to provide a good mechanism to stop spammers from getting them

We've had free ssl certificate providers before; Thawte used to give more... now it's a 21 day trial for free

Yeh I misread your post, thought you were saying VPNs don't encrypt traffic but you were obviously talking about the bit between the VPN destination endpoint and the web server.

I took the post down within about 20 seconds of posting it after double checking and realising I had errored.

So sorry for making you repeat yourself, I was stoned at the time, expect to have to repeat yourself again as I'm stoned this time too :p
That's okay I can repeat myself better than I am stoned.
I know all about the NSA, HTTPS isn't going to make any difference in regards to their ability to spy on the traffic. If they can get at hard lines they can get at public root certificates.
Oh it does make a difference. If your web site administrator sets up an ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1, don't support RSA or MD5 ciphers; that goes a long way. There's a whole list but that's what https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.

I've been in this game far too long and by god even I don't have the memory for this kind of stuff :(

However the good news is the NSA don't care about me, or you, or this site.
Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good tax-paying citizens who run businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.

HTTPS will however offer end-to-end security from others that might try to cause an FC member some unjust harm so it's definitely worth having.
It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.

Sucks but that's the sucker punch; https://en.wikipedia.org/wiki/Firesheep without encrypted cookies...

and according to the developer tools the cookies here are not secure so I think we really need SSL ... encrypted cookies would be a huge bonus
 
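The two points made in this post, a server cipher/protocol list that drops TLSv1, static-RSA and MD5 suites, and session cookies that carry the Secure flag so they never travel over plain HTTP, can both be checked offline. The following is an added example, not code from any poster or from the forum software; the cipher string, protocol list and Set-Cookie lines at the bottom are constructed samples.

```python
"""Offline audit of an OpenSSL-style cipher list, a protocol list and
Set-Cookie headers, written as an illustration for this thread."""
import re

# Protocols the post says not to support; SSLv2/SSLv3 and TLSv1.1 are added
# here because no current configuration generator enables them either.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Bulk cipher or MAC names that should never appear in an enabled suite.
WEAK_ALGORITHMS = re.compile(r"(^|-)(MD5|RC4|DES|3DES|NULL|EXP|EXPORT)(-|$)")

# Key-exchange prefixes used in OpenSSL suite names. A name with none of
# these (e.g. AES128-SHA) negotiates static RSA key exchange.
KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-")
FORWARD_SECRET = {"ECDHE", "DHE", "EDH"}


def key_exchange(suite):
    """Return the key-exchange method an OpenSSL-style suite name implies."""
    if suite.startswith("TLS_"):          # TLS 1.3 names always use (EC)DHE
        return "ECDHE"
    for prefix in KX_PREFIXES:
        if suite.startswith(prefix):
            return prefix.rstrip("-")
    return "RSA"


def audit_tls_config(protocols, cipher_string):
    """Flag weak protocols and any *enabled* suite without forward secrecy
    or using MD5/RC4/DES/export crypto. Entries prefixed '!' or '-' are
    removals and are skipped; bare aliases such as HIGH are not expanded."""
    findings = []
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto} is enabled")
    for entry in cipher_string.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-":
            continue                      # explicit removal, nothing to flag
        suite = entry.lstrip("+")
        if "-" not in suite and not suite.startswith("TLS_"):
            findings.append(f"alias {suite} not expanded, check with openssl ciphers -v")
            continue
        kx = key_exchange(suite)
        if kx not in FORWARD_SECRET:
            findings.append(f"suite {suite} uses static {kx} key exchange (no forward secrecy)")
        if WEAK_ALGORITHMS.search(suite):
            findings.append(f"suite {suite} uses a weak cipher or MAC")
    return findings


def audit_set_cookie(header_lines):
    """Flag Set-Cookie headers missing Secure (the cookie would also be sent
    over plain HTTP, which is what Firesheep captured) or HttpOnly."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed sample: TLSv1 still on, one static-RSA suite, one cookie
    # set without Secure. Nothing here was captured from a real server.
    for f in audit_tls_config(["TLSv1", "TLSv1.2"],
                              "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!MD5"):
        print("TLS:", f)
    for f in audit_set_cookie(["Set-Cookie: forum_session=abc123; path=/; HttpOnly",
                               "Set-Cookie: forum_user=42; path=/; Secure; HttpOnly",
                               "Content-Type: text/html"]):
        print("COOKIE:", f)
```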

grokit

well-worn member
I've been reading lately that using things like vpns and the tor browser can put you under added scrutiny, leading to the type of attention you're trying to avoid in the first place. I suppose this is why you need to be able to trust your vpn, which makes me think of this old question: who's gonna watch the watchmen?

:uhh:
 

GreenHopper

20 going on 60
That's okay I can repeat myself better than I am stoned.

Yeh sorry about that, the high hit me kinda hard tonight, not sure why :lol:

Oh it does make a difference. If your web site administrator sets up an ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1, don't support RSA or MD5 ciphers; that goes a long way. There's a whole list but that's what https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.

Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.

I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules :argh:). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly :tinfoil:) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.

No need to attack RSA vulnerabilities in the IKE phase to get the private key.

No need to brute force the actual AES session (or what ever cipher is being used, hopefully AES256).

If they have access to CA root certs and I believe they do :tinfoil: then they have the master keys if not for all HTTPS traffic, certainly for the sessions based off of certs created by authorities that reside under their jurisdiction.

Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.

I've been in this game far too long and by god even I don't have the memory for this kind of stuff :(

We can add more RAM to your system but you'll need to raise an RFC. It's another RFC if you want to be rebooted and you'll have to get authorisation from a manager if you want us to virtualise you. :lol:

Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good tax-paying citizens who run businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.

I believe they only care if you present yourself as a threat to their agenda. The NSA and FBI certainly destroyed Aaron Swartz because he was a political organiser. So yep I'm not saying don't be cautious, if you are a person of interest then you shouldn't be on this site.

But for the average person I just don't believe the major players give a damn about them. Of course that is until you give them a reason to.

They'll use cannabis against you for sure, that's one of the reasons why the USA haven't legalized federally or the Brits. But I don't think they are hunting or rooting out the FC community or the average stoner. Cannabis users are the lowest of the low priority for government based security agencies, they have to ensure the security for not only the government but the commercial aspect of their realms. It's more about imperialist power and stable economics. If you fuck with that then you are screwed no matter what security measures you've taken.

It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.

Sucks but that's the sucker punch; https://en.wikipedia.org/wiki/Firesheep without encrypted cookies...

and according to the developer tools the cookies here are not secure so I think we really need SSL ... encrypted cookies would be a huge bonus

Used to manage networks (the usual players), now build cloud IaaS/PaaS/SaaS infrastructures. Now that shit is fluffy! :nod: Mostly due to the sales guys selling one thing, managers thinking they are getting another and the rest of us hoping someone can actually define a requirement to deliver on and then resource it accordingly.

Completely agree about public WiFi hotspots, you are broadcasting your traffic and anyone with wireshark or tcpdump can easily have at it. However this is where a VPN would cover you from attackers from others on the local WiFi network even if you are using a site that doesn't use SSL. They aren't mutually exclusive technologies but this site shouldn't rely on the end user to know how to manage a VPN.

SSL is a better option.

Which is why I'm delighted @vtac is well and present and on the case. :tup:

P.S. Sorry everyone for the long and techy post but it's an interesting convo when you actually get down to it and this thread is about security for FC.
 

damm

Well-Known Member
Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.

I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules :argh:). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly :tinfoil:) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.

I'm not sure if they really do. If they have access to the keys it is likely through lawsuits and not direct access. I hope; but the truth is most businesses work with the government faithfully because it is considered one of the things you do as a good citizen. Work with your government. So if you are incorrect it's likely only slightly; they just need to make a phone call to get a copy.

Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.

If they don't have a hidden CA in the OpenSSL toolkit. I wouldn't be shocked if there are other CA's also

Too bad browsers have made it very difficult to untrust CA providers.

SSL is a better option.
It is the best option unfortunately. There will be exploits in the SSL toolkit from time to time; there is no easy answer.
 

Esoteric

Pot Head formerly Septon Sefton
I've been reading lately that using things like vpns and the tor browser can put you under added scrutiny, leading to the type of attention you're trying to avoid in the first place. I suppose this is why you need to be able to trust your vpn, which makes me think of this old question: who's gonna watch the watchmen?

:uhh:

This is exactly what using tor will do. It will get you put on the type of lists you are trying to avoid! It will also slow your internet down to practically unusable speeds. It always amazes me to see people recommending it. TOR is for political dissidents in countries with extreme laws, it certainly isn't necessary to browse FC.

A VPN will provide you with some security from eavesdropping but is also likely already being monitored by security services.

SSL certificates are a good idea, but again if you are being watched at state level it probably won't help you. It will protect you from people on your network, i.e. people in your house or at your ISP who wish to spy on your traffic. Which is something I'm not worried about at all and that 99.9% of users probably don't need to worry about either.
 

asdf420

Well-Known Member
I'm worried about the lack of HTTPS. There's the additional issue of some ISPs injecting content onto unencrypted HTTP connections.

Let's Encrypt is way more than a fad. I'll admit that I find it worrying that they're still allowing domains containing "paypal" to register. Using Let's Encrypt is much better than nothing, imo. It still does its basic function well, in ensuring that you're really connecting to the server owned by the domain owner. I don't see the harm in registering with them. Even if you think they're immoral, registering with them doesn't support them that much...

There have been way too many sites that haven't been using HTTPS, including this one. I think it was shown that Let's Encrypt has helped reduce the number of these.. it's not all bad. I think calling it a disaster is a bit of an exaggeration, though phishing sucks..
 

asdf420

Well-Known Member
can't edit, so doubleposting... correction: Let's Encrypt tries to ensure that whoever requests a certificate for a domain owns the server the domain resolves to, which is not necessarily owned by the domain owner.. but usually is. I think most CAs work this way? Just not as automated.
 

YaMon

Vaping since 2010
I too am happy to hear @vtac is considering SSL. Obtaining a public key certificate from a recognized CA and switching to HTTPS verifies you are communicating with authorized servers and that your request has not been redirected. The communication is then encrypted, including your email address and password (hope you are not using the same email address and password with other sites?) If it's HTTP and your IP address is logged and they capture some of your clear text traffic, while remote, it's possible someone could knock on your door.

VPN would not help much, it would simply change the IP, which points to the other end of the VPN tunnel.. whose tunnel, work? That's not helpful.
 

Cemmos

Well-Known Member
Letsencrypt + proxying images (via XenForo's default configuration) = win. It shouldn't be too hard to switch over to HTTPS and would take as little as 15 minutes to do so, for an advanced sysadmin. Otherwise, tutorials are plentiful and should take no longer than an hour.
 

asdf420

Well-Known Member
If you like less "magic" stuff, there's https://github.com/diafygi/acme-tiny
Maybe it'd be good to wait until ACME v2 is stable?

i didn't understand what "proxying images" meant at first. it's so that all images are served through fuckcombustion.com rather than whatever random host. To avoid tracking, and broken images?
 

Cemmos

Well-Known Member
i didn't understand what "proxying images" meant at first. it's so that all images are served through fuckcombustion.com rather than whatever random host. To avoid tracking, and broken images?
Yep, it's essentially to keep the images from breaking and keeping the page secure. I think most people on FC tend to use the attachment feature, which is great, but if they're linking from places like Imgur/Photobucket/etc without https, then the images wouldn't appear — this is where proxying the images through FC would come in handy, so old and current posts wouldn't get broken and the page would stay secure.

Although the images can be cached with the proxy, there is still the issue that images can be broken if they're deleted from the host server (like Imgur). That's not an issue specific with SSL, though, since that could happen without it as well.
 

leveltree

never wanted to beat that one ;)
I really would appreciate a switch to HTTPS!
It's just standard today for sites with login etc.
Was happy to find already a thread for it, sad it has not been done yet :D
Of course it's completely up to vtac but not having it in this forum really feels outdated :D
Not trying to be a bitch here, just showing support! :)
 

analytika

Well-Known Member
The upgrade to SSL and https:// URLs is quick, cheap and easy these days. Modern load balancers and proxies can wrap the existing web server(s) for an http:// site and auto rewrite every URL for browsers that support it, and leave http:// access intact for browsers that for some reason don't support it (the only reason left, in the real world, is to keep the door open to users in jurisdictions in which SSL browsing is blocked or simply illegal), without a single change required to the original architecture. A couple of hours' work for a competent systems administrator.

The costs in terms of system resources and incremental CPU are negligible, today.

Much easier to set up HaProxy to handle all of it, above the Nginx layer, in my experience.

Considering the subject matter of these forums and possible legal jeopardy for some participants, it's the responsible thing to do.

Bud's Vape Life Forum has been SSL encrypted as long as I've visited the site.

Has anyone checked whether the site is open invitation for web crawling spiders? Or are the standard robots.txt file and HTTP metatags flagged noindex? Again, this is the responsible thing to do.

EDIT: I can't find a top level robots.txt file, which, if I'm right, means it's open season for search engines.
 

bossman

Gentleman Of Leisure
I propose that a few good samaritans like @analytika and @asdf420 setup a replacement site for us all to use since the only admin for FC ghosted over a year ago. If there's a prodigal son moment we can all welcome some content migration and in the meantime we can at least roll with a modern bbs.
 

bossman

Gentleman Of Leisure
@Stu that's awesome. I had trouble activating my account when I joined and learned some incomplete stuff about a sole absentee admin. Happy to find out it's not as bad as I thought. What's the admin's name? There's still only the one, correct? I'm wondering now if I've ever seen a post since I joined.
 