Secure version of the forum

[Rigby]

Virtually everything should be TLS (NOT SSL) all the time unless there is a very good reason otherwise.

To teach that security isn't necessary is, to me, to teach that privacy is not important.  We all know when we shut the door in the bathroom that privacy is important.  We all know when we wonder if that email is an attempt to scam us that privacy and security are important.

Use of HTTPS needs to be the rule rather than the exception.  It should be expected for any site which requires a password.

[janoc]

I think a reasonable compromise should be having SSL/TLS enabled on the login page, so that the login credentials are secure in transit. Sure, your cookie could still be captured afterwards, but who cares? The culprit could post some BS in your name at best until you relog/session expires. Moreover, the chance of that is fairly low.

Enabling encryption on the entire forum is an overkill, IMHO. If you are afraid to post because you are at work and your boss is sniffing the traffic, maybe wait until you are at home to get your fix?

The secret services profiling/Snowden/whatever paranoia - sorry, let's get real. Borking an entire forum only to mitigate a 0.0001% chance risk you get targeted there is a poor trade-off. I think those folks care about different stuff than our FTDIgate flamewars. If this was GMail or something like that, sure. But this is nothing else but a glorified chatroom ...

[sunnyhighway]

Use of HTTPS needs to be the rule rather than the exception.  It should be expected for any site which requires a password.

This website doen NOT require a password, it is a public website for everyone to see. ONLY if you want to post something you are required to log in.

It would make some sense to protect the transmission of your password. But you have to ask yourself what a culprit could do with your password? And even more, is it worth the trouble for that culprit?
I'd say there are much better targets than the EEVblog that offer a much better return on investment for the culprit.

If Dave would choose to use SSL for the EEVblog, the only page what would need SSL protection is the login page. Nothing else because the rest is public.

[Rigby]

OK since I didn't make it clear, I will rephrase.

HTTPS should be used on any website that requires a password for any reason.

[urlkrueger]

I just read a news article the other day which talked about how the people who reposes automobiles are now driving around with cameras,  recording license plates and where they were observed, keeping this info in a database and selling the info to anybody willing to pay the price.  People have learned from Google, and others, just how valuable information can be and are wanting their little piece of the pie. 

It won't be long now before you will be able to get on the internet and for $25 obtain a complete dossier on a friend, a neighbor or an ex-girl/boyfriend.  You will be able to obtain there movements, which stores/banks they frequent, who their friends are, the websites they frequent and a lot more.  Eventually AI will be able to digest all this information and provide you with various profiles, depending on your interests.  There will be very very few secrets.

So what?  Why should I care if somebody knows a bunch of trivia about me?

There are people out there, criminals, governments, corporations and such who will, and are using this info for their own gain and our detriment.  And......AND, they are doing it with the tax money and profits they obtain from us!  The least we can do is make it more difficult for them.

As the Inventors, Developers and Implementers of the technology that allows this to happen I believe we should be setting examples for the non-iniatiates as to how this technology should be used.  In that vein I believe that all internet traffic, including this forum, should be encrypted.

Earl...

Now will somebody get that soapbox out of here before I trip on it again!

[Stonent]

If this is done Dave will have to buy traceable certificates back to Verisign, Thawte, or other major cert signer. Otherwise Firefox and Chrome will get pissed off and try to block you from going to the site. You can still bypass it but it will do it every time you log in.

[madires]

That said, Https will prevent people from intercepting your packets but then they will have to be able to gain access to the networks between you and the server, which is probably not hard since hostmonster and hostgator (same datacenter I believe) offer shells for those that need them.

There are well known MITM attacks. We also know that some of the three-letter agencies retrieved the private SSL keys of a few companies and that the agencies of some countries got forged keys signed by CAs. We've seen many examples how the whole CA conecpt is broken and misused. We also know about security flaws in the design of SSLv2 and v3. Unfortunately a lot of web servers still support those insecure SSL versions. When taking all that into consideration, https offers just two benefits. Data (credentials) isn't sent in clear text and a signed certificate offers some weak authentication of the web site. It's better than http but not bullet proof. The drawback is the higher CPU load for the handshake (needs most) and encyption (not so much, symmetrical encyption).

[Richard Crowley]

I just read a news article the other day which talked about how the people who reposes automobiles are now driving around with cameras,  recording license plates and where they were observed, keeping this info in a database and selling the info to anybody willing to pay the price.  People have learned from Google, and others, just how valuable information can be and are wanting their little piece of the pie. 

It won't be long now before you will be able to get on the internet and for $25 obtain a complete dossier on a friend, a neighbor or an ex-girl/boyfriend.  You will be able to obtain there movements, which stores/banks they frequent, who their friends are, the websites they frequent and a lot more.  Eventually AI will be able to digest all this information and provide you with various profiles, depending on your interests.  There will be very very few secrets.

This is an interesting overview of hacking PEOPLE.   http://youtu.be/hqKafI7Amd8
The presentation is concluded with some very interesting info about hacking applied to solving some of society's biggest problems. Recommended.

So what?  Why should I care if somebody knows a bunch of trivia about me?

There are people out there, criminals, governments, corporations and such who will, and are using this info for their own gain and our detriment.  And......AND, they are doing it with the tax money and profits they obtain from us!  The least we can do is make it more difficult for them.

TED: State Sanctioned Hacking - The Elephant in the Room  - Hacking 101: Frank Heidt at TEDxMidwest
http://youtu.be/nnKh6SFEaLg

The discussion in this thread and watching those TED presentations has rather changed my mind. Secure the forum (the entire EEV website, IMHO).  I am doing nothing illegal or even shady, but that is only the current opinion of the Government.

[jeremy]

How many hits/sec does this forum get? If it is only a few hundred, I can't even understand why this is a point of discussion; just enable it! It's like 3 lines in the nginx config and a free certificate from StartSSL.

Also, the argument that ISP/enterprise level caching should be maintained is a bit odd to me; this website is mostly text content  on a niche topic and the text changes regularly. On top of this, the users are geographically spread out and are unlikely to be using the same upstream provider. Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk. The only real strong point would be that it makes the server bill a bit less, but cloudfront already handles that...

Although I do enjoy this forum, let's be honest, in terms of hits/sec and bandwidth requirements this ain't no youtube.

[geppa.dee]

...Some ISPs record every URL you visit for marketing purposes (a US ISP was caught doing it recently, I forget which, probably Comcast) and HTTPS stops them doing it...

Sorry to partially disappoint... that's not exactly how https works. It will encrypt the content in transit but only part of the URL. The Hostname and dest. port will be visible in plain text (and probably still useful to some extent for surveillance purposes). It will hide the path, query and fragment locator though. Only encrypting tunnelling (ie VPN) hides everything (if done right).  Aside from that, I wholeheartedly agree with you.

If this is done Dave will have to buy traceable certificates back to Verisign, Thawte, or other major cert signer. Otherwise Firefox and Chrome will get pissed off and try to block you from going to the site. You can still bypass it but it will do it every time you log in.

StartSSL's CA certs are in all current browsers (have been for some years so no issues) and the level 1 certs they give (enough for encrypting traffic) are free.

[ctz]

If this is done Dave will have to buy traceable certificates

No, Cloudflare provide free certs. https://www.eevblog.com/ already works, just needs the links fixing to be protocol-neutral.

[gnif]

I made a some changes to nginx which fixes the majority of the SSL issues for those of you that insist on using it. Note that it is mostly un-tested and any issues using SSL will not be supported. Also these is NO encryption between CloudFlare and this server, which means that the security you recieve is still not trusted, and can be intercepted/read in the clear by anyone between CF and this server.

[miguelvp]

It doesn't prevent it though, but if it makes you feel better then that's all it matters

[justanothercanuck]

Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk.

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser. 

[gnif]

Pretty sure your browser can handle all of the caching you need with only a few megabytes of disk.

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser. 

Which is another reason why this is an opt-in thing. People think that the entire world has fast unlimited internet and forget that much of the world pay through the nose for downloads, espessially on wireless plans. Those of us that do have true unlimited are limited in speed by the local infrastructure, and often are also sharing their link with multiple people in the same house. SSL while I like the idea of the entire internet on it in general, I believe is impractical and another instance of trying to force people to use technology they do not need.

If this is to stop the government spying, whats to stop them from tapping the data feeding CF and just logging it at that point? Honestly it is a load of marketing hype and has if anything made SSL more vulnerable as you no longer know if a site is truly on SSL or being proxied via some third party and the last leg of the link is unencrypted and across the public internet.

Honestly, how many website owners truly understand how SSL works? The majority of them will be thinking, wow, we get free SSL if we use CF, we can now process sensative data! Unknowingly exposing their clients data to the public network in the clear. Advertising SSL on the server, and the browser verifying that SSL is working and their connection to the target server is secure... which it isn't, is just down right dangerous and stupid IMHO. It is worse then storing unsalted MD5 hashes, or unencrypted passwords in a database as far as I am concerned, the chain of trust which SSL is designed to ensure is being thwarted and there is no way for website visitors to know.

Edit: I know, it is TLS not SSL these days, but people still use SSL as a general term for 'HTTPS' or 'The Padlock'.

[gxti]

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser. 

This is 110% false. Browsers can, should, and DO cache content retrieved over a secured connection.

https://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https

Secure-by-default is important enough that HTTP 2 will make TLS mandatory (although HTTP 2 itself is not mandatory of course). Considering the biggest name in "big internet" (Google) drove the specification, you know they care about stuff like caching.

I understand that not every site owner has the time or the experience to configure TLS for their site, but as far as I'm concerned there is no argument against doing it if you do.

[gnif]

May I remind you that SSL isn't cached.  Anywhere.  Whether it be a proxy server, or your browser. 

This is 110% false. Browsers can, should, and DO cache content retrieved over a secured connection.

Not quite since he stated that proxy servers can not cache, you only mention browsers.

I understand that not every site owner has the time or the experience to configure TLS for their site, but as far as I'm concerned there is no argument against doing it if you do.

I agree that SSL should be implemented across the board, but what CF are doing is a joke, it makes the websites seem aparrently secure, when it is not. Think about this scenario.

High profile website has SSL setup through CF, this website is accepting credit card details amongst other personal details. The site operator believes that this is safe and secure as they are not well informed as to how CF SSL works. A malicious attacker discovers the server's real IP (not hard, just hit direct.example.com as this is normally setup per CF recomendations, or a MX record, etc...) and rents a server at the same premesis, and starts sniffing the data (i know there are ways used to prevent this, but it is not good to rely on these). The attacker will be able to record every transaction in clear text between the CF server and the HTTP server.

This just provides a false sense of security, and a glaring hole to be abused by attackers. What CF are doing is providing a means to break SSL, not make it better. It should be offered as an option that REQURIES server side configuration to enable it, not just enable it for every site and pretend the entire link is secure.

Edit: Here is a good writeup of the problem and how you can configure CF to fix it.

[redtails]

Although https serves no direct reason for a completely open forum, you cannot deny that your Google ranking is negatively affected if you don't support https on your website.

This has been implemented since summer 2014

[miguelvp]

If this is to stop the government spying, whats to stop them from tapping the data feeding CF and just logging it at that point? Honestly it is a load of marketing hype and has if anything made SSL more vulnerable as you no longer know if a site is truly on SSL or being proxied via some third party and the last leg of the link is unencrypted and across the public internet.

I think you misunderstand what the goal is. The government will spy on people if it wants to, and I think most people would argue that spying on certain people is acceptable. What is not acceptable is mass surveillance of everyone all the time.

By implementing encryption everywhere we can we increase the cost of mass surveillance. Those wishing to spy on us not can't simply demand that ISPs do their dirty work for them, they need to hack in to the backbone and do extensive traffic filtering/decoding. If those links become encrypted to they are forced to start hacking service providers and hosting companies. They probably have some zero day exploits they could use, but doing so would risk making them public.

Encrypting where we can makes mass surveillance impractically difficult and expensive.

The only problem with that is that they'll ask for a bigger budget diverting our tax money to more resources and probably increasing our taxes. So in essence you are just feeding the fire to help them grow more by helping them justify a higher budget.

SSL, TLS has not been a concern for national agencies for a while. What are you going to propose next, Tor access to the EEVBlog?

The only way you can achieve what you want is to make it illegal, so good luck going into politics so you can push that agenda if you even get support for it.

And that might be your goal, but it's hardly a concern to many.

[miguelvp]

You underestimate Eve's capabilities no matter what Wendy reported.
Even so Eve, as evil as you portray her, can protect you from Chuck but not from Mallory, so I wouldn't worry  much about Eve, it's Mallory that Bob and Alice should be worried about. And no one knows what Mallory's capabilities are but it's greater than Eve's.

But all in all it keeps Oscar and Walter fed, it's a multi billion dollar industry and SSL/TLS is nothing more than the transport.

[giosif]

Hi all,

Sorry for being silent the past few days!

My main reason for raising this topic was to protect my credentials and any private info in my PM's from the easy/simple eavesdrops - i.e. script kiddies running a wireless sniffer near public hotspots.

I made a some changes to nginx which fixes the majority of the SSL issues for those of you that insist on using it. Note that it is mostly un-tested and any issues using SSL will not be supported. Also these is NO encryption between CloudFlare and this server, which means that the security you recieve is still not trusted, and can be intercepted/read in the clear by anyone between CF and this server.

And I think this is good enough for that.
Thanks, gnif!

Regards,
George

[SirNick]

Although https serves no direct reason for a completely open forum, you cannot deny that your Google ranking is negatively affected if you don't support https on your website.

Google's insistence on HTTPS has been a thorn in the side of a lot of organizations.

Take schools for example.  Access to Google.com is considered essential, as are Gmail and Docs.  However, there's often justifiable cause to block Youtube.  This is very difficult to do, though, since Google uses large, consecutive blocks of IPs, and (AFAIK) doesn't provide any documentation on how they allocate those IPs to services.  With everything defaulting to HTTPS, most of the existing proxy appliances that have been deployed can't distinguish URLs.  And, motivated teenagers have found you can see all kinds of neat stuff with Google Images, with SafeSearch off, via HTTPS.

So the usual "fix" is to block HTTPS entirely, allowing their proxies to work as intended.  Of course, now there are a lot of folks sending their logins and email text over the Internet in clear text.  Hurray for progressive security!

[miguelvp]

Before ChucK and Mallory came along we used to put our username and password right on the url even without SSL.

So it would have been something like this:

http://user:pass@www.eevblog.com/forum/

Of course it makes more sense to use https in that case, that gave Craig a reason to be. Then online banking came along and adopted ssl (or tls or whatever it's pretty much the same handshake)

I'll admit that as long as you keep that private key, well... private, then you might be safe, but, sometimes things don't work as you think they do. What if what was generating those private keys used something stupid like say the process id where they were running.

So you if what would it take to break those private keys if you knew the seed to the random number generator was that pid? how many pid's do you think a linux system have? even if it was 100, and since you have the code for the random number generator and other events the key is based on, just with that you can create a handfull of keys that will pretty much give you a private key that is compatible with those other private keys and accept the same public key.

But you will think that's impossible and will never happen? well it did, and not too long ago either, and for a long amount of time. Yeah it's fixed now (hopefully deployed everywhere) but still you have to understand who the cryptography players are, and when they come out with some algorithm that is unbreakable and non reversible, should you trust them that it's not the case? After all, you just have to take a lot of math to prove it wrong and of course someone would have found the flaw that they might keep in a need to know bases?

Nah, it's all secure and we have nothing to worry about. Home Depot uses SSL, so does Target, and Sony .... there are other attack vectors and just pure social engineering will just get you where you need to be because it's the way things are.

Security now is more about pen testing than even cryptography and everyone wears all kinds of hats and it's a stupid way to generate more and more so called security jobs that only keeps the cycle in perpetuation.

Worries make a ton of money flow, that's the bottom line.

[EEVblog]

According to CloudFlare, my site is now using SSL?

Dear CloudFlare customer:

We’ve got some exciting news to share. In our efforts to help build a better Internet, CloudFlare recently released a new product called Universal SSL. SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.

CloudFlare’s Universal SSL provides all our Free Plan customers with SSL security encryption for their web traffic at no cost. Universal SSL is on by default. Your web traffic is now encrypted and secure—you don’t have to install or configure anything.

Aside from keeping your web traffic safe from snooping and tampering, having SSL on your site may help boost your Google search rankings.

[gnif]

According to CloudFlare, my site is now using SSL?

Hi Dave, yes it is, but please be aware that the way that CF have implemented it is broken and should not be trusted, I would not advertise that the site is on SSL unless you are prepared to buy a SSL cert for the server and then enable Strict SSL in the CF interface.