Author Topic: Secure version of the forum  (Read 59026 times)


Offline madires

  • Super Contributor
  • ***
  • Posts: 8177
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #125 on: February 21, 2015, 05:32:00 pm »
That coincides with me turning off cloudflare. Just turned it back on now.
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

The problem with http is that logins are in cleartext, e.g. sniffing the network traffic will get you the login credentials easily. It's like using telnet instead of ssh over the internet, or like putting the key under the door mat.

But since it seems that Cloudflare simply acts as a proxy (like a MITM attack) the SSL encryption is worthless. Let's check the SSL certificate. It's for cloudflaressl.com. So the connection between your PC and the nearest Cloudflare proxy is https, but between the proxy and the forum's server it's http.   :-[
« Last Edit: February 21, 2015, 05:44:40 pm by madires »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8177
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #126 on: February 21, 2015, 05:36:11 pm »
but for those of us who do want our comms to be unsniffable, defeating our ISP's snooping, denying them insight into what sites we visit, and also denying them the ability to INJECT THEIR OWN ADS and mess up the content along the way - it does matter  to us!

https doesn't hide which sites you visit. It hides what you're receiving or sending.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Secure version of the forum
« Reply #127 on: February 21, 2015, 05:47:04 pm »
And it only hides that from everyone except Cloudflare; the communication between Cloudflare and the blog is in the clear, so nothing stops Cloudflare or the site from monetizing your browsing via AdSense.

Actually even going to fully implemented https sites won't block AdSense, so if you look at a scope, be prepared to see scope ads no matter where you go on the interwebs :)
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Secure version of the forum
« Reply #128 on: February 21, 2015, 07:01:40 pm »
I also exchange private messages (pm) inside this forum with other forum users about hacking scopes and other devices. It is not just about the stuff I read here, it is about the stuff I write here in public and in private.
It's a matter of principle. I also use envelopes for my letters. And I insist on getting my salary statement inside an envelope.

If the government wants to see my stuff, ok, I cannot do much against that. But the mailman does not need to know how much my income is or which scopes I hack. My ISP (or other people with a tap) does not need to know what I read or write somewhere.
Again: It's a matter of principle.
 

Offline manzini

  • Regular Contributor
  • *
  • Posts: 54
  • Country: es
Re: Secure version of the forum
« Reply #129 on: February 23, 2015, 09:27:54 am »
Quote from: EEVblog
BTW, I still don't understand why anyone wants to access the site using https? Why does it matter?

It matters: public wifi, non-EE people bored at work, and now in some EU countries ISP / country laws about some questions like hacking.

Also, I think Google has said that using https will be prioritized in the search engine results.
 

n45048

  • Guest
Re: Secure version of the forum
« Reply #130 on: February 23, 2015, 09:44:00 am »
If the government wants to see my stuff, ok, I cannot do much against that.

Encrypt it properly and they can't read it without due legal process. That's the key here - they can screw your life up enough to force you to hand over encryption keys etc, but only if they either go through the legal process or break the law. At the moment they seem to favour the latter, so we have to fight back and block it.

In Australia there is actually legislation which through a court would force you to hand over any passwords or encryption keys or face further prosecution. We tend to do things legally rather than through corruption :-) Being dodgy is just too messy.
 

Offline Tandy

  • Frequent Contributor
  • **
  • Posts: 372
  • Country: gb
  • Darren Grant from Tandy, UK.
    • Tandy
Re: Secure version of the forum
« Reply #131 on: February 23, 2015, 10:54:19 am »
I really don't get what all the fuss is about?

Some people seem to be concerned about people tracking what they have written. I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum is to be part of an open discussion that anyone can read and contribute to so that people can learn from each other's experience? What do I care if some spy agency, my employer or my grandma are watching what I have posted. The very fact that the forum is public means I will only ever say something that I am happy for the entire world to read.

Some people say, but my employer might see what I am doing and think I am wasting time or not like what I have written. So you are at work using your employer's equipment and internet connection, while being paid to do some kind of work, and you think it is unfair that they don't want you doing something they are not paying you to do? If you don't like it that your employer has a strict monitoring policy for their internet use, you have a few options open to you. Use the forum in your own time on your own internet connection, or explain to your boss why the forum is useful to your work, or perhaps leave that job and find an employer with a more relaxed attitude towards what you do with your time.

But it all seems a bit of a waste of time carrying on the discussion anyway, as Dave clearly doesn't see any need to bother with a full https implementation on the forum, and as it is his forum that is how it is. As this is one of the best EE forums on-line, I suggest you just have to live with the decisions that have been made by the owners and take them into consideration when you use the forum, such as using a unique password and maybe even a disposable email address, and not start posting about guns, bombs and drugs in case the security agencies think that you are a person of interest.

 

Offline opty

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ie
Re: Secure version of the forum
« Reply #132 on: February 23, 2015, 12:05:55 pm »
It has all been said above. But I will repeat.

.... I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum...

Some folks want their private messages to stay private...
Related: Have you read the latest Lenovo news? We want https so my internet provider doesn't track what I'm posting or reading, and can't inject ads. It is just a matter of principle, even if I'm posting/reading a public forum.

...But it all seems a bit of a waste of time carrying on the discussion anyway as Dave clearly doesn't see any need to bother with a full https implementation on the forum and as it is his forum that is how it is. As this is one of the best EE forums on-line I suggest you just have to live with the decisions that have been made by the owners and take them in to consideration when you use the forum such as using a unique password and maybe even a disposable email address and not start posting about guns, bombs and drugs in case the security agencies think that you are a person of interest.

I agree this is the best EE forum ;).  We do not threaten to leave it. I'm just asking for https support. Is there anything wrong with this kind of suggestion?

And where the heck did you get that guns and bombs from? That is typical demagogy. Just because I don't want to be eavesdropped on it must mean I'm a bad person. Oh man, stop it.

Opty 
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38718
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #133 on: February 23, 2015, 12:20:15 pm »
So did turning back on Cloudflare fix the issue?
I personally don't use nor care about https support for the forum so never see any issue.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38718
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #134 on: February 23, 2015, 12:26:17 pm »
I agree this is the best EE forum ;).  We do not threaten to leave it. I'm just asking for https support. Is there anything wrong with this kind of suggestion?

IIRC this was discussed at length in another thread somewhere.
The conclusion was that:
a) Few other technical forums offer proper https support
b) Very few people actually want or need it
c) There are technical issues that preclude it being implemented properly
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38718
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #135 on: February 23, 2015, 12:27:32 pm »
Some folks want their private messages to stay private...

In that case I suggest you bypass the forum messaging entirely and use secure encrypted email.
 

Offline Tandy

  • Frequent Contributor
  • **
  • Posts: 372
  • Country: gb
  • Darren Grant from Tandy, UK.
    • Tandy
Re: Secure version of the forum
« Reply #136 on: February 23, 2015, 12:44:04 pm »
Some folks want their private messages to stay private...

Personally I never consider private messages on a forum to be private. I use them to send messages to people that I feel would be of interest to that person only but would not add to the discussion topic for other people. For example, someone might mention a particular multimeter in a thread, and rather than take the thread off topic I tell them I have the same meter and ask if they have the manual as I would like a copy. This is something of interest only really to me and the other person, but I don't care one bit if someone else can read it as it is not private.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8177
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #137 on: February 23, 2015, 12:48:52 pm »
Some people seem to be concerned about people tracking what they have written. I don't get this at all, why would you post ANYTHING in a public forum that you would not want someone to see? Surely the whole point of posting in a public forum is to be part of an open discussion that anyone can read and contribute to so that people can learn from each others experience? What do I care if some spy agency, my employer or my grandma are watching what I have posted. The very fact that the forum is public means I will only ever say something that I am happy for the entire world to read.

That's basically right! But it's just plain stupid to send login credentials in plaintext over the internet. This is 2015 and not the 1990s anymore.

Some people say, but my employer might see what I am doing and think I am wasting time or not like what you have written. So you are at work using your employers equipment and internet connection, while being paid to do some kind of work and you think it is unfair that they don't want you doing something they are not paying you to do? If you don't like it that your employer has a strict monitoring policy of their internet use you have a few options open to you. Use the forum in your own time on your own internet connection, or explain to your boss why the forum is useful to your work, or perhaps leave that job and find an employer with a more relaxed attitude towards what you do with your time.

https won't hide your eevblog usage, just the content of your traffic. The firewall can see and log the connections to the forum. And it would be easy to run the firewall in a MITM https attack scenario to see the traffic in cleartext too (that's what Cloudflare is doing to proxy the forum).
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8177
  • Country: de
  • A qualified hobbyist ;)
Re: Secure version of the forum
« Reply #138 on: February 23, 2015, 01:19:17 pm »
So did turning back on Cloudflare fix the issue?

Yes, https is working again. But there's a security issue with the way Cloudflare works. Cloudflare runs proxy servers. If you connect to the forum, you actually connect to one of the proxy servers, which caches the forum's web pages. That means that Cloudflare is able to see everything, including your login credentials. For https it's the same, because the https connection is between your browser and Cloudflare's proxy server, not the forum's server (https isn't enabled on the forum's server). When the proxy server gets a page from the forum's server on behalf of the user, the connection is http, i.e. not encrypted. So https isn't end-to-end, which renders it mostly useless in this case. The question is: do you trust Cloudflare?
« Last Edit: February 23, 2015, 01:22:10 pm by madires »
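
The check madires describes in Reply #125 ("let's check the SSL certificate") and the proxy setup explained in Reply #138 can be done from the client side: look at which names the presented certificate carries. An added Python example, not code from the forum; the sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the host names in them are placeholders.

```python
"""Classify a TLS peer certificate: the site's own, or a shared proxy cert.
Added example for this thread, not forum code. Sample certificate dicts
are constructed in the shape ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl


def _name_matches(pattern, hostname):
    """Exact DNS name or one-label wildcard ('*.example.invalid') match."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def _same_site(name, hostname):
    """True if name is the hostname, a parent of it, or a host under it."""
    base, host = name.lower().lstrip("*."), hostname.lower()
    return host == base or host.endswith("." + base) or base.endswith("." + host)


def cert_names(cert):
    """DNS names the certificate asserts: SAN entries, then the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def describe_cert(cert, hostname, proxy_markers=("cloudflaressl.com",)):
    """A cert carrying a proxy marker name, or names of unrelated sites, is a
    shared proxy certificate: TLS terminates at the proxy and the proxy-to-
    origin leg cannot be verified from the client (heuristic, not proof)."""
    names = cert_names(cert)
    hostname_ok = any(_name_matches(n, hostname) for n in names)
    marker = [n for n in names if any(m in n.lower() for m in proxy_markers)]
    unrelated = sorted({n for n in names
                        if n not in marker and not _same_site(n, hostname)})
    shared = bool(marker or unrelated)
    if not hostname_ok:
        verdict = "certificate does not cover this hostname"
    elif shared:
        verdict = "shared proxy certificate: TLS ends at the proxy, origin leg unverifiable"
    else:
        verdict = "certificate issued to the site itself"
    return {"hostname_matches": hostname_ok, "shared_proxy_cert": shared,
            "proxy_names": marker, "unrelated_names": unrelated, "verdict": verdict}


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live check (needs network): return getpeercert() for hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples, not real certificates; names are placeholders.
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "sni0000.cloudflaressl.com"),),),
    "subjectAltName": (("DNS", "sni0000.cloudflaressl.com"),
                       ("DNS", "*.cloudflaressl.com"),
                       ("DNS", "forum.example.invalid"),
                       ("DNS", "other-site.example.invalid")),
}
SAMPLE_OWN_CERT = {
    "subject": ((("commonName", "forum.example.invalid"),),),
    "subjectAltName": (("DNS", "forum.example.invalid"),
                       ("DNS", "www.forum.example.invalid")),
}
```

`describe_cert(fetch_peer_cert("forum.example.invalid"), "forum.example.invalid")` runs the same classification against a live host; a shared-proxy verdict means the browser-to-proxy leg is encrypted but the proxy-to-origin leg is whatever the site operator configured.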
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38718
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #139 on: February 23, 2015, 01:39:38 pm »
The question is: do you trust cloudfare?

I don't have to, because I don't care about https!
Same for almost all of the users of this forum.
This was never meant to be a secure private forum, and I think people expecting it to be are just asking for too much.
As I mentioned, IIRC, even with Cloudflare removed the issues do not stop there. Gnif, the resident server penguin, would need to fill in that detail.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4319
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #140 on: February 23, 2015, 06:57:44 pm »
At least here in the US, there is no expectation of "privacy" on the internet.  https is like a flimsy lock. It keeps the honest people honest, but is no significant deterrent to someone with serious intent.  You can just assume that somebody can spy on you whenever they wish.
And then there are the thousands of laws already on the books that appear to be selectively enforced. You can be arrested for anything at any time.

 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38718
  • Country: au
    • EEVblog
Re: Secure version of the forum
« Reply #141 on: February 23, 2015, 09:18:34 pm »
So you don't have online banking in the US? There is no expectation of privacy, so presumably no one wants their banking details exposed...

This forum is not a bank, and expecting it to have the same level of security is IMO not reasonable.
 

Offline linux-works

  • Super Contributor
  • ***
  • Posts: 2038
  • Country: us
    • netstuff
Re: Secure version of the forum
« Reply #142 on: February 23, 2015, 09:24:31 pm »
I really don't get what all the fuss is about?

encryption seems to have a polarizing effect on a lot of people.  they either fully 'get it' or they totally don't get it at all.

you're in the 2nd camp.  and that's fine, we can't convince you to get it if you're not ready or willing.  and you are free to make your choice for yourself.

what those of us in camp-1 ask is that you don't limit our ability, while choosing your own option not to encrypt.

we don't ask that you understand us, we ask that you allow for our 'silliness' (if you want to think of it that way).  don't deny the use of both http and https and let the user pick what way they want to access the internet.

arguing about encryption and privacy is like religion.  you won't change anyone's mind, but can't we just allow each other their own style and not try to force a limit on the other camp?

allowing for https puts no limits on camp-2 but if camp-2 wants to deny https, that does limit what camp-1 can do.  and that's anti-freedom.

anyway, the whole idea of mass communication across the world is pretty new to mankind.  we are still working out the details and it's all a huge social experiment, in a way.  the notion of 'no privacy while online' is NOT a given and NOT a done-deal by any means.  we are still deciding, as a worldwide community, what it means to live in the modern connected age.

let's allow people the right of choice, shall we?  regardless of whether you can understand their viewpoint or not.

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4319
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #143 on: February 23, 2015, 10:20:35 pm »
encryption seems to have a polarizing effect on a lot of people.  they either fully 'get it' or they totally don't get it at all.
No that is not true.  We (or at least SOME of us) "get it". 

But we also realize that there are certain TLAs (Three-letter-agencies) that can break https whenever they please.  Just last week I watched a legitimate documentary on the NSA that showed how they have their own cleanroom fab where they develop their own full-custom chips specifically designed for cryptology.  I work at arguably the most leading-edge fab on this planet, and even that (rather dated) glimpse around their fab looked pretty impressive to me.  Ref:  http://youtu.be/N6Ex8Jr7Bzc?t=1h8m30s

Furthermore, if only PART of the link between EEVblog and you (the part between CloudFlare and you) is https encrypted, but the OTHER part (between EEVblog and CloudFlare) is clear, what sense of security do you get from that?  I guess you could say that is the part I don't get.

And yes, I get that implementing https would have little/no effect on us doubters, but that NOT having it completely deprives you of the security you desire.  But as others (including Dave) said, this isn't a bank. It is a PUBLIC forum!  Certainly I wouldn't use a bank (or make a credit-card purchase) using a link that was not AT LEAST secured by https, but that just keeps the amateurs out.
 

Offline alimirjamali

  • Regular Contributor
  • *
  • Posts: 83
  • Country: ir
  • Analog! D2A or A2D?
    • Ali's personal blog (updated once per year!)
Re: Secure version of the forum
« Reply #144 on: February 23, 2015, 10:25:25 pm »
Guys, please consider that an encrypted version of the forum will have additional costs on Dave's side :(:

  • It would cost to have a valid SSL certificate signed by a certificate authority (almost negligible)  :-\.
  • The web server will have to encrypt the communication over SSL/TLS, which means more CPU power will be needed (a better CPU costs more) :(
  • https usually means that it would not be possible to use a reverse caching proxy, which means more bandwidth and direct request load on Dave's server :(.
  • CloudFlare (which it appears many people here do not trust) is an exceptional caching proxy which supports different levels of SSL. :)
  • If Dave keeps CloudFlare enabled, you can use a CloudFlare Flexible SSL connection (right now). ^-^
  • The connection between you and CloudFlare is secure; your ISP or coffee shop cannot sniff it. :-+
  • The connection between Dave's server and CloudFlare is insecure (and we have to trust CloudFlare) :-\
  • It would be possible to implement Full SSL or Full SSL (strict) with CloudFlare; however, Dave is definitely not a Linux guy and we had better let him use his time for better things. :-/O :-DMM :-BROKE
Let's wait for Dave's Mini-Me to show up on the forum. If he is a Penguin guy, we can push him on this issue and a few other things. >:D
« Last Edit: February 23, 2015, 10:29:53 pm by alimirjamali »
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Secure version of the forum
« Reply #145 on: February 23, 2015, 10:46:25 pm »
But we also realize that there are certain TLAs (Three-letter-agencies) that can break https whenever they please. <snip>

Furthermore, if only PART of the link between EEVblog and you (the part between CloudFlare and you) is https encrypted, but the OTHER part (between EEVblog and CloudFlare) is clear, what sense of security do you get from that?  I guess you could say that is the part I don't get.
<snip>

Not that I want to get drawn into this, and I cut out some of your post to concentrate on the main points, but ...

Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

You may not care about your posts being public, but if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password are broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.

How much that matters to you personally depends on your password hygiene and how much care you take on insecure networks.
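
The point in the post above (and in hammy's and madires's earlier ones) is that a login form on an http page sends the password in the clear. Whether a given page does that is a mechanical check: find every form holding a password field and resolve where it actually posts. An added Python example, not code from the forum or from the forum software; the sample page and its URLs are constructed placeholders.

```python
"""Find login forms that would submit a password over plain HTTP.
Added example for this thread, not forum code; the sample page below is
constructed and the URLs in it are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            # A missing type attribute means a text input, not a password.
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_plaintext_logins(html, page_url):
    """Return resolved action URLs of password forms that post over http://.
    A relative action inherits the page's scheme, so a login form on an
    http:// page leaks credentials even without an explicit http action."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    leaks = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])   # "" resolves to page_url
        if urlsplit(target).scheme.lower() != "https":
            leaks.append(target)
    return leaks


# Constructed sample: a forum page with a login form, a search form and an
# old login form that posts to an absolute http:// URL.
SAMPLE_PAGE = """
<html><body>
<form action="/login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="passwrd">
  <input type="submit" value="Login">
</form>
<form action="https://search.example.invalid/" method="get">
  <input type="text" name="q">
</form>
<form action="http://legacy.example.invalid/auth" method="post">
  <input name="u"><input type="password" name="p">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://forum.example.invalid/index.php",
                "https://forum.example.invalid/index.php"):
        print(url, "->", find_plaintext_logins(SAMPLE_PAGE, url))
```

The same page served over https still has one leak, the form with the hard-coded http:// action, which is why checking the address bar alone is not enough.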
 

Offline alimirjamali

  • Regular Contributor
  • *
  • Posts: 83
  • Country: ir
  • Analog! D2A or A2D?
    • Ali's personal blog (updated once per year!)
Re: Secure version of the forum
« Reply #146 on: February 23, 2015, 10:52:24 pm »
Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

Please see my points 4, 5 and 6 and the description on the CloudFlare website. You are currently protected against such attacks.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4319
  • Country: us
  • KJ7YLK
Re: Secure version of the forum
« Reply #147 on: February 23, 2015, 11:29:04 pm »
.... if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password are broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.
Agreed.  But anyone who is paying attention to the Modern World knows that re-using PINs/passwords for different things (particularly for sensitive things) is a pretty stupid thing to do.  And it doesn't take public sniffing of unencrypted coffee-shop WiFi to compromise that. We have seen many companies (and government agencies) reveal that kind of data from their data stores through means that have nothing to do with (and were not protected by) https.
 

Offline Mechanical Menace

  • Super Contributor
  • ***
  • Posts: 1288
  • Country: gb
Re: Secure version of the forum
« Reply #148 on: February 23, 2015, 11:36:06 pm »
At least here in the US, there is no expectation of "privacy" on the internet.

And you should never expect the infrastructure to deliver it, it's anathema to the very concept of how the internet was meant to work.
Services that use it though, if they advertise a certain level of privacy then it is reasonable to expect it.
 

Offline Stupid Beard

  • Regular Contributor
  • *
  • Posts: 221
  • Country: gb
Re: Secure version of the forum
« Reply #149 on: February 23, 2015, 11:36:48 pm »
Consider the scenario where you're sat somewhere using public wifi. In that scenario it is trivial for anybody with a laptop and a wifi card to see 100% of the traffic between your laptop/phone/tablet and the access point.

Please see my points 4, 5 and 6 and the description on the CloudFlare website. You are currently protected against such attacks.

As I said, I couldn't be arsed to check :) I was just commenting as a general reason why someone would want to care about more than just TLAs so it didn't really matter.

.... if the forum login doesn't use https (I couldn't be arsed to check) then your forum account and password are broadcast over the air in the clear for anyone to see. If you use the same password on another site (e.g. the bank) where it actually matters, then you are pretty screwed.
Agreed.  But anyone who is paying attention to the Modern World knows that re-using PINs/passwords for different things (particularly for sensitive things) is a pretty stupid thing to do.  And it doesn't take public sniffing of unencrypted coffee-shop WiFi to compromise that. We have seen many companies (and government agencies) reveal that kind of data from their data stores through means that have nothing to do with (and were not protected by) https.

They should, but yet still the most common passwords include things like 'password' and '123456'  |O
 

