Author Topic: The site is still not completely TLS exclusive.  (Read 16615 times)


Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #25 on: April 01, 2017, 01:04:11 pm »
Btw the ads are served via HTTPS anyway, so I don't know what your issue is. The few images of concern are the smiley faces in posts....
The problem is that with the latest ruling in the US, the ISP will let advertisers know that you are an electronics engineer, regardless of your willingness to be tracked by the ISP, even though you run Adblock, plainly because you are frequenting EEVblog, if the advertiser is willing to pay. That is the scary part.

Not my concern, ads are served via HTTPS, HTTPS must be optional, there is nothing to discuss here.
 

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2329
  • Country: 00
Re: The site is still not completely TLS exclusive.
« Reply #26 on: April 01, 2017, 01:10:38 pm »
Simply use anonymous mode, and a VPN and Tor on top.

This will help you to be anonymous. I don't know why you want that here, but it will.
 
The following users thanked this post: gnif

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #27 on: April 01, 2017, 01:12:15 pm »
Not my concern, ads are served via HTTPS, HTTPS must be optional, there is nothing to discuss here.
It is not the ads. It is the plain visiting EEVblog that allows ISP to track.

Speaking of the ads, the ISP can scrub Dave's ad code and replace it with their own if they want to (and China Unicom has done that) without mandatory HTTPS. That is no different, if not worse, than Adblock, as not only is Dave missing revenue, forum readers can be misled by the ISP's ads. Even worse, when the ISP's ad server is compromised and starts to serve malware...
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #28 on: April 01, 2017, 01:18:49 pm »
Not my concern, ads are served via HTTPS, HTTPS must be optional, there is nothing to discuss here.
It is not the ads. It is the plain visiting EEVblog that allows ISP to track.

Speaking of the ads, the ISP can scrub Dave's ad code and replace it with their own if they want to (and China Unicom has done that) without mandatory HTTPS. That is no different, if not worse, than Adblock, as not only is Dave missing revenue, forum readers can be misled by the ISP's ads. Even worse, when the ISP's ad server is compromised and starts to serve malware...

Then don't visit the website... And for that matter, what is stopping them from removing the HSTS header in an unencrypted connection anyway? Your argument doesn't fly, please kindly go and be paranoid elsewhere.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #29 on: April 01, 2017, 01:30:38 pm »
Not my concern, ads are served via HTTPS, HTTPS must be optional, there is nothing to discuss here.
It is not the ads. It is the plain visiting EEVblog that allows ISP to track.

Speaking of the ads, the ISP can scrub Dave's ad code and replace it with their own if they want to (and China Unicom has done that) without mandatory HTTPS. That is no different, if not worse, than Adblock, as not only is Dave missing revenue, forum readers can be misled by the ISP's ads. Even worse, when the ISP's ad server is compromised and starts to serve malware...

Then don't visit the website... And for that matter, what is stopping them from removing the HSTS header in an unencrypted connection anyway? Your argument doesn't fly, please kindly go and be paranoid elsewhere.
At least on my website (and Google's, and Facebook's, etc.) if you connect to it over HTTP, you get an HTTP 302 redirect to the HTTPS version along with an HSTS flag. The ISP can scrub the HSTS header but the 302 is not going away. (If the ISP decided to proxy the connection and terminate HTTPS on their routers, you've got bigger problems.) Now your browser is being told to go to the HTTPS version, which the ISP generally has no way to tamper with. By this time the HSTS flag arrives and will stick.
 
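A runnable model of the redirect-plus-HSTS flow described in the post above, added here as an example; it is not EEVblog's server configuration or any real browser's code. The origin behaviour, the hostname www.example.com, the one-year max-age and the simplified client are all assumptions. The client-side cache follows RFC 6797 in honouring Strict-Transport-Security only on responses received over TLS, so the plaintext hop on a first visit is the one HSTS does not cover, while later visits are upgraded before any cleartext request is made.

```python
"""Added example: HTTP->HTTPS redirect on the origin, HSTS cache on the client.
Simplified stand-ins, not production code. Host, max-age and behaviour are assumed."""
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


@dataclass
class Response:
    status: int
    headers: dict


def serve(url: str) -> Response:
    """Origin: plaintext requests get a 302 to the https:// form of the same URL;
    only responses sent over TLS carry the Strict-Transport-Security header."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return Response(302, {"Location": urlunsplit(("https",) + parts[1:])})
    return Response(200, {"Strict-Transport-Security":
                          f"max-age={HSTS_MAX_AGE}; includeSubDomains"})


def parse_max_age(header: str):
    """Return the max-age directive as an int, or None if absent/malformed."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


@dataclass
class HstsStore:
    """Client HSTS cache: host -> expiry (epoch seconds). Per RFC 6797 section 8.1
    the header is ignored unless it arrived over a secure transport."""
    entries: dict = field(default_factory=dict)

    def note_response(self, url: str, resp: Response, now=None) -> bool:
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # HSTS over plaintext carries no weight
        header = resp.headers.get("Strict-Transport-Security")
        max_age = parse_max_age(header) if header else None
        if max_age is None:
            return False
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 clears the entry
        else:
            self.entries[parts.hostname] = now + max_age
        return True

    def upgrade(self, url: str, now=None) -> str:
        """Rewrite http:// to https:// for hosts with an unexpired entry."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        expiry = self.entries.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and expiry > now:
            return urlunsplit(("https",) + parts[1:])
        return url


def fetch(store: HstsStore, url: str, strip_plaintext_headers=False, now=None, max_redirects=3):
    """Follow redirects the way a browser would and return [(url, status), ...].
    strip_plaintext_headers simulates an on-path party deleting headers from
    cleartext responses; it cannot touch the TLS leg."""
    visited = []
    for _ in range(max_redirects + 1):
        url = store.upgrade(url, now)
        resp = serve(url)
        if strip_plaintext_headers and urlsplit(url).scheme == "http":
            resp.headers.pop("Strict-Transport-Security", None)
        store.note_response(url, resp, now)
        visited.append((url, resp.status))
        if resp.status in (301, 302, 307, 308) and "Location" in resp.headers:
            url = resp.headers["Location"]
            continue
        return visited
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    store = HstsStore()
    print(fetch(store, "http://www.example.com/forum/", now=1000.0))  # two hops, first in the clear
    print(fetch(store, "http://www.example.com/forum/", now=2000.0))  # one hop, upgraded locally
```

The first `fetch` shows the unprotected plaintext request and the redirect; the second shows that once the entry is cached the browser never emits the cleartext request at all, which is the property the post is relying on for repeat visitors.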

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #30 on: April 01, 2017, 01:32:25 pm »
Not my concern, ads are served via HTTPS, HTTPS must be optional, there is nothing to discuss here.
It is not the ads. It is the plain visiting EEVblog that allows ISP to track.

Speaking of the ads, the ISP can scrub Dave's ad code and replace it with their own if they want to (and China Unicom has done that) without mandatory HTTPS. That is no different, if not worse, than Adblock, as not only is Dave missing revenue, forum readers can be misled by the ISP's ads. Even worse, when the ISP's ad server is compromised and starts to serve malware...

Then don't visit the website... And for that matter, what is stopping them from removing the HSTS header in an unencrypted connection anyway? Your argument doesn't fly, please kindly go and be paranoid elsewhere.
At least on my website (and Google's, and Facebook's, etc.) if you connect to it over HTTP, you get an HTTP 302 redirect to the HTTPS version along with an HSTS flag. The ISP can scrub the HSTS header but the 302 is not going away. (If the ISP decided to proxy the connection and terminate HTTPS on their routers, you've got bigger problems.) Now your browser is being told to go to the HTTPS version, which the ISP generally has no way to tamper with. By this time the HSTS flag arrives and will stick.

As stated again and again, your arguments are moot; we cannot, and will not, force HTTPS on the user base. Now stop wasting my time.
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12996
Re: The site is still not completely TLS exclusive.
« Reply #31 on: April 01, 2017, 02:21:25 pm »
You are currently pushing https at users who don't want it.

On any forum http page, the links 'Show new replies to your posts.' and 'Show unread posts since last visit.'  lead to 'https://www.eevblog.com/forum/unreadreplies/' and 'https://www.eevblog.com/forum/unread/' respectively.  Also all the links on the topic list page number navigation bars:
'Pages: [1] 2 3 4 5 6  ... 593 Next   (Go Down)  (New Topic) (New poll) (Notify) (Mark Read) (Search)' lead to the https version, as do user name links.

This makes the site nearly unusable for anyone who CAN'T use encryption for whatever reason.

Currently, to stay on the http pages I have to use a Greasemonkey script to rewrite all 'https://www.eevblog.com/forum/' links to http.

Please fix it!
 
The following users thanked this post: PA0PBZ

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2329
  • Country: 00
Re: The site is still not completely TLS exclusive.
« Reply #32 on: April 01, 2017, 02:44:54 pm »
Are you kidding?

Just because you are the only guy on the planet who can't use encryption, you want them to change just for you?

This is your problem, not theirs; find a way, or simply don't access the forum.
 
The following users thanked this post: PointyOintment

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #33 on: April 01, 2017, 03:15:36 pm »
You are currently pushing https at users who don't want it.

On any forum http page, the links 'Show new replies to your posts.' and 'Show unread posts since last visit.'  lead to 'https://www.eevblog.com/forum/unreadreplies/' and 'https://www.eevblog.com/forum/unread/' respectively.  Also all the links on the topic list page number navigation bars:
'Pages: [1] 2 3 4 5 6  ... 593 Next   (Go Down)  (New Topic) (New poll) (Notify) (Mark Read) (Search)' lead to the https version, as do user name links.

This makes the site nearly unusable for anyone who CAN'T use encryption for whatever reason.

Currently to stay on the http pages I have to use a Greasemonkey script to rewrite all  'https://www.eevblog.com/forum/' links to http.

Please fix it!

There are some issues still yet to resolve; I have yet to find time to do it. Please be patient, we know it's not complete yet.
 
The following users thanked this post: Ian.M

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #34 on: April 01, 2017, 03:45:38 pm »
As stated again and again, your arguments are moot; we cannot, and will not, force HTTPS on the user base. Now stop wasting my time.
Well I decided to reach out and ask.

http://serverfault.com/questions/841954/is-there-any-reason-not-to-enforce-https-with-strong-cipher-on-a-website

Well, it seems to me that people are okay with dropping the very few users that cannot use strong cryptography, while keeping the folks with slightly newer equipment safe. By the way, by default, there is a big login field on every page...
 
The following users thanked this post: PointyOintment

Offline ebclr

  • Super Contributor
  • ***
  • Posts: 2329
  • Country: 00
Re: The site is still not completely TLS exclusive.
« Reply #35 on: April 01, 2017, 03:53:19 pm »
Nobody is safe

NSA can decrypt in less than a millisecond
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #36 on: April 01, 2017, 03:55:30 pm »
There will be fixes/changes, but when depends on my available time. That said, I am no longer following this thread as it has devolved into an argument I couldn't care less about.
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12996
Re: The site is still not completely TLS exclusive.
« Reply #37 on: April 01, 2017, 04:02:04 pm »
As stated again and again, your arguments are moot; we cannot, and will not, force HTTPS on the user base. Now stop wasting my time.

@Technix & Ebclr,

Why are you so keen to force other users to choose between meeting the security standards you prefer or possibly abandoning this forum?

If other users choose to use the http pages it doesn't expose any data relating to your activity here that isn't already either indexed by google or trivially available by registering for a free account here.

Gnif is already committed to providing the most secure forum experience he can FOR THOSE THAT WANT IT within his time and budgetary constraints. 

If you want your input on forum security to have greater weight, put your money where your mouth is: Negotiate a sponsorship agreement with Dave that pays Gnif commercial rates!
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #38 on: April 01, 2017, 04:03:20 pm »
Nobody is safe

NSA can decrypt in less than a millisecond
At least burn some of their CPU before they can read those. Running cryptanalysis costs CPU for them at least as much as for us.
 

Offline IanB

  • Super Contributor
  • ***
  • Posts: 12179
  • Country: us
Re: The site is still not completely TLS exclusive.
« Reply #39 on: April 01, 2017, 04:10:36 pm »
...the ISP will let advertisers know that you are an electronics engineer ... plainly because you are frequenting EEVblog

Well then it sucks to be them, since I am not an electronics engineer, and nor are many others here.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #40 on: April 01, 2017, 04:19:25 pm »
As stated again and again, your arguments are moot; we cannot, and will not, force HTTPS on the user base. Now stop wasting my time.

@Technix & Ebclr,

Why are you so keen to force other users to choose between meeting the security standards you prefer or possibly abandoning this forum?

If other users choose to use the http pages it doesn't expose any data relating to your activity here that isn't already either indexed by google or trivially available by registering for a free account here.

Gnif is already committed to providing the most secure forum experience he can FOR THOSE THAT WANT IT within his time and budgetary constraints. 

If you want your input on forum security to have greater weight, put your money where your mouth is: Negotiate a sponsorship agreement with Dave that pays Gnif commercial rates!
Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrading your browser and move to HTTPS.

Logging into anything without TLS is absolutely equivalent to posting your password here. Anyone who wants to see it would be able to sniff it off the network. And if you have already logged in, the session cookie can be sniffed to impersonate you. Whenever you are using any public Wi-Fi, anyone on the same network can sniff your traffic trivially.

Even worse, once someone has grabbed your password they can try to guess account names of yours and attempt logging in using that password. Do you use the same password for a few accounts? Poof, those are gone.
« Last Edit: April 01, 2017, 04:21:46 pm by technix »
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #41 on: April 01, 2017, 04:25:45 pm »
There will be fixes/changes, but when depends on my available time. That said, I am no longer following this thread as it has devolved into an argument I couldn't care less about.


Google has a good tutorial on how to fix everything after a TLS mandate. You may, one day, find out that Google is cutting off Dave's ad revenue simply for this website not mandating TLS.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8038
  • Country: gb
Re: The site is still not completely TLS exclusive.
« Reply #42 on: April 01, 2017, 04:27:09 pm »
He doesn't need Google to give him a tutorial on doing his job.

Just bloody drop it and stop being a pest.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #43 on: April 01, 2017, 04:28:08 pm »
He doesn't need Google to give him a tutorial on doing his job.

Just bloody drop it and stop being a pest.
Here is the same to you: Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrading your browser and move to HTTPS.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8038
  • Country: gb
Re: The site is still not completely TLS exclusive.
« Reply #44 on: April 01, 2017, 04:29:09 pm »
He doesn't need Google to give him a tutorial on doing his job.

Just bloody drop it and stop being a pest.
Here is the same to you: Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrading your browser and move to HTTPS.

I am using HTTPS. And no, posting your password publicly, intentionally making it visible to anyone with no effort on their part, is NOT the same thing. Especially if you're not transmitting it cleartext over wifi.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #45 on: April 01, 2017, 04:33:31 pm »
He doesn't need Google to give him a tutorial on doing his job.

Just bloody drop it and stop being a pest.
Here is the same to you: Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrading your browser and move to HTTPS.

I am using HTTPS. And no, posting your password publicly, intentionally making it visible to anyone with no effort on their part, is NOT the same thing. Especially if you're not transmitting it cleartext over wifi.
How many public Wi-Fi hotspots employ any form of security other than a login form? Data over the radio is not encrypted unless something no weaker than WPA2-AES is deployed. (WEP is as broken as plaintext. A gaming laptop with a GTX 980 can make short work of searching the wimpy key space.) If the website itself does not encrypt the data, well, your password or session cookie will be sniffed.

And that does not include the ISP-level sniffing.
 
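Replies #40 and #45 above both describe a passive observer lifting a login password and a session cookie from cleartext HTTP. The following added example (not code from the thread, the forum software, or EEVblog) makes that concrete: it walks a captured client-to-server byte stream, splits it into requests using Content-Length, and pulls out form credentials and session cookies. The capture is a constructed byte string, and the form field names (`user`, `passwrd`) and cookie names (`PHPSESSID`, `SMFCookie`) are assumptions chosen for illustration.

```python
"""Added example: what a passive on-path observer recovers from cleartext HTTP.
The capture, field names and cookie names are constructed/assumed, not real traffic."""
import re
from urllib.parse import parse_qs

SECRET_FIELDS = ("passwrd", "password", "passwd", "pass")   # assumed form field names
USER_FIELDS = ("user", "username", "login")                 # assumed form field names
SESSION_COOKIES = ("PHPSESSID", "SMFCookie")                # assumed cookie names


def build_request(method: str, target: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialise one HTTP/1.1 request; Content-Length is computed so the stream parses."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def split_requests(stream: bytes):
    """Split a reassembled client->server byte stream into (head, body) pairs."""
    requests = []
    while stream:
        sep = stream.find(b"\r\n\r\n")
        if sep < 0:
            break  # truncated capture: ignore the partial tail
        head, rest = stream[:sep].decode("latin-1"), stream[sep + 4:]
        m = re.search(r"^content-length:\s*(\d+)\s*$", head, re.I | re.M)
        n = int(m.group(1)) if m else 0
        requests.append((head, rest[:n]))
        stream = rest[n:]
    return requests


def harvest(stream: bytes):
    """Return findings as ('password', host, user, secret) or ('session', host, cookie, value)."""
    findings = []
    for head, body in split_requests(stream):
        request_line, *header_lines = head.split("\r\n")
        method, _target, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get("host")
        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))   # percent-decoding happens here
            user = next((form[f][0] for f in USER_FIELDS if f in form), "?")
            for f in SECRET_FIELDS:
                if f in form:
                    findings.append(("password", host, user, form[f][0]))
        if "cookie" in headers:
            for part in headers["cookie"].split(";"):
                name, _, value = part.strip().partition("=")
                if name in SESSION_COOKIES:
                    findings.append(("session", host, name, value))
    return findings


# Constructed capture: a login POST followed by a request that carries the session cookie.
CAPTURE = (
    build_request("POST", "/forum/index.php?action=login2",
                  {"Host": "forum.example.com",
                   "Content-Type": "application/x-www-form-urlencoded"},
                  b"user=alice&passwrd=hunter2%21&cookielength=60")
    + build_request("GET", "/forum/unread/",
                    {"Host": "forum.example.com",
                     "Cookie": "PHPSESSID=9c1f0a7e; SMFCookie=abc123"})
)

if __name__ == "__main__":
    for finding in harvest(CAPTURE):
        print(finding)
```

Fed a real reassembled TCP payload from a plaintext session, the same parser yields the same kind of output; over TLS the observer holds only ciphertext and `split_requests` finds no request at all, which is the whole difference the thread is arguing about.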

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12996
Re: The site is still not completely TLS exclusive.
« Reply #46 on: April 01, 2017, 04:39:35 pm »
In reply to Technix's reply #40,

I am well aware of that and accept the possibility that someone can sniff my session and use it to impersonate me.  However those with access have very little to gain by impersonating me or taking over my account and locking me out, and the cost, effort and risks of doing so are relatively high, so it's vanishingly unlikely unless I attract the ire of J Random Cracker who's been pissed off by some other Ian.M on the net, and even so, as I don't use WiFi, they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.

If I was a public figure or political activist it would be a different matter.

I say again: How does my acceptance of an insecure session here compromise *YOUR* security?
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #47 on: April 01, 2017, 04:50:31 pm »
they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.
Your ISP is there.

You will be sold as your ISP's product to ad companies. You probably already have been.

Also a money-driven hacker sniffing a password from EEVblog may lead to hacking into your email account. That can lead to your PayPal account or online banking account. Now kiss your life savings goodbye. All the hacker wants is your money. They may even put you into debt if your bank allows online loans. Hope your local law enforcement can solve that...
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8038
  • Country: gb
Re: The site is still not completely TLS exclusive.
« Reply #48 on: April 01, 2017, 04:51:46 pm »
they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.
Your ISP is there.

You will be sold as your ISP's product to ad companies. You probably already have been.

Also a money-driven hacker sniffing a password from EEVblog may lead to hacking into your email account. That can lead to your PayPal account or online banking account. Now kiss your life savings goodbye. All the hacker wants is your money. They may even put you into debt if your bank allows online loans. Hope your local law enforcement can solve that...

Using TLS on websites does not fix poor password policy.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #49 on: April 01, 2017, 04:55:04 pm »
they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.
Your ISP is there.

You will be sold as your ISP's product to ad companies. You probably already have been.

Also a money-driven hacker sniffing a password from EEVblog may lead to hacking into your email account. That can lead to your PayPal account or online banking account. Now kiss your life savings goodbye. All the hacker wants is your money. They may even put you into debt if your bank allows online loans. Hope your local law enforcement can solve that...

Using TLS on websites does not fix poor password policy.
At least hackers cannot simply sniff it off your connection, regardless of what your password might be. They need to perform some cryptanalysis for that password. TLS does not enforce a good password policy, but transmitting a password in plaintext ruins any password policy regardless of how good it is.

So enable TLS and change your password with TLS on. Done, whatever the hacker had is now useless.
« Last Edit: April 01, 2017, 04:56:46 pm by technix »
 

