Topic: The site is still not completely TLS exclusive.


Offline Monkeh

« Reply #50 on: April 01, 2017, 04:55:42 pm »
TLS is available. Please change your password and STFU.
 

Offline technix (Topic starter)

« Reply #51 on: April 01, 2017, 05:00:04 pm »
Quote
TLS is available. Please change your password and STFU.

I have already done that.

Just not seeing the green padlock on every page makes me a bit uncomfortable, especially knowing that this specific forum software puts a login box on any page if you have not been logged in.

If that feature can be turned off, at least turn that login anywhere feature off, and use absolutely mandated TLS on the login and password change pages. Session cookies can still be sniffed, but at least passwords are safe.
 

Offline ebclr

« Reply #52 on: April 01, 2017, 05:03:40 pm »
I also changed my password

Was 12345

now

secret....
 

Elf

« Reply #53 on: April 01, 2017, 06:42:55 pm »
Quote
Logging into anything without TLS is absolutely equivalent to posting your password here. Anyone want to see it would be able to sniff it off the network. And if you have already logged in the session cookie can be sniffed to impersonate you. Whenever you are using any public Wi-Fi anyone on the same network can sniff your traffic trivially.

I appreciate good cryptography, well implemented and liberally applied, but this argument is over the top. You might as well say: "Don't have a conversation in your bedroom, because someone might be listening outside with a laser microphone. Otherwise, you might as well take out an ad and post a transcript in the New York Times."

There is nothing you say that is technically inaccurate. Yes, unencrypted traffic is trivial to intercept on any broadcast medium. Yes, the Internet is a scary and untrusted place. But to compare someone local going through the effort of extracting an EEVblog forum login over public wifi and then deciding to abuse it, versus posting those credentials in a public forum indexed by search engines, is hyperbolic at best.

It also ignores simple things that you, the user, can do to reduce your own risk:
  • Using proper password management, so that credentials aren't useful in more than one place
  • Logging out to invalidate your session authentication
  • Tunneling your traffic to a more trusted location closer to major transit providers (i.e. using a VPN), if you're on an untrusted network

I understand the incentive to want to push out best-practices TLS to protect unskilled users, but really, in this context? The stakes couldn't be lower. I'm pretty sure there isn't a black market for EEVblog forum logins. That kind of energy would be better directed at the poor security of banks and other more important institutions.
 

Offline PA0PBZ

« Reply #54 on: April 01, 2017, 06:59:07 pm »
Quote
Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrade your browser and move to HTTPS.
Logging into anything without TLS is absolutely equivalent to posting your password here. Anyone want to see it would be able to sniff it off the network. And if you have already logged in the session cookie can be sniffed to impersonate you. Whenever you are using any public Wi-Fi anyone on the same network can sniff your traffic trivially.

I hereby give you permission to post my password here. If it is that simple I guess it will not take you longer than 48 hours?
So you have 48 hours, after that the permission is withdrawn.

Keyboard error: Press F1 to continue.
 
The following users thanked this post: Monkeh, Ian.M, Kelbit

Offline bitseeker

« Reply #55 on: April 01, 2017, 07:02:34 pm »
Quote
Just not seeing the green padlock on every page makes me a bit uncomfortable, especially knowing that this specific forum software puts a login box on any page if you have not been logged in.

The lack of the green padlock is due to some smiley icons still using http instead of https. This is a known issue and is in the queue to be fixed. So, there's nothing to worry about. If in doubt, check the stuff on the page as to what is or isn't encrypted.
TEA is the way. | TEA Time channel
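
A check of the kind described in the reply above, as an added example that is not part of the original thread: a small Python scanner that lists which subresources and password-form targets on an HTTPS page still use plain http. The sample page, the `forum.example` host, the paths and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, class). Active content can rewrite the page if it is
# tampered with in transit; passive content is only displayed.
FETCHES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []        # (kind, tag, absolute URL), document order
        self._form_action = None  # action URL of the form currently open

    def _absolute(self, raw):
        # Relative and protocol-relative URLs inherit the page's scheme.
        return urljoin(self.page_url, raw or "")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = self._absolute(a.get("action"))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # A password field whose form posts to http:// sends it in clear.
            if self._form_action and urlsplit(self._form_action).scheme == "http":
                self.findings.append(("credential-form", "form", self._form_action))
        elif tag in FETCHES:
            attr, kind = FETCHES[tag]
            rel = (a.get("rel") or "").lower().split()
            if tag == "link" and "stylesheet" not in rel:
                return            # canonical/alternate links are not fetched
            url = self._absolute(a.get(attr)) if a.get(attr) else ""
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def scan(page_url, html):
    """Return every plain-http subresource or credential form on the page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; forum.example and all paths are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/Themes/default/index.css">
<link rel="canonical" href="http://forum.example/index.php?topic=1">
<script src="//static.forum.example/script.js"></script></head><body>
<form action="https://forum.example/login" method="post">
<input type="text" name="user"><input type="password" name="passwrd"></form>
<img src="http://forum.example/Smileys/scared.gif" alt=":scared:">
<form action="http://forum.example/login2" method="post">
<input type="password" name="passwrd"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan("https://forum.example/index.php?topic=1", SAMPLE_PAGE):
        print(*finding)
```

On the sample, only the smiley image and the second login form are reported; the canonical link is not a fetch, and the relative and protocol-relative URLs inherit https from the page.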
 

Offline med6753

« Reply #56 on: April 01, 2017, 08:10:13 pm »
I am not an IT or security expert so please excuse my ignorance. But could someone please explain, in simple and direct terms, what the issue is that is causing all this fuss and twisted panties?

Am I open to a hack attack if I continue to participate in this forum?

Do I need a tinfoil hat? Watch out for black helicopters?  :-// :scared:

An old gray beard with an attitude.
 

Offline ebclr

« Reply #57 on: April 01, 2017, 08:56:34 pm »
Basically, it is a fool who does not have anything to do and wants to play at finding problems where they do not exist.
 

Offline rrinker

« Reply #58 on: April 01, 2017, 10:29:43 pm »
Oh no! people know I frequent the EEVBlog!  :scared: :scared: :scared:

SSL inspection and rewrite is a standard feature of many firewalls and web filters (and yes, it does cause problems). There's really nothing that stops these devices from making other alterations to the packet stream if they really wanted to do bad things. The alternative is to configure such devices to just pass SSL unchecked, and that simply does not fly in many types of businesses. This is nothing new.

Maybe if I stayed off of here I'd get more work done on my projects....
 

Offline bitseeker

« Reply #59 on: April 01, 2017, 10:41:34 pm »
Quote
I am not an IT or security expert so please excuse my ignorance. But could someone please explain, in simple and direct terms, what the issue is that is causing all this fuss and twisted panties?

Simply put, the security of the forum is being enhanced and there are some niggles remaining to be worked out. Proceed in the usual fashion.

Quote
Am I open to a hack attack if I continue to participate in this forum?

Turning on a computer that is connected to the Internet makes it potentially vulnerable to hack attacks.

Quote
Do I need a tinfoil hat? Watch out for black helicopters?  :-// :scared:

Not unless you needed to before reading the forum today.

Nothing more to see here. Enjoy your stay at the EEVblog forum.
TEA is the way. | TEA Time channel
 
The following users thanked this post: PointyOintment

Offline RGB255_0_0

« Reply #60 on: April 01, 2017, 11:34:32 pm »
Quote
Oh no! people know I frequent the EEVBlog!  :scared: :scared: :scared:
SSL inspection and rewrite is a standard feature of many firewalls and web filters (and yes, it does cause problems). There's really nothing that stops these devices from making other alterations to the packet stream if they really wanted to do bad things. The alternative is to configure such devices to just pass SSL unchecked, and that simply does not fly in many types of businesses. This is nothing new.
Maybe if I stayed off of here I'd get more work done on my projects....

The ISP knows you will have gone regardless of SSL. The metadata is enough for the ISP to build up a profile. In some countries they no doubt already do.

The SSL issue is just a broad brush stroke over finally moving from an unencrypted connection and dumping HTTP completely. Eventually.
Your toaster just set fire to an African child over TCP.
 

Offline PointyOintment

« Reply #61 on: April 01, 2017, 11:49:26 pm »
Quote
SSL inspection and rewrite is a standard feature of many firewalls and web filters (and yes, it does cause problems). There's really nothing that stops these devices from making other alterations to the packet stream if they really wanted to do bad things. The alternative is to configure such devices to just pass SSL unchecked, and that simply does not fly in many types of businesses. This is nothing new.

They can only do that if at least one of the following is true:
- They have installed their MitM system's certificate on your computer, or tricked you into installing it. (On a corporate computer, this is easy, because they own it and presumably have system imaging and remote admin capabilities.) You can detect that this is happening using certificate fingerprinting, but you can't prevent it without uninstalling the certificate. (In a corporate environment, uninstalling the certificate, or attempting to bypass the MitM proxy after having done so, might trigger some alarms.)
- They have stolen the private key of the website you are trying to connect to, and can therefore perfectly impersonate that website. Preventing this is reliant on the server's security—the key could be obtained by e.g. RCE or Heartbleed.
- They have control over a CA that your computer already trusts. There are some questionable CAs that come preinstalled on whichever OS—do you really trust them all? (Such as the Hong Kong Post Office?)

Quote
they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.

Your ISP is there.

You will be sold as your ISP's product to ad companies. You probably already have been.

HTTPS cannot prevent your ISP knowing which sites you visit. Even with HTTPS, the domain name has to be sent in the clear to the server (i.e. after DNS stuff is done), to enable the server (which might host multiple websites) to know which site you're requesting. Now, I don't know the details of what the US just decided to allow ISPs to do, but if they're allowed to sell to advertisers a database of correlations between customer IP addresses and domain names, or interests, HTTPS will not hinder that. A good (paid) VPN service will prevent that. I got a lifetime subscription to one from MakeUseOf Deals—I see such offers on the various deals sites pretty often. You can look up reviews and comparisons of the various VPN services if you like—the one I got is pretty well reviewed.

Quote from: Ian.M and others
[various claims about not being able to use HTTPS]

Please explain. I cannot think of a reasonable reason to not be able to use HTTPS. Do you insist on browsing the forum using WebTV or an ancient Palm PDA?
I refuse to use AD's LTspice or any other "free" software whose license agreement prohibits benchmarking it (which implies it's really bad) or publicly disclosing the existence of the agreement. Fortunately, I haven't agreed to that one, and those terms are public already.
 

Offline Monkeh

« Reply #62 on: April 02, 2017, 12:20:53 am »
Quote
Please explain. I cannot think of a reasonable reason to not be able to use HTTPS. Do you insist on browsing the forum using WebTV or an ancient Palm PDA?

Some people insist they are completely unable to upgrade to a modern OS and refuse to use one of the several available browsers with their own TLS stacks supporting modern crypto.
 

Offline TerraHertz

« Reply #63 on: April 02, 2017, 12:52:52 am »
Oh, so something about the forum _did_ change on April 1st. It was confusing me, since that morning was when I noticed my preferred browser (Opera 12.15, the last version before it got Chrome-borged) suddenly stopped working with eevblog.
That something in the browser error log suggests that _somehow_ Opera auto-updates got turned back on (should be impossible), and it's April Fools day, made me think the change/fault was at my end. But it's too deep for my little net knowledge to figure out what was going wrong. Screenshot of how eevblog suddenly looks like, and the error log. I had no idea.

But yes, that Opera version is incapable of handling some forms of encryption. Firefox still works with eevblog, so I guess I'll have to use that instead of Opera from now on.

As for https, complete waste of time in my view. If you've been following the wiki and other leaks about CIA hacking utilities, you'd be aware the entire computing ecosystem is totally compromised, from the hardware (CPU backdoors) up through BIOS, all OSs, and the net backbone. There are toolkits for taking over any computer system at any time, via any kind of net connection. Not to mention Microsoft and Intel embedding deliberate State backdoors in their products. The latest vault 7 (part 3? I forget) CIA-tools release (Marble) includes utilities for making hacks look like they came from other entities than the CIA. And apparently the source code for all these tools has been out in the wild for ages.

I just give up on attempting security. Run an old OS, on old hardware, old browsers, with nothing interesting on the machine and no auto-updates (so at least it's stable.) Be an unattractive target.

Anyway, so you broke compatibility with my favorite browser. Oh well, can't be helped, but at least now I know what happened.
Collecting old scopes, logic analyzers, and unfinished projects. http://everist.org
 

Offline ebclr

« Reply #64 on: April 02, 2017, 01:41:33 am »
 

Offline technix (Topic starter)

« Reply #65 on: April 02, 2017, 02:12:34 am »
Quote
they would have to be in a position of trust somewhere in the network between my router and the EEVblog server.
Your ISP is there.
You will be sold as your ISP's product to ad companies. You probably already have been.
HTTPS cannot prevent your ISP knowing which sites you visit. Even with HTTPS, the domain name has to be sent in the clear to the server (i.e. after DNS stuff is done), to enable the server (which might host multiple websites) to know which site you're requesting. Now, I don't know the details of what the US just decided to allow ISPs to do, but if they're allowed to sell to advertisers a database of correlations between customer IP addresses and domain names, or interests, HTTPS will not hinder that. A good (paid) VPN service will prevent that. I got a lifetime subscription to one from MakeUseOf Deals—I see such offers on the various deals sites pretty often. You can look up reviews and comparisons of the various VPN services if you like—the one I got is pretty well reviewed.

At least your ISP wouldn't have any idea what you are actually doing here, unless they MitM your connection (which means you have some even bigger problems.) At least your login password and session cookies are invisible.
 

Offline technix (Topic starter)

« Reply #66 on: April 02, 2017, 02:19:07 am »
Quote
Just not seeing the green padlock on every page makes me a bit uncomfortable, especially knowing that this specific forum software puts a login box on any page if you have not been logged in.
The lack of the green padlock is due to some smiley icons still using http instead of https. This is a known issue and is in the queue to be fixed. So, there's nothing to worry about. If in doubt, check the stuff on the page as to what is or isn't encrypted.

That is why I am suggesting HSTS. Supported browsers will see and remember that this website prefers proper TLS, and will silently rewrite any http://*.eevblog.com links to https://*.eevblog.com. You can then set up a reporting mechanism (supported by most modern browsers, Google have a free report collecting service any web masters can use) so whenever a link you forgot to upgrade is encountered the user's browser will report it to the web master.
 

Offline technix (Topic starter)

« Reply #67 on: April 02, 2017, 02:22:41 am »
Quote
Post your login password here, now, if you don't want to use TLS. You don't want to do that, do you? Then try upgrade your browser and move to HTTPS.
Logging into anything without TLS is absolutely equivalent to posting your password here. Anyone want to see it would be able to sniff it off the network. And if you have already logged in the session cookie can be sniffed to impersonate you. Whenever you are using any public Wi-Fi anyone on the same network can sniff your traffic trivially.
I hereby give you permission to post my password here. If it is that simple I guess it will not take you longer than 48 hours?
So you have 48 hours, after that the permission is withdrawn.

I am not a black hat hacker and stealing passwords is a criminal offense here. So I will not do that. Also this attack requires an attacker physically located near you which I am not.
 

Offline bitseeker

« Reply #68 on: April 02, 2017, 02:28:55 am »
HSTS is unnecessary since TLS is not currently required. TLS may be the default, but you can choose not to use it. It's your choice.

Once the remaining anomalies in the forum software are fixed, URLs will be generated properly and everything will work correctly with or without TLS.

If TLS was required, then HSTS would ensure that it was used.
TEA is the way. | TEA Time channel
 

Offline TerraHertz

« Reply #69 on: April 02, 2017, 02:32:33 am »
https://www.zeropc.com/

Quote
ZeroPC Web Desktop Service is Closing
...we have decided to close the ZeroPC Web Desktop service effective May 31st, 2017.
On June 1st, 2017 the servers hosting the ZeroPC service will be turned off. Please be sure to make a backup of any files that you have stored in the ZeroPC service before this date.

Highlighting just one way in which cloud storage is for the birds. That's not the solution to this situation.
Collecting old scopes, logic analyzers, and unfinished projects. http://everist.org
 

Offline technix (Topic starter)

« Reply #70 on: April 02, 2017, 02:45:43 am »
Quote
HSTS is unnecessary since TLS is not currently required. TLS may be the default, but you can choose not to use it. It's your choice.
Once the remaining anomalies in the forum software are fixed, URLs will be generated properly and everything will work correctly with or without TLS.
If TLS was required, then HSTS would ensure that it was used.

You can use HSTS along with serving HTTP pages normally. Supported browsers (which are the newer ones that support strong crypto in the first place) will default to TLS once they see the HSTS header. Older ones not supporting HSTS will blissfully ignore it.
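
The browser-side behaviour this exchange turns on, modelled as an added example that is not part of the original thread: under RFC 6797 a user agent records a Strict-Transport-Security policy only from a response received over HTTPS, and afterwards rewrites http:// URLs for that host (and its subdomains, if `includeSubDomains` was sent) until `max-age` runs out. The `forum.example` host and all function and class names are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a repeated directive voids the header
        seen[name] = val.strip().strip('"')  # max-age may be a quoted string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is required
    return int(seen["max-age"]), "includesubdomains" in seen


class HstsStore:
    """Minimal model of a user agent's list of known HSTS hosts."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, sts_header, now=None):
        """Process one response header; return True if the policy was accepted."""
        now = time.time() if now is None else now
        u = urlsplit(url)
        if u.scheme != "https":
            return False                     # ignored when seen over plain HTTP
        policy = parse_sts(sts_header)
        if policy is None:
            return False
        max_age, subdomains = policy
        if max_age == 0:
            self.hosts.pop(u.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.hosts[u.hostname] = (now + max_age, subdomains)
        return True

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # i == 0 is an exact match; parents count only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL as a user agent with stored policy would."""
        now = time.time() if now is None else now
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_known(u.hostname or "", now):
            return url
        # An explicit port 80 becomes the https default; other ports are kept.
        netloc = u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed exchange: the same header arrives over HTTP, then over HTTPS.
    print(store.note_response("http://forum.example/", "max-age=31536000"))
    print(store.note_response("https://forum.example/",
                              "max-age=31536000; includeSubDomains"))
    print(store.upgrade("http://forum.example/Smileys/scared.gif"))
```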
 

Offline Brumby

« Reply #71 on: April 02, 2017, 03:06:21 am »
This is getting ridiculous.

Wearing a seatbelt does not mean you won't die in a car crash, but it does mean you are less likely.

Bring on the HTTPSeatbelt
 

Offline technix (Topic starter)

« Reply #72 on: April 02, 2017, 03:24:58 am »
Quote
This is getting ridiculous.
Wearing a seatbelt does not mean you won't die in a car crash, but it does mean you are less likely.
Bring on the HTTPSeatbelt

That is the entire point of seatbelts. Without it you are 100% dead in a crash. With the seatbelt you have 30% likelihood to survive. That is enough to result in laws mandating seatbelts in almost all countries.

The same applies here. Without mandated TLS your session cookies are 100% leaked. With TLS it is a bit less likely to. Now this plainly warrants mandating TLS on most of the world's websites.
 

Offline Brumby

« Reply #73 on: April 02, 2017, 03:34:14 am »
Quote
Without it you are 100% dead in a crash.

That's taking things to the extreme - and incorrectly, BTW.

An invalid argument is the best way to destroy your credibility.
 

Offline technix (Topic starter)

« Reply #74 on: April 02, 2017, 04:17:37 am »
Quote
Without it you are 100% dead in a crash.
That's taking things to the extreme - and incorrectly, BTW.
An invalid argument is the best way to destroy your credibility.

Now how do you specify what a crash is then? Without a precondition your argument is invalid too.

I should have specified my precondition too though. My bad. The crash I was talking about is the standard small vehicle crash test used in China. That test model is chosen specifically to reflect the average crash condition in China (that is, normal Chinese highway speeds, hitting a target with a lot of inertia equivalent to a loaded truck.) and it results in certain death without seat belts.
 

