Instead of the ghetto self-signed HTTPS certificate maybe Sciencemadness could consider using Let's Encrypt https://letsencrypt.org/.
Eventually you should be able to get a real certificate automatically for free. It's developed by the EFF to promote widespread encryption and fight
global surveillance and censorship.

aga - 8-11-2015 at 11:22
What for ?
Is there something to hide here on this publicly viewable website ?

Bert - 8-11-2015 at 11:31
We've had a couple of other go 'rounds in the last year or so about communication security.
Apparently, a nice single solution that everyone can use is very efficient- For the people breaking that security. Even more so when those interested
paid for nearly all the development and were in on the ground floor.
Is there something to hide here on this publicly viewable website ?
and here goes the first step to totalitarianism. It is best expressed by, "if you don't have anything to hide.."
This is not personal aga.. it's meant to be reflective. Encryption is the digital equivalent of entering a club room to discuss club business or more
generally, putting a letter in an envelope. Transparency depersonalizes communication and promotes the mores held by the most vocal and powerful.
Edited to add: https sites abound; I see no stigma attached to https
I'm in favor of an encryption protocol that is easy to use and effective against brute force attacks. Exchanging key pairs seems too tortuous a path.
I wonder if we might be able to secure the site better than it is but I favor being able to surf the site without joining and making joining
relatively easy.
[Edited on 8-11-2015 by chemrox]

Polverone - 8-11-2015 at 12:37
I have been planning to use Let's Encrypt since I first heard about it. I will set it up after it's out of beta.

aga - 8-11-2015 at 13:55
Erm, however you connect to this site, it is publicly viewable once you make a Post.
What is the Point of encrypting the connection that posts it ?
Your pervy U2Us ?
Edit:
Hopefully not some vague notion that you're Safe !
[Edited on 8-11-2015 by aga]

gdflp - 8-11-2015 at 14:06
Erm, however you connect to this site, it is publicly viewable once you make a Post.
What is the Point of encrypting the connection that posts it ?
Your pervy U2Us ?
Edit:
Hopefully not some vague notion that you're Safe !
[Edited on 8-11-2015 by aga]
It protects your browsing history, so that you can't be tracked by prying eyes who may either incorrectly connect the dots between your viewing
history and your intentions, or investigate you further simply because of an apparent interest in certain topics. It also helps to secure the content
in References and Whimsy.

aga - 8-11-2015 at 15:28
Oh dear.
All Safety is an Illusion.
Whatever you do on t'Internet, however you do it, you are tracked, traceable and accountable.
Think harder, faster, smarter - whatever it takes to realise how SSL works.
[Edited on 8-11-2015 by aga]
I know you are a forum personality so I am going to accept this comment for what it is
Encryption is not about keeping forum messages a secret. It's about saying NO to people who think it's ok to spy on everything you do for their own
ends. This information is incredibly easy to abuse.
For example the UK openly wants to be able to read every communication in the country and block internet porn. If you are against this you must be a
terrorist or a kiddy fiddler right?
Giving up is not an option. It's like those people who say they don't vote because it doesn't matter. It's literally the only thing you can do, don't
throw it away.

kecskesajt - 9-11-2015 at 21:07
We have HTTPS but it doesn't really need certification.
There is a pop-up but that doesn't really matter.
(Offtopic: I rooted phone, downloaded dSploit, started it and then logged in to SM by my PC. I could immediately see my password on my phone...)

aga - 10-11-2015 at 09:33
I know you are a forum personality so I am going to accept this comment for what it is
Accept it for what it is : the ramblings of a drunkard.
Having worked on and in this t'internet madness since it began, take it from me that whatever you do on the Internet, however you do it, you are being
watched.
All OpenSource source code is subject to scrutiny by people Other than the contributors.
Quite often people think that encryption is a magic-bullet.
It isn't. At the very least you're going to connect to an IP address, and that is logged, along with the protocol(s) you use to connect to that IP.
The amount of data you send/receive, when that happens, which ports you're using - it's all logged.
Simple statistical analysis pops up a list of the things people are likely to be doing and quickly highlights those connections worthy of deeper
analysis.

unionised - 10-11-2015 at 12:18
I'm prepared to believe that there is someone somewhere with a legitimate reason to send information without it being read by others and without
anyone knowing to whom he sent it.
It doesn't matter much who he is, or what the data is.
I understand that he can use something like TOR to do that.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
But if he was the only one using it, the system wouldn't work. (It's a bit like being the only one wearing camouflage gear- you stick out)
It needs to have lots of other traffic to "bury" his contribution.
So, perhaps we should use systems like TOR in order to protect those who really need to use it.
The irony is that it's quite possible that no two of us would agree on who we should help in this way- but it doesn't matter.

aga - 10-11-2015 at 13:01
Oh !
Stupid me.
Of course entrusting unknown entities on the internet with your security is obviously the Best Security Plan Ever.
(this is absolute Sarcasm, just in case anyone gets confused)

The Volatile Chemist - 10-11-2015 at 15:44
Why don't we use PGP on our U2Us too?!?!?! (This, too, is sarcasm).
It doesn't really matter. If you've ever logged in with HTTP, then everybody knows you use the site and who you are. If any single person were to be
able to get in and send content to someone interested, security would be breached. I don't think using letsencrypt is that big of a deal.
Also, 'Pervy U2Us' and 'ghetto self-signed HTTPS' are hilarious, and indirectly oxymoronic (not to be confused with oxyanions).

Polverone - 18-6-2016 at 14:33
The site is now live with Let's Encrypt for HTTPS connections. I have not yet made HTTP-to-HTTPS redirects automatic but I plan to in the future.
At the same time I performed a number of other upgrades:
* Host machine's underlying virtualization technology switched from Xen to KVM
* RAM upgraded to 4 GB from 2 GB
* Upgraded to Ubuntu 16.04 from 14.04
During the database updates I ran out of disk space for temporary tables. This meant I had to delete the forum archive to make room. I am re-uploading
the archive again now but it will take a few days over my slow home connection.

Oscilllator - 18-6-2016 at 23:34
Yay! No more messages from Chrome saying this site is insecure.

NEMO-Chemistry - 19-6-2016 at 01:03
At the moment in the UK there has been an enquiry into the police and some football incident that happened years ago in Yorkshire. And I think they
are looking into a strike that happened years ago, the point is the police lied time and again apparently, even in legal settings.
I can see why people want to protect themselves but ultimately if they want you bad enough then it looks like they just lie and do you anyway.
And now we have a policy in the UK where ISPs have to record every email etc, not sure but maybe using wifi hot spots? but then to me sniffers would
target those places?

Marvin - 19-6-2016 at 04:21
Thumbs up to Let's Encrypt signed SSL. Working well on Ubuntu/Chrome and also working in XP, which not all SSL sites currently do. Much much better.

The Volatile Chemist - 23-6-2016 at 11:15
Do we already have it implemented? Nice. But weren't there some recent complaints about SSL not working for some?

macckone - 23-6-2016 at 14:57
You don't need security until something like the Spanish Inquisition or the Red Scare. But if you wait until then it is already too late. The
primary things needing protecting are passwords. Only ref, whimsy, and u2u aren't public. I would not be surprised to find that numerous government
agencies monitor traffic and the EM forums to tie users to posts. Don't think that https will prevent traffic analysis.