Sciencemadness Discussion Board
Author: Subject: Let's Encrypt
mr.crow
National Hazard
****




Posts: 884
Registered: 9-9-2009
Location: Canada
Member Is Offline

Mood: 0xFF

[*] posted on 8-11-2015 at 11:13
Let's Encrypt


Instead of the ghetto self-signed HTTPS certificate maybe Sciencemadness could consider using Let's Encrypt https://letsencrypt.org/.

Eventually you should be able to get a real certificate automatically for free. It's developed by the EFF to promote widespread encryption and fight global surveillance and censorship.




Double, double toil and trouble; Fire burn, and caldron bubble
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 8-11-2015 at 11:22


What for ?

Is there something to hide here on this publicly viewable website ?




Bert
Super Administrator
*********




Posts: 2821
Registered: 12-3-2004
Member Is Offline

Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".

[*] posted on 8-11-2015 at 11:31


https://pando.com/2014/07/16/tor-spooks/

We've had a couple of other go 'rounds in the last year or so about communication security.

Apparently, a nice single solution that everyone can use is very efficient- For the people breaking that security. Even more so when those interested paid for nearly all the development and were in on the ground floor.

Let the flaming begin...

https://pando.com/2014/11/14/tor-smear/




Rapoport’s Rules for critical commentary:

1. Attempt to re-express your target’s position so clearly, vividly and fairly that your target says: “Thanks, I wish I’d thought of putting it that way.”
2. List any points of agreement (especially if they are not matters of general or widespread agreement).
3. Mention anything you have learned from your target.
4. Only then are you permitted to say so much as a word of rebuttal or criticism.

Anatol Rapoport was a Russian-born American mathematical psychologist (1911-2007).

Bert
Super Administrator
*********




Posts: 2821
Registered: 12-3-2004
Member Is Offline

Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".

[*] posted on 8-11-2015 at 11:34


Quote: Originally posted by aga  
What for ?

Is there something to hide here on this publicly viewable website ?


"The wicked flee when no man pursueth: but the righteous are bold as a lion."




chemrox
International Hazard
*****




Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline

Mood: LaGrangian

[*] posted on 8-11-2015 at 12:34


Quote: Originally posted by aga  
What for ?

Is there something to hide here on this publicly viewable website ?

And here goes the first step to totalitarianism. It is best expressed by, "if you don't have anything to hide.."

This is not personal aga.. it's meant to be reflective. Encryption is the digital equivalent of entering a club room to discuss club business or more generally, putting a letter in an envelope. Transparency depersonalizes communication and promotes the mores held by the most vocal and powerful.

Edited to add: https sites abound; I see no stigma attached to https

I'm in favor of an encryption protocol that is easy to use and effective against brute force attacks. Exchanging key pairs seems too tortuous a path.

I wonder if we might be able to secure the site better than it is but I favor being able to surf the site without joining and making joining relatively easy.

[Edited on 8-11-2015 by chemrox]




"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 8-11-2015 at 12:37


I have been planning to use Let's Encrypt since I first heard about it. I will set it up after it's out of beta.



PGP Key and corresponding e-mail address
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 8-11-2015 at 13:55


Erm, however you connect to this site, it is publicly viewable once you make a Post.

What is the Point of encrypting the connection that posts it ?

Your pervy U2Us ?

Edit:

Hopefully not some vague notion that you're Safe !


[Edited on 8-11-2015 by aga]




gdflp
Super Moderator
*******




Posts: 1320
Registered: 14-2-2014
Location: NY, USA
Member Is Offline

Mood: Staring at code

[*] posted on 8-11-2015 at 14:06


Quote: Originally posted by aga  
Erm, however you connect to this site, it is publicly viewable once you make a Post.

What is the Point of encrypting the connection that posts it ?

Your pervy U2Us ?

Edit:

Hopefully not some vague notion that you're Safe !


[Edited on 8-11-2015 by aga]

It protects your browsing history, so that you can't be tracked by prying eyes who may either incorrectly connect the dots between your viewing history and your intentions, or investigate you further simply because of an apparent interest in certain topics. It also helps to secure the content in References and Whimsy.
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 8-11-2015 at 15:28


Oh dear.

All Safety is an Illusion.

Whatever you do on t'Internet, however you do it, you are tracked, traceable and accountable.

It is all digital, all easy, all tapped.

Depend on it.

Edit:

Quote: Originally posted by mr.crow  
Instead of the ghetto self-signed HTTPS certificate

Self-signing is obviously Less secure than relying on an External, Global organisation is it ?

Think harder, faster, smarter - whatever it takes to realise how SSL works.

[Edited on 8-11-2015 by aga]




Bert
Super Administrator
*********




Posts: 2821
Registered: 12-3-2004
Member Is Offline

Mood: " I think we are all going to die. I think that love is an illusion. We are flawed, my darling".

[*] posted on 8-11-2015 at 16:39


I'm going to shut the heck up until I know what I'm talking about... Might be a few years.



mr.crow
National Hazard
****




Posts: 884
Registered: 9-9-2009
Location: Canada
Member Is Offline

Mood: 0xFF

[*] posted on 9-11-2015 at 18:55


Quote: Originally posted by aga  

Think harder, faster, smarter - whatever it takes to realise how SSL works.
[Edited on 8-11-2015 by aga]


I know you are a forum personality so I am going to accept this comment for what it is

Encryption is not about keeping forum messages a secret. It's about saying NO to people who think it's OK to spy on everything you do for their own ends. This information is incredibly easy to abuse.

For example the UK openly wants to be able to read every communication in the country and block internet porn. If you are against this you must be a terrorist or a kiddy fiddler right?

Giving up is not an option. It's like those people who say they don't vote because it doesn't matter. It's literally the only thing you can do, don't throw it away.




kecskesajt
Hazard to Others
***




Posts: 299
Registered: 7-12-2014
Location: Hungary
Member Is Offline

Mood: No Mood

[*] posted on 9-11-2015 at 21:07


We have HTTPS but it doesn't really need certification.
There is a pop-up but that doesn't really matter.
(Offtopic: I rooted my phone, downloaded dSploit, started it and then logged in to SM by my PC. I could immediately see my password on my phone...)
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 10-11-2015 at 09:33


Quote: Originally posted by mr.crow  
I know you are a forum personality so I am going to accept this comment for what it is

Accept it for what it is : the ramblings of a drunkard.

Having worked on and in this t'internet madness since it began, take it from me that whatever you do on the Internet, however you do it, you are being watched.

All OpenSource source code is subject to scrutiny by people Other than the contributors.

Quite often people think that encryption is a magic-bullet.

It isn't. At the very least you're going to connect to an IP address, and that is logged, along with the protocol(s) you use to connect to that IP.

The amount of data you send/receive, when that happens, which ports you're using - it's all logged.

Simple statistical analysis pops up a list of the things people are likely to be doing and quickly highlights those connections worthy of deeper analysis.




unionised
International Hazard
*****




Posts: 5128
Registered: 1-11-2003
Location: UK
Member Is Offline

Mood: No Mood

[*] posted on 10-11-2015 at 12:18


I'm prepared to believe that there is someone somewhere with a legitimate reason to send information without it being read by others and without anyone knowing to whom he sent it.
It doesn't matter much who he is, or what the data is.

I understand that he can use something like TOR to do that.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)

But if he was the only one using it, the system wouldn't work. (It's a bit like being the only one wearing camouflage gear- you stick out)
It needs to have lots of other traffic to "bury" his contribution.
So, perhaps we should use systems like TOR in order to protect those who really need to use it.
The irony is that it's quite possible that no two of us would agree on who we should help in this way- but it doesn't matter.
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 10-11-2015 at 13:01


Oh !

Stupid me.

Of course entrusting unknown entities on the internet with your security is obviously the Best Security Plan Ever.

(this is absolute Sarcasm, just in case anyone gets confused)




The Volatile Chemist
International Hazard
*****




Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline

Mood: Copious

[*] posted on 10-11-2015 at 15:44


Why don't we use PGP on our U2Us too?!?!?! (This, too, is sarcasm).
It doesn't really matter. If you've ever logged in with HTTP, then everybody knows you use the site and who you are. If any single person were to be able to get in and send content to someone interested, security would be breached. I don't think using letsencrypt is that big of a deal.
Also, 'Pervy U2Us' and 'ghetto self-signed HTTPS' are hilarious, and indirectly oxymoronic (not to be confused with oxyanions).




Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 18-6-2016 at 14:33


The site is now live with Let's Encrypt for HTTPS connections. I have not yet made HTTP-to-HTTPS redirects automatic but I plan to in the future.

At the same time I performed a number of other upgrades:

* Host machine's underlying virtualization technology switched from Xen to KVM
* RAM upgraded to 4 GB from 2 GB
* Upgraded to Ubuntu 16.04 from 14.04

During the database updates I ran out of disk space for temporary tables. This meant I had to delete the forum archive to make room. I am re-uploading the archive again now but it will take a few days over my slow home connection.




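Added example, not part of the original thread and not the site's own code: a check for the state described in the post above (HTTPS live, HTTP-to-HTTPS redirect not yet automatic), in which a login made over plain HTTP is still sent in cleartext. The host name `forum.example`, the cookie name `sid`, the HSTS threshold and both sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example


def header_values(headers, name):
    """All values of a header (case-insensitive) from (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit(host, http_resp, https_resp):
    """Findings for GET / over each scheme; a response is (status, headers)."""
    findings = []
    status, headers = http_resp
    location = (header_values(headers, "Location") or [None])[0]
    target = urlsplit(location) if location else None
    if status not in (301, 302, 307, 308) or target is None:
        findings.append("http: no redirect to https")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("http: redirect does not go to https://" + host)

    _, headers = https_resp
    hsts = header_values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("https: no Strict-Transport-Security header")
    else:
        max_age = 0
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip('"').isdigit():
                max_age = int(value.strip('"'))
        if max_age < MIN_HSTS_AGE:
            findings.append("https: HSTS max-age below %d" % MIN_HSTS_AGE)
    # A session cookie without Secure is also sent on any plain-HTTP request.
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("https: cookie %r lacks Secure" % name)
    return findings

# Constructed responses: HTTPS live but HTTP still served, then the fixed state.
BEFORE = ((200, [("Set-Cookie", "sid=abc123; path=/")]),
          (200, [("Set-Cookie", "sid=abc123; path=/")]))
AFTER = ((301, [("Location", "https://forum.example/")]),
         (200, [("Strict-Transport-Security", "max-age=31536000"),
                ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")]))

if __name__ == "__main__":
    for label, (plain, tls) in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("forum.example", plain, tls))
```
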
Oscilllator
National Hazard
****




Posts: 659
Registered: 8-10-2012
Location: The aqueous layer
Member Is Offline

Mood: No Mood

[*] posted on 18-6-2016 at 23:34


Yay! No more messages from chrome saying this site is insecure.
NEMO-Chemistry
International Hazard
*****




Posts: 1559
Registered: 29-5-2016
Location: UK
Member Is Offline

Mood: No Mood

[*] posted on 19-6-2016 at 01:03


At the moment in the UK there has been an enquiry into the police and some football incident that happened years ago in Yorkshire. And I think they are looking into a strike that happened years ago, the point is the police lied time and again apparently, even in legal settings.

I can see why people want to protect themselves but ultimately if they want you bad enough then it looks like they just lie and do you anyway.

And now we have a policy in the UK where ISPs have to record every email etc, not sure but maybe using wifi hot spots? but then to me sniffers would target those places?
Marvin
National Hazard
****




Posts: 995
Registered: 13-10-2002
Member Is Offline

Mood: No Mood

[*] posted on 19-6-2016 at 04:21


Thumbs up to Let's Encrypt signed SSL. Working well on Ubuntu/Chrome and also working in XP, which not all SSL sites currently do. Much much better.
The Volatile Chemist
International Hazard
*****




Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline

Mood: Copious

[*] posted on 23-6-2016 at 11:15


Do we already have it implemented? Nice. But weren't there some recent complaints about SSL not working for some?



macckone
Dispenser of practical lab wisdom
*****




Posts: 2168
Registered: 1-3-2013
Location: Over a mile high
Member Is Offline

Mood: Electrical

[*] posted on 23-6-2016 at 14:57


You don't need security until something like the Spanish Inquisition or the Red Scare. But if you wait until then it is already too late. The primary things needing protecting are passwords. Only ref, whimsy, and u2u aren't public. I would not be surprised to find that numerous government agencies monitor traffic and the EM forums to tie users to posts. Don't think that https will prevent traffic analysis.