Can we get the forum secured?

manithree · 2018-10-21T22:14:28.000Z

79ford:

sb56637:

A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic.

This is flat out wrong. You don’t run SSL on this server yet somehow you know it’s going to cripple your server? SSL adds little to no resources, in fact with the use of features such as HTTP/2 (most up-to-date webservers support this) the load on a web server is actually LESS.

Wut? HTTP/2 and TLS are entirely separate issues. HTTP/2 works with or without encryption.

And, I’m sorry, but whatever you’re smoking, I want some. You actually believe that encrypting all the traffic plus the overhead of key exchange and protocol negotiation actually takes less CPU than not encrypting? Is that why crypto coprocessors and SSL offloading are so popular, because encryption is free?

As far as I can tell, blf runs on lunanode. If the node size it’s currently running on is nearly maxed out, you’re out of your mind if you think adding encryption is going to reduce CPU load. And upgrading costs money.

old4570 · 2018-10-22T01:13:30.000Z

Hmmmm !
It’s a flashlight forum …
Why would you be concerned about the FEDS / Interpol / your ISP on BLF ?
Or even some hacker ?
There going to find out about your latest flashlight ? and rat you out to your spouse ?

Online banking , online shopping , Feebay , and so forth . Yes HTTPS is important .
On BLF , ?/ exactly what is the nature of the threat ? / fear ?

79ford · 2018-10-22T13:35:58.000Z

manithree:

Wut? HTTP/2 and TLS are entirely separate issues. HTTP/2 works with or without encryption.

Separate but very much related. While HTTP/2 can work with HTTP most browsers DON’T support it in that method and only support HTTP/2 while using HTTPS.

“Although the standard itself does not require usage of encryption,[28] all major client implementations (Firefox,[29] Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.” - HTTP/2 - Wikipedia

“Does HTTP/2 require encryption?…However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection, and currently no browser supports HTTP/2 unencrypted” - HTTP/2 Frequently Asked Questions

“With just a simple change to the server configuration, the website performs noticeably better over HTTP/2 than HTTP/1.1. The page load time dropped by over 13% thanks to fewer TCP connections, resulting in a lower time to first byte” - 2018 – Pingdom Year in Review - Pingdom

old4570:

Hmmmm !
It’s a flashlight forum …
Why would you be concerned about the FEDS / Interpol / your ISP on BLF ?

That’s a great question and one I see from many people. It’s just a flash light forum, or it’s just a personal blog, or it’s just a website about turtles… who cares.

So while some people would like for you to believe it’s very uncommon for anyone to be snooping data connections. This is absolutely the case. In fact many people do so at public wifi spots, many companies security devices do just that, all potentially leaking your username and password.

Even though some here in this thread have said SSL is no big deal… not one of them has posted their password.

Leaking of passwords is bad for obvious reasons. One of which is while some here are using password managers (kudo’s by the way!!) many people don’t and many re-use passwords. So while you’re connected to the internet and someone is snooping over that traffic (and they do, believe it or not) then that password gets out. So while it may be a flashlight forum password, for some it might just be their ebay, amazon, and bank password too.

Password sniffing is just the start of it. Without SSL, it’s much easier to intercept your web traffic and inject malicious code such as malware or cryptominer software or redirect it to another page entirely.

Troy Hunt – 12 Jul 18

Here's Why Your Static Website Needs HTTPS

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point" [https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/], that is, it had passed the moment of critical...

web.dev

Alasan pentingnya HTTPS | Articles | web.dev

HTTPS melindungi integritas situs, melindungi privasi dan keamanan pengguna, serta merupakan prasyarat API platform web baru dan andal.

SSL isn’t a silver bullet that will fix ever security issue, no one has said that. It’s about layers. Just like your house, you don’t just put up a door and call it a day. You probably install a lock too don’t you? You probably even lock that lock right? I’m willing to bet you might even have a flashlight near by so when there is a noise in the night you can make light day and see what’s going on?

Layers.

The same goes for websites. SSL adds very little to a server load and if done correctly (like HTTP/2) then it can actually greatly improve the site performance. The owner could also use a free service like Cloudflare to provide the HTTPS (zero impact on the server at that point) and allows for even more features such as content delivery network, DDoS protection and more. Again all for FREE.

Tom_Tom · 2018-10-23T12:20:01.000Z

Hey, Mr. 13 posts, it might surprise you that SBD knows his SSH (IT) and doesn’t need a lecture from a know-nothing.

And is the one providing this fabulous resource to all of us (I don’t know quite how, maybe he’ll tell me one day in a PM).

Don’t knock stuff that you just don’t understand.

And be aware that everything could just be switched-off, all history erased, in a blink, (apart from the Wayback Machine) without very dedicated support from a good person.

ImA4Wheelr · 2018-10-22T15:08:57.000Z

atbglenn:

ImA4Wheelr:

^

Does that encrypt your userid and pw while transmitting? I generally us a VPN too, but have to turn it off when accessing certain financial institutions and my work.

There is a tendency for folks to used a common pw (and userid too). So at a minimum, one should try to use a different pw for unsecured websites. That wouldn't prevent a hacker for using a BLF member's login data to make fictitious posts, edit existing posts, rude button, etc.

This what I do. My LastPass master password is in a hidden file on my Macs. I open the file and then copy and paste the LastPass master password to log into to LastPass. Then I use LastPass to log into my websites. No online typing involved. Every website has a different long complicated password. If somehow someone figures out my BLF password, ( I say next to impossible unless BLF somehow gets hacked,) all my other websites are still protected

Cool. Sounds like something I should do too. Thank you atbglenn.

duramax:

Congrats on 7777 posts If people use the same user ID, are you saying the ImA4Wheelr on the slingshot forum is the same as on here :sunglasses: I know that Drupal encrypts the db, but is the u/p transmission secure as well?

Yep, that be me. Never got the time to get into that hobby, but it still interests me.

manithree · 2018-10-22T15:41:11.000Z

atbglenn:

This what I do. My LastPass master password is in a hidden file on my Macs. I open the file and then copy and paste the LastPass master password to log into to LastPass. Then I use LastPass to log into my websites. No online typing involved. Every website has a different long complicated password. If somehow someone figures out my BLF password, ( I say next to impossible unless BLF somehow gets hacked,) all my other websites are still protected

I don’t trust LastPass, so here’s what I do:

I use long, untypable, generated passwords for everything, stored in keepass (I use keepassxc and keepass2android). Then in browsers, I use the keepasstusk plugin to fill in login forms.

My encrypted keepass database is currently stored on dropbox, but that will transition to syncthing soon, since dropbox will likely drop linux support, and I don’t want to depend on them.

old4570 · 2018-10-23T00:35:43.000Z

79ford:

manithree:

Wut? HTTP/2 and TLS are entirely separate issues. HTTP/2 works with or without encryption.

Separate but very much related. While HTTP/2 can work with HTTP most browsers DON’T support it in that method and only support HTTP/2 while using HTTPS.

“Although the standard itself does not require usage of encryption,[28] all major client implementations (Firefox,[29] Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.” - HTTP/2 - Wikipedia

“Does HTTP/2 require encryption?…However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection, and currently no browser supports HTTP/2 unencrypted” - HTTP/2 Frequently Asked Questions

“With just a simple change to the server configuration, the website performs noticeably better over HTTP/2 than HTTP/1.1. The page load time dropped by over 13% thanks to fewer TCP connections, resulting in a lower time to first byte” - 2018 – Pingdom Year in Review - Pingdom

old4570:

Hmmmm !
It’s a flashlight forum …
Why would you be concerned about the FEDS / Interpol / your ISP on BLF ?

That’s a great question and one I see from many people. It’s just a flash light forum, or it’s just a personal blog, or it’s just a website about turtles… who cares.

So while some people would like for you to believe it’s very uncommon for anyone to be snooping data connections. This is absolutely the case. In fact many people do so at public wifi spots, many companies security devices do just that, all potentially leaking your username and password.

Even though some here in this thread have said SSL is no big deal… not one of them has posted their password.

Leaking of passwords is bad for obvious reasons. One of which is while some here are using password managers (kudo’s by the way!!) many people don’t and many re-use passwords. So while you’re connected to the internet and someone is snooping over that traffic (and they do, believe it or not) then that password gets out. So while it may be a flashlight forum password, for some it might just be their ebay, amazon, and bank password too.

Password sniffing is just the start of it. Without SSL, it’s much easier to intercept your web traffic and inject malicious code such as malware or cryptominer software or redirect it to another page entirely.

Troy Hunt: Here's Why Your Static Website Needs HTTPS

Pourquoi le protocole HTTPS est-il important ? | Articles | web.dev

SSL isn’t a silver bullet that will fix ever security issue, no one has said that. It’s about layers. Just like your house, you don’t just put up a door and call it a day. You probably install a lock too don’t you? You probably even lock that lock right? I’m willing to bet you might even have a flashlight near by so when there is a noise in the night you can make light day and see what’s going on?

Layers.

The same goes for websites. SSL adds very little to a server load and if done correctly (like HTTP/2) then it can actually greatly improve the site performance. The owner could also use a free service like Cloudflare to provide the HTTPS (zero impact on the server at that point) and allows for even more features such as content delivery network, DDoS protection and more. Again all for FREE.

Interesting :

Probably why you use different passwords for different levels of security …
Soft passwords for soft sites , and as the need increases so does the password .
Probably a great reminder for me to consolidate and change passwords for various sites across the net .
Pays to do it from time to time .

beastlykings · 2018-10-23T02:17:09.000Z

atbglenn:

ImA4Wheelr:

^

Does that encrypt your userid and pw while transmitting? I generally us a VPN too, but have to turn it off when accessing certain financial institutions and my work.

There is a tendency for folks to used a common pw (and userid too). So at a minimum, one should try to use a different pw for unsecured websites. That wouldn’t prevent a hacker for using a BLF member’s login data to make fictitious posts, edit existing posts, rude button, etc.

This what I do. My LastPass master password is in a hidden file on my Macs. I open the file and then copy and paste the LastPass master password to log into to LastPass. Then I use LastPass to log into my websites. No online typing involved. Every website has a different long complicated password. If somehow someone figures out my BLF password, ( I say next to impossible unless BLF somehow gets hacked,) all my other websites are still protected

Hmm I’m concerned that you’re frequently loading your master password into your presumably unencrypted clipboard on your computer, where a virus of some sort could snatch it. This may be crazy talk, but who knows man.

I use LastPass as well, but I memorized my master password, it’s only about 25 or so characters, so fairly easy if you toss a few uncommon words in there. Maybe that’s a bit overzealous, but eh, it works and I can type it quickly. Don’t forget 2fa as well. I usually only have that turned on for my linchpin sites, like LastPass and Gmail.

Of course this is just my experience/opinion

Barkuti · 2018-10-25T15:32:20.000Z

toddcshoe:

…

In this day and age it is not someone else’s responsibility to make sure you are feeling all safe and warm. That is your responsibility. If you feel you aren’t safe, change your …

… beliefs, root beliefs.

79ford:

sb56637:

A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic.

This is flat out wrong. …

There's one well known site here which more or less recently switched to https, and I have witnessed how it has become less snappy, particularly much less snappy when loading the battery comparators. Prior to https there was no discernible lag when loading them, but now they feel more like clinged to a heavy anchor. Pretty sure Henrik's site/server has nowhere near the same amount of traffic this one has, and look at the consequences.

G00gl€ is not what it used to be. Or maybe should I say they climbed to the top with half truths, and continue to be there with their half-arsed truths?

Their search engine was powerful and way less biased (if at all) than what is now. Many many years ago it was much easier to find relevant results on specific searches, because it ran a pure logic based engine. By default now it is a dumbass spelling corrected advertisement and media party pile of shite, and buttloads of times I find myself in the need to enclose my search terms between quotation marks, which is a pain. And even if I use quotation marks and search operators the number of relevant hits is nowhere close to what it used to. With the coming of the “internet for everyone” lots of previously homeless digitals are now using computers, and G00gl€ is milking the cows and spreading misinformation. In G00gl€'s advocacy, I'm sure they're trying to serve all those morons previously homeless digitals the best they can, and reaping the rewards. For example, smartphones are fully-fledged computers with certain stock limitations which can be removed by installing custom roms and rooting them, though of course you may have heard how bad that is. That is misinformation.

Cheers :-)

P.S.: The above said about G00gl€ is of course because G00gl€ is the main promoting bullying power behind the “https everywhere” thing.

Tue, 10/23/2018 - 07:57. Tue, 10/23/2018 - 14:44.

sb56637 · 2018-10-23T11:40:40.000Z

Barkuti:

By default now it is a […] spelling corrected advertisement party piece of […] I find myself in the need to enclose my search terms between quotation marks, which is a pain.

Thank you! So I’m not the only one. So annoying. I tried switching to DuckDuckGo for a time specifically because of Google’s annoying penchant for simply ignoring my search terms, but I switched back to Google because DuckDuckGo does it too. So as you said, I generally find myself habitually “putting” “all” “search” “terms” “between” “quotation marks”.

old4570 · 2018-10-25T14:24:49.000Z

Not only that , but many use as wide a parameter for TAGS … For search engines to hit on . ( Is tags the right word )

So if you search for Large Cylindrical Battery …

The first word is LARGE …
So a search engine may throw up a whole bunch of results with the word LARGE …
Also , many pay for optimisation !
So when you search for something , the stuff up front is from people who payed to be there .
And then after that comes other criteria …
So yeah , it has become harder to find stuff unless you know exactly what you are looking for - Word for Word …
And lets not forget censorship , many web sites may be blocked from your search results .

Duck Duck Go was good a while back , but recently ?
Google it , youtube it ,

Barkuti · 2018-10-25T16:02:56.000Z

old4570:

…

The whole search engine thing has changed a lot in the last ten years. And let's not speak off the search engines found in e-shops like Banggood and others, they're }( pathetic. Lots of stuff seems to have dropped to the lowest common denominator, which is bad. This is the result of mankind's subconscious and unconscious issues.

Where does the money to run search engines comes from?

Who and why is deciding what to search, what not and what to censor?

Somehow we need to step away from the free stuff thing because search engines are not free, and with this behaviour people is letting themselves be bombarded with mass and even false advertising while at the same time receiving shitty biased search services. Applications also are not free. This does not mean they're expensive either, there's really wonderful stuff at the right price.

I'd advocate for means to finance a no unnecessary censorship logic based search engine to map the actual internet. Nowadays' experience is lacking.

Cheers :-)

sb56637 · 2018-10-25T16:18:27.000Z

I’ve always found YaCy (decentralized P2P federated internet search) to be an intriguing idea, maybe run it on a VPS. But I’ve never had enough motivation to actually set it up.

old4570 · 2018-10-30T04:26:28.000Z

Here in Oz ISP’s are required to filter stuff now . Much like China filters the Internet .
So the words you use for your search may be filtered .

So depending on where you live , ?
Lots and lots of banned web sites now , simply can’t visit them anymore because they are politically incorrect or dont measure up to new doctrine .
I expect it will only get worse as time goes on and supper Nanny gets even more Anal .
Wont be long before Radio Control Forums are banned because of Drones ….

Lightbringer · 2018-10-30T04:30:02.000Z

Three words: V, P, N.

NordVPN, Private Internet Access, whatever, sign up, and be free!

Tell the pollies to rack off…

old4570 · 2018-10-30T05:08:15.000Z

TOR ……
Yeah , I use VPN with Firefox when I want unfiltered results or visit politically incorrect forums / websites . ( Not talking Porn here ) - Torrents .
Music / video / toons / 3D printing / DIY / History / alt tech / alt History /

A lot of this stuff is still on youtube , but for how long .

Lightbringer · 2018-10-30T05:22:04.000Z

TOR is definitely bad for torrents. TMI, just goggle why…

A VPN and “private browsing” is often the best combo, doesn’t matter what or why.

When I start seeing goggle results for amazon.uk, I know my vpn picked a UK server at random. Also, some places like AX will query you to make sure you are whom you claim to be if suddenly you’re trying to dial in from halfway around the globe. GB all of a sudden thinks I’m portuguese, and so on…

Other than little quirks like that (which show that it’s working), it’s the best way to go.

Lightbringer · 2018-10-30T05:24:08.000Z

Oh, and things like OpenDNS would (in theory) be able to bypass “filtered” lookups, too.

Lightbringer · 2018-10-30T05:28:40.000Z

Urg… I just poked through that, saw its “safety” features and “threat protection” and all that nice-sounding rot (which just sounds like more filtering), so maybe skip that.

There are other unfiltered dns servers which’ll let you get all the prøn and illegal movies/music and everything your heart desires, filter-free. The raw, Wild West, unfiltered innernet the way God intended.

Macka17 · 2018-10-30T06:02:04.000Z

From an old fart.
I don’t know all that much about this. BUT. Surely…. YOU are responsible for everything that comes into your modem from the net.
Surely it’s up to YOU to protect your Modem/computers. not anybody else.

IF you are dumb enough to use the same Password etc on BLF etc. as you do on home/banking stuff.
Well. You deserve ALL you lose.
It’s PUBLIC Domain. Cover your arse at your end and let the public side do it’s own thing.
I’ve used Bitdefender for over 10 yrs now. and had 100% cover for everything including a VPN thing for my movies etc.
My Bank use it, manager put me onto it. Minimal costs,
and problems?. Ring them, they fix.
Full 100% coverage.
Just the same as my banking etc. I have a DEBIT card only (Don’t use credit anything).
Linked to a strange bank, with NO affiliation to the banks I have anything in.
I just transfer cash from one of mine to it as needed…
Plus. the 3 or 4 days it takes to clear. Gives me chance to make sure. Mentally. That I REALLY DO want whatever item I’m buying. Quite often I don’t.