CrazyBoards.org

I'm wondering if the CB tech team has considered implementing SSL/TLS (HTTPS) on the site to protect member privacy? Yeah, I'm a bit paranoid, but hey, the NSA is collecting and data mining our crazy talk on this BBS.

EDIT: if https was done, I suggest the usage of very strong ciphers (AES and elliptic curve)

Edited by Bostonian Aspergian


 

 

> the NSA is collecting and data mining our crazy talk on this BBS

My 5-year-old alter has been known to associate with unsavory elements (Looks shifty)

Also:  Hi to all my fans in the NSA and GCHQ.

Remember, GCHQ and the NSA probably have reciprocal data-sharing agreements, so for all intents and purposes they're on the same page...anyway...

 

...Is it reasonable to think that much can keep them out?

 

 I was under the impression that even running TOR only slowed them down, simply because they now have the computing power to crack code like nobody's business.


I would not mind SSL myself. But I can imagine that it'd be a bit of a pain to implement and I figure there's likely a reason it hasn't been done already. It's pretty cheap though, if you don't go for the big names. 

 

 

 

 

> > the NSA is collecting and data mining our crazy talk on this BBS
>
> My 5-year-old alter has been known to associate with unsavory elements (Looks shifty)
>
> Also: Hi to all my fans in the NSA and GCHQ.
>
> Remember, GCHQ and the NSA probably have reciprocal data-sharing agreements, so for all intents and purposes they're on the same page...anyway...
>
> ...Is it reasonable to think that much can keep them out?
>
> I was under the impression that even running TOR only slowed them down, simply because they now have the computing power to crack code like nobody's business.

 

It is my impression that this is something that is suspected but not confirmed. If it is true, you can at least rest easy that they'll only blow that kind of time/money on very high-value targets. 

 

The big hullaballoo in computer security these days is that they've built vulnerabilities into many of the big encryption methods so they can crack them relatively easily later. I believe SSL is as secure as any of them, though. 

Edited by Sync


The forum itself is meant to be found.  The whole point is that those who need it can find it through google searches, etc.  It also supports itself solely by ad clicks and donations.

 

It's not meant to be secure in any way other than nobody else can sign into your account.  It's meant to be public.

 

Only members can see the PTSD part and private blogs, but other than that - the forum itself is open.

 

Https is overkill because the servers are privately hosted with the owner and your info (IP, etc) will not be shared.

 

If the government ever tried to force user info into being shared on an MI basis, I'm sure the server would experience a mysterious data loss - and that would be that.


> The forum itself is meant to be found. The whole point is that those who need it can find it through google searches, etc. It also supports itself solely by ad clicks and donations.
>
> It's not meant to be secure in any way other than nobody else can sign into your account. It's meant to be public.
>
> Only members can see the PTSD part and private blogs, but other than that - the forum itself is open.
>
> Https is overkill because the servers are privately hosted with the owner and your info (IP, etc) will not be shared.
>
> If the government ever tried to force user info into being shared on an MI basis, I'm sure the server would experience a mysterious data loss - and that would be that.

HTTPS encrypts the data sent between your computer and the server. It doesn't do server-side encryption and it wouldn't hide the website from anyone. 

 

Essentially, HTTPS protects your username and password from prying eyes as they travel the open internet. And it makes it massively more difficult for some miscreant to make a false CB landing page to steal your credentials. Not that I imagine any of that is a great risk, but you never know. 


I'm not sure about the rest of you, but I never gave CB my credit card information. I must have missed that step? They still seem to let me in.

I don't share my birthday, nor where I live. Partly because I'm crazy as a fucking loon and the rest of the people around me don't need to know that (for now). So what is there to encrypt, exactly? The site is indexed by Google. If people want to find it, great! We're a forum. That's how we roll.


I hate https unless it is absolutely necessary. I use dial-up and it makes my internet extremely slow.

 

I see no reason to use https on CB. I don't share any information that I'm not comfortable with sharing, and I don't use a username/password here that I use elsewhere. I am anonymous here. If the government wanted to get information on me, I don't fool myself into thinking that https would stop them. They have geniuses on their payroll that spend all their time thinking about how to unencrypt the various encryption schemes. And if worse came to worse, as Cetkat said, they'd just go after the servers.


The government has been monitoring my activity for quite some time now.  Even using a proxy (hidemyass, etc) is worthless.  And like someone already said HTTPS merely creates a secure tunnel, nothing more.

 

The only way to avoid the agents tracking you would be to abandon all electronic devices that contain government CECI chips, which is just about anything from your cable box to your microwave.


Google has rewritten their search engine to rank sites that use HTTPS higher than others. http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html

 

As a Linux server ninja, I can understand how much of a PITA implementing HTTPS is and can understand the reasoning for the Admins not to implement it. HTTPS is one of those things you can't half-ass. It has to be done right: file permissions in the operating system, crypto keys, validation. I had to set this up for a client a few months ago and unless you automate the crap out of the process and store the keys and configs in a code repository, you can blow a day or two troubleshooting.

Strong crypto is an Asperger perseveration of mine these days, and I wanted to suggest the idea.

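The post above lists the pieces that have to be right before HTTPS goes live: file permissions, keys, validated configuration; the original poster asked for AES with elliptic-curve key exchange. What follows is an added example, not CrazyBoards/IPB code and not the poster's own script: a pre-flight audit using only Python's standard library. It checks that the private key file is readable by its owner alone and that an `ssl.SSLContext` enforces a TLS 1.2 floor, ECDHE key exchange and AES-GCM. The key file it writes is placeholder text, not key material, and the file paths are temporary files the example creates itself.

```python
"""Pre-flight audit for an HTTPS deployment, stdlib only.

Added example; not CrazyBoards/IPB code. It checks the two things the post
above says you cannot half-ass: the private key's file permissions and the
TLS parameters. The cipher policy is the OP's suggestion (AES with
elliptic-curve key exchange) plus a TLS 1.2 floor. The key file written
here is a placeholder string, not a real key.
"""
import os
import ssl
import stat
import tempfile


def hardened_server_context() -> ssl.SSLContext:
    """Server context with forward secrecy (ECDHE) and AES-GCM only, TLS 1.2 or better."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")        # TLS 1.2 suites; the TLS 1.3 list is fixed by OpenSSL
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression leaks plaintext length (CRIME)
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """Deliberately lax context: the 'before' case for the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # still accepts TLS 1.0
    except ValueError:
        pass                                         # OpenSSL built without TLS 1.0 support
    ctx.set_ciphers("DEFAULT")                       # OpenSSL default list: includes RSA key exchange
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings against the policy; an empty list means the policy holds."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; want TLSv1_2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with ephemeral key exchange; Python cannot alter that list
        if suite.get("kea") != "kx-ecdhe":
            findings.append(f"{suite['name']}: key exchange {suite.get('kea')} gives no forward secrecy")
        if not suite.get("aead") or not str(suite.get("symmetric")).startswith("aes"):
            findings.append(f"{suite['name']}: not an AES-GCM suite")
    return findings


def write_placeholder_key(mode: int) -> str:
    """Create a stand-in key file (placeholder text, not key material) with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path


def check_private_key_file(path: str) -> list:
    """The web server process must read the key; nobody else on the box should."""
    findings = []
    st = os.stat(path)
    if st.st_mode & 0o077:
        findings.append(f"{path}: mode {stat.filemode(st.st_mode)} is readable by group/others; want 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the user running this check")
    with open(path, "rb") as fh:
        first = fh.readline().strip()
    if not (first.startswith(b"-----BEGIN ") and first.endswith(b"PRIVATE KEY-----")):
        findings.append(f"{path}: does not start with a PEM private key header")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "ok")
    print("weak:    ", audit_context(weak_server_context()))
    print("0600 key:", check_private_key_file(write_placeholder_key(0o600)) or "ok")
    print("0644 key:", check_private_key_file(write_placeholder_key(0o644)))
```

Neither check needs a certificate or a live socket, so both fit in a pre-deploy hook run from the config repository the post describes; point `check_private_key_file` at the real key path and `audit_context` at the context the server actually builds. Keep the private key itself out of that repository: the configs belong under version control, the key does not.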

I tried running TOR, it was SLOOOOOW.

 

...My beloved Mr Crazypants is Someone Who Bears Keeping An Eye On for his government. Probably means I am too. 

 

Of course they aren't going to actually bother to make a human listen to actual phone convoes between the two of us unless he or I happen to say words like SEMTEX, ECHELON, Allahu Akbar, Hezbollah, Real IRA, detonator, ISIS, and so forth...

...So I'm afraid we do that sometimes. Then say hello to the poor schmuck who gets to listen.

 

...Something tells me I'm going to get to third base with a TSA screener next week... :huh:

 

More seriously, I get county care.  The Gub'mint knows all about my crazee. I can't really do anything about that. If I could afford the level of health insurance I need to actually afford all the fricking pills I need I would not be in the county system.  Retail my meds probably cost upwards of $1000 a month.

That's about 3/4 of my income...

 

I worry about employers finding out that I'm nuts.  I am a guard.  I am licensed to work armed.

While my crazee is not going to be a threat to anyone else, employers are going to be freaked if they find out I have MI issues, forget "well-managed," forget "no history of violence". Stigma sucks.

 

Posting under a pseudonym suffices to cover my tush for employment.

Edited by Stickler


> I'm not sure about the rest of you, but I never gave CB my credit card information. I must have missed that step? They still seem to let me in.
>
> I don't share my birthday, nor where I live. Partly because I'm crazy as a fucking loon and the rest of the people around me don't need to know that (for now). So what is there to encrypt, exactly? The site is indexed by Google. If people want to find it, great! We're a forum. That's how we roll.

That's not the concern. The concern is that your username and password are being sent over the internet in plaintext where they can be intercepted by just about anyone who cares to try. The information they can get by logging into your CB account is probably not, by itself, all that life-altering, but the primary vulnerability with this kind of thing is a password-reuse attack. The vast majority of internet users use the same password on multiple sites, often in conjunction with a common username or email address. The CB accounts of the people who use the site are not all that important in the grand scheme, but if someone can log in here, they can get an email address and a password, and in a lot of cases that can get them access to bank accounts, email addresses (used for various kinds of important authentication), health information, paypal accounts, basically almost any internet service where someone might set their own password.

 

I use a CB-specific password for just this reason, but I would be willing to bet that a majority of the users here don't. It's a widely accepted thing among just about anyone who works with computers or the internet professionally that it's a big risk to log in anywhere that doesn't use SSL. If the CB crew doesn't want to use SSL because it's a pain in the ass or they just don't care or whatever, I can totally understand that, but I don't think this mocking tone in response to a reasonable question about a very basic part of information security is entirely necessary. 

 

> I hate https unless it is absolutely necessary. I use dial-up and it makes my internet extremely slow.
>
> I see no reason to use https on CB. I don't share any information that I'm not comfortable with sharing, and I don't use a username/password here that I use elsewhere. I am anonymous here. If the government wanted to get information on me, I don't fool myself into thinking that https would stop them. They have geniuses on their payroll that spend all their time thinking about how to unencrypt the various encryption schemes. And if worse came to worse, as Cetkat said, they'd just go after the servers.

For what it's worth (which I would guess is not a whole lot), it's very easy to enable SSL (which is HTTPS) without forcing it. It would be very easy to set it up so that if you went to http://crazyboards.org, you connected as you do now, and if you went to https://crazyboards.org, you connected over SSL.

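Two posts in this thread make the same point: the earlier one that HTTPS protects the username and password "as they travel the open internet", and the reply just above that a plaintext login can be intercepted by anyone on the path and then reused elsewhere. Here is an added example, not code from the thread or from IPB, that shows exactly what a passive observer (open wifi, an ISP, anyone with a tap) gets from each. Both captures are constructed by hand: the HTTP one is a form login as a browser sends it, with placeholder field names and a placeholder hostname rather than the forum's; the TLS one is the start of a session, where only the record layer is readable.

```python
"""What a passive observer on the path sees: HTTP login versus the same login over TLS.

Added example, not code from the thread or from IPB. Both captures are
constructed by hand. Capturing real traffic would need a tap or a pcap;
none is used here.
"""
from typing import Optional
from urllib.parse import parse_qs

# Constructed capture: a login form POST crossing the wire over plain HTTP.
HTTP_LOGIN_CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"username=crazyposter&password=hunter2&remember=1"
)

# Constructed capture: a handshake record followed by an application_data record.
TLS_LOGIN_CAPTURE = (
    b"\x16\x03\x01\x00\x08" + b"\x01\x00\x00\x04\x03\x03\xaa\xbb"                  # handshake (ClientHello fragment)
    + b"\x17\x03\x03\x00\x10" + bytes.fromhex("9f3e1c7ab2d44e60f1a8c3b7d0e95a21")  # encrypted login, opaque
)

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "pass", "passwd"}


def parse_tls_records(capture: bytes) -> list:
    """Walk the TLS record layer. Type, version and length are visible; payloads stay opaque."""
    records, pos = [], 0
    while pos < len(capture):
        if pos + 5 > len(capture):
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, major, minor = capture[pos], capture[pos + 1], capture[pos + 2]
        length = int.from_bytes(capture[pos + 3:pos + 5], "big")
        if ctype not in TLS_CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {pos}")
        if pos + 5 + length > len(capture):
            raise ValueError(f"truncated record body at offset {pos}")
        records.append({"type": TLS_CONTENT_TYPES[ctype], "version": f"3.{minor}", "length": length})
        pos += 5 + length
    return records


def extract_http_credentials(capture: bytes) -> Optional[dict]:
    """Pull credential-looking form fields out of a plaintext HTTP request."""
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return None
    _request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
    creds = {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    return creds or None


def observe(capture: bytes) -> dict:
    """Report what a passive observer learns from a captured client-to-server stream."""
    if capture and capture[0] in TLS_CONTENT_TYPES:
        return {"transport": "tls", "records": parse_tls_records(capture), "credentials": None}
    return {"transport": "http", "records": [], "credentials": extract_http_credentials(capture)}


if __name__ == "__main__":
    print(observe(HTTP_LOGIN_CAPTURE))
    print(observe(TLS_LOGIN_CAPTURE))
```

Run as is, the HTTP capture yields the username and password and the TLS capture yields two record headers and nothing else. That is the whole of what the thread calls a "secure tunnel": the server still receives plaintext, but nothing between browser and server does. The certificate check a browser performs during that handshake is also what makes the fake landing page mentioned earlier harder to pull off, since an impostor in the path cannot present a certificate that validates for the real hostname.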

To be clear: no one here built CB from the ground up. The community forum software that we use is from IPB and we use it under license. When VE fundraises to pay for the site he is paying for the license and the server that CB is hosted on (amongst other things). So if you want major changes (and IPB does continually work to improve their software) then we're not the ones to go to.


 

 

The TOR browser was compromised, which is what led to the shutdown of half of the dark web when Freedom Hosting got pinched. It was patched pretty quickly and is back to its usual, secure self. If you really want anonymity though, TOR + VPN on 256 AES encryption will ensure it.


 

> > I'm not sure about the rest of you, but I never gave CB my credit card information. I must have missed that step? They still seem to let me in.
> >
> > I don't share my birthday, nor where I live. Partly because I'm crazy as a fucking loon and the rest of the people around me don't need to know that (for now). So what is there to encrypt, exactly? The site is indexed by Google. If people want to find it, great! We're a forum. That's how we roll.
>
> That's not the concern. The concern is that your username and password are being sent over the internet in plaintext where they can be intercepted by just about anyone who cares to try. The information they can get by logging into your CB account is probably not, by itself, all that life-altering, but the primary vulnerability with this kind of thing is a password-reuse attack. The vast majority of internet users use the same password on multiple sites, often in conjunction with a common username or email address. The CB accounts of the people who use the site are not all that important in the grand scheme, but if someone can log in here, they can get an email address and a password, and in a lot of cases that can get them access to bank accounts, email addresses (used for various kinds of important authentication), health information, paypal accounts, basically almost any internet service where someone might set their own password.
>
> I use a CB-specific password for just this reason, but I would be willing to bet that a majority of the users here don't. It's a widely accepted thing among just about anyone who works with computers or the internet professionally that it's a big risk to log in anywhere that doesn't use SSL. If the CB crew doesn't want to use SSL because it's a pain in the ass or they just don't care or whatever, I can totally understand that, but I don't think this mocking tone in response to a reasonable question about a very basic part of information security is entirely necessary.

 

 

 

Rosie's tone was not mocking. She responded after several responses that continued to debate what is a moot point [which I explain further on down]. If you choose to see this as mocking, you need to ease off a little and maybe take a break. There was likely a bit of sarcasm, but I would actually inquire at the admin desk. I hear it is open Tuesdays and Thursdays 1:30-2:15 and every 3rd Sunday if they feel like it for one random hour.

Individuals' mismanagement of their passwords in regards to other sites they use is not CB's responsibility. Even though implementing it and a crapload of other reasons probably play into it, there is a very basic fact that it isn't CB's responsibility to pick up the slack for everyone else sucking at managing personal password security.

I have like 800 passwords because if I had the same one for every site I'd be screwed. I change them fairly frequently as well. These are two very basic tenets of internet security and if you use anything on the internet you run into these recommendations frequently.

In my mind, the logistics of implementing any of this don't even matter because it simply is not CB's responsibility.

What Rosie said was perfectly legitimate: there is nothing that requires usage of the site worthy to encrypt, so CB has no responsibility whatsoever to do this.

 

And, seriously? If you can't take a little bit of snark, sarcasm or slight of attitude, what attracts you to this site?


> I'm wondering if the CB tech team has considered implementing SSL/TLS (HTTPS) on the site to protect member privacy? Yeah, I'm a bit paranoid, but hey, the NSA is collecting and data mining our crazy talk on this BBS.
>
> EDIT: if https was done, I suggest the usage of very strong ciphers (AES and elliptic curve)

 

It's on my todo list.


 

> Rosie's tone was not mocking. She responded after several responses that continued to debate what is a moot point [which I explain further on down]. If you choose to see this as mocking, you need to ease off a little and maybe take a break. There was likely a bit of sarcasm, but I would actually inquire at the admin desk. I hear it is open Tuesdays and Thursdays 1:30-2:15 and every 3rd Sunday if they feel like it for one random hour.
>
> Individuals' mismanagement of their passwords in regards to other sites they use is not CB's responsibility. Even though implementing it and a crapload of other reasons probably play into it, there is a very basic fact that it isn't CB's responsibility to pick up the slack for everyone else sucking at managing personal password security.
>
> I have like 800 passwords because if I had the same one for every site I'd be screwed. I change them fairly frequently as well. These are two very basic tenets of internet security and if you use anything on the internet you run into these recommendations frequently.
>
> In my mind, the logistics of implementing any of this don't even matter because it simply is not CB's responsibility.
>
> What Rosie said was perfectly legitimate: there is nothing that requires usage of the site worthy to encrypt, so CB has no responsibility whatsoever to do this.
>
> And, seriously? If you can't take a little bit of snark, sarcasm or slight of attitude, what attracts you to this site?

 

I think I pointed that out in the mildest way possible. It read to me as mocking the question of "hey, any plans to implement this?" as if it were a ridiculous question, which I don't think it is. It didn't read that way to you, which is fine; reading tone in text is always a dicey area and different people will always have different perspectives on how something was said.

 

In any case, I don't really think it's worth getting into a debate over. It's a minor disagreement, I don't think we need to derail the thread and have a throwdown about it or whatever.

 

 

 

> > I'm wondering if the CB tech team has considered implementing SSL/TLS (HTTPS) on the site to protect member privacy? Yeah, I'm a bit paranoid, but hey, the NSA is collecting and data mining our crazy talk on this BBS.
> >
> > EDIT: if https was done, I suggest the usage of very strong ciphers (AES and elliptic curve)
>
> It's on my todo list.

 

Awesome!

Edited by Sync


 

> > I'm wondering if the CB tech team has considered implementing SSL/TLS (HTTPS) on the site to protect member privacy? Yeah, I'm a bit paranoid, but hey, the NSA is collecting and data mining our crazy talk on this BBS.
> >
> > EDIT: if https was done, I suggest the usage of very strong ciphers (AES and elliptic curve)
>
> It's on my todo list.

 

 

That's funny.


 

> > I'm wondering if the CB tech team has considered implementing SSL/TLS (HTTPS) on the site to protect member privacy? Yeah, I'm a bit paranoid, but hey, the NSA is collecting and data mining our crazy talk on this BBS.
> >
> > EDIT: if https was done, I suggest the usage of very strong ciphers (AES and elliptic curve)
>
> It's on my todo list.

 

 

That's great, but honestly... if it's a hassle, why bother?

 

I'll admit I mistook the subject a bit to mean that it was less about the password you entered and more about the post content, but..

 

If someone has their account broken into, there's no real info to take and it's really easy to give access back to the real person.  You really only have to look at IP to know they're telling the truth.  And I don't recall any account being broken into - only passwords forgotten, etc.

 

Also, CB uses really old password specs. Mine is still an original one from the '90s. No site nowadays will even accept my password here, and pretty much all that accepted it then have required an upgrade at this point (including email accounts). The only exceptions are forums built on this interface where nobody would want to pretend to be me anyway - and (anyone) if you really want to tell someone how to fix their computer for me, go for it.

 

Yeah, and this is coming from a password heathen that knowingly reuses passwords when I know I shouldn't.

 

Not to mention that hackers go for servers to find user/pass combinations to break in at other places.  They don't care to intercept password site transmissions. 

 

(This sounded more logical before I lost half of it.. but it's close enough)


Here's some background:

 

https://www.eff.org/https-everywhere/deploying-https

What the EFF is pushing is trying to move the entire web from http to https and I'm on board with that.  Several sites, including facebook and reddit, have already either moved or made https versions available.  

 

Google is playing their part by ranking https sites higher than http ones in order to encourage site owners to make the move.  

 

The bottom line is that plain http is insecure and always has been.  With the growth of public wireless networks, this is particularly dangerous.  


Well, if the goal is to make the web more secure in general, I'm good with that.  With the google ranking it does make sense to move CB to https.

 

I'm just not sure it really makes enough of a difference to rationalize the work outside of those things unless it's a pet project.  With heartbleed, shellshock, and wifi snooping, it seems https mostly gives a false sense of security.

 

But I guess flawed security is better than no security.


> Well, if the goal is to make the web more secure in general, I'm good with that. With the google ranking it does make sense to move CB to https.
>
> I'm just not sure it really makes enough of a difference to rationalize the work outside of those things unless it's a pet project. With heartbleed, shellshock, and wifi snooping, it seems https mostly gives a false sense of security.
>
> But I guess flawed security is better than no security.

 

- Anyone who is even marginally on top of things has Heartbleed patched by now. It would be entirely correct to say that it was a very bad SSL vulnerability, but the danger has largely passed.

- Shellshock has nothing to do with SSL. It's a different kind of vulnerability from the kind SSL deals with.

- SSL effectively protects against wifi snooping.

 

All in all, no crypto system is perfect. But SSL falls firmly in the "good" category. 

 

I know I should really leave well enough alone, but as someone whose work is partially in information security, it can be frustrating to see such strong arguments made from erroneous information. 

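The reply above separates Heartbleed, a bug in one implementation, from what SSL/TLS does as a design. As an added example (not code from the thread, and not OpenSSL's source), here is the heartbeat handling that bug lived in, modelled in Python: the vulnerable echo beside the one-line bounds check that shipped as the fix. The "server memory" is a constructed bytearray, the secret placed next to the request is a placeholder, and the request payload is arbitrary. What the example assumes is the RFC 6520 heartbeat layout: a type byte, a two-byte payload_length, the payload, then at least 16 bytes of padding.

```python
"""Heartbleed (CVE-2014-0160), modelled: a missing bounds check in the heartbeat handler.

Added example, not from the thread and not OpenSSL code. Vulnerable OpenSSL
(1.0.1 through 1.0.1f) echoed payload_length bytes from the request buffer
without checking that the record it had actually received was that long, so
the reply carried whatever sat next to the request in memory. 1.0.1g added
the check reproduced here. The 'server memory' below is a constructed
bytearray and the secret in it is a placeholder, not data from any server.
"""
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length lets a client lie about the payload size."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HEARTBEAT_REQUEST]) + claimed_length.to_bytes(2, "big") + payload + b"\x00" * MIN_PADDING


def heartbeat_response(memory: bytearray, offset: int, record_length: int,
                       bounds_checked: bool) -> Optional[bytes]:
    """Echo the payload of the request that starts at memory[offset].

    record_length is how many bytes the record layer actually delivered.
    bounds_checked=False reproduces the vulnerable logic; True applies the fix
    (reject when 1 + 2 + payload_length + 16 exceeds the record length).
    """
    if memory[offset] != HEARTBEAT_REQUEST:
        return None
    payload_length = int.from_bytes(memory[offset + 1:offset + 3], "big")
    if bounds_checked and 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # silently discard, as the patched code does
    payload_start = offset + 3
    # The copy trusts payload_length; without the check above it runs past the record.
    return bytes(memory[payload_start:payload_start + payload_length])


def simulate(claimed_length: Optional[int], bounds_checked: bool) -> Optional[bytes]:
    """Lay a request out in a fake process heap next to a secret and process it."""
    request = build_heartbeat_request(b"ping", claimed_length)
    secret = b"session=member_session_token_PLACEHOLDER"  # constructed stand-in for a session cookie
    memory = bytearray(b"\x00" * 8) + request + secret + bytearray(b"\x00" * 64)
    offset = 8  # where the request landed in 'memory'
    return heartbeat_response(memory, offset, len(request), bounds_checked)


if __name__ == "__main__":
    print("honest request, vulnerable code:", simulate(None, False))
    print("lying request,  vulnerable code:", simulate(64, False))
    print("lying request,  fixed code:     ", simulate(64, True))
```

The honest request echoes `ping` under both versions; the lying request gets back the padding and the neighbouring secret from the unpatched logic and nothing from the patched one. The lesson for the thread is the one the reply makes: this was a memory-safety defect in one library's handling of one extension, not a weakness in the protocol, and it is fixed by the check rather than by abandoning HTTPS.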

> Well, if the goal is to make the web more secure in general, I'm good with that. With the google ranking it does make sense to move CB to https.
>
> I'm just not sure it really makes enough of a difference to rationalize the work outside of those things unless it's a pet project. With heartbleed, shellshock, and wifi snooping, it seems https mostly gives a false sense of security.
>
> But I guess flawed security is better than no security.

 

Wifi snooping doesn't work over https.

 

The other bugs you mention were patched within 48 hours and posed minimal to no threat to users of this site in the first place.


 

> > Well, if the goal is to make the web more secure in general, I'm good with that. With the google ranking it does make sense to move CB to https.
> >
> > I'm just not sure it really makes enough of a difference to rationalize the work outside of those things unless it's a pet project. With heartbleed, shellshock, and wifi snooping, it seems https mostly gives a false sense of security.
> >
> > But I guess flawed security is better than no security.
>
> - Anyone who is even marginally on top of things has Heartbleed patched by now. It would be entirely correct to say that it was a very bad SSL vulnerability, but the danger has largely passed.
>
> - Shellshock has nothing to do with SSL. It's a different kind of vulnerability from the kind SSL deals with.
>
> - SSL effectively protects against wifi snooping.
>
> All in all, no crypto system is perfect. But SSL falls firmly in the "good" category.
>
> I know I should really leave well enough alone, but as someone whose work is partially in information security, it can be frustrating to see such strong arguments made from erroneous information.

 

 

No, go for it! Most of the resources I read made it sound like it was the backend of https that was vulnerable... so any https site could have a vulnerable fault. To my knowledge it's still an issue though. My NAS issued a patch, but Comcast has yet to even respond to its users on whether its router is vulnerable.

 

 

> > Well, if the goal is to make the web more secure in general, I'm good with that. With the google ranking it does make sense to move CB to https.
> >
> > I'm just not sure it really makes enough of a difference to rationalize the work outside of those things unless it's a pet project. With heartbleed, shellshock, and wifi snooping, it seems https mostly gives a false sense of security.
> >
> > But I guess flawed security is better than no security.
>
> Wifi snooping doesn't work over https.
>
> The other bugs you mention were patched within 48 hours and posed minimal to no threat to users of this site in the first place.

 

 

My Netgear NAS took longer than that, but to be fair, it wasn't a site.
