Comments
I don't disagree with the need for TLS everywhere.
I do disagree with this planned action by Google.
There are many, many sites delivered via http. People with little knowledge of security (probably a majority) are going to get accustomed to the "not secure" tag in the browser bar and ignore it. A warning that's ignored is useless.
This could be upped. It could start with "insecure" being displayed. Then (months, years) later it could change to adding an exception for a website manually, which is what I thought was supposed to happen with Chrome eventually down the road. It's definitely been suggested.
Just a clarification, there are two personae: there's me as a visitor of static sites without TLS (as I said just above, I don't necessarily mind), and there's me who has to decide whether or not to offer TLS on a web server that I run. As the latter persona, if it's just a static site with some pages of mine, then I tend not to offer TLS, but if someone else is also hosting pages (static or not) on my web server, then yes, I offer TLS.
Right, and I'm totally okay with that. The problem starts when it results in one of the following two things:
Those points are fundamentally what I'm taking issue with here, as both are directly harmful towards the privacy of other people; one by perpetuating the idea that TLS is a "nice to have" rather than a basic technical necessity, and the other by just not offering the option at all.
If you choose not to use TLS yourself as an end user, and to not care about that, then I have no issue with that at all, assuming you're not somehow putting others at risk; that's your choice and your choice alone.
I'd say that in that situation, you should still be offering TLS; otherwise, you get the aforementioned problem where your readers literally cannot have a secure connection to your site, whether static or otherwise.
Valid point, but this has been accounted for.
As far as I'm concerned, I don't care a bloody fuck about what google chrome (or firefox) considers "secure".
Need I really remind anyone that it was - and still is - those web and browser guys who created the fucking biggest insecurity pile of rat shit on this planet?
And now they of all people want to play "the internet security conscience"? Fuck off, google and mozilla!
Who shat javascript into da web? Who reliably used any and every opportunity to make browsing fucking LESS secure? Who fucked up sandboxing? Who fucked up fucking everything and completely sold us out to advertising and marketing? Who actually has a very considerable part of their income from advertising as well as spying on their users to sell the gathered data to advertisers?
In other words: WHO reliably sold us out at each and every fucking corner? Who shat phones that eavesdrop on us even when deactivated? And who siphons off all the collected data as soon as the device gets any kind of connectivity? And who then sells those very data and/or uses them himself to spam us?
Who chose to sink billions into diverse funny projects but kept ssl/tls fucking unverified and on a toy budget? Who actually sank by far more into supporting a presidential candidate than into making tls secure?
And now those fucking spammers, eavesdroppers and talking shitheads want to tell us what's secure and how our local bakery's web site is dangerous?
Oh and btw, is tls secure? Nagging question, I know. And the answer is: NOPE. For many reasons, a major one being that still - in 2018 - we have no properly verified protocols and implementations. About the best we have so far is "less ridiculously insecure than xyz", e.g. libressl supposedly and probably being less ridiculously insecure than openssl.
To say "abc is secure" needs to be formally verifiable to make sense as a statement. Anything else is at best an educated assumption.
And btw, tls pretty much doesn't matter as long as we use utterly rotten browsers which quite probably are the single most shitty piece of software in the known universe.
Fuck off, google and mozilla.
You use Internet Explorer, don't you...
(ducks)
@joepie91
(Insert analogy about car brakes failing and hurting others beside the driver of the car.)
Otherwise, I agree.
@raindog308
Also watch out for a fisting from @AuroraZ
He thinks windows is the enemy of humanity everywhere.
Fair point, and although I didn't intend to argue against widespread use of TLS above, it may have appeared otherwise.
Yes, okay, but if there's at least one other user, I do set up TLS.
That's an interesting point -- one that I may have underestimated.
(Thanks again.)
Yep, I agree with both. I'm addressing privacy specifically because that's what other people keep bringing up
As for collateral damage; that's exactly why I hedged my statement towards @angstrom with "assuming you're not somehow putting others at risk". The problem is that it's difficult enough to communicate to people the concept of other people having different privacy standards, let alone explaining indirect privacy compromises of other people...
Oh-oh, @bsdguy has just wandered into the room.
I thought that you said that JS, if served with Roquefort dressing, wasn't so bad after all.
Nope, I use suckless surf and pale moon and occasionally firefox - but I use them in a paranoically monitored and regularly sterilized VM and I do all my work, office stuff, etc. on a separate machine.
Just walking down the street when suddenly someone springs from behind a doorway and ZOWIE!
There's no way to prepare for a surprising fisting.
Every shared host worth their salt allows cPanel or Let's Encrypt certs. If you have a VPS you can run Let's Encrypt. We've also known about this for a while. Seems fair to me. I'm game. Question is if cPanel or Let's Encrypt are ready for the influx.
I do host my own images; I mean something like a forum, where normal users can link things that would be non-SSL.
Well, on the forum I host, there is an option to route all images through an image proxy hosted by the server so that the page shows as fully SSL. I'm not familiar with much other forum software, but there is probably a similar option or a plug-in to do the same thing.
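The image-proxy approach described in that post, as an added example that is not the forum software's own code: outbound `http://` image links in a rendered post are rewritten to a same-origin HTTPS path that carries an HMAC of the upstream URL, so the browser never loads mixed content and the proxy endpoint only fetches URLs the forum itself signed (otherwise the endpoint becomes an open proxy for anyone). The forum origin `https://forum.example`, the `/imgproxy` route and the secret are assumed values.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed demo values. In a real deployment the secret comes from
# configuration and the origin is the forum's own HTTPS hostname.
PROXY_SECRET = b"constructed-demo-secret-do-not-reuse"
PROXY_ORIGIN = "https://forum.example"   # assumed forum hostname
PROXY_ROUTE = "/imgproxy"                # assumed proxy endpoint

IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]*)(")', re.IGNORECASE)
HEX_SIG_RE = re.compile(r"[0-9a-f]{64}")


def sign(url: str) -> str:
    """HMAC-SHA256 over the upstream URL: the proxy later accepts only
    URLs the forum itself rewrote, so it cannot be used as an open proxy."""
    return hmac.new(PROXY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_path(url: str) -> str:
    """Same-origin path: /imgproxy/<hex sig>/<percent-encoded url>.
    safe='' also encodes '/', so the URL stays a single path segment."""
    return f"{PROXY_ROUTE}/{sign(url)}/{quote(url, safe='')}"


def proxied_url(src: str) -> str:
    """Rewrite one <img src>. Only absolute http:// URLs need proxying:
    https:// images cause no mixed-content warning and relative paths are
    served by the forum itself."""
    if src.lower().startswith("http://"):
        return PROXY_ORIGIN + proxy_path(src)
    return src


def rewrite_html(html: str) -> str:
    """Rewrite every <img src="http://..."> in a rendered post."""
    return IMG_SRC_RE.sub(
        lambda m: m.group(1) + proxied_url(m.group(2)) + m.group(3), html)


def verify_proxy_path(path: str):
    """Proxy side: recover the upstream URL from a request path, or return
    None when the route, signature or scheme is not what the forum issues."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or "/" + parts[0] != PROXY_ROUTE:
        return None
    sig, encoded = parts[1], parts[2]
    if not HEX_SIG_RE.fullmatch(sig):       # reject before compare_digest
        return None
    url = unquote(encoded)
    if not hmac.compare_digest(sig, sign(url)):
        return None
    if not url.lower().startswith("http://"):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample post: one external plain-http image, one local upload.
    post = ('<p>look: <img src="http://cdn.example/pic.png"> '
            '<img src="/uploads/local.png"></p>')
    print(rewrite_html(post))
    print(verify_proxy_path(proxy_path("http://cdn.example/pic.png")))
```

The signature check is what keeps the endpoint from being abused; a deployed proxy should additionally limit the fetched content type and size, set a fetch timeout, and refuse upstream hosts that resolve to private or link-local addresses.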
57 cookies in use? WAT?
Typical WWW'er.
Yeah, but apparently it gives you the shits.
The What-about-ist doth protest too much ?
In TLS I'll trust, until something more viable comes along for mass deployment.
'Defense in depth' : Make the bad actors work for their dragnet interception.
Yes, I don't want algorithms somewhere profiling all the plaintext I read on pub.net.
also yes, be cautious with 3rd party javascript.
umatrix is usually enough, but TLS takes it another step in the right direction.
The term "not secure" is inaccurate. It is a technical term that can be received in a totally different way by an end user without technical knowledge (like the big majority of the people who surf the web).
"Not secure" means "you are in danger". For a blog page, a single page with info, plain HTML, a non-encrypted webpage is not "not secure", it is just unencrypted. There is no critical information or data that the website exchanges with the browser.
But any end user who does not know this difference, when seeing the "not secure" state in his browser, will think that this page is compromised and that it is dangerous to browse to...
EDIT: They could also use the term "not secured" instead of "not secure"; it would be much more understandable to the average end user and would not be confused with "dangerous".
Apple have also enabled this with Safari in iOS 11.3 but the 'message' is only prominent when the focus is on a username or password field.
That was already implemented quite a while ago, in almost all browsers: Firefox, Vivaldi, Chrome, to name a few.
The new thing being discussed is permanently displayed in the address bar.
They already show "Secure" for HTTPS connections, and it doesn't mean that the page is not compromised, not dangerous or that it won't steal whatever information you enter. It just means that the connection between you and the site is secure.
I know what it means. But I have tech knowledge about hosting, even if I do not have the expertise of a web admin. On the other hand, the majority of internet users cannot understand what "not secure" means; for them, "not secure" is dangerous IMO...
"Not secure" means "you are in danger". For a blog page, a single page with info, plain HTML, a non-encrypted webpage is not "not secure", it is just unencrypted. There is no critical information or data that the website exchanges with the browser.
But any end user who does not know this difference, when seeing the "not secure" state in his browser, will think that this page is compromised and that it is dangerous to browse to...
And the user's interpretation will be correct, because anybody can spy on what they're reading and inject any content within the same domain, and that is dangerous in countless ways. Hence, it's not secure.
The problem here is that you're trying to define 'not secure' as 'insecure in a way that I care about'. That's not what it means. "Not secure" is a technical metric, and plaintext communication meets that criterion, regardless of what value you personally place on a given piece of content or its authenticity or privacy.
In other words: it's not inaccurate at all. It's completely (technically) accurate. You just don't like the definition.
Yay, let's get into definition games! The sad fact, though, is that besides some Wikipedia bla bla (which pretty much everyone repeats) there is regrettably little in terms of real definitions. One reason for that is that those who really know tend to think and express themselves mathematically; another reason is that there simply are different definitions around. An additional problem is that most of the basic terms are closely interrelated, and any differences, e.g. in safety vs. security, are usually not made in normal conversation; in fact quite a few languages do not even have separate words for those concepts (German, usually an exceptionally versatile language, being an example: "Sicherheit" means both safety and security).
Professionally speaking, both are about the universal quantifier (or its negation, depending on point of view) - and! - about a defined set of parameters, the context.
Generally and very loosely speaking I usually explain the difference between safety and security like this: safety means that no harm results from (usually doing) something, while security is stability against something, in the IT context typically against some kind of attack.
I suggest staying away from definition games. As we have seen here, much of what has been said re 2FA is questionable from one POV or another. Also note that abstraction and simplification are highly important properties in many areas of technology. It is, in fact, desirable that people on one level need not know and/or can use quite simplified definitions because and if the people on another level did their job well. Moreover, there are of course the social aspects, an important one being that the general population has some, if crude and incomplete, knowledge in a very simplified form of e.g. "have something, know something, be something".
Looks like Lowendtalk will be insecure.... oh wait
Putting security arguments aside, HTTPS for me is all about HTTP/2, for page load speed performance.
FYI, even better news is Nginx 1.13.9 due in a few days adds HTTP/2 Server Push. Been waiting for this for ages https://trac.nginx.org/nginx/roadmap !
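The two deployment points raised in this thread (running Let's Encrypt on your own VPS, and enabling HTTP/2 with the Server Push that arrived in nginx 1.13.9) put together in one nginx server configuration, as an added example that is not from the nginx project or from anyone in the thread. The hostname `example.com`, the webroot paths and the pushed asset names are assumptions; the certificate paths are the ones certbot writes by default.

```nginx
# Plain-HTTP listener: keep only the ACME challenge path reachable over
# http:// (certbot's HTTP-01 validation needs it), redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed hostname

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;             # assumed webroot for certbot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener with HTTP/2 (the 'http2' listen parameter).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Default certbot output paths for this hostname.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2;                     # cipher list left at nginx defaults
    ssl_prefer_server_ciphers on;

    # Tell returning browsers to skip the http:// hop entirely.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/example.com;                 # assumed site root

    location = / {
        # HTTP/2 Server Push (nginx 1.13.9+): send the front page's critical
        # assets before the browser parses the HTML and asks for them.
        http2_push /css/site.css;              # assumed asset paths
        http2_push /js/app.js;
    }
}
```

Push only the few assets the page needs immediately; every `http2_push` is sent on each request for that location whether or not the client already has the asset cached, so pushing large or rarely changing files costs bandwidth rather than saving time.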