HTTPS [Request to implement HTTPS for this site]

Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

This site does not have HTTPS support.

That means that when someone tries to log in, the username and password are sent in plaintext and are vulnerable to man-in-the-middle attacks.

While I personally use a throwaway password, I'm sure many users do not.

Implementing HTTPS support for the login page alone would be sufficient. This would not put substantial load on the server. You can use a redirect on port 443 for everywhere besides the login page to send people back to HTTP.

StartSSL offers free SSL certs. I personally use them.

If you use the Mozilla best practices, found here
https://wiki.mozilla.org/Security/Server_Side_TLS
it will be safe, secure, and very low load. This defaults to the lightest security that can't be cracked in any reasonable amount of time.

If you need help with this, let me know, I do webserver hosting as a side gig, on rented VPS.
Systems Engineer
LadyGeek
Site Admin
Posts: 95691
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: HTTPS

Post by LadyGeek »

Hi,

See this post by the site owner: Subject: https access to bogleheads.org?
Alex Frakt wrote:
greg24 wrote:https on this site would create administrative overhead with extremely little value.
Exactly. https for sites like this one is pure security theater, it may make the uninformed feel better, but does nothing to solve the underlying problem of sloppy password reuse. Picking your unencrypted username and password out of the air is only one way to steal this data. You are far more likely to have it exposed by hackers who get access to a site's entire database (or by thieves who set up a site just to collect passwords - http://xkcd.com/792/). In this case, having an https connection does no good at all. If you really want to be secure, have at least two passwords. One for sites that hold private information from credit card numbers to brokerage accounts and one for sites like ours that hold nothing that could cause you a financial loss if revealed.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
arandomdude84
Posts: 69
Joined: Tue Feb 14, 2012 1:57 am

Re: HTTPS

Post by arandomdude84 »

Hi:

The reasoning in that post is flawed. Please add https support; it's 2014 and all websites should use https. There is really no reason not to. The 'administrative overhead' is negligible. There is no effect on latency, especially for an application that is not performance sensitive such as this one.

Please read: https://www.imperialviolet.org/2010/06/ ... g-ssl.html

"If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users."

If you are really concerned about latency (which actually makes me laugh at how preposterous this argument is), you can use a self-signed certificate and benchmark page load times between a https encrypted page and a non-encrypted page. (If you do this, please post the benchmarks).

Thanks.
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: HTTPS [Request to implement HTTPS for this site]

Post by TimeRunner »

+1. It's the wild West out there, and there's more than a few entities "in the middle" twixt user and web server.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
arandomdude84
Posts: 69
Joined: Tue Feb 14, 2012 1:57 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by arandomdude84 »

I can think of a few scenarios off the top of my head why HTTPS bogleheads makes perfect sense, but let me outline one that just came to mind:

Imagine: bogleheads.org forum visitor who logs in to the site while on the company VPN (because they either forgot to log out of it, or are taking a break from working, or whatever) posting employment questions weighing questions about whether or not the user should accept a new job offer and/or how the user should better negotiate their current pay/benefits/etc.

Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.

I'd also like to add that bogleheads.org should REMOVE all unencrypted access and set up a redirect to force all users who hit forum URLs via http to be redirected to https instead.

Thanks.
bogleblitz
Posts: 506
Joined: Mon Oct 01, 2012 2:51 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by bogleblitz »

I bet more than 50% of the bogleheads here don't know what https is and don't care.

Most popular forums I visit don't have https either so I don't see it as a problem.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

As an IT professional, it amazes me how bad that train of thought is.

It costs literally nothing but minutes of time to protect every user here. Just because something hasn't gone wrong before doesn't mean it can't.

It's like leaving your doors unlocked because nobody has tried to break into your house before.
Systems Engineer
simpleton
Posts: 133
Joined: Fri Jul 26, 2013 10:10 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by simpleton »

arandomdude84 wrote: I'd also like to add that bogleheads.org should REMOVE all unencrypted access and set up a redirect to force all users who hit forum URLs via http to be redirected to https instead.
+1 I do this stuff for a living, and that is best practice for a site like this with even minimal privacy concerns.

Like always wearing your seatbelt.
HoosierJim
Posts: 987
Joined: Wed Mar 24, 2010 7:11 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by HoosierJim »

Can't wait for the next Boglehead meeting.

Shouldn't take too long to get everybody's password. :shock:
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

I do agree with the idea of https on every page because some of the stuff people post here can get someone fired

Https would hide the headers and content
Systems Engineer
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

If you use https session cache and offer spdy support, https barely even has processor usage
Systems Engineer
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Sidney »

Angelus359 wrote:It's like leaving your doors unlocked because nobody has tried to break into your house before.
really, more like using a Master Padlock on the back door because the house is empty.
I always wanted to be a procrastinator.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

bogleblitz wrote:I bet more than 50% of the bogleheads here don't know what https is and don't care.

Most popular forums I visit don't have https either so I don't see it as a problem.
Just because they don't know or don't care doesn't mean they don't need it.

How would you feel if a bank didn't use it?
A lot of people against all advice use the same passwords everywhere, so you might as well be handing over bank access
Systems Engineer
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

Sidney wrote:
Angelus359 wrote:It's like leaving your doors unlocked because nobody has tried to break into your house before.
really, more like using a Master Padlock on the back door because the house is empty.

I don't understand what you mean
Systems Engineer
pradador
Posts: 156
Joined: Thu Jun 14, 2012 9:20 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by pradador »

I'd like to see SSL support for the whole site as well.
dotnet
Posts: 52
Joined: Tue Sep 18, 2012 1:39 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by dotnet »

Yeah, I am outraged.

This site, that is very helpful and completely free, doesn't use HTTPS? This is a rip off and I will not stand for this.

Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable

Every site that has user credentials, free or otherwise, should have TLS enabled https.
Last edited by Angelus359 on Fri Apr 04, 2014 9:03 am, edited 1 time in total.
Systems Engineer
pradador
Posts: 156
Joined: Thu Jun 14, 2012 9:20 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by pradador »

arandomdude84 wrote:Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.
dotnet wrote:Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?
I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

pradador wrote:
arandomdude84 wrote:Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.
dotnet wrote:Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?
I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful.

Https TLS is an end-to-end encryption method that can't be read in the middle. At best they will know that https traffic is happening.
Systems Engineer
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by richard »

Angelus359 wrote:Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable

Every site that has user credentials, free or otherwise, should have TLS enabled https.
As far as I can tell, it's easy to implement, has no meaningful ongoing costs and adds some protection. I don't see the argument against using it.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

richard wrote:
Angelus359 wrote:Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable

Every site that has user credentials, free or otherwise, should have TLS enabled https.
As far as I can tell, it's easy to implement, has no meaningful ongoing costs and adds some protection. I don't see the argument against using it.
That's exactly my point.

I don't understand why anyone would be against it.

Anyways, spdy enabled https is actually *faster* than http, because it combines connections, and does preloading!
Systems Engineer
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by richard »

but does nothing to solve the underlying problem of sloppy password reuse
It does, however, help solve the potential problem of stealing someone's username and password and hijacking their account.

Angelus359, I was agreeing with you.
vectorizer
Posts: 512
Joined: Sat Mar 03, 2007 2:52 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by vectorizer »

Angelus359 wrote:
pradador wrote:I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful.

Https TLS is an end-to-end encryption method that can't be read in the middle. At best they will know that https traffic is happening.
Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voilà, man-in-the-middle undetected by the browser or the typical end user.

If one is worried about their employer seeing what one is posting to a site, don't use the employer's equipment to post. If the employer wants to spy on their employees' web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).
bzcat
Posts: 90
Joined: Sat Jun 04, 2011 10:31 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by bzcat »

Another vote for please add HTTPS.
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by richard »

vectorizer wrote:
Angelus359 wrote:
pradador wrote:I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful.

Https TLS is an end-to-end encryption method that can't be read in the middle. At best they will know that https traffic is happening.
Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voilà, man-in-the-middle undetected by the browser or the typical end user.

If one is worried about their employer seeing what one is posting to a site, don't use the employer's equipment to post. If the employer wants to spy on their employees' web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).
If you're using company equipment, they could install a keystroke logger and directly watch everything you do. It's not really an https issue (not that you said it was).
Quickfoot
Posts: 1166
Joined: Fri Jan 11, 2013 12:03 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Quickfoot »

Guys, SSL will not protect you from man-in-the-middle attacks from your employer. Nearly every large company is doing man-in-the-middle attacks on SSL traffic and monitoring the web traffic.
Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voilà, man-in-the-middle undetected by the browser or the typical end user.

If one is worried about their employer seeing what one is posting to a site, don't use the employer's equipment to post. If the employer wants to spy on their employees' web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).
And pretty much all major companies have been doing this forever. SSL will not protect you from your employer seeing what you are doing.

If your network allows the connections through, you could run Tor, which would only appear as encrypted traffic, but if IT suspects you of doing something they'll just bug your computer or pull the disks and take a look at what you are doing that you shouldn't be.

Keep the personal stuff personal, or at most limit personal use to things that won't draw attention and won't get you fired if they are monitoring your traffic.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

Your company can sniff that you are having outgoing TLS traffic.

They cannot read your TLS encrypted traffic without bugging your computer directly.

Knowing that you have TLS traffic, and being able to read your TLS traffic are entirely different things.

You guys really need to read up on ECDHE, AES-GCM, and other fun encryption methods involved here.

Regardless, that doesn't change the fact that anyone who uses the same password here, as another website, is having a security problem, that is worsened by this website.

Why would you be against HTTPS?

I can't think of a single reason.
Systems Engineer
Quickfoot
Posts: 1166
Joined: Fri Jan 11, 2013 12:03 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Quickfoot »

They cannot read your TLS encrypted traffic without bugging your computer directly.
Unfortunately you are incorrect. What they do is use a firewall or traffic shaping tool to force you through an SSL proxy. Since your corporate computer is configured to recognize the corporate certificate authority, they issue a corporate-signed SSL certificate for the website you are visiting and pass that to your computer; then the proxy opens the SSL connection to the website. Now the proxy can directly access all your normally encrypted traffic without you knowing they are doing it. They don't need to install software on your computer because they can just manipulate the traffic through their network, and because the CA is trusted you will never get a popup about an invalid SSL cert.

There were just several articles written about major employers listening to TLS / SSL traffic. Pretty much ALL major employers have been doing this for years. They are not going to allow their employees to generate traffic without knowing what they are doing or at least without the ability to review the traffic.

If you are on your employer's network or using employer equipment, they have the right and ability to monitor even your encrypted traffic.
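One defender-side check for the interception Quickfoot describes, written as an added example (Python; not code from the forum or from any product named in the thread): the proxy's certificate chains to a CA the client already trusts, so the handshake raises no error, but the issuer on the leaf certificate is the corporate CA rather than the CA the site really uses. The host name, CA names and certificate dicts below are constructed; a live connection returns the same dict shape from getpeercert().

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns for a
# leaf certificate. Every name below is made up for this example.
SAMPLE_PUBLIC_CA_CERT = {
    "subject": ((("commonName", "forum.example.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
}
SAMPLE_CORPORATE_CA_CERT = {
    "subject": ((("commonName", "forum.example.org"),),),
    "issuer": (
        (("organizationName", "ACME Corp IT"),),
        (("commonName", "ACME Corp Web Filter CA"),),
    ),
}


def rdn_value(name, key):
    """First value for `key` in a getpeercert()-style name: a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def issuer_summary(cert):
    """'O / CN' of the certificate's issuer, for display and for comparison."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName") or "?"
    cn = rdn_value(issuer, "commonName") or "?"
    return f"{org} / {cn}"


def looks_intercepted(cert, expected_issuer_cns):
    """True when the leaf was signed by an issuer other than the CAs the site is
    known to use.

    The OS trust store accepts the corporate CA, so ssl raises nothing; the only
    visible trace of a terminating proxy is an issuer that is not the site's real
    CA. Issuer CNs rotate as CAs replace intermediates, so keep the set current."""
    cn = rdn_value(cert.get("issuer", ()), "commonName")
    return cn not in expected_issuer_cns


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Live helper: handshake with the default (OS) trust store and return the
    peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(host, expected_issuer_cns, cert=None):
    """Return (intercepted, issuer summary). Pass `cert` to audit a saved
    certificate offline instead of connecting."""
    if cert is None:
        cert = fetch_leaf_cert(host)
    return looks_intercepted(cert, expected_issuer_cns), issuer_summary(cert)


if __name__ == "__main__":
    expected = {"Example Public CA R1"}  # the CA this made-up forum is known to use
    for sample in (SAMPLE_PUBLIC_CA_CERT, SAMPLE_CORPORATE_CA_CERT):
        hit, who = audit("forum.example.org", expected, cert=sample)
        print("INTERCEPTED" if hit else "ok", "-", who)
```

This only detects the proxy case; as later posts note, a keylogger or disk access on a managed machine sits below the TLS layer and leaves no trace in the certificate.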
Kosmo
Posts: 1303
Joined: Wed Sep 05, 2012 11:54 am
Location: Philadelphia

Re: HTTPS [Request to implement HTTPS for this site]

Post by Kosmo »

arandomdude84 wrote:Please add https support; it's 2014 and all websites should use https. There is really no reason not to.
No reason to not use https. But also no reason to change to use it.

I don't care one way or the other, but I have yet to read a compelling reason to make any changes.

If you use the same password here as you do for logging in to your bank, that's you not taking proper security measures. If you're worried that work will read something you don't want them to read, don't use your work computer to post. If you want to anonymously discuss items of questionable legality, that's what admins will weed out (along with the rest of the upstanding citizens here). If you're worried someone will hijack your account and make fake posts, you need to get outside more often. All of these are behavioral issues. They cannot be fixed with any amount of technical wizardry no matter how cheap or easy to implement.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

Quickfoot wrote:
They cannot read your TLS encrypted traffic without bugging your computer directly.
Unfortunately you are incorrect. What they do is use a firewall or traffic shaping tool to force you through an SSL proxy. Since your corporate computer is configured to recognize the corporate certificate authority, they issue a corporate-signed SSL certificate for the website you are visiting and pass that to your computer; then the proxy opens the SSL connection to the website. Now the proxy can directly access all your normally encrypted traffic without you knowing they are doing it. They don't need to install software on your computer because they can just manipulate the traffic through their network, and because the CA is trusted you will never get a popup about an invalid SSL cert.

There were just several articles written about major employers listening to TLS / SSL traffic. Pretty much ALL major employers have been doing this for years. They are not going to allow their employees to generate traffic without knowing what they are doing or at least without the ability to review the traffic.

If you are on your employer's network or using employer equipment, they have the right and ability to monitor even your encrypted traffic.
I work in a bring-your-own-device environment. They can't force me to use their certificate. That method only works in a highly controlled environment. Not everyone works for a mega-corp.

As I said, this doesn't personally affect me. I know for a fact my work does *not* monitor, because I'm the one who manages all the networking in the first place!

The views in this thread have ranged from "yes, we should have it" to "why bother?"

Notice the lack of negative responses. Some of us may want it. Some of us don't care. Why not appease the ones who do want it, as nobody is against it?
Systems Engineer
VeloSvengali
Posts: 1
Joined: Fri Apr 04, 2014 11:07 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by VeloSvengali »

Create a unique password algorithm that only you know and is easy to determine your password based on the url you are visiting. Why throw more work at the good folks here who already dedicate a lot of their time to maintaining this site. Frankly I think your request is selfish.
Phineas J. Whoopee
Posts: 9675
Joined: Sun Dec 18, 2011 5:18 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Phineas J. Whoopee »

The answer was in this thread's second post. It's entirely up to Alex, who owns the forum.

If you have good refutations to his reasoning and he finds them convincing he might change his mind, but the job of bogleheads.org is not to "appease" anybody. A PM would probably be more effective than a public campaign to pressure him.

PJW
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

Failing to protect one method, because another vulnerability exists is just...

I give up, really, I just give up. I use a throw-away password, at a non-SSL proxy workplace (btw, you can check to see if your work does that in the cert page of a browser)

I was not expecting this level of... here... I'm done with this thread.
Systems Engineer
void
Posts: 34
Joined: Tue May 01, 2012 6:22 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by void »

Quickfoot wrote:Guys SSL will not protect you from man in the middle attacks from your employer. Nearly every large company is doing man in the middle attacks on SSL traffic and monitoring the web traffic.
Yes, it can prevent MITM depending on how it's configured. If TLS client authentication is required by the remote resource, the MITM won't have the private key of the client certificate and the subsequent TLS handshake between the MITM and remote resource will fail.
bvps
Posts: 3
Joined: Mon Jan 21, 2013 7:57 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by bvps »

I agree.

HTTPS.
dgray512
Posts: 2
Joined: Fri Apr 04, 2014 2:07 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by dgray512 »

Another vote in favor of sitewide HTTPS.
bowest
Posts: 193
Joined: Fri Feb 18, 2011 12:19 pm
Location: New York

Re: HTTPS [Request to implement HTTPS for this site]

Post by bowest »

arandomdude84 wrote: Imagine: bogleheads.org forum visitor who logs in to the site while on the company VPN (because they either forgot to log out of it, or are taking a break from working, or whatever) posting employment questions weighing questions about whether or not the user should accept a new job offer and/or how the user should better negotiate their current pay/benefits/etc.

Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.
Imagined forum visitor is silly not to presume keystrokes are not being recorded if he is working on said employer's equipment.
gkaplan
Posts: 7034
Joined: Sat Mar 03, 2007 7:34 pm
Location: Portland, Oregon

Re: HTTPS [Request to implement HTTPS for this site]

Post by gkaplan »

Phineas J. Whoopee wrote:The answer was in this thread's second post. It's entirely up to Alex, who owns the forum.

If you have good refutations to his reasoning and he finds them convincing he might change his mind, but the job of bogleheads.org is not to "appease" anybody. A PM would probably be more effective than a public campaign to pressure him.

PJW
I agree.
Gordon
Wildebeest
Posts: 1204
Joined: Fri Dec 27, 2013 1:36 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Wildebeest »

I learned a lot reading the thread or should I say, I hope I understood some.

I greatly appreciate what Alex Frakt and Larry Auton created on this website and own it. I appreciate very much it is free of ads, etc and it is up to them what they would like to implement.

Angelus359 makes a cogent argument for https and I would support it. It is great he is willing to volunteer his expertise and time.
The Golden Rule: One should treat others as one would like others to treat oneself.
franklinsimms
Posts: 13
Joined: Fri Apr 04, 2014 1:10 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by franklinsimms »

I completely respect the forum owner's right to run it as he sees fit. Your forum, your rules.

However, referring to the use of HTTPS on this website as "security theater" pains me. It is simply not true. HTTPS does not merely give the appearance of security. It solves actual security problems, preventing a man-in-the-middle from:
  • Harvesting usernames, email addresses, and passwords
  • Hijacking user sessions (Firesheep, anyone?)
  • Determining a person's username and posting history
  • Determining what a user is reading
Again, I firmly believe that it is the owner's prerogative to run the site as they see fit. Even if the reasoning is as blunt as "I don't want to spend free time or money working on changing things" or "I don't believe my users' information is worth protecting" - that's good enough for me. But referring to HTTPS as "security theater" when it clearly is not bothers me as someone who does this for a living, and it bothers me as someone who cares about making the web a safer place.
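The failure modes in franklinsimms's list, and the forced http-to-https redirect asked for earlier in the thread, can both be read off the responses a site sends. This is an added example (Python; not code from the forum or from phpBB): the host name, cookie name and the four responses are constructed, and a live check means feeding the function the raw response text from a request of your own.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses; none were captured from a real site.
PLAIN_HTTP = (            # site served over http, no redirect
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: forum_sid=abc123; path=/\r\n"
    "\r\n<html>...</html>"
)
LOGIN_ONLY_HTTPS = (      # https on the login page only: cookie still usable over http
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: forum_sid=abc123; path=/\r\n"
    "\r\n<html>login form</html>"
)
HARDENED_HTTP = (         # every http URL permanently redirected to https
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example.org/viewtopic.php?t=1\r\n"
    "\r\n"
)
HARDENED_HTTPS = (        # HSTS set, session cookie never leaves the TLS channel
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: forum_sid=abc123; path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)
SIX_MONTHS = 180 * 24 * 3600


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(lowercased name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def values(headers, name):
    return [v for k, v in headers if k == name]


def audit_response(raw, request_url):
    """Findings for one response.

    Over http the server must redirect permanently to https on the same host.
    Over https an HSTS header with a long max-age must be present (browsers
    ignore HSTS received over plain http, so it is not checked there). Either
    way every Set-Cookie must carry Secure and HttpOnly; a session cookie
    without Secure is exactly what makes login-only HTTPS insufficient, since
    the browser will replay it on the site's http pages."""
    status, headers = parse_response(raw)
    req = urlparse(request_url)
    findings = []
    if req.scheme == "http":
        locs = values(headers, "location")
        if status in (301, 302, 307, 308) and locs:
            target = urlparse(locs[0])
            if target.scheme != "https" or target.hostname != req.hostname:
                findings.append(f"redirect does not land on https://{req.hostname}: {locs[0]}")
            elif status in (302, 307):
                findings.append("redirect is temporary; use 301 or 308 so clients remember it")
        else:
            findings.append("plain-HTTP request was served instead of redirected to https")
    else:
        hsts = values(headers, "strict-transport-security")
        m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
        if m is None:
            findings.append("no Strict-Transport-Security header")
        elif int(m.group(1)) < SIX_MONTHS:
            findings.append("HSTS max-age is shorter than six months")
    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: browsers will send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    cases = [
        ("plain http", PLAIN_HTTP, "http://forum.example.org/"),
        ("login-only https", LOGIN_ONLY_HTTPS, "https://forum.example.org/ucp.php?mode=login"),
        ("hardened http", HARDENED_HTTP, "http://forum.example.org/viewtopic.php?t=1"),
        ("hardened https", HARDENED_HTTPS, "https://forum.example.org/viewtopic.php?t=1"),
    ]
    for label, raw, url in cases:
        print(label, "->", audit_response(raw, url) or ["ok"])
```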
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by stan1 »

I work in cyber security, but am the manager who tells the engineers they have to live within a budget and schedule, so I make these types of tradeoffs every day. I agree with Mr. Frakt. For a website like this it's more hassle than real benefit. Obviously https is not overkill for a website with personal information (including financial or credit card) or intellectual property. Use a unique password for every site. Use a spam email account if you want. If you are worried about the FBI or your employer monitoring your posts then you shouldn't be posting.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
frugalNOTcheap
Posts: 63
Joined: Fri Feb 08, 2013 11:21 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by frugalNOTcheap »

I have a slightly off-topic, but related, question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
Plan for tomorrow, but live for today.
MathWizard
Posts: 6560
Joined: Tue Jul 26, 2011 1:35 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by MathWizard »

frugalNOTcheap wrote:I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
IT person responsible for theft.

Company not responsible because you probably violated terms of use doing banking on company computers.

Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
MathWizard
Posts: 6560
Joined: Tue Jul 26, 2011 1:35 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by MathWizard »

Am I the only one who thinks this whole thread is quite rude to the owner of the site, once the question has been asked and answered?

Akin to suggesting a homeowner put child locks on his cabinets, then when he says he does not want to, telling him what a mistake that is and even taking a poll on whether he should do it or not.

There are many IT professionals on the site; I am one also. I in fact did ask this same question when I first joined, since when I ask for a password, I use SSL (https). However, that is what I do and I do not dictate to others.
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by richard »

MathWizard wrote:
frugalNOTcheap wrote:I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
IT person responsible for theft.

Company not responsible because you probably violated terms of use doing banking on company computers.

Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
Is there any actual case law on this?
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by richard »

MathWizard wrote:Am I the only one who thinks this whole thread is quite rude to the owner of the site, once the question has been asked and answered?<snip>

Akin to suggesting a homeowner put child locks on his cabinets, then when he says he does not want to, telling him what a mistake that is and even taking a poll on whether he should do it or not.

There are many IT professionals on the site; I am one also. I in fact did ask this same question when I first joined, since when I ask for a password, I use SSL (https). However, that is what I do and I do not dictate to others.
Many in this thread point out that it's solely Alex's decision.

The OP volunteered to help.

No one is dictating. At most, some point out that the stated rationale for not implementing HTTPS does not appear entirely accurate.

Doesn't sound quite rude to me.
User avatar
Kenkat
Posts: 9549
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: HTTPS [Request to implement HTTPS for this site]

Post by Kenkat »

richard wrote:
MathWizard wrote:
frugalNOTcheap wrote:I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
IT person responsible for theft.

Company not responsible because you probably violated terms of use doing banking on company computers.

Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
Is there any actual case law on this?
This is the right question. In almost all legal matters of any complexity, there is almost always a grey area. That's why there are courts and juries and judges. Legal disputes rarely come down to "if a, then b". If you can prove an employer committed acts of gross negligence in allowing access to personal information, there's a potential case there against both parties. Much of law is not specifically written statutes but an interpretation of previous case law as applied to the specific question at hand.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

While I am not going to argue over HTTPS anymore, as it's not worth my time due to the negative response, there is something I'd like to state. I came here bringing up a suggestion and offering help. I was attacked as if I was being bossy, when I was really just making my case.

Oh, this particular quote, I have a response to.
MathWizard wrote: Company not responsible because you probably violated terms of use doing banking on company computers.
Many workplaces (including my own) allow personal use of the work computers, during non work hours, and/or during scheduled breaks.

My work has absolutely no rules on what you can do on the computers, except no graphic material (you know what I mean), nothing illegal, and nothing otherwise violating the data security policy (which is vague).
Systems Engineer
arandomdude84
Posts: 69
Joined: Tue Feb 14, 2012 1:57 am

Re: HTTPS [Request to implement HTTPS for this site]

Post by arandomdude84 »

The amazing thing about this and the previous thread is that the amount of time spent talking about this and reading replies is probably about 5-8x the amount of time required to actually just make the change. This has become the ultimate bike shed and most people participating don't actually know anything about computers.
Topic Author
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: HTTPS [Request to implement HTTPS for this site]

Post by Angelus359 »

arandomdude84 wrote:The amazing thing about this and the previous thread is that the amount of time spent talking about this and reading replies is probably about 5-8x the amount of time required to actually just make the change. This has become the ultimate bike shed and most people participating don't actually know anything about computers.
My feelings exactly. It's gotten silly.
Systems Engineer