HTTPS [Request to implement HTTPS for this site]
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
HTTPS [Request to implement HTTPS for this site]
This site does not have HTTPS support.
That means, when someone tries to login, the username and password is sent in plaintext, and is vulnerable to man in the middle attacks.
While I personally use a throwaway password, I'm sure many users do not.
Implementing HTTPS support for the login page alone, would be sufficient. This would not give substantial load on the server. You can use a redirect, on port 443, for everywhere besides the login page, to redirect people back to HTTP.
StartSSL offers free SSL certs. I personally use them.
If you use the Mozilla best practices, found here
https://wiki.mozilla.org/Security/Server_Side_TLS
it will be safe, secure, and very low load. This defaults to the lightest security that can't be cracked in any reasonable amount of time.
If you need help with this, let me know, I do webserver hosting as a side gig, on rented VPS.
Systems Engineer
Re: HTTPS
Hi,
See this post by the site owner: Subject: https access to bogleheads.org?

greg24 wrote:
> https on this site would create administrative overhead with extremely little value.

Alex Frakt wrote:
> Exactly. https for sites like this one is pure security theater, it may make the uninformed feel better, but does nothing to solve the underlying problem of sloppy password reuse. Picking your unencrypted username and password out of the air is only one way to steal this data. You are far more likely to have it exposed by hackers who get access to a site's entire database (or by thieves who set up a site just to collect passwords - http://xkcd.com/792/). In this case, having an https connection does no good at all. If you really want to be secure, have at least two passwords. One for sites that hold private information from credit card numbers to brokerage accounts and one for sites like ours that hold nothing that could cause you a financial loss if revealed.
-
- Posts: 69
- Joined: Tue Feb 14, 2012 1:57 am
Re: HTTPS
Hi:
The reasoning in that post is flawed. Please add https support; it's 2014 and all websites should use https. There is really no reason not to. The 'administrative overhead' is negligible. There is no effect on latency, especially for an application that is not performance sensitive such as this one.
Please read: https://www.imperialviolet.org/2010/06/ ... g-ssl.html
"If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users."
If you are really concerned about latency (which actually makes me laugh at how preposterous this argument is), you can use a self-signed certificate and benchmark page load times between an https-encrypted page and a non-encrypted page. (If you do this, please post the benchmarks.)
Thanks.
- TimeRunner
- Posts: 1939
- Joined: Sat Dec 29, 2012 8:23 pm
- Location: Beach-side, CA
Re: HTTPS [Request to implement HTTPS for this site]
+1. It's the wild West out there, and there's more than a few entities "in the middle" twixt user and web server.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
-
- Posts: 69
- Joined: Tue Feb 14, 2012 1:57 am
Re: HTTPS [Request to implement HTTPS for this site]
I can think of a few scenarios off the top of my head why HTTPS bogleheads makes perfect sense, but let me outline one that just came to mind:
Imagine: a bogleheads.org forum visitor who logs in to the site while on the company VPN (because they either forgot to log out of it, or are taking a break from working, or whatever) posting employment questions, weighing whether or not the user should accept a new job offer and/or how the user should better negotiate their current pay/benefits/etc.
Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.
I'd also like to add that: bogleheads.org should REMOVE all unencrypted access and set up a redirect to force all users who hit forum URLs via http to be redirected to https instead.
Thanks.
- bogleblitz
- Posts: 506
- Joined: Mon Oct 01, 2012 2:51 pm
Re: HTTPS [Request to implement HTTPS for this site]
I bet more than 50% of the bogleheads here don't know what https is and don't care.
Most popular forums I visit don't have https either so I don't see it as a problem.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
As an IT professional, it amazes me how bad that train of thought is.
It costs literally nothing but minutes of time to protect every user here. Just because something hasn't gone wrong before doesn't mean it can't.
It's like leaving your doors unlocked because nobody has tried to break into your house before.
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
arandomdude84 wrote:
> I'd also like to add that: bogleheads.org should REMOVE all unencrypted access and set up a redirect to force all users who hit forum URLs via http to be redirected to https instead.

+1 I do this stuff for a living, and that is best practice for a site like this with even minimal privacy concerns.
Like always wearing your seatbelt.
-
- Posts: 987
- Joined: Wed Mar 24, 2010 7:11 pm
Re: HTTPS [Request to implement HTTPS for this site]
Can't wait for the next Boglehead meeting.
Shouldn't take too long to get everybody's password.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
I do agree with the idea of https on every page because some of the stuff people post here can get someone fired
Https would hide the headers and content
Systems Engineer
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
If you use https session cache and offer spdy support, https barely even has processor usage
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
Angelus359 wrote:
> It's like leaving your doors unlocked because nobody has tried to break into your house before.

really, more like using a Master Padlock on the back door because the house is empty.
I always wanted to be a procrastinator.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
bogleblitz wrote:
> I bet more than 50% of the bogleheads here don't know what https is and don't care.
> Most popular forums I visit don't have https either so I don't see it as a problem.

Just because they don't know or don't care doesn't mean they don't need it.
How would you feel if a bank didn't use it?
A lot of people against all advice use the same passwords everywhere, so you might as well be handing over bank access
Systems Engineer
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
Sidney wrote:
> Angelus359 wrote:
> > It's like leaving your doors unlocked because nobody has tried to break into your house before.
>
> really, more like using a Master Padlock on the back door because the house is empty.

I don't understand what you mean
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
I'd like to see SSL support for the whole site as well.
Re: HTTPS [Request to implement HTTPS for this site]
Yeah, I am outraged.
This site, that is very helpful and completely free, doesn't use HTTPS? This is a rip off and I will not stand for this.
Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable
Every site that has user credentials, free or otherwise, should have TLS enabled https.
Last edited by Angelus359 on Fri Apr 04, 2014 9:03 am, edited 1 time in total.
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
arandomdude84 wrote:
> Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.

dotnet wrote:
> Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?

I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
pradador wrote:
> arandomdude84 wrote:
> > Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.
>
> dotnet wrote:
> > Does the owner/administrators not realize that I could get fired for something I voluntarily say on here while knowing that it isn't HTTPS?
>
> I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.

They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful.
Https TLS is an end to end encryption method that can't be read in the middle. At best they will know that https traffic is happening
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
Angelus359 wrote:
> Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable
> Every site that has user credentials, free or otherwise, should have TLS enabled https.

As far as I can tell, it's easy to implement, has no meaningful ongoing costs and adds some protection. I don't see the argument against using it.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
richard wrote:
> Angelus359 wrote:
> > Given that I've offered to help with it and gave a completely free sslcert authority, I don't think I'm being unreasonable
> > Every site that has user credentials, free or otherwise, should have TLS enabled https.
>
> As far as I can tell, it's easy to implement, has no meaningful ongoing costs and adds some protection. I don't see the argument against using it.

That's exactly my point.
I don't understand why anyone would be against it.
Anyways, spdy enabled https is actually *faster* than http, because it combines connections, and does preloading!
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
> but does nothing to solve the underlying problem of sloppy password reuse

It does, however, help solve the potential problem of stealing someone's username and password and hijacking their account.
Angelus359, I was agreeing with you.
- vectorizer
- Posts: 512
- Joined: Sat Mar 03, 2007 2:52 pm
Re: HTTPS [Request to implement HTTPS for this site]
Angelus359 wrote:
> pradador wrote:
> > I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
>
> They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful
> Https TLS is an end to end encryption method that can't be read in the middle. At best they will know that https traffic is happening

Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voila, man-in-the-middle undetected by the browser or the typical end user.
If one is worried about their employer seeing what one is posting to a site, don't use employer's equipment to post. If the employer wants to spy on their employee's web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).
Re: HTTPS [Request to implement HTTPS for this site]
Another vote for please add HTTPS.
Re: HTTPS [Request to implement HTTPS for this site]
vectorizer wrote:
> Angelus359 wrote:
> > pradador wrote:
> > > I saw this type of comment a couple times and just wanted to mention that many companies, especially in the highly regulated industries, have the ability to inspect SSL traffic via their firewalls or other web filtering tools. For example, the Barracuda Web Filter has these capabilities.
> >
> > They could see that a connection was made, but the content itself would be encrypted. That's not terribly useful
> > Https TLS is an end to end encryption method that can't be read in the middle. At best they will know that https traffic is happening
>
> Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voila, man-in-the-middle undetected by the browser or the typical end user.
> If one is worried about their employer seeing what one is posting to a site, don't use employer's equipment to post. If the employer wants to spy on their employee's web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).

If you're using company equipment, they could install a keystroke logger and directly watch everything you do. It's not really an https issue (not that you said it was).
Re: HTTPS [Request to implement HTTPS for this site]
vectorizer wrote:
> Actually, companies can perform man-in-the-middle SSL decryption, cleartext inspection, and reencryption if they control both the http proxy and the browser distribution. The browsers are distributed with a company-controlled CA cert, and the SSL traffic to the browsers is presented with web site names signed by that cert. Voila, man-in-the-middle undetected by the browser or the typical end user.
> If one is worried about their employer seeing what one is posting to a site, don't use employer's equipment to post. If the employer wants to spy on their employee's web use, there is more than one way to do it even on SSL sites, and it's their right to do so (even if it's wrong).

Guys SSL will not protect you from man in the middle attacks from your employer. Nearly every large company is doing man in the middle attacks on SSL traffic and monitoring the web traffic.
And pretty much all major companies have been doing this forever. SSL will not protect you from your employer seeing what you are doing.
If your network allows the connections through you could run Tor which would only appear as encrypted traffic but if IT suspects you of doing something they'll just bug your computer or pull the disks and take a look at what you are doing that you shouldn't be.
Keep the personal stuff personal, or at most limit personal use to things that won't draw attention and won't get you fired if they are monitoring your traffic.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
Your company can sniff that you are having outgoing TLS traffic.
They cannot read your TLS encrypted traffic without bugging your computer directly.
Knowing that you have TLS traffic, and being able to read your TLS traffic are entirely different things.
You guys really need to read up on ECDHE, AES-GCM, and other fun encryption methods involved here.
Regardless, that doesn't change the fact that anyone who uses the same password here, as another website, is having a security problem, that is worsened by this website.
Why would you be against HTTPS?
I can't think of a single reason.
Systems Engineer
Re: HTTPS [Request to implement HTTPS for this site]
> They can not read your TLS encrypted traffic, without bugging your computer directly.

Unfortunately you are incorrect. What they do is use a firewall or traffic shaping tool to force you through an SSL proxy; since your corporate computer is configured to recognize the corporate certificate authority, they issue a corporate-signed ssl certificate for the website you are visiting and pass that to your computer, then the proxy opens the ssl connection to the website. Now the proxy can directly access all your normally encrypted traffic without you knowing they are doing it. They don't need to install software on your computer because they can just manipulate the traffic through their network; because the CA is trusted you will never get a popup about an invalid SSL cert.
There were just several articles written about major employers listening to TLS / SSL traffic. Pretty much ALL major employers have been doing this for years. They are not going to allow their employees to generate traffic without knowing what they are doing or at least without the ability to review the traffic.
If you are on your employer's network or using employer equipment they have the right and ability to monitor even your encrypted traffic.
Re: HTTPS [Request to implement HTTPS for this site]
arandomdude84 wrote:
> Please add https support; it's 2014 and all websites should use https. There is really no reason not to.

No reason to not use https. But also no reason to change to use it.
I don't care one way or the other, but I have yet to read a compelling reason to make any changes.
If you use the same password here as you do for logging in to your bank, that's you not taking proper security measures. If you're worried that work will read something you don't want them to read, don't use your work computer to post. If you want to anonymously discuss items of questionable legality, that's what admins will weed out (along with the rest of the upstanding citizens here). If you're worried someone will hijack your account and make fake posts, you need to get outside more often. All of these are behavioral issues. They cannot be fixed with any amount of technical wizardry no matter how cheap or easy to implement.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
Quickfoot wrote:
> > They can not read your TLS encrypted traffic, without bugging your computer directly.
>
> Unfortunately you are incorrect. What they do is use a firewall or traffic shaping tool to force you through an SSL proxy; since your corporate computer is configured to recognize the corporate certificate authority, they issue a corporate-signed ssl certificate for the website you are visiting and pass that to your computer, then the proxy opens the ssl connection to the website. Now the proxy can directly access all your normally encrypted traffic without you knowing they are doing it. They don't need to install software on your computer because they can just manipulate the traffic through their network; because the CA is trusted you will never get a popup about an invalid SSL cert.
> There were just several articles written about major employers listening to TLS / SSL traffic. Pretty much ALL major employers have been doing this for years. They are not going to allow their employees to generate traffic without knowing what they are doing or at least without the ability to review the traffic.
> If you are on your employer's network or using employer equipment they have the right and ability to monitor even your encrypted traffic.

I work in a bring your own device environment. They can't force me to use their certificate. That method only works in a highly controlled environment. Not everyone works for a mega-corp.
As I said, this doesn't personally affect me. I know for a fact my work does *not* monitor, because I'm the one who manages all the networking in the first place!
The views in this thread have ranged from "yes, we should have it" to "why bother?"
Notice the lack of negative responses. Some of us may want it. Some of us don't care. Why not appease the ones who do want it, as nobody is against it?
Systems Engineer
-
- Posts: 1
- Joined: Fri Apr 04, 2014 11:07 am
Re: HTTPS [Request to implement HTTPS for this site]
Create a unique password algorithm that only you know and is easy to determine your password based on the url you are visiting. Why throw more work at the good folks here who already dedicate a lot of their time to maintaining this site. Frankly I think your request is selfish.
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: HTTPS [Request to implement HTTPS for this site]
The answer was in this thread's second post. It's entirely up to Alex, who owns the forum.
If you have good refutations to his reasoning and he finds them convincing he might change his mind, but the job of bogleheads.org is not to "appease" anybody. A PM would probably be more effective than a public campaign to pressure him.
PJW
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
Failing to protect one method, because another vulnerability exists is just...
I give up, really, I just give up. I use a throw-away password, at a non-SSL proxy workplace (btw, you can check to see if your work does that in the cert page of a browser)
I was not expecting this level of... here... I'm done with this thread.
Systems Engineer
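The check Angelus359 mentions (looking at who issued the certificate your browser received) can also be scripted, which makes it easy to repeat from different networks. The following is an added example, not code from the forum or from any poster. It records the issuer of a site's leaf certificate once from a network you trust and compares later connections against that baseline; a TLS-inspecting proxy of the kind described in the thread re-issues the certificate under the company's private CA, so the issuer name is what changes. The hostname, issuer names and certificate contents below are constructed, not the real values for any site.

```python
"""Detect a TLS-inspecting proxy by comparing a site's certificate issuer
against a baseline recorded on a network you trust.

Added example for the forum thread; not the forum's own code. All hostnames,
issuer names and certificate contents here are constructed.
"""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Baseline to compare against, recorded once with record_baseline() from a
# trusted network (constructed values, not the real issuer of any site).
TRUSTED_BASELINE: Dict[str, Optional[str]] = {
    "organizationName": "Example Public CA Ltd",
    "commonName": "Example Public CA R3",
}


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Tuple[dict, bytes]:
    """Return (parsed leaf certificate, DER bytes) for hostname. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def _name_attr(name: tuple, key: str) -> Optional[str]:
    """Pull one attribute out of the nested ((key, value),) tuples that
    ssl's getpeercert() uses for the 'issuer' and 'subject' fields."""
    for rdn in name:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return None


def issuer_summary(cert: dict) -> Dict[str, Optional[str]]:
    """The two issuer attributes a browser's certificate page shows most prominently."""
    issuer = cert.get("issuer", ())
    return {k: _name_attr(issuer, k) for k in ("organizationName", "commonName")}


def record_baseline(hostname: str) -> Dict[str, Optional[str]]:
    """Run once from a network you trust and keep the result for later comparison."""
    cert, _ = fetch_peer_cert(hostname)
    return issuer_summary(cert)


def interception_indicators(cert: dict, baseline: Dict[str, Optional[str]]) -> List[str]:
    """Reasons to suspect the certificate was re-issued in transit.

    An empty list means the issuer matches the baseline. A proxy could copy
    the issuer's name, so a clean result is evidence, not proof.
    """
    reasons: List[str] = []
    seen = issuer_summary(cert)
    for field, expected in baseline.items():
        if seen.get(field) != expected:
            reasons.append(f"issuer {field}: expected {expected!r}, got {seen.get(field)!r}")
    return reasons


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, the value browsers show as the fingerprint.
    Pinning this is stronger than issuer names, but it changes at every renewal."""
    return hashlib.sha256(der).hexdigest()


# Constructed certificates in getpeercert() format for the offline demo.
CERT_DIRECT = {
    "subject": ((("commonName", "forum.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Ltd"),),
               (("commonName", "Example Public CA R3"),)),
}
CERT_VIA_PROXY = {
    # Same subject, so the browser is satisfied; only the issuer gives it away.
    "subject": ((("commonName", "forum.example.org"),),),
    "issuer": ((("organizationName", "ACME Corp"),),
               (("commonName", "ACME Corp TLS Inspection CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("direct", CERT_DIRECT), ("via proxy", CERT_VIA_PROXY)):
        print(label, interception_indicators(cert, TRUSTED_BASELINE) or "matches baseline")
```

On a managed machine the interception CA is already in the trust store, which is exactly why the browser stays silent; comparing against a baseline taken elsewhere is what surfaces the difference. Sites that rotate between several public CAs will produce false positives, so a baseline may need more than one acceptable issuer.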
Re: HTTPS [Request to implement HTTPS for this site]
Quickfoot wrote:
> Guys SSL will not protect you from man in the middle attacks from your employer. Nearly every large company is doing man in the middle attacks on SSL traffic and monitoring the web traffic.

Yes, it can prevent MITM depending on how it's configured. If TLS client authentication is required by the remote resource, the MITM won't have the private key of the client certificate and the subsequent TLS handshake between the MITM and remote resource will fail.
Re: HTTPS [Request to implement HTTPS for this site]
I agree.
HTTPS.
Re: HTTPS [Request to implement HTTPS for this site]
Another vote in favor of sitewide HTTPS.
Re: HTTPS [Request to implement HTTPS for this site]
arandomdude84 wrote:
> Imagine: a bogleheads.org forum visitor who logs in to the site while on the company VPN (because they either forgot to log out of it, or are taking a break from working, or whatever) posting employment questions, weighing whether or not the user should accept a new job offer and/or how the user should better negotiate their current pay/benefits/etc.
> Posts from the user detailing their plans to possibly leave their existing employer due to boredom, unhappiness, low pay, insufficient benefits, or a better job offer will be sent **in the clear** which could easily be logged by the company.

Imagined forum visitor is silly not to presume keystrokes are not being recorded if he is working on said employer's equipment.
Re: HTTPS [Request to implement HTTPS for this site]
Phineas J. Whoopee wrote:
> The answer was in this thread's second post. It's entirely up to Alex, who owns the forum.
> If you have good refutations to his reasoning and he finds them convincing he might change his mind, but the job of bogleheads.org is not to "appease" anybody. A PM would probably be more effective than a public campaign to pressure him.
> PJW

I agree.
Gordon
- Wildebeest
- Posts: 1204
- Joined: Fri Dec 27, 2013 1:36 pm
Re: HTTPS [Request to implement HTTPS for this site]
I learned a lot reading the thread or should I say, I hope I understood some.
I greatly appreciate what Alex Frakt and Larry Auton created on this website and own it. I appreciate very much it is free of ads, etc and it is up to them what they would like to implement.
Angelus359 makes a cogent argument for https and I would support it. It is great he is willing to volunteer his expertise and time.
The Golden Rule: One should treat others as one would like others to treat oneself.
-
- Posts: 13
- Joined: Fri Apr 04, 2014 1:10 am
Re: HTTPS [Request to implement HTTPS for this site]
I completely respect the forum owner's right to run it as he sees fit. Your forum, your rules.
However, referring to the use of HTTPS on this website as "security theater" pains me. It is simply not true. HTTPS does not merely give the appearance of security. It solves actual security problems, preventing a man-in-the-middle from:
- Harvesting usernames, email addresses, and passwords
- Hijacking user sessions (Firesheep, anyone?)
- Determining a person's username and posting history
- Determining what a user is reading
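What the list above asks for, sitewide HTTPS with plain HTTP redirected and sessions that cannot be sniffed, is a small amount of code at the application layer. The following is an added example, not the forum's own code or phpBB's: a WSGI middleware that redirects every plain-HTTP request to its https URL, adds a Strict-Transport-Security header so browsers stop sending plain HTTP at all, and marks Set-Cookie values Secure and HttpOnly so a passive listener on an open network (the Firesheep case) never sees the session cookie. The hostname, the stand-in forum app and its cookie name are constructed assumptions.

```python
"""Force HTTPS and harden session cookies for a forum behind a WSGI server.

Added example for the forum thread; not the forum's or phpBB's own code.
The hostname, stand-in app and cookie name are constructed.
"""
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote

Headers = List[Tuple[str, str]]
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; browsers then refuse plain http


def harden_cookie(set_cookie: str) -> str:
    """Add Secure and HttpOnly to a Set-Cookie value when they are missing.
    Secure keeps the cookie off plain-http connections; HttpOnly keeps it
    away from page scripts."""
    attrs = [a.strip() for a in set_cookie.split(";") if a.strip()]
    lowered = {a.lower() for a in attrs}
    if "secure" not in lowered:
        attrs.append("Secure")
    if "httponly" not in lowered:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def force_https(app: Callable, canonical_host: str) -> Callable:
    """WSGI middleware: 301 plain http to https and harden https responses.

    Only wsgi.url_scheme is consulted. Behind a TLS-terminating reverse proxy,
    have the server set the scheme from a header the proxy alone can send;
    trusting X-Forwarded-Proto from arbitrary clients would let them skip the
    redirect.
    """
    def middleware(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + canonical_host + quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            if qs:
                target += "?" + qs
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status: str, headers: Headers, exc_info=None):
            out: Headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = harden_cookie(value)
                out.append((name, value))
            out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return app(environ, hardened_start_response)

    return middleware


def forum_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the forum: the login page sets a session cookie (constructed)."""
    if environ.get("PATH_INFO") == "/ucp.php" and environ.get("QUERY_STRING") == "mode=login":
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Set-Cookie", "phpbb3_sid=abc123; Path=/")])
        return [b"logged in\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forum index\n"]


def call(app: Callable, environ: Dict) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app once and collect status, headers and body."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Assumed hostname for the redirect target.
SECURE_FORUM = force_https(forum_app, "forum.example.org")

if __name__ == "__main__":
    for scheme, path, qs in [("http", "/viewtopic.php", "t=1"), ("https", "/ucp.php", "mode=login")]:
        env = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": qs}
        print(scheme, path, call(SECURE_FORUM, env)[:2])
```

The redirect alone does not stop a first plain-http request from being observed, which is why the HSTS header matters: after one https visit the browser rewrites later http URLs itself. The cookie flags are what close the session-hijacking item in the list above; without Secure, a cookie set over https is still sent on any http request to the same host.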
Re: HTTPS [Request to implement HTTPS for this site]
I work in cyber security, but am the manager who tells the engineers they have to live within a budget and schedule, so I make these types of tradeoffs every day. I agree with Mr. Frakt. For a website like this it's more hassle than real benefit. Obviously https is not overkill for a website with personal information (including financial or credit card) or intellectual property. Use a unique password for every site. Use a spam email account if you want. If you are worried about the FBI or your employer monitoring your posts then you shouldn't be posting.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
- frugalNOTcheap
- Posts: 63
- Joined: Fri Feb 08, 2013 11:21 pm
Re: HTTPS [Request to implement HTTPS for this site]
I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
Plan for tomorrow, but live for today.
-
- Posts: 6560
- Joined: Tue Jul 26, 2011 1:35 pm
Re: HTTPS [Request to implement HTTPS for this site]
frugalNOTcheap wrote:
> I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?

IT person responsible for theft.
Company not responsible because you probably violated terms of use doing banking on company computers.
Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
-
- Posts: 6560
- Joined: Tue Jul 26, 2011 1:35 pm
Re: HTTPS [Request to implement HTTPS for this site]
Am I the only one who thinks this whole thread is quite rude to the owner of the site, once the question has been asked and answered?
Akin to suggesting a homeowner put child locks on his cabinets, then when he says he does not want to, telling him what a mistake that is and even taking a poll on whether he should do it or not.
There are many IT professionals on the site; I am one also. I in fact did ask this same question when I first joined, since when I ask for a password, I use SSL (https). However, that is what I do and I do not dictate to others.
Re: HTTPS [Request to implement HTTPS for this site]
frugalNOTcheap wrote: I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
MathWizard wrote: IT person responsible for theft. Company not responsible because you probably violated terms of use doing banking on company computers. Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
Is there any actual case law on this?
Re: HTTPS [Request to implement HTTPS for this site]
MathWizard wrote: Am I the only one who thinks this whole thread is quite rude to the owner of the site, once the question has been asked and answered? <snip> Akin to suggesting a homeowner put child locks on his cabinets, then when he says he does not want to, telling him what a mistake that is and even taking a poll on whether he should do it or not. There are many IT professionals on the site; I am one also. I in fact did ask this same question when I first joined, since when I ask for a password, I use SSL (https). However, that is what I do and I do not dictate to others.
Many in this thread point out that it's solely Alex's decision.
The OP volunteered to help.
No one is dictating. At most, some point out that the stated rationale for not implementing HTTPS does not appear entirely accurate.
Doesn't sound quite rude to me.
Re: HTTPS [Request to implement HTTPS for this site]
frugalNOTcheap wrote: I have a slight off topic, but related question. If my employer's IT person gains access to my online banking ID/password and uses it to commit fraud, is the employer liable or just the IT person?
MathWizard wrote: IT person responsible for theft. Company not responsible because you probably violated terms of use doing banking on company computers. Same may not be true of your own personal ISP, and almost certainly not true if it was a bank employee.
richard wrote: Is there any actual case law on this?
This is the right question. In almost all legal matters of any complexity, there is almost always a grey area. That's why there are courts and juries and judges. Legal disputes rarely come down to "if a, then b". If you can prove an employer committed acts of gross negligence in allowing access to personal information, there's a potential case there against both parties. Much of law is not specifically written statutes but an interpretation of previous case law as applied to the specific question at hand.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
While I am not going to argue over the HTTPS argument anymore, as it's not worth my time, due to the negative response, there is something I'd like to state. I came here, bringing up a suggestion, and offering help. I was attacked, as if I was being bossy, when I was really just making my case.
Oh, this particular quote, I have a response to.
MathWizard wrote: Company not responsible because you probably violated terms of use doing banking on company computers.
Many workplaces (including my own) allow personal use of the work computers, during non-work hours, and/or during scheduled breaks.
My work has absolutely no rules on what you can do on the computers, except no graphic material (you know what I mean), nothing illegal, or otherwise violating data security policy (which is vague).
Systems Engineer
-
- Posts: 69
- Joined: Tue Feb 14, 2012 1:57 am
Re: HTTPS [Request to implement HTTPS for this site]
The amazing thing about this and the previous thread is that the amount of time spent talking about this and reading replies is probably about 5-8x the amount of time required to actually just make the change. This has become the ultimate bike shed and most people participating don't actually know anything about computers.
-
- Posts: 846
- Joined: Mon Mar 03, 2014 11:56 pm
Re: HTTPS [Request to implement HTTPS for this site]
arandomdude84 wrote: The amazing thing about this and the previous thread is that the amount of time spent talking about this and reading replies is probably about 5-8x the amount of time required to actually just make the change. This has become the ultimate bike shed and most people participating don't actually know anything about computers.
My feelings exactly. It's gotten silly.
Systems Engineer