HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Discussions about the forum and contents
LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by LadyGeek » Fri Nov 28, 2014 11:18 pm

Requested for quite some time: mingstar (Larry Auton) has implemented a secure protocol for this site. What does that mean?

Logins are now safe from hackers intercepting your information.

- The URL prefix is changed from http:// to https://
- Your browser should be showing a padlock icon to the left of the URL (address bar link).
- The home page and wiki may show mixed content (non-secure and secure) if you're not logged in, which will show a broken padlock icon. They'll stay that way.
- If you have your password stored in your web browser, your web browser will see this as a new login and will ask for a password.

The important part is that the forum itself uses https:// which is where you login and post from.

As for bookmarks, the links will not automatically change to https://, you'll have to make the updates yourself.

To help things along, the links at the top of the forum and home page are changed to https://. Click on any one of them and your browser will change over to https://

For the tech crowd:

Chrome is reporting TLS 1.0 protocol.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Fri Nov 28, 2014 11:27 pm

LadyGeek wrote:As for bookmarks, the links will not automatically change to https://, you'll have to make the updates yourself.
You don't have to change your bookmarks. Everything will work correctly whether your link starts with https or http. But if you want your information encrypted while it travels the internet, you'll need to use the https version.

stlutz
Posts: 4742
Joined: Fri Jan 02, 2009 1:08 am

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by stlutz » Fri Nov 28, 2014 11:27 pm

Nice! Applause for Larry! :sharebeer

LeeMKE
Posts: 1753
Joined: Mon Oct 14, 2013 9:40 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LeeMKE » Sat Nov 29, 2014 2:12 am

+1

Thanks!
The mightiest Oak is just a nut who stayed the course.

placeholder
Posts: 3957
Joined: Tue Aug 06, 2013 12:43 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by placeholder » Sat Nov 29, 2014 2:35 am

An interesting consequence of that with Firefox is that if you have a posting edit window open and navigate away and back the https links will reload that and wipe out anything entered but the http pages don't.

ccieemeritus
Posts: 561
Joined: Thu Mar 06, 2014 10:43 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by ccieemeritus » Sat Nov 29, 2014 4:01 am

Thank you!

BrandonBogle
Posts: 2097
Joined: Mon Jan 28, 2013 11:19 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by BrandonBogle » Sat Nov 29, 2014 6:36 am

Thank you!

While we should never post anything we are afraid of others seeing (like personally identifiable information) and we should not reuse login information here that we use elsewhere, I appreciate the forum doing its part to take measures in securing its part of the Internet!

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Sat Nov 29, 2014 9:44 am

LadyGeek wrote:The home page and wiki may show mixed content (non-secure and secure) if you're not logged in, which will show a broken padlock icon. They'll stay that way.
I've fixed this on the home page (the Google search needed to be changed into an https submission on both the home page and phpbb headers) and I believe I've discovered the fix for this on the wiki, but I need LadyGeek to implement it.

If you come across other pages with "broken" security when using https, you can report it here. Note that this will happen on any page that contains an image from our server where the URL starts with http: . For example if there is an image of someone's avatar inside a post.

JDDS
Moderator
Posts: 959
Joined: Sun Mar 16, 2014 2:24 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by JDDS » Sat Nov 29, 2014 10:12 am

thanks a bunch!

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LadyGeek » Sat Nov 29, 2014 10:39 am

Alex Frakt wrote:
LadyGeek wrote:The home page and wiki may show mixed content (non-secure and secure) if you're not logged in, which will show a broken padlock icon. They'll stay that way.
I've fixed this on the home page (the Google search needed to be changed into an https submission on both the home page and phpbb headers) and I believe I've discovered the fix for this on the wiki, but I need LadyGeek to implement it.

If you come across other pages with "broken" security when using https, you can report it here. Note that this will happen on any page that contains an image from our server where the URL starts with http: . For example if there is an image of someone's avatar inside a post.
I fixed the wiki home page.

Remember that the wiki is intended as a reference. Consequently, there are a LOT of pages containing http:// links. Since this is not our content, we have no control over what those sites do. For our purposes, there's no need to fix anything. However, if anyone has a suggested fix for the wiki, we're happy to take a look. We'll also take suggestions on content...

The wiki editors have a secure login.

Update: Secure login depends on how you link to the site. See my post below.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

FinanceGeek
Posts: 835
Joined: Sun Jul 01, 2007 5:27 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by FinanceGeek » Sat Nov 29, 2014 11:18 am

Thanks Larry for updating the website! If you run the nifty browser extension HTTPS Everywhere, you automagically get directed to the secure version of the bogleheads site. In fact you should use this extension always!

https://www.eff.org/HTTPS-EVERYWHERE

The529guy
Posts: 610
Joined: Fri May 23, 2014 1:08 am

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by The529guy » Sat Nov 29, 2014 11:39 am

FinanceGeek wrote:Thanks Larry for updating the website! If you run the nifty browser extension HTTPS Everywhere, you automagically get directed to the secure version of the bogleheads site. In fact you should use this extension always!

https://www.eff.org/HTTPS-EVERYWHERE
Thank you for posting! I didn't realize EFF had a Chrome version now.

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LadyGeek » Sat Nov 29, 2014 2:20 pm

The wiki videos, such as Video:Bogleheads® investment philosophy which use Vimeo didn't like linking to http:// from https://. I removed the http:// protocol to just leave the domain URL, e.g. src="//player.vimeo.com/video/5399673". The browser will figure it out and make the connection.

Likewise for Google spreadsheets, such as: Emerging market stocks (In the Notes section.)

Did we miss anything else?
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
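Alex's and LadyGeek's posts above describe the two mixed-content fixes that were applied: a subresource (an avatar image, a Vimeo embed) loaded over http:// from an https:// page breaks the padlock, and a search form posting to http:// sends its fields in the clear. As an added example, not code from the forum or its software, here is a small Python scanner that reports both cases and rewrites the subresources on https-capable hosts to the protocol-relative `//host/...` form LadyGeek used. The sample page is constructed (the avatar host and the search-form target are placeholders); only the Vimeo embed is the one from the post.

```python
"""Find and fix mixed content on an HTTPS page (added example, not forum code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose value the browser fetches as a subresource. Loading any of
# these over http:// from an https:// page is "mixed content" and breaks the padlock.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "source": "src", "video": "src", "audio": "src", "link": "href",
    "object": "data",
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every insecure subresource or form target."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if name == wanted:
                self.findings.append(("mixed-content", tag, value))
            elif tag == "form" and name == "action":
                # Not mixed content in the browser's sense, but the form fields
                # would be submitted unencrypted (the Google search box case).
                self.findings.append(("insecure-form", tag, value))


def scan(html):
    """Return the list of (kind, tag, url) findings for one page."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


_URL_ATTR = re.compile(r'((?:src|href|action|data)\s*=\s*["\'])(http://[^"\']+)', re.I)


def make_protocol_relative(html, https_capable_hosts):
    """Rewrite http://host/... to //host/... for hosts known to serve HTTPS.

    The browser then reuses the page's own scheme. Hosts not in the allow-list are
    left alone: a protocol-relative URL to an http-only host would simply fail to load.
    """
    def repl(match):
        host = urlsplit(match.group(2)).hostname
        if host in https_capable_hosts:
            return match.group(1) + match.group(2)[len("http:"):]
        return match.group(0)
    return _URL_ATTR.sub(repl, html)


# Constructed sample page: the Vimeo embed and its video id are from the thread;
# the avatar host, the search-form target and the external link are placeholders.
SAMPLE_HTML = """
<html><body>
<img src="http://images.example.org/avatars/user42.png" alt="avatar">
<iframe src="http://player.vimeo.com/video/5399673" width="500"></iframe>
<form action="http://search.example.net/search" method="get"><input name="q"></form>
<a href="http://external.example.com/article">an ordinary link (not mixed content)</a>
<script src="https://static.example.org/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML):
        print(f"{kind:15} <{tag}> {url}")
    fixed = make_protocol_relative(SAMPLE_HTML, {"player.vimeo.com"})
    print("findings remaining after rewrite:", len(scan(fixed)))
```

Run on the sample, the scanner lists the avatar, the Vimeo iframe and the search form, and leaves the plain `<a href>` alone because navigating to an http page is not mixed content. After the rewrite only the Vimeo embed changes, since only that host was declared https-capable; the avatar still needs its own fix (serve it from the https host), as Alex's post says.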

nguoivohinh511
Posts: 10
Joined: Fri Apr 11, 2014 9:09 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by nguoivohinh511 » Sat Nov 29, 2014 3:28 pm

If you use apache as your webserver, you can set a redirect so any http will change to https. This means if members click on their bookmarked url that still uses http, the browser will redirect the url to https.
It's done at the server level so visitors do not have to do anything.

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Sat Nov 29, 2014 6:05 pm

nguoivohinh511 wrote:If you use apache as your webserver, you can set a redirect so any http will change to https. This means if members click on their bookmarked url that still uses http, the browser will redirect the url to https.
It's done at the server level so visitors do not have to do anything.
We've discussed it, but Larry wants to keep the http version alive for those who don't want to use https for whatever reason. I believe he feels the whole thing is a waste of processor cycles. FWIW, I agree with him. We only decided to do it because Google has promised to start downgrading sites that don't offer it, see http://googlewebmastercentral.blogspot. ... ignal.html (curiously the linked page does not use https).

That said, since we are doing it, we want to do it right. So continue to let us know if you see it broken somewhere.

nordsteve
Posts: 645
Joined: Sun Oct 05, 2008 9:23 am

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by nordsteve » Sat Nov 29, 2014 7:04 pm

Since you're just starting out with HTTPS support, I'd recommend turning off SSL V3 protocol support, and enabling TLS 1.1 and 1.2. The big players are all turning off SSL V3.

https://technet.microsoft.com/en-us/lib ... 09008.aspx
https://groups.google.com/a/chromium.or ... nhy9aKM_l4

archbish99
Posts: 1633
Joined: Fri Jun 10, 2011 6:02 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by archbish99 » Sat Nov 29, 2014 7:28 pm

Indeed. SSLv3 should be considered broken at this point, and TLS 1.0 is not substantially better, since you can't know that the other side is patched for BEAST without using RC4, and that's broken. TLS 1.2 is state of the art, and should be used anywhere you're going to the effort of setting up TLS.
I'm not a financial advisor, I just play one on the Internet.

nguoivohinh511
Posts: 10
Joined: Fri Apr 11, 2014 9:09 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by nguoivohinh511 » Sat Nov 29, 2014 8:10 pm

Alex Frakt wrote:
nguoivohinh511 wrote:If you use apache as your webserver, you can set a redirect so any http will change to https. This means if members click on their bookmarked url that still uses http, the browser will redirect the url to https.
It's done at the server level so visitors do not have to do anything.
We've discussed it, but Larry wants to keep the http version alive for those who don't want to use https for whatever reason. I believe he feels the whole thing is a waste of processor cycles. FWIW, I agree with him. We only decided to do it because Google has promised to start downgrading sites that don't offer it, see http://googlewebmastercentral.blogspot. ... ignal.html (curiously the linked page does not use https).

That said, since we are doing it, we want to do it right. So continue to let us know if you see it broken somewhere.
Hey Alex,
I spent a lot of time configuring my SSL and securing my site so I do my fair share of this task.
With respect to your choice of keeping both http and https, unless you run the site on an old machine from home, the https overhead is insignificant on any modern server hardware.
Also, if you configure your site to use SSL and SPDY, the speed increase would more than compensate for any perceived cpu overhead.
http://en.wikipedia.org/wiki/SPDY

As for the SSL certificate you have here, it's badly configured. You need to turn off SSL 3 immediately to avoid the POODLE attack and use TLS 1.2.
At first look, it looks like the cipher suite you used is not strong enough. The site currently got a grade C.
https://www.ssllabs.com/ssltest/analyze ... eheads.org

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LadyGeek » Sat Nov 29, 2014 8:49 pm

I reconfigured the wiki's main logo (top-left) and links on the left-hand menu to force https://.

Wiki editors who want to login securely should click on the logo to switch to https://.

(Not configured in the wiki left-hand menu were 3 external website links that didn't support https://; also the Tools and Print/Export section.)
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Sat Nov 29, 2014 9:26 pm

nguoivohinh511 wrote:Hey Alex,
I spent a lot of time configuring my SSL and securing my site so I do my fair share of this task.
With respect to your choice of keeping both http and https, unless you run the site on an old machine from home, the https overhead is insignificant on any modern server hardware.
Also, if you configure your site to use SSL and SPDY, the speed increase would more than compensate for any perceived cpu overhead.
http://en.wikipedia.org/wiki/SPDY

As for the SSL certificate you have here, it's badly configured. You need to turn off SSL 3 immediately to avoid the POODLE attack and use TLS 1.2.
At first look, it looks like the cipher suite you used is not strong enough. The site currently got a grade C.
https://www.ssllabs.com/ssltest/analyze ... eheads.org
I'll forward your message to Larry.

JDDS
Moderator
Posts: 959
Joined: Sun Mar 16, 2014 2:24 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by JDDS » Sat Nov 29, 2014 9:52 pm

Alex Frakt wrote:
nguoivohinh511 wrote:If you use apache as your webserver, you can set a redirect so any http will change to https. This means if members click on their bookmarked url that still uses http, the browser will redirect the url to https.
It's done at the server level so visitors do not have to do anything.
We've discussed it, but Larry wants to keep the http version alive for those who don't want to use https for whatever reason. I believe he feels the whole thing is a waste of processor cycles. FWIW, I agree with him. We only decided to do it because Google has promised to start downgrading sites that don't offer it, see http://googlewebmastercentral.blogspot. ... ignal.html (curiously the linked page does not use https).

That said, since we are doing it, we want to do it right. So continue to let us know if you see it broken somewhere.
Thanks for going ahead with https regardless of personal feelings. I support a couple of https-only sites; while not overly complicated, it's more than just flipping one switch.

avidsaver
Posts: 75
Joined: Wed Aug 13, 2014 1:47 am

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by avidsaver » Sun Nov 30, 2014 12:48 am

TL;DR, good on Bogleheads for offering an HTTPS version, it is just one more reason to stick around and one more example of why this is such a good community and resource. Some thoughts follow...

Nginx can also auto-redirect http:// requests to the https:// site, that is how I have it configured. I had offered both versions (secure and non-secure) in the past but when Google announced that it would start dinging sites for not providing it, I decided it was as good a time as any to go fully HTTPS/TLS. The site is a blog and a public forum and there is not much secure information hackers would want, people are allowed pseudonyms and do not have to provide payment details or real names (though some do).

Beyond the privacy implications, the encrypted link also ensures that my viewers are seeing the site as intended without any ISP bullshit snooping or ad/code injection (they could still try but would get a browser warning).

With modern computing what it is, even running the site on the lowest end Digital Ocean VPS, the HTTPS overhead is insignificant and is far outweighed by the benefits of a secure connection. If you are going to use it though, it is an undertaking that needs time and resources to deploy correctly and to make sure that it stays secure in the wake of past and future attacks.

At this point (and since you are keeping the http version for now so no need to worry about supporting older client devices), I would dump SSL altogether and only keep TLSv1 and TLSv1.2. Then, disable all of the weaker ciphers to prevent a downgrade attack where the connection is forced to renegotiate to a lower than supported (and less secure or vulnerable) cipher.

For those curious, here is an Nginx configuration example that will auto-redirect http to https. It can be further tweaked from here to make it a bit more secure (I still have to implement PFS).

#HTTP to HTTPS-Redirect Traffic To Secure Site
server {
        listen 80;
        listen [::]:80 ipv6only=on;
        server_name DOMAIN.com 123.456.78.910;
        return 301 https://$host$request_uri;
}

server {
        listen 443 default ssl;
        listen [::]:443 ipv6only=on;

        root /var/www/html;
        index index.php index.html index.htm;

        # Make site accessible from http://localhost/
        server_name DOMAIN.com 123.456.78.910;

        # Enable SSL
        ssl_certificate /etc/nginx/ssl/sslcertbundle.crt;
        ssl_certificate_key /etc/nginx/ssl/myserver.key;
        # Enables TLSv1, but not SSLv3 because of POODLE vulnerability or SSLv2 which is weak and shoul$
        ssl_protocols TLSv1 TLSv1.2;
        # Disables all weak ciphers
        ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
}
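nguoivohinh511's Apache suggestion and avidsaver's nginx block above both redirect plain-http requests with the equivalent of `return 301 https://$host$request_uri`, which copies the client's Host header straight into the Location. As an added example (not the forum's code and not either poster's configuration), here is the same redirect written with Python's standard library plus the one check a practitioner would want on top: the Host header is validated against an allow-list, so a crafted Host header cannot turn the redirector into an open redirect to another site. The hostnames are constructed placeholders.

```python
"""HTTP -> HTTPS redirector with Host validation (added example, not forum code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholders: the hostnames this redirector is willing to send
# browsers to. A real deployment lists its own server_name values here.
ALLOWED_HOSTS = {"example.org", "www.example.org"}
CANONICAL_HOST = "www.example.org"


def _hostname(host_header):
    """Extract a lowercase hostname from a Host header, dropping any port."""
    if not host_header:
        return None
    try:
        return urlsplit("//" + host_header).hostname
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return None


def redirect_for(method, host_header, request_uri):
    """Return (status, location) for a request that arrived over plain http.

    Only hostnames we actually serve are echoed back; anything else is sent to
    the canonical host instead of being reflected into the Location header.
    """
    host = _hostname(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # Only origin-form request targets (starting with "/") are echoed back;
    # an absolute-form target or garbage goes to the site root.
    path = request_uri if request_uri.startswith("/") else "/"
    # 301 turns a POST into a GET at the new location; 308 preserves the
    # method, so a form accidentally submitted over http is not silently altered.
    status = 301 if method in ("GET", "HEAD") else 308
    return status, f"https://{host}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every plain-http request with a redirect to the https site."""

    def _redirect(self):
        status, location = redirect_for(self.command, self.headers.get("Host"), self.path)
        self.send_response(status)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect


if __name__ == "__main__":
    # Unprivileged port for local testing; a real deployment listens on :80.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

The allow-list matters because nginx's `$host` (and Apache's `%{HTTP_HOST}`) is whatever the client sent; with a single-site server the damage from reflecting it is limited, but on a shared host the redirector would happily bounce a victim to any name an attacker puts in the header. Using 308 for non-GET methods is a design choice beyond the thread's configs; `301` is what both posters used.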

mnvalue
Posts: 1086
Joined: Sun May 05, 2013 2:22 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by mnvalue » Sun Nov 30, 2014 2:50 am

https://www.ssllabs.com/ssltest/analyze ... eheads.org

Ideally, you should upgrade to Apache 2.4 and then this is applicable: http://blog.ivanristic.com/2013/08/conf ... crecy.html

If you have any questions or need any help, please feel free to PM me. I've recently spent a non-trivial amount of time with this exact subject on both Ubuntu and cPanel (on Red Hat) hosting platforms.

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Sun Nov 30, 2014 3:10 am

I've forwarded the concerns to Larry. It's his call. Given his experience, I'm not going to second guess his server administration or his determination of the required level of security given the particulars of this site (e.g., we hold no personal information other than your e-mail address).

crg11
Posts: 419
Joined: Sat Jan 04, 2014 8:16 am

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by crg11 » Sun Nov 30, 2014 8:10 am

Thank you for enabling this!

Alex Frakt
Founder
Posts: 10853
Joined: Fri Feb 23, 2007 1:06 pm
Location: Chicago

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by Alex Frakt » Sun Nov 30, 2014 10:30 pm

Larry has turned off SSL 3.0 support. I better change the title :-)

JamesSFO
Posts: 3107
Joined: Thu Apr 26, 2012 10:16 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by JamesSFO » Sun Nov 30, 2014 11:52 pm

Alex Frakt wrote:Larry has turned off SSL 3.0 support. I better change the title :-)
Yay, now we get a B (https://www.ssllabs.com/ssltest/analyze ... eheads.org), it seems silly to leave the site vulnerable to known attacks like CRIME, etc.

Several of the issues raised by SSL Labs and others in this thread are also issues raised by the EFF as best practices (https://www.eff.org/https-everywhere/deploying-https).

I think one of the important parts of implementing HTTPS is broader than just what data BH maintains and part of a broader commitment to helping people secure their browsing habits against (unauthorized) intrusions.
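nordsteve, archbish99, nguoivohinh511, avidsaver and JamesSFO between them list what SSL Labs grades a server on: SSLv3 off (POODLE), TLS 1.2 on, RC4 out, forward secrecy (PFS), and no TLS compression (CRIME). As an added example that is neither Larry's configuration nor the forum's code, the following Python expresses such a policy as an `ssl.SSLContext` and audits it, next to a context built from avidsaver's cipher list. The hardened cipher string is an assumed reasonable policy, not one taken from the thread.

```python
"""Server-side TLS policy as an ssl.SSLContext, plus an audit of what it allows.
Added example, not the forum's or Larry's configuration."""
import re
import ssl

# OpenSSL cipher strings. The weak one is avidsaver's nginx list from this thread;
# the hardened one is an assumption: ephemeral key exchange only (forward secrecy),
# AEAD ciphers, and explicit exclusion of RC4 and MD5.
WEAK_CIPHERS = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def hardened_server_context():
    """The policy the thread converges on: TLS 1.2 floor, PFS suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3 (POODLE) and TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression is what CRIME exploits
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def permissive_server_context():
    """Mirrors the thread's cipher list; the protocol floor is left at the library default.
    Note that Python already sets OP_NO_SSLv3 and OP_NO_COMPRESSION on every new context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(WEAK_CIPHERS)
    return ctx


_KX = re.compile(r"Kx=(\S+)")
# Key-exchange methods that derive a fresh key per connection. "any" is how
# OpenSSL labels TLS 1.3 suites, which are always ephemeral.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def audit_context(ctx):
    """Summarise the policy in the terms SSL Labs grades on."""
    no_fs, rc4 = [], []
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        kx = _KX.search(cipher["description"])
        if kx and kx.group(1) not in FORWARD_SECRET_KX:
            no_fs.append(name)   # static RSA key exchange: no forward secrecy
        if "RC4" in name:
            rc4.append(name)
    return {
        "min_version": ctx.minimum_version.name,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "rc4": rc4,
        "no_forward_secrecy": no_fs,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("permissive", permissive_server_context())):
        report = audit_context(ctx)
        print(f"{label:10} floor={report['min_version']} "
              f"suites without PFS={len(report['no_forward_secrecy'])} rc4={len(report['rc4'])}")
```

Run locally, the permissive context lists the static-RSA suites (`AES128-SHA` and friends) that SSL Labs flags as lacking forward secrecy, while the hardened one lists none. RC4 suites only show up on OpenSSL builds that still ship them; on current builds the `RC4+RSA` term in the weak list simply matches nothing, which is the library doing for you what the thread asked the server admin to do by hand.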

Pizzasteve510
Posts: 635
Joined: Sun Jul 27, 2014 3:32 pm

Re: HTTPS (aka TLS, fka SSL) comes to bogleheads.org

Post by Pizzasteve510 » Mon Dec 01, 2014 12:27 am

:beer
:D
Thanks to the team!

g$$
Posts: 446
Joined: Wed Dec 21, 2011 12:17 am
Location: San Francisco

Re: HTTPS (aka TLS, fka SSL) comes to bogleheads.org

Post by g$$ » Mon Dec 01, 2014 12:31 am

thanks!

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LadyGeek » Mon Dec 01, 2014 4:20 pm

JamesSFO wrote:...I think one of the important parts of implementing HTTPS is broader than just what data BH maintains and part of a broader commitment to helping people secure their browsing habits against (unauthorized) intrusions.
One of the things SSL Labs tests is the browsers themselves. This is a big deal:
IE 6 / XP: No FS, No SNI, Protocol or cipher suite mismatch, Fail
No one should be using Internet Explorer 6 at this point. Please update immediately.

As an incentive, the next update to the forum software will drop support for IE 6 and IE 7.* If anyone needs help updating their browser, start a thread in the Personal Consumer Issues forum and we'll get you pointed in the right direction.

*Please don't ask about when the software will be updated. I don't have a date and it's not up to me. phpBB 3.1 requires JSON, which is not supported by IE6 or IE7.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

JamesSFO
Posts: 3107
Joined: Thu Apr 26, 2012 10:16 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by JamesSFO » Mon Dec 01, 2014 6:23 pm

LadyGeek wrote:
JamesSFO wrote:...I think one of the important parts of implementing HTTPS is broader than just what data BH maintains and part of a broader commitment to helping people secure their browsing habits against (unauthorized) intrusions.
One of the things SSL Labs tests is the browsers themselves. This is a big deal:
IE 6 / XP: No FS, No SNI, Protocol or cipher suite mismatch, Fail
No one should be using Internet Explorer 6 at this point. Please update immediately.

As an incentive, the next update to the forum software will drop support for IE 6 and IE 7.* If anyone needs help updating their browser, start a thread in the Personal Consumer Issues forum and we'll get you pointed in the right direction.

*Please don't ask about when the software will be updated. I don't have a date and it's not up to me. phpBB 3.1 requires JSON, which is not supported by IE6 or IE7.
Just to be clear I'm not using IE6... Or IE anything...

Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 2:30 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Jeff7 » Mon Dec 01, 2014 6:55 pm

Neat, thank you! :sharebeer



For those interested:
HTTPS Everywhere, which is an addon for Firefox, Chrome, and Opera.

It will cause the browser to try to use the HTTPS version of most websites, if it's available.

Caveat: Some sites will glitch out with this. I guess a site is normally supposed to report back something along the lines of "HTTPS isn't available. Try HTTP." But some sites will instead send back some kind of odd error page, and the browser then is left thinking that its job is done, and you're left staring at a partially-loaded page.
You can put the icon on the browser toolbar though, and it's easy to disable. I don't have too many problems.


(If programmers adhered to standards more often......*cough* ;)
I still run across pages that only seem to work in Internet Explorer.)

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by LadyGeek » Mon Dec 01, 2014 7:09 pm

To be clear, my request for immediate upgrade on old browsers is due to security - not the forum software.

If you don't know which browser version you have, there are several sites which can help identify it for you: What browser am I using?

I tried What Is My Browser, but it incorrectly identified that I had javascript disabled. (Right now, I have it enabled.)

Linux has several browsers (like Midori). Technically challenged users should stick with ones that are supported everywhere: Chrome or Firefox.
Jeff7 wrote:(If programmers adhered to standards more often......*cough* ;)
I still run across pages that only seem to work in Internet Explorer.)
I could fill a few pages of discussion on that... but suffice it to say I agree with you.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

tfb
Posts: 7953
Joined: Mon Feb 19, 2007 5:46 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by tfb » Sat Dec 20, 2014 5:02 pm

If not implementing https redirect for every page, can you at least redirect the login page on the non-secure site to https?
Harry Sit, taking a break from the forums.

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by lululu » Wed Dec 24, 2014 1:51 pm

placeholder wrote:An interesting consequence of that with Firefox is that if you have a posting edit window open and navigate away and back the https links will reload that and wipe out anything entered but the http pages don't.
Yes, the post in progress gets wiped out if one is using the latest SeaMonkey also. I have almost trained myself to save it if I have to go back, but I've abandoned any number of lost replies.

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by LadyGeek » Wed Dec 24, 2014 2:19 pm

One thing you can do is to copy the content into memory before proceeding with Submit:

Type your post. Hit "Control+A" to select all the text, then "Control+C" to copy it into memory. If it disappears, you can reload the text back into the post with "Control+V" (paste).

Or, just have a text editor open in another window and use that.

You can have "easy to use" or have "secure". It's always a compromise, you can never have both.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by lululu » Wed Dec 24, 2014 3:54 pm

LadyGeek wrote:
You can have "easy to use" or have "secure". It's always a compromise, you can never have both.
Where is that written?

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by LadyGeek » Wed Dec 24, 2014 4:51 pm

Good question. It's one of the trade-offs you run into when working with security. security vs ease of use trade off - Google Search

The first result is a good article which explains it better as a triangle of "Functionality", "Ease of Use", and "Security." InfoSec Triads: Security/Functionality/Ease-of-use

For the tech crowd: Check out the Dilbert cartoon at the bottom of the article.

This reminds me of the trade among speed, complexity, and cost - "Pick any two".
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

archbish99
Posts: 1633
Joined: Fri Jun 10, 2011 6:02 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by archbish99 » Wed Dec 24, 2014 5:09 pm

Reminds me of an article on security: Take the side off your case, fill it with concrete, and replace the side. Allow to dry. The computer is now impervious to viruses, the data can't be stolen, and the computer itself is very difficult to abscond with. Of course, it won't power on and you probably can't move it yourself either, but that's the price you pay....

Good UX design can help smooth the friction, but as a general rule, any security feature degrades the user experience, and any UX improvement is a potential security vulnerability. It's just a question of trying to make the trade-offs as minimal as possible.
I'm not a financial advisor, I just play one on the Internet.

yoasif
Posts: 19
Joined: Fri Jun 22, 2012 3:18 pm

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by yoasif » Wed Dec 24, 2014 6:15 pm

placeholder wrote:An interesting consequence of that with Firefox is that if you have a posting edit window open and navigate away and back the https links will reload that and wipe out anything entered but the http pages don't.
Lazarus can help you if you use Chrome, Safari, or Firefox.

LadyGeek
Site Admin
Posts: 48056
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: SSL (aka TLS, https) comes to bogleheads.org

Post by LadyGeek » Wed Dec 24, 2014 7:08 pm

yoasif wrote:
placeholder wrote:An interesting consequence of that with Firefox is that if you have a posting edit window open and navigate away and back the https links will reload that and wipe out anything entered but the http pages don't.
Lazarus can help you if you use Chrome, Safari, or Firefox.
Caution, that add-on is flagged as "buyware." See the reviews for Firefox: Lazarus: Form Recovery :: Reviews

I recommend downloading add-ons from Firefox, Chrome, or Safari's related sites directly. Add-ons need to pass muster (including a security review) in order to get listed. Use caution if downloading from another site.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

placeholder
Posts: 3957
Joined: Tue Aug 06, 2013 12:43 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by placeholder » Wed Dec 24, 2014 9:38 pm

LadyGeek wrote:You can have "easy to use" or have "secure".
I guess I'm not sure why I'd be concerned about security here because I can't think of any dire consequences.

lululu
Posts: 1378
Joined: Thu Apr 10, 2014 4:23 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by lululu » Sun Dec 28, 2014 3:56 pm

placeholder wrote:
LadyGeek wrote:You can have "easy to use" or have "secure".
I guess I'm not sure why I'd be concerned about security here because I can't think of any dire consequences.
Me, too. This is like having to stand on your head to buy stamps from usps.com or to delete a facebook account. I can see why facebook wants to falsely keep its number of accounts high even if they are not used, but what does the usps think is going to happen, or bogleheads?

archbish99
Posts: 1633
Joined: Fri Jun 10, 2011 6:02 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by archbish99 » Sun Dec 28, 2014 10:14 pm

Stolen credentials are an issue on any site where opinions and comments are attributed to an identifiable identity, even if the identity is site-local. The content isn't really worth encrypting, but the login and resulting cookie that identify you are.

Beyond that, there are certain elements of the Internet community that want to move the entire web to TLS as a form of DDoS attack against the NSA's pervasive passive monitoring (see http://tools.ietf.org/html/rfc7258 for more info here), and if you subscribe to that pseudo-political view, encryption is a good thing regardless of what data is being transferred.
I'm not a financial advisor, I just play one on the Internet.

richardglm
Posts: 260
Joined: Sun Jan 04, 2015 9:42 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by richardglm » Sun Jan 04, 2015 10:14 pm

I've lurked for a while and have adopted the BOGLEHEAD investing style for myself but I have just registered now to post my opinion.

I work in computer security and as far as I'm concerned almost EVERY website should use HTTPS. It's not just for financial transactions. That is why Google will prefer HTTPS sites in its rankings.

For example, there are Javascript injection attacks. Someone who controls your internet connection (say you are on a public WiFi) can modify any non-HTTPS page you visit, changing the content of the page or having arbitrary Javascript run in your browser. They can put advertising, track which pages you visit, etc. In combination with any vulnerabilities that may be in your browser (if your browser is not up to date or if the bug is not yet public) you risk running malicious code on your computer, even visiting a trusted website like Bogleheads.org.

Your login password or cookies to Bogleheads could be stolen by anyone intercepting your internet traffic. There are some respected financial professionals who visit this forum and post under their real name and have reputations tied to what they say. Someone could steal their login and impersonate them.

Finally, people often post what I consider to be private or sensitive data about themselves. Total net worth, income, liability insurance coverage, debt situation, career situation, family issues, retirement plans. Are you comfortable with your employer knowing your retirement situation/plans or that you are considering a job elsewhere? If you visit bogleheads while logged in even once while at work without HTTPS, there is the possibility they can identify you with your posts.
placeholder wrote:I guess I'm not sure why I'd be concerned about security here because I can't think of any dire consequences.
The issue is that you might not be able to think of any at the moment, but no one can possibly consider every bad consequence. Nor should you have to think of everything. It's easy to use HTTPS and protect against many situations you might not consider. There are very few legitimate reasons why most non-governmental third parties should be able to read traffic between you and bogleheads.org. So it is better to just use HTTPS. It is a few minutes of work for the website operator each year and uses a tiny bit more CPU on the web server, but it is usually quite close to negligible.
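The two posts above (archbish99 on the login cookie, richardglm on cookie theft and script injection over plain http) come down to a couple of checkable server-side controls: the session cookie must carry the Secure and HttpOnly flags, and the site should send a Strict-Transport-Security header so a browser that starts from an old http:// bookmark is moved to https:// and kept there. The following is an added example, not code from any poster or from the phpBB software the forum runs; the cookie name `forum_sid`, the session-name heuristic and the sample response headers are all constructed for the illustration.

```python
"""Audit a login response's headers for the controls that keep a forum
login from travelling in the clear: Secure/HttpOnly on the session cookie
and an HSTS header that pins the browser to https://.  The sample headers
below are constructed for this example, not captured from bogleheads.org."""
import re

# Assumption: a cookie is session-bearing if its name contains one of these.
SESSION_HINTS = ("sid", "sess", "login", "auth")
MIN_HSTS_AGE = 180 * 24 * 3600  # six months; shorter values expire too soon


def parse_set_cookie(value):
    """Return (name, {attribute: value}) for one Set-Cookie header value.
    Flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value,
    or None if the directive is missing or malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """headers: list of (name, value) pairs as a client would receive them.
    Returns a list of findings; an empty list means every checked control
    is present."""
    findings = []
    saw_hsts = False
    for hname, value in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if not any(h in cname.lower() for h in SESSION_HINTS):
                continue  # a theme or preference cookie is not a login
            if attrs.get("secure") is not True:
                findings.append(f"cookie {cname}: missing Secure, browser will send it over http://")
            if attrs.get("httponly") is not True:
                findings.append(f"cookie {cname}: missing HttpOnly, readable by injected script")
        elif lname == "strict-transport-security":
            saw_hsts = True
            age = parse_hsts(value)
            if age is None:
                findings.append("HSTS header present but max-age missing or unparsable")
            elif age < MIN_HSTS_AGE:
                findings.append(f"HSTS max-age {age}s is shorter than {MIN_HSTS_AGE}s")
    if not saw_hsts:
        findings.append("no Strict-Transport-Security header: an http:// bookmark stays unencrypted")
    return findings


# Constructed samples: the same login response before and after hardening.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "forum_sid=3f9c1a; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "forum_sid=3f9c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["ok"])
```

Run against a real site, the `headers` list would be whatever the login response returned; the point of the Secure flag is that it closes the exact gap richardglm describes, since a browser will then refuse to attach the cookie to any http:// request even if the user types the old address.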

User avatar
Peculiar_Investor
Posts: 1110
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB
Contact:

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Peculiar_Investor » Fri Feb 13, 2015 11:30 am

Minor nit, when posting a BH forum link such as

www.bogleheads.org/forum/viewtopic.php?p=1916070#p1916070
the appearance of the resultant link depends on which prefix is used:
• http: - http://www.bogleheads.org/forum/viewtop ... 0#p1916070
• https: - viewtopic.php?p=1916070#p1916070
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

Bubbagump
Posts: 61
Joined: Thu May 09, 2013 11:42 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Bubbagump » Fri Feb 13, 2015 11:03 pm

Regarding concerns over TLS 1 vs 1.2 etc, all modern browsers will negotiate the most secure cipher available on the server. Much of the concerns over SSLv3 are overblown unless you are on a horribly old browser that can't or won't negotiate TLS and AES. Anything IE6 on XP SP3 or greater should be fine. The fact that the certificate itself is signed using SHA256 breaks compatibility with any truly horridly outdated browser. That said, IE6 should be ditched for 100 other security reasons and no TLS 1.2 is odd as it is trivial to enable. It actually is more effort to not enable in every major web server. But, this isn't my box and who knows what restrictions the hosting company may impose.

User avatar
Epsilon Delta
Posts: 7430
Joined: Thu Apr 28, 2011 7:00 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Epsilon Delta » Sat Feb 14, 2015 9:07 pm

Bubbagump wrote:Regarding concerns over TLS 1 vs 1.2 etc, all modern browsers will negotiate the most secure cipher available on the server.
That doesn't solve the problem. One concern is a man-in-the-middle attack. So the browser is negotiating with the man-in-the-middle who can force use of the weakest protocol supported by the browser.

Bubbagump
Posts: 61
Joined: Thu May 09, 2013 11:42 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Bubbagump » Sat Feb 14, 2015 11:22 pm

Epsilon Delta wrote:
Bubbagump wrote:Regarding concerns over TLS 1 vs 1.2 etc, all modern browsers will negotiate the most secure cipher available on the server.
That doesn't solve the problem. One concern is a man-in-the-middle attack. So the browser is negotiating with the man-in-the-middle who can force use of the weakest protocol supported by the browser.
What's the particular problem you are referencing? If you are dealing with a man in the middle where you are terminating your SSL/TLS session, cipher strength means nothing as they can already see everything in the clear.
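The exchange between Epsilon Delta and Bubbagump above turns on how a protocol version gets chosen: each side supports a set of versions and the session lands on the highest one both accept, so what the other end presents (whether a genuinely old server or an interposed party, which is the disagreement above) decides the outcome unless the client itself refuses to go below a floor. The following is an added example, not code from any poster; the version-selection functions are a deliberately simplified model of that one decision (a real handshake does much more), while `hardened_client_context` uses the real Python `ssl` API to set the same floor on an actual client.

```python
"""Model the version-selection point in the posts above and the client-side
control that answers it.  select_version/client_connect are a simplified
model for illustration; hardened_client_context is the real stdlib API."""
import ssl

V = ssl.TLSVersion  # IntEnum, ordered SSLv3 < TLSv1 < TLSv1_1 < TLSv1_2 < TLSv1_3


def select_version(client_versions, peer_versions):
    """Highest protocol version both sides support, or None if none."""
    common = set(client_versions) & set(peer_versions)
    return max(common) if common else None


def client_connect(client_versions, floor, peer_versions):
    """Outcome for a client that supports client_versions but refuses
    anything below floor.  Returns the negotiated version or raises."""
    chosen = select_version(client_versions, peer_versions)
    if chosen is None:
        raise ValueError("no common protocol version")
    if chosen < floor:
        raise ValueError(f"{chosen.name} is below client floor {floor.name}")
    return chosen


def is_refused(client_versions, floor, peer_versions):
    """True if the client would abort rather than accept the offered version."""
    try:
        client_connect(client_versions, floor, peer_versions)
    except ValueError:
        return True
    return False


def hardened_client_context():
    """A real client context with the floor set to TLS 1.2: an older
    version is rejected in the handshake, before any login data is sent."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = V.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed version sets for the demonstration.
BROWSER = [V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]
MODERN_SERVER = [V.TLSv1_2, V.TLSv1_3]
LEGACY_ONLY = [V.TLSv1]  # a peer that only presents TLS 1.0

if __name__ == "__main__":
    # Without a floor the browser takes whatever the peer presents.
    print(client_connect(BROWSER, V.TLSv1, MODERN_SERVER).name)  # TLSv1_3
    print(client_connect(BROWSER, V.TLSv1, LEGACY_ONLY).name)    # TLSv1
    # With a TLS 1.2 floor the same legacy-only peer is refused.
    print("refused:", is_refused(BROWSER, V.TLSv1_2, LEGACY_ONLY))
```

The server-side counterpart is the same idea in the other direction: a server configured to offer only TLS 1.2 and above (the change Bubbagump calls trivial) never presents the older versions at all, so no client ends up on them regardless of what that client would have accepted.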

Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 2:30 pm

Re: HTTPS (aka TLS, aka SSL) comes to bogleheads.org

Post by Jeff7 » Sun Feb 15, 2015 7:43 pm

richardglm wrote:...
placeholder wrote:I guess I'm not sure why I'd be concerned about security here because I can't think of any dire consequences.
The issue is that you might not be able to think of any at the moment, but no one can possibly consider every bad consequence. Nor should you have to think of everything. It's easy to use HTTPS and protect against many situations you might not consider. There are very few legitimate reasons why most non-governmental third parties should be able to read traffic between you and bogleheads.org. So it is better to just use HTTPS. It is a few minutes of work for the website operator each year and uses a tiny bit more CPU on the web server, but it is usually quite close to negligible.
Something else that comes to mind: People tend to reuse passwords a lot.

A few years ago, there was a breach of Cupid Media servers. 42 million passwords, stored in plain text format, were taken. Plentyoffish.com - 30 million passwords, also stored in plain text. That information can be added to password cracking dictionaries, and it can also be easily analyzed for patterns to make password crackers more efficient.
Normally, you'd want the password and user data to be strongly encrypted so that even if someone did break through the server's perimeter defenses and make off with that data, it would be effectively useless.
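The standard way to get the property Jeff7 describes (a stolen user table that yields no passwords) is not reversible encryption but a salted, deliberately slow one-way hash: the server keeps only salt and hash, verifies a login by recomputing, and an attacker with the table must spend the same slow computation on every guess for every user. The following is an added example, not code from any poster or from the forum software; it uses only the Python standard library (PBKDF2-HMAC-SHA256), and the record format and iteration count are choices made for the illustration.

```python
"""Salted slow hashing of passwords with stdlib PBKDF2, contrasted with the
plaintext storage in the breaches mentioned above.  Record format and
iteration count are choices for this example."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # tune so one verification costs on the order of 100 ms


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iter$salt$hash'.
    A fresh 16-byte salt per user means equal passwords give unequal
    records, so a cracked hash tells nothing about other accounts."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not reveal how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True if the stored record uses fewer iterations than current policy;
    call after a successful login and re-store with hash_password()."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    # Constructed user table, as a breached plaintext store would hold it.
    plaintext_table = {"alice": "correct horse", "bob": "hunter2"}
    # Same users, stored the way the post recommends.
    hashed_table = {u: hash_password(p) for u, p in plaintext_table.items()}
    for user, record in hashed_table.items():
        print(user, record[:40] + "...")
    print(verify_password("correct horse", hashed_table["alice"]))  # True
    print(verify_password("hunter3", hashed_table["bob"]))          # False
```

Once the table holds only these records, the password reuse Jeff7 mentions is still the user's problem on other sites, but a copy of this site's database no longer hands those passwords over directly; the attacker has to guess, and each guess costs the full iteration count.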
