You can now access libcom.org with SSL

libcom
Joined: 20-03-05
Jan 3 2014 18:21

We've recently installed an SSL certificate so you can now access libcom.org via https://libcom.org for a more secure browsing experience.

This is done by encrypting the connection between your computer and libcom. While this will make your browsing more secure, it will not give you complete security.

It is always a good idea never to say anything on the internet you wouldn't want read out in a court of law.

snipfool
Joined: 9-06-11
Jan 3 2014 18:37

Heads up, chrome says "... this page includes other resources which are not secure. These resources can be viewed by others while in transit and can be modified by an attacker to change the look of the page."

I think images are still http.

cx32
Joined: 4-01-14
Jan 4 2014 22:57

Glad you guys finally did this. A few notes on security, however:

- You're still including Google Analytics, Google+, Twitter, and Facebook tracking on every page. Regardless of whether the traffic is encrypted, if the visitor is logged into any of those services (or just a user of those services, really) those services will record every page that the user visits.

- Any non-HTTPS assets loaded from an HTTPS page blow away the security that HTTPS affords for concealing which pages are visited.

- Configure your server to use the latest cipher suites

At the moment, I'd say the security for this site is still very weak.

By the way, just trying to post this comment was very difficult. I kept getting the message "Your submission has triggered the spam filter and will not be accepted." The message was being generated by the line about your web server's ciphersuites. I had to modify the line to be much less helpful for it to pass the spam filter.

Great site though! Keep up the great work.

Steven.
Joined: 27-06-06
Jan 5 2014 14:29

Hey, thanks for the helpful comments.

We have now changed your permissions so you will bypass the anti-spam protections from now on and can post freely.

cx32
Joined: 4-01-14
Jan 7 2014 08:23

Thanks for approving me. Here is a link to a guide for configuring your webserver with the best ciphersuites based on the advice of an encryption expert who's been dedicated to anti-surveillance open-source software (@zooko).

Changing your default ciphersuites is important because browsers can either choose "broken" ciphers as defaults or be forced to downgrade. A notorious example of this was discovered just recently wherein the default ciphersuites for all Android web browsers were inexplicably modified by Google to choose the ciphersuite RC4-MD5 as its #1 choice, a ciphersuite that is considered very insecure relatively speaking, especially against folks like the NSA.

The guide suggests ECDH as the #1 ciphersuite. ECDH is the best choice of today, but even the security of that is questioned by crypto guru (and Snowden assistant) Bruce Schneier because it depends on the parameters for the math equation behind it (hyper-elliptic curve cryptography) being chosen with the assumption that the parameters are not exploitable. There are proposals to change the ciphersuites accepted by browsers. Remember to update these ciphersuites in a year or two!

Remember, the security of the site is only as good as the weakest link.

If you have any questions, I'd be happy to help.

snipfool
Joined: 9-06-11
Jul 16 2014 17:21

Just in case you weren't already aware, embedded youtube videos don't appear on https, for me at least.

jef costello
Joined: 9-02-06
Aug 17 2017 22:01

Libcom is no longer all https as far as I can tell, or at least not by default; when I go to the login screen it is automatically http, and I have to type in https.

In terms of google analytics I am assuming that they are accepting the security weakness in exchange for the benefits of analytics. I used to block google tracking cookies but have gotten lazy. And to be honest they track you through lots of other stuff now: if you use anything android google has everything you do, and if you use Microsoft then they share it between them (and probably de-anonymise it without too much trouble).

petey
Joined: 13-10-05
Aug 17 2017 23:08
jef costello wrote:
Libcom is no longer all https as far as I can tell,

huh, surprising. i have https-everywhere tho'.
https://www.eff.org/https-everywhere

propofread
Joined: 17-07-17
Aug 18 2017 13:34

Some pages on Libcom are displayed secure and green in the url bar here, next to a disabled 'unsafe scripts' button, and in red 'not secure' https on other pages.
Using the Smart HTTPS extension which supposedly is lighter in resources than https-everywhere.

Steven.
Joined: 27-06-06
Aug 19 2017 11:53
jef costello wrote:
Libcom is no longer all https as far as I can tell, or at least not by default; when I go to the login screen it is automatically http, and I have to type in https.

There are essentially two versions of the site: http://libcom.org and https://libcom.org

If you first go to the HTTP version, you will pretty much stay on that version as you navigate around. But if you first go to https then you will stay on that version mostly (unless for example you click an absolute hyperlink somewhere in the text to an HTTP page for example).

I have libcom as my homepage. I used to have it as http://libcom.org/tracker, but I changed it to https. I also now use https everywhere, which we would recommend.

Quote:

In terms of google analytics I am assuming that they are accepting the security weakness in exchange for the benefits of analytics.

This is right, ditto Twitter/Facebook. It's good to be secure, but ultimately we want to be a tool for huge numbers of people, and so to do this we have to be able to measure our traffic and interact with social media.
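The three problems raised in this thread (images still loaded over http, third-party scripts that undo the privacy HTTPS gives, and absolute http://libcom.org links that drop a visitor back onto the HTTP version of the site) can all be found with a scan of the page's HTML. The following is an added example, not code from libcom or from anyone in the thread; the sample page and the `analytics.example` host are constructed, and `libcom.org` is used only as the page's own host name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "Active" mixed content: an http:// script, frame or stylesheet lets anyone on
# the network path change what the page does, not just how it looks.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# "Passive" mixed content: an http:// image or media file is only displayed, but
# the request still reveals which page is being read and the bytes can be swapped.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect insecure subresources and same-site http:// links from an HTTPS page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (severity, tag, url), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser already lower-cases tag and attribute names
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            if tag in table:
                url = attrs.get(table[tag])
                if url and urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))
        # An absolute http:// link to the site's own host is not mixed content, but it
        # silently moves the visitor onto the unencrypted copy of the site.
        if tag == "a":
            href = attrs.get("href") or ""
            parts = urlsplit(href)
            if parts.scheme == "http" and parts.hostname == self.page_host:
                self.findings.append(("downgrade-link", tag, href))


def scan(html, page_host):
    """Return every finding for `html`, which is assumed to have been served over HTTPS."""
    scanner = MixedContentScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one http script, one http image, one absolute http self-link.
SAMPLE_PAGE = """<html><head>
<script src="http://analytics.example/ga.js"></script>
<link rel="stylesheet" href="https://libcom.org/style.css">
</head><body>
<img src="http://libcom.org/files/logo.png"><img src="https://libcom.org/files/photo.png">
<a href="http://libcom.org/user/login">Log in</a> <a href="/library">Library</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_PAGE, "libcom.org"):
        print(f"{severity:15} <{tag}> {url}")
```

Relative URLs and `https://` resources produce no findings, so a clean page returns an empty list; the "downgrade-link" entries are the ones to rewrite as protocol-relative or https links on the server side.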

snipfool
Joined: 9-06-11
Aug 23 2017 15:17
snipfool wrote:
Just in case you weren't already aware, embedded youtube videos don't appear on https, for me at least.

This is still an issue, does anyone else have it?