We've recently installed an SSL certificate so you can now access libcom.org via https://libcom.org for a more secure browsing experience.
This is done by encrypting the connection between your computer and libcom. While this will make your browsing more secure, it will not give you complete security.
It is always a good idea never to say anything on the internet you wouldn't want read out in a court of law.
Heads up, chrome says "... this page includes other resources which are not secure. These resources can be viewed by others while in transit and can be modified by an attacker to change the look of the page."
I think images are still http.
Glad you guys finally did this. A few notes on security, however:
- You're still including Google Analytics, Google+, Twitter, and Facebook tracking on every page. Regardless of whether the traffic is encrypted, if the visitor is logged into any of those services (or just a user of those services, really) those services will record every page that the user visits.
- Any non-HTTPS assets loaded from an HTTPS page blow away the security that HTTPS affords for concealing which pages are visited.
- Configure your server to use the latest cipher suites
At the moment, I'd say the security for this site is still very weak.
By the way, just trying to post this comment was very difficult. I kept getting the message "Your submission has triggered the spam filter and will not be accepted." The message was being generated by the line about your web server's ciphersuites. I had to modify the line to be much less helpful for it to pass the spam filter.
Great site though! Keep up the great work.
Hey, thanks for the helpful comments.
We have now changed your permissions so you will bypass the anti-spam protections from now on and can post freely.
Thanks for approving me. Here is a link to a guide for configuring your webserver with the best ciphersuites based on the advice of an encryption expert who's been dedicated to anti-surveillance open-source software (@zooko).
Changing your default ciphersuites is important because browsers can either choose "broken" ciphers as defaults or be forced to downgrade. A notorious example of this was discovered just recently, wherein the default ciphersuites for all Android web browsers were inexplicably modified by Google to choose the ciphersuite RC4-MD5 as its #1 choice, a ciphersuite that is considered very insecure relatively speaking, especially against folks like the NSA.
The guide suggests ECDH as the #1 ciphersuite. ECDH is the best choice of today, but even the security of that is questioned by crypto guru (and Snowden assistant) Bruce Schneier, because it depends on the parameters for the math equation behind it (hyper-elliptic curve cryptography) being chosen with the assumption that the parameters are not exploitable. There are proposals to change the ciphersuites accepted by browsers. Remember to update these ciphersuites in a year or two!
Remember, the security of the site is only as good as the weakest link.
If you have any questions, I'd be happy to help.
Just in case you weren't already aware, embedded youtube videos don't appear on https, for me at least.
Libcom is no longer all https as far as I can tell, or at least not by default: when I go to the login screen it is automatically http, and I have to type in https.
In terms of Google Analytics, I am assuming that they are accepting the security weakness in exchange for the benefits of analytics. I used to block Google tracking cookies but have gotten lazy. And to be honest they track you through lots of other stuff now: if you use anything Android, Google has everything you do, and if you use Microsoft then they share it between them (and probably de-anonymise it without too much trouble).
jef costello wrote: Libcom is
huh, surprising. i have https-everywhere tho'.
https://www.eff.org/https-everywhere
Some pages on Libcom are displayed secure and green in the url bar here, next to a disabled 'unsafe scripts' button, and in red 'not secure' https on other pages.
Using the Smart HTTPS extension which supposedly is lighter in resources than https-everywhere.
jef costello wrote: Libcom is
there are essentially two versions of the site: http://libcom.org and https://libcom.org
If you first go to the HTTP version, you will pretty much stay on that version as you navigate around. But if you first go to https then you will stay on that version mostly (unless, for example, you click an absolute hyperlink somewhere in the text to an HTTP page).
I have libcom as my homepage. I used to have it as http://libcom.org/tracker, but I changed it to https. I also now use https everywhere, which we would recommend.
This is right, ditto Twitter/Facebook. It's good to be secure, but ultimately we want to be a tool for huge numbers of people, and to do this we have to be able to measure our traffic and interact with social media.
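The mixed-content problems raised earlier in the thread (the Chrome warning, http images, the embedded YouTube frame) and the absolute http links that drop a visitor back onto the http version of the site can both be checked automatically. The scanner below is an added example, not code from libcom; the sample page and the hostname site.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# http:// subresources that are "active" mixed content (a network attacker can inject
# script or CSS and alter the page) versus "passive" (content can be read or swapped
# in transit but not executed); this is the distinction behind the Chrome warning above.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.active, self.passive, self.http_links = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "href", "data"):
            url = attrs.get(name)
            # Scheme-relative (//cdn/...) and path-only URLs inherit https: skip them.
            if not url or urlparse(url).scheme != "http":
                continue
            if (tag, name) in ACTIVE:
                self.active.append(url)
            elif (tag, name) in PASSIVE:
                self.passive.append(url)
            elif tag == "link":
                # Only stylesheets execute as active content; icons etc. are passive.
                rel = attrs.get("rel") or ""
                (self.active if "stylesheet" in rel else self.passive).append(url)
            elif tag == "a" and urlparse(url).hostname == self.site_host:
                # Absolute http links into the same site drop a visitor who arrived
                # over https back onto the http version of the site.
                self.http_links.append(url)

def scan(html, site_host):
    p = MixedContentScanner(site_host)
    p.feed(html)
    return {"active": p.active, "passive": p.passive, "same_site_http_links": p.http_links}

# Constructed sample page; not real markup from any site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<script src="https://www.google-analytics.com/ga.js"></script>
</head><body><img src="http://site.example/files/logo.png"><img src="//cdn.example.org/banner.png">
<iframe src="http://www.youtube.com/embed/constructed-id"></iframe>
<a href="http://site.example/tracker">tracker</a><a href="http://other.example/">elsewhere</a>
<a href="/forums">forums</a></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE, "site.example"))
```

Running it over a site's rendered pages lists the assets that need to be switched to https (or scheme-relative) URLs and the internal links that need to become relative.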
snipfool wrote: Just in case
This is still an issue, does anyone else have it?