HTTPS everywhere except this forum

For discussions about security.
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#21 Post by mikeb »

Hmm, unnecessary security like those Google captchas appearing everywhere.
One bad side effect is that parental controls in routers no longer work, as they cannot filter the encrypted site addresses.
Also, as mentioned, often badly implemented with out-of-date certificates.
Where it's truly needed, e.g. banks, then it's done properly, I notice.

mike

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#22 Post by s243a »

Burn_IT wrote:You are all paranoid about security.
I have been in computing since before the PC was invented.
As soon as online computing was available I was testing/trying it for some of the largest and some of the most security conscious companies.
Not once has any of my sessions been hacked and I have never used any special encryption.
Yes I am (still) bound by the official secrets act and was thoroughly investigated by Cheltenham before I was allowed to work on government and MOD projects.
But you used some kind of encryption though, right (e.g. https)? Otherwise perhaps the company wasn't as security conscious as you suggest. Also, can you be 100% sure someone didn't jack your session? I don't think that you can be.

Anyway, preaching about paranoia will offer you little comfort if your system ever gets locked down by ransomware. Thanks to Vault 7 the NSA cyber weapons are now in the wild and who knows what people are doing with them!
Find me on [url=https://www.minds.com/ns_tidder]minds[/url] and on [url=https://www.pearltrees.com/s243a/puppy-linux/id12399810]pearltrees[/url].

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#23 Post by Flash »

Running in RAM from a multisession DVD-R or BD-R and saving changes of important data to the non-erasable optical disc would probably be the solution to ransomware. So what if it takes ten minutes to reboot? That's infinitely better than having to pay someone for an encryption key or lose everything for good.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#24 Post by tallboy »

I agree with Flash. One other thing: you guys are using different passwords for different sites and purposes, right? No? You use the same? :shock: Shame on you! :evil:
:lol:
Seriously, there are hardly any secrets to protect from public eyes in this forum, so the risk of having someone steal your password is negligible. But if you use the same password elsewhere, on sites containing more sensitive information, then there is always a risk you might be under attack.
BTW, last week the news here in Norway told us that 600 000 Norwegian passwords were floating around openly on the net, some of them belonging to high-ranking individuals, organisations and companies. Some were from the massive Russian attack on LinkedIn in 2012, still unchanged! The most common password is 123456. You can check yourself at https://haveibeenpwned.com/, and also browse the list of hacked sites and the 555,278,657 pwned passwords...
https://haveibeenpwned.com/ wrote:In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it be attributed to "BenjaminBlue@exploit.im".
One of my old uni passwords was among them, from a one-time visit to MyHeritage. It was a password used only for such instances, so no harm done.
Last edited by tallboy on Sat 12 Oct 2019, 19:17, edited 1 time in total.
True freedom is a live Puppy on a multisession CD/DVD.
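Added example (the editor's, not tallboy's or the forum's): how the haveibeenpwned.com password check can be done without sending the password, or even its full hash, to the site. The Pwned Passwords range API takes only the first five hex characters of the SHA-1 and returns every hash suffix sharing that prefix, so the match happens locally and the service never learns which password was checked. The range response embedded below is constructed for the demo (only the suffix for 123456 is a real SHA-1 suffix; the counts and the other suffixes are made up); fetchRange shows the live query, assumed to follow the api.pwnedpasswords.com/range/<prefix> contract, and is not called by the offline demo.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// hashParts returns the uppercase hex SHA-1 of the password, split into the
// 5-character prefix that is sent to the API and the 35-character suffix that
// stays on this machine. The server only ever learns the prefix (k-anonymity).
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// pwnedCount scans a range response ("SUFFIX:COUNT" per line) for the suffix
// of the given password and returns how often that hash was seen in breaches.
// 0 means not found; padding lines sent by the API also carry a count of 0.
func pwnedCount(password, rangeBody string) (int, error) {
	_, want := hashParts(password)
	sc := bufio.NewScanner(strings.NewReader(rangeBody))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		suffix, count, ok := strings.Cut(line, ":")
		if !ok {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(strings.TrimSpace(suffix), want) {
			return strconv.Atoi(strings.TrimSpace(count))
		}
	}
	return 0, sc.Err()
}

// fetchRange downloads the live range for one prefix from the Pwned Passwords
// API (assumed endpoint: https://api.pwnedpasswords.com/range/<prefix>). It
// needs network access and is therefore not used by the offline demo in main.
func fetchRange(prefix string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Add-Padding", "true") // pads the reply so its size does not leak which prefix was asked for
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// sampleRange is a constructed stand-in for the API's reply for prefix 7C4A8
// (the prefix of SHA-1("123456")). Only the middle suffix is a real SHA-1
// suffix; the other suffixes and all counts are made up for this demo.
const sampleRange = `003D68EB55068C33ACE09247EE4C639306B:3
D09CA3762AF61E59520943DC26494F8941B:23597311
FFAB5DC71C8F0B9F7A41F7B7F1D3E2A0C13:0
`

func main() {
	// A real check fetches the range for each password's own prefix; the demo
	// runs both passwords against the one constructed range to show a hit and a miss.
	for _, pw := range []string{"123456", "correct horse battery staple"} {
		prefix, _ := hashParts(pw)
		n, err := pwnedCount(pw, sampleRange)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-32q prefix sent: %s  seen in breaches: %d\n", pw, prefix, n)
	}
}
```

In real use you would call fetchRange(prefix) with the prefix from hashParts and pass the body to pwnedCount; a non-zero count means the password is in known breach data and should be retired wherever it is reused, which is the point of the post above.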

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#25 Post by s243a »

tallboy wrote: I agree with Flash. One other thing: you guys are using different passwords for different sites and purposes, right? No? You use the same? :shock: Shame on you! :evil:
:lol:
Seriously, there are hardly any secrets to protect from public eyes in this forum, so the risk of having someone steal your password is negligible.
An attacker could replace your uploads with malicious files, or replace your links with proxy links to servers that they control. The attacker can delete or encrypt your old posts. The attacker could also change the content of your old posts to something that is damaging to your character. They could harass other members via PM and get you banned from this forum.
But if you use the same password elsewhere, on sites containing more sensitive information, then there is always a risk you might be under attack.
BTW, last week the news here in Norway told us that 600 000 Norwegian passwords were floating around openly on the net, some of them belonging to high-ranking individuals, organisations and companies. Some were from the massive Russian attack on LinkedIn in 2012, still unchanged! The most common password is 123456. You can check yourself at https://haveibeenpwned.com/
https://haveibeenpwned.com/ wrote:In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it be attributed to "BenjaminBlue@exploit.im".
One of my old uni passwords was among them, from a one-time visit to MyHeritage. It was a password used only for such instances, so no harm done.
Agreed. We shouldn't assume that any site is secure!
Find me on [url=https://www.minds.com/ns_tidder]minds[/url] and on [url=https://www.pearltrees.com/s243a/puppy-linux/id12399810]pearltrees[/url].

sc0ttman
Posts: 2812
Joined: Wed 16 Sep 2009, 05:44
Location: UK

#26 Post by sc0ttman »

Burn_IT wrote:You are all paranoid about security.
It's not just about security is it, though?

Search engines AND users prefer HTTPS URLs ...

The millions of downloads of "HTTPS only", and the big push by Google et al to get everyone onto HTTPS, and the fact that they rank HTTPS sites higher than HTTP, should cause you to re-think..

Add to that the fact that almost all modern browsers now block HTTP connections to third-party resources when on an HTTPS site, and that's another reason you're about 3 to 5 years behind on this.

It's bad practice to use HTTP instead of HTTPS, for various reasons.
Simple.
[b][url=https://bit.ly/2KjtxoD]Pkg[/url], [url=https://bit.ly/2U6dzxV]mdsh[/url], [url=https://bit.ly/2G49OE8]Woofy[/url], [url=http://goo.gl/bzBU1]Akita[/url], [url=http://goo.gl/SO5ug]VLC-GTK[/url], [url=https://tiny.cc/c2hnfz]Search[/url][/b]
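Added example (the editor's, not sc0ttman's): a quick audit for the mixed content the post above refers to. Given the HTML of a page served over HTTPS, it lists sub-resources still referenced over plain http:// and separates active content (scripts, stylesheets, frames, plugins), which current browsers block outright, from passive content (images, media), which is blocked or upgraded depending on the browser. The sample page and its hostnames are constructed, and the regexp-based scan is a heuristic for a quick check rather than a full HTML parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mixedContent is one sub-resource that an HTTPS page pulls in over plain
// http://. Active content is what browsers refuse to load on an HTTPS page;
// passive content is blocked or auto-upgraded depending on the browser.
type mixedContent struct {
	Tag    string
	URL    string
	Active bool
}

// tagRe finds the opening tags that can reference sub-resources; attrRe pulls
// name="value" pairs out of a tag's attribute string. Heuristic, not a parser.
var (
	tagRe  = regexp.MustCompile(`(?i)<(script|img|link|iframe|object|embed|audio|video|source)\b([^>]*)>`)
	attrRe = regexp.MustCompile(`(?i)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// attrs turns the raw attribute text of one tag into a lower-cased name -> value map.
func attrs(raw string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(raw, -1) {
		out[strings.ToLower(m[1])] = m[2] + m[3] + m[4] // only one capture group is non-empty
	}
	return out
}

// findMixedContent returns every sub-resource of the page that is fetched over http://.
func findMixedContent(page string) []mixedContent {
	var found []mixedContent
	for _, m := range tagRe.FindAllStringSubmatch(page, -1) {
		tag := strings.ToLower(m[1])
		a := attrs(m[2])
		url := a["src"]
		switch tag {
		case "link":
			if !strings.Contains(strings.ToLower(a["rel"]), "stylesheet") {
				continue // canonical, alternate, ... are not loaded into the page
			}
			url = a["href"]
		case "object":
			url = a["data"]
		}
		if !strings.HasPrefix(strings.ToLower(url), "http://") {
			continue // https:// and protocol-relative // URLs are fine
		}
		active := tag != "img" && tag != "audio" && tag != "video" && tag != "source"
		found = append(found, mixedContent{Tag: tag, URL: url, Active: active})
	}
	return found
}

// samplePage is a constructed page as it might look after a forum moves to
// HTTPS without rewriting the absolute http:// links in its templates.
const samplePage = `<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<link rel="canonical" href="http://forum.example.test/viewtopic.php?t=1">
</head><body>
<img src="http://img.example.test/avatar.png">
<img src="//img.example.test/smiley.gif">
<iframe src="http://ads.example.test/banner"></iframe>
</body></html>`

func main() {
	for _, f := range findMixedContent(samplePage) {
		kind := "passive"
		if f.Active {
			kind = "ACTIVE (blocked by browsers)"
		}
		fmt.Printf("%-7s %-28s %s\n", f.Tag, kind, f.URL)
	}
}
```

Run against a real page (fetch the HTML, pass it to findMixedContent) the active findings are the ones that will silently break the site after the switch to HTTPS; the usual fix is to make those references protocol-relative or https://.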

sc0ttman
Posts: 2812
Joined: Wed 16 Sep 2009, 05:44
Location: UK

#27 Post by sc0ttman »

Flash wrote:Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.
See my post above.. 3 or 4 years ago, you'd be right Flash..
Now, you're wrong.
[b][url=https://bit.ly/2KjtxoD]Pkg[/url], [url=https://bit.ly/2U6dzxV]mdsh[/url], [url=https://bit.ly/2G49OE8]Woofy[/url], [url=http://goo.gl/bzBU1]Akita[/url], [url=http://goo.gl/SO5ug]VLC-GTK[/url], [url=https://tiny.cc/c2hnfz]Search[/url][/b]

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#28 Post by jamesbond »

Everybody knows "putty", right? It is __THE__ ssh client for Windows. It is not new, has been there for at least 15 years if not more. It's made by a nice bloke in the UK by the name of Simon Tatham. He has a nice collection of other stuff too.

I have not used it for years, since I weaned myself off Windows. But recently I had a need for it, and I didn't exactly remember where the website was. So I searched for it, and the top result is: "https://putty.org"

OK, that sounds legit. It has "https" and it has the name "putty" in it. In the past Simon put putty on his personal website. Perhaps he has decided to hand over putty to the community, and they built a website around it. So I went to the site.

You can check the site yourself if you want. It is basically a "redirector" page. It has a link to the original putty page (which, surprise surprise, is still located in the same personal website: https://www.chiark.greenend.org.uk/~sgtatham/putty/), but the rest of the page is basically an advertisement for a totally different SSH client (and server) product; I'm inclined to think that this domain/name/SSL cert is registered by entities other than Simon himself.

What value does "https" add to "https://putty.org" here?

Think. Google does not push "https-only sites" for no reason (and that reason is not because they care about security).
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#29 Post by rufwoof »

Flash wrote:Running in RAM from a multisession DVD-R or BD-R and saving changes of important data to the non-erasable optical disc would probably be the solution to ransomware. So what if it takes ten minutes to reboot? That's infinitely better than having to pay someone for an encryption key or lose everything for good.
Hi Flash

If saved data are too large to fit into ram then the DVD would have to remain inserted. To add additional saves/changes the DVD disc would have to remain 'open' (not closed against further writing additional save folders to it). Under those circumstances the content could be wiped by a cracker. If instead you opt for physical isolation, ejecting the DVD after startup, then that is no different to using any other form of physical disconnection once copied.

For creep encryption, which may have slowly been encrypting things over weeks/months, intentionally so as to also get into the backups, you may need a long history of backups in order to get back to a 'clean' version (and be prepared to accept the loss of any edits since that clean recording), and one where you hadn't deleted that old clean version to perhaps make space for newer backups.

That is one of the reasons the likes of btrfs are quite popular nowadays: snapshots are pretty much instant to create, primarily just recording differences, so they are also quick to backup/copy and generally relatively small in size. AFAIK however Puppy in general hasn't made much in the way of inroads into using btrfs.

http://murga-linux.com/puppy/viewtopic. ... 135#935135
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#30 Post by Flash »

Not to belittle the average Puppy user, but I mainly had in mind servers, especially servers used as central repositories for businesses and governments. As far as I know, nobody has run a server from multisession DVD-R or BD-R.

I've never run a server, much less run one from a multisession DVD-R, but multisession Puppy run from a DVD-R or BD-R seems made to order as a solution to the ransomware problem. I gather that the typical server these days has lots of RAM, enough that loading the contents of even a 25 GB BD-R into the RAM of a server wouldn't be an undue burden, if the alternative is having everything on the server's hard drive encrypted by a ransomware attack. Reboot only as often as seems necessary.

It may be possible to hack the firmware of an optical drive so that it would, on command, overwrite the contents of a DVD-R or BD-R, effectively erasing the whole disk. I want to stress that it's only a theoretical possibility. I don't know a thing about the internal workings of an optical disk drive or how to edit its firmware; I only know that it can be done. Irreversibly erasing an optical disk is not the same thing as a ransomware attack, but backing up an optical disk is not that hard to do: just duplicate it.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#31 Post by tallboy »

I run from a CD-R whenever I can. If someone should be able to get into my system and write to the multisession CD-R (not over it; that would be rejected unless it exactly fills the rest of the disc, except maybe in multiple small sessions, which can easily be skipped when booting later), and it is written as an addendum to the CD, it is not read at bootup, so it doesn't matter. I admit that it is theoretically possible to f.. up a CD-R, but not very probable.
It's a bit like having multiple locks on your door: you will probably not prevent a determined person from getting in, but there is a good chance the person gives up when it takes a lot of time and demands too much work, thus increasing the risk of being detected.
True freedom is a live Puppy on a multisession CD/DVD.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#32 Post by mikeb »

Well, the https push did obsolete browsers which did not have security issues by coupling it with weird and wonderful certificate 'issues'... a bit like obsoleting computers through unnecessary software 'updates'. 'Create a need and make a profit' I believe is the slogan.

Actually Light 33 lets me bypass bad certificate issues, thankfully... it also lets me grab things off the net that newer versions prevent (pictures and movies mainly). Not had a virus since 2004 and usually use olde 'insecure' systems most of the time... I must be doing something wrong lol.

Oh and when researching the mating habits of the common house spider....why do I need encryption??

All very silly, all resource and time wasting.
Now back to compulsory organ harvesting and only seeing your doctor via the net in the UK...much more important issues to consider.

mike

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Certbot

#33 Post by labbe5 »

https://www.eff.org/deeplinks/2019/10/c ... rtificates
Certbot is a free, open source software tool for enabling HTTPS on manually-administered websites, by automatically deploying Let’s Encrypt certificates. Since we introduced it in 2016, Certbot has helped over a million users enable encryption on their sites, and we think this update will better meet the needs of the next million, and beyond.

Certbot is part of EFF’s larger effort to encrypt the entire Internet. Websites need to use HTTPS to secure the web. Along with our browser add-on, HTTPS Everywhere, Certbot aims to build a network that is more structurally private, safe, and protected against censorship.


About 80% of websites are now secured with https.

Want proof? Use the HTTPS Everywhere addon and click "Encrypt all sites". Some sites will be unavailable because they use http, such as the Murga-Linux website, but infrequently.

Further reading:
How to manage Let's Encrypt SSL/TLS certificates with certbot
https://www.howtoforge.com/how-to-manag ... h-certbot/
What is https and How to enable https on your website
https://www.usessionbuddy.com/post/What ... your-site/
Last edited by labbe5 on Tue 26 Nov 2019, 20:23, edited 2 times in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#34 Post by s243a »

jamesbond wrote:Everybody knows "putty", right? It is __THE__ ssh client for Windows. It is not new, has been there for at least 15 years if not more. It's made by a nice bloke in the UK by the name of Simon Tatham. He has a nice collection of other stuff too.

I have not used it for years, since I weaned myself off Windows. But recently I had a need for it, and I didn't exactly remember where the website was. So I searched for it, and the top result is: "https://putty.org"

OK, that sounds legit. It has "https" and it has the name "putty" in it. In the past Simon put putty on his personal website. Perhaps he has decided to hand over putty to the community, and they built a website around it. So I went to the site.

You can check the site yourself if you want. It is basically a "redirector" page. It has a link to the original putty page (which, surprise surprise, is still located in the same personal website: https://www.chiark.greenend.org.uk/~sgtatham/putty/), but the rest of the page is basically an advertisement for a totally different SSH client (and server) product; I'm inclined to think that this domain/name/SSL cert is registered by entities other than Simon himself.

What value does "https" add to "https://putty.org" here?

Think. Google does not push "https-only sites" for no reason (and that reason is not because they care about security).
Might the value of https here be so that the people at https://putty.org can man-in-the-middle the traffic between you and https://www.chiark.greenend.org.uk/~sgtatham/putty/?

Who owns putty.org? I don't know, but my browser tells me that the certificate was issued by Amazon.com. Amazon is currently competing with Microsoft for a 10 billion dollar cloud contract:

https://www.theguardian.com/us-news/201 ... act-battle

Pay attention to who issued an https certificate for a given web site if you want to know who could spy on you. Many VPNs make you install their root certificate, so in theory they can spy on you. Even Google has its own certificate authority:
https://www.theregister.co.uk/2017/01/2 ... e_root_ca/
Find me on [url=https://www.minds.com/ns_tidder]minds[/url] and on [url=https://www.pearltrees.com/s243a/puppy-linux/id12399810]pearltrees[/url].

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#35 Post by s243a »

jamesbond wrote: I'm inclined to think that this domain/name/SSL cert is registered by entities other than Simon himself.
Interestingly enough, GoDaddy says that the domain name is available for purchase:
https://ca.godaddy.com/domainsearch/fin ... Fputty.org

while whois.net says the site is owned by joker.com

https://www.whois.net/

THAT SOUNDS TOTALLY LEGIT! :o


Another thing that is interesting is if you look at who the certificate is issued to there is no "organization" given for the organization that it is issued to.
Find me on [url=https://www.minds.com/ns_tidder]minds[/url] and on [url=https://www.pearltrees.com/s243a/puppy-linux/id12399810]pearltrees[/url].
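Added example (the editor's, not s243a's), for the two posts above about reading who issued a certificate and whether any organisation is named in it: parse a certificate the way a browser's certificate viewer does and report the issuer, the subject, the DNS names it covers, and whether the subject carries an Organization at all. A subject with only a CN and no O is the shape of a domain-validated certificate: the CA checked control of the DNS name and asserts nothing about who is behind it, which is exactly why the issuer line alone says little about who runs a site. To run offline the block builds a constructed self-signed demo certificate (example.test, no Organization); leafFromHost is the hook for a live host and needs network access, so the demo does not call it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certSummary holds what a browser's certificate viewer shows: who the cert
// was issued to, who issued it, the names it covers, and how it was validated.
type certSummary struct {
	Subject, Issuer, Validation string
	DNSNames                    []string
	NotAfter                    time.Time
	SelfSigned                  bool
}

// summarize reduces a parsed certificate to certSummary. A subject with no
// Organization is the shape of a domain-validated (DV) certificate: the CA
// checked control of the DNS name only, not who is behind it.
func summarize(cert *x509.Certificate) certSummary {
	s := certSummary{
		Subject:  cert.Subject.String(),
		Issuer:   cert.Issuer.String(),
		DNSNames: cert.DNSNames,
		NotAfter: cert.NotAfter,
		// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
		SelfSigned: bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil,
		Validation: "OV/EV-like: Organization asserted by the CA",
	}
	if len(cert.Subject.Organization) == 0 {
		s.Validation = "DV-like: no Organization in subject"
	}
	return s
}

// parsePEM parses the first CERTIFICATE block in PEM-encoded data.
func parsePEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// leafFromHost fetches the leaf certificate a live server presents for host
// (needs network access; the offline demo in main does not call it).
func leafFromHost(host string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// demoCertPEM builds a constructed self-signed certificate with the shape of
// a DV certificate (DNS names, no Organization) so the example runs offline.
func demoCertPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name, no O
		DNSNames:     []string{"example.test", "www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := demoCertPEM()
	if err != nil {
		panic(err)
	}
	cert, err := parsePEM(pemBytes)
	if err != nil {
		panic(err)
	}
	s := summarize(cert)
	fmt.Printf("issued to: %s\nissued by: %s\nnames: %v\nexpires: %s\nself-signed: %v\n%s\n",
		s.Subject, s.Issuer, s.DNSNames, s.NotAfter.Format("2006-01-02"), s.SelfSigned, s.Validation)
}
```

For a real site, replace the demo certificate with leafFromHost("host") and read the Issuer line the way the post does; a DV-like result means the issuer vouches for control of the name and nothing more, so the question of who actually operates the site has to be answered elsewhere (WHOIS, the page content, the project's own links).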

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#36 Post by s243a »

s243a wrote:
jamesbond wrote: I'm inclined to think that this domain/name/SSL cert is registered by entities other than Simon himself.
Interestingly enough, GoDaddy says that the domain name is available for purchase:
https://ca.godaddy.com/domainsearch/fin ... Fputty.org

while whois.net says the site is owned by joker.com

https://www.whois.net/

THAT SOUNDS TOTALLY LEGIT! :o


Another thing that is interesting is if you look at who the certificate is issued to there is no "organization" given for the organization that it is issued to.
I remember some safe browsing tool at a place that I worked blocking a site for domain parking. The putty.org site doesn't look like a parked domain but GoDaddy suggests that perhaps it is.

A search for "domain parking scams" on duckduckgo brought up the following:

200k+ Parked/Expired Domains Used to Distribute Malicious Ads
Find me on [url=https://www.minds.com/ns_tidder]minds[/url] and on [url=https://www.pearltrees.com/s243a/puppy-linux/id12399810]pearltrees[/url].

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#37 Post by mikeb »

About 80% of websites are now secured with https.

Want proof?
Not really... it's pretty apparent.
Missing the point... securing sites pointlessly, yet at the same time Google gaining rights to use your web visits and the information that transpires on many major websites... https is not providing an ounce of security against that... or is it to protect Google's habits?

mike

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#38 Post by Flash »

So, I guess 20% of websites are not using https. Why do you suppose that is? One in five is a significant fraction.

hatemonday
Posts: 35
Joined: Thu 10 Oct 2019, 13:23

#39 Post by hatemonday »

If the murga forum has https, will it protect members from being hijacked or sniffed? http://murga-linux.com/puppy/viewtopic.php?t=114701

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#40 Post by rufwoof »

Even with https, running under Apache 2.2.22 and phpBB version 2... riddled with security vulnerabilities, so it would also require migration/upgrade and risk the demise of the board altogether. As it's a public board anyway, I'd rather see it sustained, and resolve individual userid issues as and when they might (seemingly relatively rarely) occur, than see the loss of a million+ postings record/database.

https is no assurance of security; it has to be implemented/used correctly (most don't).
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]
