https://reboot.pro/


17 replies to this topic

#1 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 19 May 2017 - 02:32 AM

@ Nuno and Staff

 

This is first a question:

Does reboot.pro have an https address?

 

If yes I would like to know it.

 

If not, I think it should, unless this means unnecessary expenses at the moment.

 

I am asking this because first somebody asked me on a PM, and second AFAIK it is going to be a requirement pretty soon.

 

Supposedly https is safer than http.

 

 

Best Regards

 

alacran



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 May 2017 - 10:59 AM

I am asking this because first somebody asked me on a PM, and second AFAIK it is going to be a requirement pretty soon.

 

Supposedly https is safer than http.

 

Supposedly, but I would like to point out how there is no actual *need* for it.

 

It's not like we have financial transactions or the like, surely keeping (say) your pocket change in a safe, enclosed in an underground re-bar concrete caveau is safer than having it in your pocket, but I believe *somehow* less practical.

 

:duff:

Wonko



#3 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 19 May 2017 - 02:07 PM

The forum itself is publicly accessible and fine on http. But I do think it should revert to https for logged in users, especially while they're logged in, posting, etc.

On the other hand, stuff like SeNsItIvE financial info isn't handled here, so https isn't a real necessity. It's not like this forum does anything truly important, it doesn't even get much Web traffic, it's mainly just the regulars and assholes like me.

#4 v77

v77

    Silver Member

  • Team Reboot
  • 602 posts
  •  
    France

Posted 19 May 2017 - 03:28 PM

https is useful when entering a login/password, to prevent them from being stolen. With the proper stolen identity, it is possible to remove or change published software. It should also be possible to propagate viruses through one of these programs, which might, by the way, ruin the reputation of the author.

There are also advanced tools for privacy and we do not necessarily want some intelligence agencies to know that we are using them. This may be called paranoia, but after all, I am the author of an encryption software...

So I too think that reboot.pro should be available through https.



#5 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 19 May 2017 - 04:32 PM

@v77: No disrespect, but you're crazy if you think https will hinder intelligence agencies' efforts. They can already crack many forms of encryption, or have backdoors into them. If they really want something, they'll find a way to get to it. Best bet, if you have info you don't want them to find, don't put it on the Net or otherwise put it in a digital format, keep it tucked away only in your mind.

Besides, I seriously doubt there is anything of real value here that they care about.

#6 v77

v77

    Silver Member

  • Team Reboot
  • 602 posts
  •  
    France

Posted 19 May 2017 - 05:01 PM

@v77: No disrespect, but you're crazy if you think https will hinder intelligence agencies' efforts. They can already crack many forms of encryption, or have backdoors into them. If they really want something, they'll find a way to get to it. Best bet, if you have info you don't want them to find, don't put it on the Net or otherwise put it in a digital format, keep it tucked away only in your mind.

Besides, I seriously doubt there is anything of real value here that they care about.

 

For a https connection, they can work with a certification authority to retrieve the encryption keys used with AES.
They also can put a spyware directly on our system but the network streams can be monitored, so this is not very discreet.

This is all they can do. They don't have magical powers, they are mere humans like you and me.
Even AES is not yet cracked, I have no doubt about that.



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 May 2017 - 05:36 PM

Time to cite the (inevitable :whistling: ) XKCD, in this particular occasion, TWICE ;):

 

1: https://xkcd.com/538/

 

2: https://xkcd.com/792/

 

Ok, I lied :w00t:, a third one is needed:

 

3: https://xkcd.com/386/

 

:duff:

Wonko



#8 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 19 May 2017 - 07:12 PM

@v77: They don't have magic powers, but they *DO* have vast sums of money and (oftentimes) classified technology. Who knows what exactly they are/aren't capable of? There are reasons why they keep so many secrets, and possess lots of power/influence. Even the almighty Google/MS/Apple/Intel/etc bow to their demands, they know they can be heavily punished or even shut down if they don't cooperate.

#9 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 20 May 2017 - 07:09 AM

Yes, HTTPS is trivial to decode at government level.

  1. Certificate providers cooperate with law enforcement
  2. your telecom provider for the Internet is monitoring the traffic on their network
  3. backdoors are installed on the server operating system, on the forum software
  4. If that isn't enough, even physical access to the web server can be requested
  5. third-party javascript is also profiling you (e.g. google, facebook)
  6. the apps in your computer are logging the keystrokes (skype, dropbox, etc)
  7. governments have huge computer farms for brute-forcing decryption of whatever formats
  8. the co-processor in your computer permits anyone outside to raw access your computer

HTTPS is useful to remove the small-time criminals from the picture, those that are typically eavesdropping on public WIFI and fake access points.

 

I'm not sure if it's worth the effort of putting it here. In either case it could be possible if not involving some crazy surgery on the forum software.

 

:cheers:



#10 v77

v77

    Silver Member

  • Team Reboot
  • 602 posts
  •  
    France

Posted 20 May 2017 - 08:24 AM

You are spotted, Edward...



#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 20 May 2017 - 10:24 AM

I would like to have HTCPCP implemented, as per RFC2324:

https://tools.ietf.org/html/rfc2324

Updating to later extension RFC7168:

https://tools.ietf.org/html/rfc7168

 is IMHO not really needed (as only a few people from the UK will probably whine about the lack of it).

 

:duff:

Wonko



#12 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 20 May 2017 - 11:35 AM

Well, after reading all comments, and having no money transactions on this forum, I change my mind: I agree with Nuno there is not a real need for HTTPS.

 

From Nuno Post #9

 

I'm not sure if it's worth the effort of putting it here. In either case it could be possible if not involving some crazy surgery on the forum software.


:cheers:


  • Brito likes this

#13 Zoso

Zoso

    Silver Member

  • Advanced user
  • 640 posts
  •  
    Isle of Man

Posted 20 May 2017 - 03:39 PM

hi all,

three letter agencies and corporate legal fictions (to include the officers that enforce corporate policies) are, in truth, only imaginary. the real people acting for them are not though, perhaps they are acting out of the scope of their duties and beyond their delegation of authority? in many, if not most cases, i think so.

i'm not averse to http for reboot.pro but https would seem more fitting to a tech site.

Nuno, number 8 on your list i find perplexing, what is this about?

FWIW the 'small time criminals' can be the worst since they are ignorant to any obligations they have to the letter of the law (or corporate policy)

the Emperor has no clothes but the small time crims are clothed with iniquity! (and many of them work *acting as agents* for the Emperor)

#14 v77

v77

    Silver Member

  • Team Reboot
  • 602 posts
  •  
    France

Posted 20 May 2017 - 04:14 PM

Well, after reading all comments, and having no money transactions on this forum, I change my mind: I agree with Nuno there is not a real need for HTTPS.

 

So you think that only money transactions require https on the web?

 

I have no need for a secure connection when I am on Wikipedia, but I understand that others may have a need for that.



#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 20 May 2017 - 04:52 PM

@Zoso, check IME/AMT:

https://en.wikipedia...ment_Technology

http://hackaday.com/...agement-engine/

http://hackaday.com/...agement-engine/

 

For AMD more or less the same thing is called PSP/Trustzone.

 

:duff:

Wonko



#16 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 20 May 2017 - 06:15 PM

For AMD more or less the same thing is called PSP/Trustzone.

 

ARM was the last one without that kind of snooping but they got bought last year, so would expect the next generation of their mobile processors to be "upgraded" too. 

 

https://techcrunch.c...f-arm-holdings/



#17 Zoso

Zoso

    Silver Member

  • Advanced user
  • 640 posts
  •  
    Isle of Man

Posted 20 May 2017 - 09:44 PM

@Zoso, check IME/AMT:
https://en.wikipedia...ment_Technology
http://hackaday.com/...agement-engine/
http://hackaday.com/...agement-engine/

For AMD more or less the same thing is called PSP/Trustzone.

:duff:
Wonko

oh, OK thanks. it seemed like something else to me for some reason. I'm familiar with this since the early TPM days.

I have no trust in trusted platforms or zones and expressly distrusted that trust to collapse the trust. ;-)

#18 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 21 May 2017 - 03:04 PM

v77, on 20 May 2017 - 11:14 AM, said:

So you think that only money transactions require https on the web?

I have no need for a secure connection when I am on Wikipedia, but I understand that others may have a need for that.


Quoting myself from Post #12

Quote
Well, after reading all comments, and having no money transactions on this forum, I change my mind: I agree with Nuno there is not a real need for HTTPS.


No my good friend, I didn't use the word only, I tried to say as not having money transactions it is not a specific requirement. So there is not a real need, but this does not mean in any sense it is not desirable for other members of this forum.

And of course I respect your opinion.

I think it is up to Nuno to take a decision after reading all comments.

Best Regards

alacran



