Syllable Forum Index Syllable
Syllable Forums
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

https for forum
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Syllable Forum Index -> Syllable Desktop
View previous topic :: View next topic  
Author Message
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sat Feb 28, 2015 8:54 am    Post subject: https for forum Reply with quote

Hi Kaj:

Have you ever considered using https (TLS) with your forum web servers? Some people think it's silly to go the https route with open source projects, but others realize that some problems are ameliated with the protocol, and do implement https. Haiku and FreeBSD both allow https connections, and both of them allow DHE* cipher suites. In the area where I live, vandals like to inject stuff into plain http streams. I've had it happen while viewing your forum pages, quite often. It's a growing problem here and around the world, and https (especially DHE* cipher suites) nullify the problem so long as you manage your certificates properly (albeit it's not exactly a security issue, per se).
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Sat Feb 28, 2015 10:29 am    Post subject: Reply with quote

https://forum.syllable.org Smile

I'm curious now where you live?
Back to top
View user's profile Send private message Visit poster's website
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sat Feb 28, 2015 1:59 pm    Post subject: LOL Reply with quote

That is so funny.

Well, I have an excuse. I tried to access the page from my "hardened" Netsurf/Haiku client, which will only offer and accept DHE* (Diffie Hellman Ephemeral) cipher suites. So, my bad, I guess. I suspect your default SSL setup might not support DHE* suites, or I possibly have other issues. LOL

BTW: Live in US.

Embarassed

- Ron
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Sat Feb 28, 2015 3:15 pm    Post subject: Reply with quote

Hm.

The SSL is provided by CloudFlare, so I would have expected them to support modern features.

I didn't know Internet thuggery had reached those levels yet in the US, so thanks for the heads-up. Unless you mean CloudFlare's HTML injections. Smile
Back to top
View user's profile Send private message Visit poster's website
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sat Feb 28, 2015 9:39 pm    Post subject: Reply with quote

Cloudflare?

That's the rub. Cloudflare doesn't accept DHE, and instead accepts the elliptical curve variant (ECDHE). Both Google and Cloudflare use that one, but I prefer not to use it. IMO - FWIW - I think anything other than non elliptical diffie hellman ephemeral suites are pretty close to worthless.
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Sat Feb 28, 2015 9:52 pm    Post subject: Reply with quote

I'll keep it in mind, but there's not much I can do about it in the short term.
Back to top
View user's profile Send private message Visit poster's website
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sun Mar 01, 2015 2:07 pm    Post subject: thuggery Reply with quote

Kaj:

Yes, the internet thuggery in ths US has reached impressive levels. First, let me disclaim my statements. I'm not officially any kind of security expert. So, these ideas are IMHO, given FWIW, and that may be zero.

It's my opinion that the keys for the 500+ top web presences are "in the wild." This means that vandals can decrypt most communications "on the fly" - and do it passively so that the victim is entirely unaware of it (until his bank account is drained, etc).

AFAIK, the only asynchronous remedy against keys in the wild is the straight DHE* family of cipher suites (not ECDHE). That's my opinion, FWIW. Only one percent of sites support straight DHE* now, so most traffic is on the "all you can eat salad bar." The reason given for lack of support is performance, but only the KEYS - and not the DATA, are in that equation. So, writing as a non expert, I'd say that the performance excuse seems to be bunk.

The vandals are clever. If a keyed decryption cannot be had in the communication, then the system automatically drops back to the certificate spoofing method. Indeed, when I use lesser known web presences, I am more likely to see the bad certificate insertion attempts. Even more clever, the vandals control DNS, so that no matter which IP is selected, the same server responds to all port 53 traffic. Again, this is said as a non expert, and based on some anecdotal/empircial experiences.

Lesser used protocols are also more likely to be cert-spoofed. (SMTP, POP, IMAP, etc). Most people use webmail. IMO, email clients seem to be worthless in terms of security, in this neck of the woods. IMO, it's because the only certs coming down the pipe (all wired connections) are spoofed certs. Either accept them, and hope that the email is actually delivered, or don't accept them and not communicate at all. Obviously the only thing to put in emails are trivialisms like "Hi Bob," and "Bye Susie."

When you use a browser, often the bad certs won't appear, because passive sniffing is all they need. IMO, don't do your banking on the internet.

The vandals, having access to all the data streams, know when a victim is trying to send reports about this. Using any kind of electronic medium to solicit help alerts them, so that they can "disappear" for a while. It's a perfect, pat system, end to end. That's why I have such an interest in DHE* stuff. It doesn't cover everything, but it makes the barrier a lot higher.

Forget VPNs. Most likely their keys are "in the wild" (even symetrical ones). I don't use one, so that statement is conjecture. Like this whole post.

Many secure sites have http leaker links, pulled in by the core pages. I have anecdotal experiences indicating that these leaker links are used for shell code exploitation. A proper set of https connections do not allow the insertions necessary for shell codes or other browser exploits. The defense, it seems, is to connect only to DHE* sites, and only those which contain no leaker http links. The number of sites that do this properly is excruciatingly small, and not surprisingly - are the techie oriented sites like Haiku-OS.org and the like. Haiku's site accepts straight DHE* and has no leakers, so far as I have ever noticed.

I hope talking about this is not a legal problem in your country. Some countries it is. Feel free to delete the post if it is.
Back to top
View user's profile Send private message
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sun Mar 01, 2015 2:42 pm    Post subject: Reply with quote

I meant to write asymmetrical, not asynchronous - don't get old - your spelling goes to hell..

I seem to recall finding a cloud powered site that successfully utilized DHE* suites. I think the url https://raymii.org has information on it. Although that site has one leaker link.
Back to top
View user's profile Send private message
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sun Mar 01, 2015 3:22 pm    Post subject: Reply with quote

It's very hard to debug DHE* connections (using something like wireshark). That's part of the beauty, I guess. The reasons for my positive feelings toward DHE* suites are mostly anecdotal. I remarked about the http insertions (inserting trashy stuff into plain http connections is trivial). But, occassionally, I noticed the insertions with https connections made with standard server selected cipher suites (not DHE). Using the DHE suites, I NEVER noticed any insertions. After a time, this difference caused me to develop a good "touchy-feel-ly" attitude relative to the DHE* suites.

Relative to the standard (non DHE*) suites that allowed insertions: the implication is that they were broken "on the fly." How else could anything be inserted?

It's made me a DHE* believer, FWIW. Your mileage may vary.
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Sun Mar 01, 2015 5:31 pm    Post subject: Reply with quote

Indeed, I have little experience with such breaches. I do take some general precautions such as using open source Unix type operating systems, and trying to stay away from bloat, Windows and wireless networks.

The pervasive interception of networks doesn't seem to happen here, except by governments and incidentally on wireless networks if you're unlucky. In any case, I'm not aware of ever having seen malicious insertions in the network stream.

I guess you won't like CloudFlare. They offer SSL on the frontend while customer backend servers are still allowed to be without SSL. If you do encrypt traffic on your backend server, it's still re-encrypted by CloudFlare, and HTTP and HTML insertions are part of their service.
Back to top
View user's profile Send private message Visit poster's website
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Sun Mar 01, 2015 5:47 pm    Post subject: Reply with quote

I looked at Cloudflare, but after I read their TOS, I decided not to use them.

See section 11, in the terms of service:

http://www.cloudflare.com/terms

I'm not a criminal, nor have I ever been involved (in a negative way) with the law. But, that section of their TOS is downright scary. I've been thinking of a change of habitat though ... maybe someplace with sandy beaches, year round warm weather, and fewer worries. It has to be south of Florida tho.... Wink
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Sun Mar 01, 2015 6:14 pm    Post subject: Reply with quote

Yeah, it's not ideal. I try to use them only for sites with public content.

On the other hand, I'm familiar with the kind of absurd people that come to you when you do anything on the Internet, so a service provider would need such kind of terms.
Back to top
View user's profile Send private message Visit poster's website
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Mon Mar 09, 2015 10:23 am    Post subject: Reply with quote

[quote="Kaj"]Yeah, it's not ideal. I try to use them only for sites with public content.

On the other hand, I'm familiar with the kind of absurd people that come to you when you do anything on the Internet, so a service provider would need such kind of terms.[/quote]

"Not ideal" is the supreme understatement. But, what can you do? Really, I've thought recently about abandoning the internet. For an internet junkie, that's really saying something.

I made a big deal over the encryption cipher, because the better ones do seem to work (sometimes) - to alleviate the problem. However; the encryption level is only one of many problem areas, non of which have perfect (or any, even) fixes.

For three years I had baristas at coffee shops reading my encrypted https emails back to me - and I HAD NOT accepted any additional certificates. So, lately I'm leaning to the idea that the SHA1 digest algorithm has been completely broken. Since much of the world's certificates use SHA1, that opinion would force me to believe that there is no security at all in https/ssl/tls/etc.

With SHA1 broken, any certificate can be forged on the fly, and will not result in a warning message in the browser, and does not require any collaboration with cert authorities. It's a completely clean intercept and control of communications, abeit with some additional overhead beyond what would accompany just obtaining the private keys from the sources by subterfuge.

I looked at SHA1 - and it's messy. It seems to me that the messier something is, the more likely it can be undone (more levers to tweak). It's nothing like the simple prime number based setups (like RSA) albeit those are not for digest. I wonder how Europeans (you're one of those I think) like using all this stuff made in America, given current events, especially since SHA1 was written by NSA.
Back to top
View user's profile Send private message
Ronaldlees



Joined: 15 Oct 2014
Posts: 146

PostPosted: Mon Mar 09, 2015 11:21 am    Post subject: Reply with quote

I made mention earlier that I had never noticed insertions with any DHE* suite. Well, the other day I had just one instance (with DHE* in use) - and today another small one. In another setup, when using a TOR circuit to a far away entry node and a far away place, it happened while using an ECDHE* suite. So, while the use of the better suites does seem to help, it does not fix it completely, thus bringing the idea of the certificates into play. In order to insert, the data must be decrypted, so - that's gonna be certs or ciphers, in the main. I think I'm poetic Smile
Back to top
View user's profile Send private message
Kaj
The Knights of Syllable


Joined: 14 Sep 2007
Posts: 2203
Location: Friesland

PostPosted: Mon Mar 09, 2015 2:20 pm    Post subject: Reply with quote

Well, it's not a strong cipher if baristas break it between coffees.

Now I'm curious what things they insert in your streams?

You're right, I don't much trust American technology anymore, and that notion has finally broken through publicly here now, too.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Syllable Forum Index -> Syllable Desktop All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group