Ben Sturmfels

Security Friday

Upgrading a number of small websites with HTTPS, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and Content-Security-Policy.

Liking this tip from the Piwik team about using analytics in a way that complies with safe CSP settings.

Claes Wallin (韋嘉誠) likes this.

Claes Wallin (韋嘉誠) shared this.
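To make the checklist in the post concrete, here is an added example (my own code, not part of the original post or of the Piwik team's tip) that audits a set of HTTP response headers for the hardening named above: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and Content-Security-Policy. The sample header sets and the one-year HSTS threshold are constructed assumptions for the example; the CSP check flags the `'unsafe-inline'` and `'unsafe-eval'` script sources that analytics snippets often require, which is the situation the Piwik tip is about.

```python
"""Audit HTTP response headers for the security settings discussed in the post.

Added example code; header values below are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a site before hardening.
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://analytics.example.org"
    ),
}

# Constructed sample: the same site after applying the settings from the post.
SAMPLE_HARDENED = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": (
        "default-src 'self'; "
        "script-src 'self' https://analytics.example.org; "
        "img-src 'self' data:; frame-ancestors 'none'"
    ),
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, includeSubDomains) from an HSTS header value."""
    max_age = None
    include_sub = False
    for token in value.split(";"):
        token = token.strip()
        m = re.fullmatch(r"max-age=(\d+)", token, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS: max-age missing")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is shorter than one year")
        if not include_sub:
            findings.append("HSTS: includeSubDomains not set")

    xfo = h.get("x-frame-options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: expected DENY or SAMEORIGIN, got {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: expected nosniff, got {xcto!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP: no default-src fallback")
        # script-src falls back to default-src when absent.
        script_src = policy.get("script-src", policy.get("default-src", []))
        for unsafe in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if unsafe in script_src:
                findings.append(f"CSP: script-src allows {unsafe}")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_headers(sample) or "OK")
```

Run it against headers captured from your own server (for example from `curl -sI`) rather than the constructed samples to see which of the post's settings are still missing; the CSP finding for `'unsafe-inline'` is the one that usually points at an analytics snippet.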

https looked too risky

that stuff looks far worse than even that

it's time to BREAK UP the cartels that try to bully us into a censorship regime

I will always resist that

there is no way in hell I would want to allow untrusted third parties to block any website I make!

until they come up with something without the censorship risks plain old http will always be allowed

I won't budge on that and all the sloganising over https in recent years only makes me dig my heels in more.

I repeat - the issue is not the price of certificates, it's the CENSORSHIP risk!

now that browser BLOCK that is even worse!

the browser cartel MUST be broken up - had a gutful of their crapware in recent years.

sure encryption would be nice, but not if the price is to allow censorship.

Michael at 2017-06-19T13:13:38Z

@Michael You're right that there is some risk of censorship in that an HTTPS certificate could be revoked, which, assuming you're using HSTS, censors you until you can get a new cert. There is also some risk that certificate authorities could sign certificates fraudulently.

It's a trade-off. HTTPS provides visitors privacy and authenticity when they access a web site or service and, for me, that's a higher priority.

While HTTP doesn't rely on a certification system, it is vulnerable to more subtle censorship and manipulation, in that spying and tampering with the information "in flight" is straightforward.

Ben Sturmfels at 2017-06-28T00:14:40Z

der.hans, Christopher Allan Webber like this.

We need a better system than ssl for sure.

But at least in the meanwhile, LetsEncrypt has done some for-profit-cabal-busting.

But there is more to be done, and better systems to build!

Christopher Allan Webber at 2017-06-28T14:50:13Z

der.hans likes this.

these days more worried about browser cartels than certificate cartels

re letsencrypt I need to find those instructions for doing it manually

there are multiple domains on the same server here and subdomains too

multiple "platforms" and an xmpp server too

I really do think the first time I should do it manually to make sure nothing breaks and I learn properly what needs to be done

(can probably automate it later once I know what's needed - just need to be sure I get web server configs right. I must avoid downtime as much as possible - there are users to consider!)

also cannot redirect http to https .. that's a no go for now

I do want to let users use https but still have that other option if they need it

I cannot rule out the possibility of browsers being compromised

they are fixing holes in every release and there are always more

and I saw an attack with my own eyes a year ago that was probably exploiting a browser vulnerability

it showed a spoof site DESPITE dns returning the correct ip - trying http went to the real site! -

(saw it happen a few times - all the same day - on different machines in different locations running different operating systems - the only obvious thing those machines had in common was the browser)

if that could still happen to anyone out there it would be madness to take away the only remaining way that the user could get to the real site.

in that situation redirecting to https would force a user trying that back to the spoof site!

I don't think those kinds of risks can be ignored

the only sane option would be to let the user choose

only they could really know which risk really is worse for them than another.

when it's a case of a compromised web browser whether or not the connection is encrypted is probably not their biggest worry

and if they just want to look at the public events listings here without logging in (the most popular thing here) then they might consider that low risk and be more worried about NOT being able to see it!

but I do want people to be able to use tls here

especially when they login and look at non-public messages, post or edit content, etc

making logins safer where possible is always on the agenda

as long as the user can choose .. just in case

Michael at 2017-07-04T08:43:09Z