https and https addon

Discussion in 'privacy problems' started by lovelymaiden, Jan 11, 2012.

Thread Status:
Not open for further replies.
  1. lovelymaiden

    lovelymaiden Registered Member

    By way of intro, I am NOT an IT professional, just a small business owner who recently learned that my information online is terribly compromised and trying to do what I can to create better protection and security for my private information.

    In the course of doing research I learned that using https vs. http is a better way to ensure that the pages I am searching are not visible to others. By someone's recommendation, I downloaded the httpsfinder program (or add-on, I'm new to all this) and I THINK it's working, but I am finding the menu for set up terribly confusing to my non-techie brain.

    This morning I noticed that my sign on to this site came through http and not https. I manually typed in https and got a notice that there was an invalid certificate.

    Maybe I don't understand all this, as I would think that if https provides some kind of added privacy it would indeed be used here. Can someone help me understand the "https story" and what it means to me?

    Thanks so much.
  2. Cudni

    Cudni Global Moderator

  3. lovelymaiden

    lovelymaiden Registered Member

    Thanks for the link: I read everything.

    I would have posted there but the thread is closed. I am wondering if my PMs are also private without using the https. I changed some setting on my computer the other day and now I get messages when I send a PM here that it's not encrypted and it can easily be read by others.

    Is there anyone who can clarify in the simplest of terms what using https actually does?

    Thanks
  4. MrBrian

    MrBrian Registered Member

    How SSL Works
  5. Spooony

    Spooony Registered Member

    https means the HTTP protocol over SSL on port 443
  6. Victek

    Victek Registered Member

    Practically speaking what it means is data transmitted to the website is encrypted. For instance when you go to your bank's website you can safely enter your user name and password because the transmission of that data is encrypted. Not all websites support HTTPS (including wilderssecurity.com) and when you enter data on those sites it is transmitted "in the clear". That means if someone successfully engaged in a "man in the middle" attack (MITM) they could see the information you entered. Some accounts are a lot more important than others. It's not likely that anyone will bother hacking my wilders account so they can impersonate me here - that would be a ridiculous waste of time. On the other hand email, bank sites and e-commerce need protection. Any site that accepts credit card information is going to use HTTPS. Email sites support HTTPS at least during the actual login to protect the credentials. Gmail supports continuous HTTPS.

    The danger of MITM attacks is much greater over unencrypted wireless networks, i.e. "open wifi" in cafes, restaurants, etc., but it's good to be careful on a wired network too.
  7. HAN

    HAN Registered Member

    lovelymaiden: Your post is about https. Hopefully, in doing your research, you have learned that it is only 1 part of many that helps in keeping your web surfing more private.

    I didn't want you (or anyone reading this) to assume that using https solves most or all privacy protection issues. It does not.
  8. Hungry Man

    Hungry Man Registered Member

    @Vic,

    Wilders does support HTTPS.

    I'd also like to say that HTTPS doesn't just prevent someone reading your data it also prevents them from changing it. If you use HTTP and someone is in the middle they can change data on the fly going either way. This means they could reroute bank information, emails, anything or even send information to you like a malicious webpage or phishing page.
  9. xxJackxx

    xxJackxx Registered Member

    They use a self signed certificate though. A novice user would probably skip it since most browsers advise against using them and try to direct you away from it like your browser is going to spontaneously combust if you continue.
  10. Victek

    Victek Registered Member

    You're right and I stand corrected. Firefox says the certificate is untrusted/self signed and Calomel shows the security as extremely weak though. Under those circumstances I wonder if it's a good idea to use https?
  11. xxJackxx

    xxJackxx Registered Member

    I started a thread on the same subject several months ago and the general consensus was that if everyone connected to the site with SSL it would slow the site down considerably and would provide no measurable benefits.
  12. Hungry Man

    Hungry Man Registered Member

    Anyone can spoof a self-signed cert. It's pretty much as good as not being there at all. Not that Wilders needs it.

    I was just clarifying that Wilders does support it, it just doesn't have a certificate.

    It's worth using as long as whoever uses it understands that if someone wants to look it's a matter of just looking, really.
  13. LowWaterMark

    LowWaterMark Administrator

    That's rather an extreme conclusion. Sure, if you choose not to save our certificate into your browser, then you will get a certificate warning every time you come to the forum. If you have not made note of our certificate's thumbprint, and simply click any browser accept or ignore option, then someone could do a MITM attack successfully. But, why do that? Why not save the certificate one time and from then on be assured that you will never again get an alert, "unless" something has changed, like a hacker doing a MITM intercept and putting in their own certificate?

    Once you save a self-signed cert, you will definitely get a warning if a different certificate is accessed. That's the surety provided in the certificate functionality in the browsers. Once trusted, any change will be alerted to you, and then you'll know something is wrong. To me, that does not mean that anyone that wants can simply take over our sessions and we'd never know about it.

    Speaking of our self-signed certificate... It's been almost a year since I enabled SSL access here and the cert I created was only good for a year. I'm going to need to get/make a new one. In this past year, I've been satisfied that this has been working fine. My own experience of saving the cert to all my browsers on two PCs, a phone and an iPod, have left me confident in a self-signed cert being just fine. And given the past year's continued CA industry's problems, (especially this latest issue, which really surprised me, I didn't know they could do that), I see even less reason now than a year ago to get a CA signed cert. I'll probably just make a new, 1-year self-signed certificate.
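    The "save the thumbprint once, then alert on any change" scheme LowWaterMark describes is usually called trust-on-first-use (TOFU) pinning. The following is an added example (not code from the forum or from any browser) that shows the logic in a few lines of Python: the SHA-256 thumbprint of the DER-encoded certificate is stored per host on the first visit, compared on every later visit, and any mismatch is reported. The certificate bytes used below are constructed placeholders, not the forum's real certificate; `fetch_der()` shows how a real certificate would be obtained with the standard library, but it needs network access and is not called in the demonstration.

```python
import hashlib
import json
import ssl
from pathlib import Path

# Constructed placeholder "certificates" for the demonstration; a real DER
# certificate is the byte string returned by fetch_der() below.
SITE_CERT_YEAR1 = b"CONSTRUCTED-DER: self-signed cert issued for year 1"
SITE_CERT_YEAR2 = b"CONSTRUCTED-DER: self-signed cert renewed for year 2"
INTERCEPT_CERT = b"CONSTRUCTED-DER: cert presented by an interposed proxy"


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, in the colon-separated hex
    form browsers display in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_certificate(store: dict, host: str, der: bytes) -> str:
    """Trust-on-first-use check against a {host: thumbprint} store.

    Returns 'first-use-saved' when no pin exists yet (the pin is recorded),
    'match' when the presented certificate equals the pinned one, and
    'CHANGED' when it differs. A change is the signal LowWaterMark relies on;
    it fires both for an interposed certificate and for a legitimate renewal,
    so the user must re-verify the new thumbprint out of band before re-pinning.
    """
    fp = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "first-use-saved"
    return "match" if pinned == fp else "CHANGED"


def repin(store: dict, host: str, der: bytes) -> str:
    """Explicitly replace the pin after the new thumbprint was verified."""
    store[host] = fingerprint(der)
    return store[host]


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (requires network).
    Uses only standard-library helpers; verification is deliberately not
    performed here because the whole point is to pin a cert no CA vouches for."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def run_demo() -> list:
    """Walk through the sequence the thread discusses and return the results."""
    host = "forum.example"          # placeholder host name
    store = {}
    results = [
        check_certificate(store, host, SITE_CERT_YEAR1),  # first visit: pin saved
        check_certificate(store, host, SITE_CERT_YEAR1),  # later visit: silent
        check_certificate(store, host, INTERCEPT_CERT),   # interposed cert: alert
        check_certificate(store, host, SITE_CERT_YEAR2),  # yearly renewal: alert too
    ]
    repin(store, host, SITE_CERT_YEAR2)                   # after out-of-band verification
    results.append(check_certificate(store, host, SITE_CERT_YEAR2))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(run_demo(), 1):
        print(step, outcome)
```

    The fourth step is the caveat worth noticing: a pin cannot tell a renewed self-signed certificate from an interposed one, so when the admin rolls the yearly certificate every pinned user sees the same alert a MITM would produce and has to confirm the new thumbprint through some channel other than the connection itself.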
  14. Hungry Man

    Hungry Man Registered Member

    This is true - I was working on the assumption that users were using default settings.
  15. Victek

    Victek Registered Member

    Apart from the issue of self-signing vs. a cert issued by a CA, what about the implemented security level? I'm not well versed in SSL so I don't know how to evaluate the numbers when the Calomel plugin describes what I think are various aspects of encryption as weak. I imagine it's appropriate for the strength of the ciphers, etc., to be in proportion to the site's function - we're not engaged in financial transactions here - but I'm interested to hear how you think about it.
  16. LowWaterMark

    LowWaterMark Administrator

    What does the Calomel plugin state exactly? (I don't have it installed.)

    What I can say about what we're using is that I copied Google's gmail server settings, back when the Beast attack was being discussed. We're using the same key and signature algorithm for the certificate and the same cipher choice because it isn't vulnerable to beast. I figured that if it was good enough for Gmail, it was good enough for us.
  17. Victek

    Victek Registered Member

    Have a look at these. I included Gmail and Lastpass for comparison.

    wilderssecurity Calomel.jpg

    gmail Calomel.jpg

    LastPass Calomel.jpg
    Last edited: Feb 15, 2012
  18. Hungry Man

    Hungry Man Registered Member

    Yes, the only difference is that the Google cert is verified.

    Self signed certificates aren't trusted by default because
    1) If it's your first time visiting a page it's impossible to verify the cert.

    2) If you don't save the cert it's the same issue as above.
  19. LowWaterMark

    LowWaterMark Administrator

    Ah, I've seen that display before. And yes, the choice of RC4 was deliberate following the Beast attack discussions - again, copied from what Google chose to use, since it is not vulnerable to that attack. Is it the best cipher? No, but, it hasn't been cracked either.

    FYI - Regarding uploading attachments for display, see this: http://www.wilderssecurity.com/showpost.php?p=356869&postcount=2
  20. Victek

    Victek Registered Member

    Thanks, I'll check out uploading attachments. By the way, I added a Calomel screenshot for LastPass.com, which apparently has the strongest settings.
  21. LowWaterMark

    LowWaterMark Administrator

    Yes, I see that. It's actually quite funny... We were using AES-256 here originally, however, all the automated Beast test tools indicated that our site was vulnerable. So, that's when I switched to RC4 stream.
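    The dilemma in this post (AES-CBC flagged by the BEAST tools, RC4 stream as the way out) is one a server operator today can sidestep entirely, because TLS 1.2 AEAD suites (AES-GCM, ChaCha20-Poly1305) are neither CBC nor RC4. The following is an added example, not code from the forum or from the Wilders server configuration, showing how to build a server-side `ssl.SSLContext` with the Python standard library and audit what it will actually negotiate. The cipher strings are assumptions chosen for the demonstration; the audit relies on the `aead`, `protocol` and `symmetric` fields that `SSLContext.get_ciphers()` returns.

```python
import ssl

# Hardened spec: ECDHE key exchange, AEAD bulk ciphers only, no anonymous
# suites, no MD5, and RC4 excluded explicitly. (Assumed spec for this example.)
HARDENED_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"

# The two choices the thread weighs: an RC4 stream suite and an AES-CBC suite.
# Modern OpenSSL builds usually refuse the RC4 spec outright.
LEGACY_SPECS = {"rc4-stream": "RC4-SHA", "aes-cbc": "AES256-SHA"}


def build_hardened_context() -> ssl.SSLContext:
    """Server context that refuses TLS 1.0/1.1 (where BEAST applies) and
    offers only AEAD suites, so the RC4-versus-CBC question never arises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_SPEC)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Classify every suite the context can negotiate."""
    report = {"rc4": [], "non_aead": [], "aead": [], "pre_tls12": []}
    for c in ctx.get_ciphers():
        name = c["name"]
        if "rc4" in (c.get("symmetric") or "").lower() or "RC4" in name:
            report["rc4"].append(name)
        elif c["aead"]:
            report["aead"].append(name)
        else:
            report["non_aead"].append(name)      # CBC and other non-AEAD suites
        if c["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
            report["pre_tls12"].append(name)
    return report


def is_clean(report: dict) -> bool:
    """True when nothing in the report would have worried either side of the thread."""
    return not report["rc4"] and not report["non_aead"] and not report["pre_tls12"]


def legacy_spec_available(spec: str) -> bool:
    """Whether the local OpenSSL still offers a legacy spec at all; a
    rejected spec raises ssl.SSLError ('No cipher can be selected')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return len(ctx.get_ciphers()) > 0


if __name__ == "__main__":
    rep = audit_context(build_hardened_context())
    print("hardened context clean:", is_clean(rep))
    for suite in rep["aead"]:
        print("  offers", suite)
    for label, spec in LEGACY_SPECS.items():
        print(f"{label} ({spec}) still available locally:", legacy_spec_available(spec))
```

    Running the script against the local OpenSSL shows which of the thread's two legacy options the library will even accept anymore; on current builds RC4 is typically gone and only the AEAD list is printed for the hardened context.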
  22. Victek

    Victek Registered Member
