>>10933
I thought it made it easier for them.

>>10933

I agree with this, provided it's done properly and uses perfect forward secrecy.

>>10935
This. I can't believe it's not used widely at all.

As far as my understanding allows (and tech blogs have told me) there's not really any excuse now for any website not to have https enabled.


>>10934
All data between the server and the user is unreadable, therefore only the servers internal IP logs can identify which user posted which content.

>>10933

While we're at it why don't we tweak robots.txt so that google/bing/etc won't (theoretically) cache posts in search results. Obviously this won't do much against intel agencies but it's a nice privacy tweak.

>>10937
Cost and effort of certificates. (Unless you're happy to have all your visitors presented with WARNING DODGY CERTIFICATE DETECTED ITS PROBABLY AN ATTACK, obviously.)

>>10937
Fuck me, that sounds nice.

>>10939

PFS sort of kind of deals with that. Kind of. But it's the best we have. And better that than nowt, say I. Etc.

BTW if money is the issue throw up a paypal page, or better yet, a BTC wallet, and I'm sure the money will roll right in. INB4 GCHQ.

>>10941
I don't see how it deals with your free or self-signed certificate not being trusted.

>>10938
Oi no fuck off don't do this, search engines are the only tool when I want to read a thread from long ago, and they barely work at this task anyway.

>>10942

How much are we talking? I could spare a tenner as a one off on next payday. Assuming other people were open to it, how much would need to be scrounged?

>>10945

m8 purple is well minted hes got a telesccope wot can c the moon

>>10947

Thanks for clarifying.

purps pls.

>>10945

It's even cheaper than I imagined:

http://www.trustico.co.uk/dv/rapidssl/cheap-rapidssl-certificate.php

what difference does https make?

>>10952
It's a little bit faster and shinier, but not really a massive leap forward. Assuming the iPhone 4s was anything to go by, of course.

Come on purple!

>>11761
Ew

Do you know a really good way to get GCHQ's attention? Mention GCHQ lots of times in posts about GCHQ. Apparently GCHQ have the equivalent of Google Alerts set up to see when people are talking about GCHQ.

>>11763

GCHQ would never do that.

>>11764
No, really, GCHQ do exactly that. This is why the only way to undermine GCHQ is to mention GCHQ for reasons that are entirely irrelevant to the actual mission of GCHQ just to keep GCHQ busy. I call it the Casino Royale technique.

>>11765

I'm sure the GCHQ has a GCHQ whitelist of sites that frequently mention GCHQ yet are no threat, to GCHQ or otherwise, that GCHQ ignores because they benignly mention GCHQ so often.

>>11767

And, although not knowing the workings of GCHQ, that the GCHQ has added .gs to this GCHQ whitelist.

>>11768

Don't be silly, that would be a terrible idea for GCHQ, if it was true then all you would need to do is pretend to be no threat to GCHQ and then you could start to mention GCHQ in your muslamic plans freely.

Some poor GCHQ intern's inbox is getting blown the fuck out right now.

More so, because I just said blown the fuck out and GCHQ in the same sentence.

>>11770
>GCHQ intern

"Enthusiastic individuals wanted for two-month unpaid placement spying on communications between members of the public"

>>10939
Effort, maybe, but cost? A cert is less than £5/year.

>>11770

It'd be a proper explosive headache to sort through that inbox for free Palestine.

>>11771

They get students in, like wot that telly show Alias done.

>>11772
You do know cheap certs are one of the reasons for the widespread compromises over the last few years, right?

Is there any actual point of having HTTPS here?

Everything that gets posted is publicly available, where does the encryption come into use?

Sent via my GCHQ iPhone.

>>11778
Some ISPs may inject shit into unencrypted traffic.
Also, if I understand it correctly, will prevent peeping on what exactly you have been peeping here.

>>11778

Not having HTTPS is a security and privacy risk on untrusted local networks (coffee shops, pubs, trains, work, etc), even if you don't care about giving two fingers to the TLAs.

>>11780
Bear in mind they're the same sort of networks that are likely to do blanket MITM on your SSL.

>>11781

Unless you're a moron or they've persuaded someone to sell them a root certificate, you should be alright.

>>11782
You do know this is a fairly standard feature in off-the-shelf gateway and filtering products, right?

>>11782
Oh fuck off you tedious cocksucker. Cunt. I hope you get buggered by a pack of rabid rats.

Can we have HTTPS now please?

When it's free and basically minimal effort (https://letsencrypt.org/) perhaps?

Why do you lot even care? If someone at a cafe sees you shitposting here, so what?

If it's because of the three/four letter agencies, they can own any widely used SSL for sure.

>>13351
Malicious Wi-Fi hotspots that inject shite into unencrypted traffic, maybe.

Sage thoroughly checked because I don't know if this applies to Blighty.

>>13360

Things like Quantum Insert just wouldn't work if every site on the internet used SSL. Even if you had the private key of every SSL provider on the internet, that'd only really help you to crack encrypted traffic later on (and that's only if they're not using PFS, which they should be) - certainly the extra latency involved in calculating SSL on the fly would almost certainly push the timings needed for QI type attacks into the realm of the very improbable.

> Sage thoroughly checked because I don't know if this applies to Blighty.

>>13351

> they can own any widely used SSL for sure

It's ok, I'm pretty sure he doesn't know very much about blighty either.

Sage checked for rampant foreigner-hating and baiting.

>>13361

>Things like Quantum Insert just wouldn't work if every site on the internet used SSL.

Not if a trusted Certificate Authority is compromised.

https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise

>>13362
Or, more worryingly, one willingly compromises itself.

>>13362

PFS and certificate pinning, sir.

The Govt making all unencrypted traffic light reading for your local council's IT department is surely the impetus we need to implement this.

IRC supports SSL, so why not allow encryption on .gs?

>>13402
If you've got nothing to hide, you've got nothing to fear, m7.

>>13403

Jokes aside, this is a pretty serious invasion of privacy.

Expressing you opinion anonymously is something this site enshrines. We need HTTPS now for that to remain true.

>>13404

We've needed it for years, but the admin team has never been able (or willing?) to provide it. With Let's Encrypt it should now be a relatively straightforward affair - providing the admin team doesn't make a dog's dinner out of it and sets PFS up properly. Providing that is done I'll put myself up for writing a short guide on how to do certificate pinning correctly so that anyone who wants to use this site as securely as possible will be able to.

>>13405
The Admin team is nonexistent. purple left the website in the hands of one of the teenagers and nothing really will ever get done on this site anymore. It's a shame, it used to be quite fun.

>>13406
Don't be a cock I read every day.

I've actually changed my mind on the issue - >>13402 is right, this latest change in the law does make me very minded to encrypt a lot more.

>>13407

For users:

https://www.eff.org/Https-everywhere

For admins:

https://community.letsencrypt.org/t/beta-program-announcements/1631

>>13408
Let's Encrypt doesn't support nginx.

>>13409
Pound works pretty well for adding an SSL layer and has a fairly low admin overhead.

>>10933
Surely if someone packet sniffs the entire conversation on https, they would be able to decrypt the traffic?

>>13411

No. The whole point of HTTPS is that it allows a secure session to be established over an insecure channel. If the client, server and certificate authority are trustworthy then the session is (in theory) perfectly secure.

HTTPS has a vital role to play in reducing the reach of surveillance, which is why Lets Encrypt is such an important project. The NSA and YMCA have spent close to a billion dollars attempting to undermine HTTPS and other cryptosystems, with only shape-shifting reptilianest success. The techies are outpacing the spooks.

https://en.wikipedia.org/wiki/Bullrun_(decryption_program)

>>13412
>The techies are outpacing the spooks.

I suspect that we only hear half of what they are capable of. All the typical "black" projects in othe defence sectors (you know, like all the skunkworks stuff) aren't admitted about for years. How long did they keep the stealth bomber a secret for? I imagine it's much the same with whatever vile electronic glass against our wall they are using.

>>13412
>YMCA have spent close to a billion dollars attempting to undermine HTTPS and other cryptosystems
It was only a matter of time...

>>13409

You no longer need to use the Let's Encrypt client as this site allows you to just get the certificate and do the installation and setup manually.

https://gethttpsforfree.com/

>>13540
That's interesting. I managed to get on the Lets Encrypt beta list, but there were two issues - they're currently rotating certificates every six to eight weeks, which is boring and they wanted to publish my email address, which is also tedious.

>>13542

Any updates on this modlads? It's been another six months. I guess I'll have another dig around and see if things are any easier than they were then, although I'd hope they are.

While I'm here (and because there's no Sheds General thread), I noticed that the geofag for Brazil is 'Nutfag', which while a clever play on Brazil Nuts, isn't really all that funny. I humbly offer up the following alternatives:

Coconut
Dilmafag
HUeHUe
Zikafag
Sextourist

I also look forward to hearing any other suggestions our users may have.

No sage because I want to bump this onto the first page of /shed/

This thread was an amusing read, I think I just avoided it in the past because I don't even know what http means.

What does https do? And what is robots.txt? I've seen the little fucker pop up a lot but I don't know what it is or why it's so named.

>>13815

HTTP stands for Hyper-Text Transfer Protocol. It's the system used to send webpages and other data from web servers to your computer. The S in HTTPS stands for "secure". HTTPS adds a layer of encryption to HTTP, preventing the data from being intercepted by an eavesdropper. It is essential for things like online shopping and banking, but there is a movement to make it standard on all websites. This movement has been accelerated by the Snowden revelations.

Robots.txt is a standard system for web servers to communicate with automated systems like search engines. It can be used to declare certain files or folders as off-limits to automated systems, or to request that they only access files at a certain rate. It is purely advisory, but systems that ignore the robots.txt can be assumed to be malicious and automatically blocked by a firewall. It's normally used to stop irrelevant things from cluttering up search engine listings, or to stop search engines from battering a server with too many requests.

Why bother? There's nothing of security interest here. If Spooks In Specs, Gigantic Crania Hacking Quietly or Mission Impossible 5 decide they'd like a poke around some corner of the domestic internet I strongly doubt even .gs' legendary webmaster could keep them at bay.

I'm not advancing the 'nothing to hide, nothing to fear' trope, just saying it's a bit of a pointless concern. Like investing in a sturdier umbrella to protect against meteorite strikes you don't need it and it wouldn't work if you did. Must say I love the image of some whizzkid locked away in the Doughnut trawling through /iq/ and trying not to snigger.

>>13817
>There's nothing of security interest here.
That's the point.

>>13817

>Must say I love the image of some whizzkid locked away in the Doughnut trawling through /iq/ and trying not to snigger.

It's not about people, it's about algorithms. HTTPS thwarts the bulk collection and analysis of intercepted data. It forces the spooks to work for their intel, rather than getting an instant picture of who you are, who you know and what you think just by searching for your name in a database.

If you're a target then you're fucked, but good data hygiene can stop you from becoming a target, it can stop you from getting swept up in a dragnet.

>>13819
What exactly would I be 'targeted' for?

>>13820

Damned near anything that the government considers suspicious. Socialising with the wrong people, visiting the wrong website, signing the wrong petition, travelling to the wrong country, exceeding an arbitrary threshold on some nebulous "risk algorithm" based on your browsing history and the content of your e-mails.

Back in the '70s, my dad had an MI5 file because he was a Student Union rep. Special Branch put me under surveillance because I was involved in the Stop The War Coalition. A photographer friend of mine had a "friendly visit" from SO15 because he was spotted taking photos near the Thames Barrier. Given the scale of their resources today, I expect that GCHQ are monitoring a vast number of people.

I know for a fact that this post has been intercepted and logged by GCHQ, and that the keywords in it will increase the risk score associated with my IP address. I doubt that any human being will ever read it, but I know that it's part of the intelligence profile being constructed about me. If I raise enough red flags, an intelligence analyst will have a good rummage through the collected data to see if I'm a wrong'un.

>>13821
>Back in the '70s, my dad had an MI5 file because he was a Student Union rep. Special Branch put me under surveillance because I was involved in the Stop The War Coalition.
And you know this because...?

>>13820
Well for a start you've just posted in an imageboard thread about encryption and GCHQ.

Less facetiously, look at it like this: You lock your door when you leave for work. You're not a criminal, but presumably you're not going to leave a spare key with the police just in case they want to take a look around.

>>13823
This is more like asking your landlord to install an alarm system.

>>13823
Jews, Allah, Mohammed, IRA, Republican, Fertiliser, Jet fuel can't melt steel beams.

>>13824
It's actually more like when you stumble home from the pub, pissed, but then get to the door and find you've left your keys on the bar, so you try and climb over the garden fence so you can get to the shed and get a ladder to go through the bedroom window you left open, but you kick over some paint cans and wake up your neighbour, and they ring the rozzers who come and spend an hour questioning you before they leave, and then when you wake up in the morning you find you've shat yourself.

>>13822

My father learned of the existence of his file the late 90s, after an investigation and legal challenge by Liberty. If memory serves, the matter was precipitated by the Shayler affair.

My own surveillance was overt, I suspect because it was primarily intended to intimidate me. The officers tasked with monitoring me introduced themselves to my friends, neighbours and colleagues. They were gathering intelligence, but they were also sending a clear message. Overt surveillance is a common tactic in the policing of protest and civil disobedience, the most common form being the Met's use of Forward Intelligence Teams.

https://en.wikipedia.org/wiki/Forward_Intelligence_Team

My parents had some overt surveillance too, back in the 70s. It clearly worked because they stopped going to protests and settled down into normal lives and even went as far as to tell me about it as a scare story.

>>13821
Why the fuck do they care about people protesting war? Where's the security threat there?

>>13829

Anything that threatens or inconveniences the government is regarded as a security threat. Environmentalism, animal and human rights, pacifism, you name it. There are a web of secretive organisations whose sole function is to infiltrate and undermine political activist groups.

https://en.wikipedia.org/wiki/National_Public_Order_Intelligence_Unit

The family of Stephen Lawrence were put under surveillance by the Met. An undercover officer was tasked with smearing the family to damage the credibility of their campaign.

https://en.wikipedia.org/wiki/Murder_of_Stephen_Lawrence#Revelations_about_undercover_police_conduct_.282013.29

When the undercover officer Mark Kennedy secretly recorded evidence that would have exonerated six environmental protesters, the Met buried the evidence. Over the course of seven years undercover, Kennedy provided intelligence to the police forces of 22 countries.

https://www.theguardian.com/uk/2011/jun/07/mark-kennedy-police-spy-secret-tapes
https://en.wikipedia.org/wiki/Mark_Kennedy_(police_officer)

There's no ethics here, no honour. They'll do whatever they think they can get away with. Christ knows what SIS get up to under cover of the Official Secrets Act.

>>13829
It's an indirect threat. It may prevent action to thwart direct threats elsewhere. See Syria, for example. Protests against engagement persuaded the pollies to prevent us from going in, and the net result was ISIS taking over half the place.^{[oversimplification]}

Hello.

https://doesmysiteneedhttps.com/

Sorry about that lads.

I'll be setting up LetsEncrypt and HTTPS in advance of the October deadline from the Google Chrome team - at that point, any site that is submitting forms and suchlike will get an insecure content warning, which would be quite boring.

Pardon the necromancy, but LetsEncrypt makes this cost-free as long as you trust certbot (style encryption). If gs these days uses a cdn, then I give up because I don't know what I'm talking about but if it's still single endpoint it should be doable. "Pound" is a great front-end for whatever service does the work. It's all a layer before it hits brian and a layer where filtering would prevent more traffic... as far as I can see should be fine.

>>14381
But of course you know that, so I'm sure there are reasons :(

>>14231
I've been looking for this site which I found interesting when it was first posted, so thanks for bumping this thread so I could find it again. I was Googling 'https why' and similar terms and it wasn't coming up.

>>14383
Which website?

>>14384
If we were having this conversation in person this is where I would stare at you until you stopped being a dumbarse.

>>14385
Why won't you just link to it, you fucking twat.

>>14386
Why can't you read six posts back?

>>14386
>>14231

>>14387
Come on, lad. Let's not make .gs even more autistically insular than it already is.

>>14388
It's the Christmas cunt-off and is fairly friendly by our standards.

But agree entirely, obvs.

The certificate expired shortly before noon today.

I just noticed its https now and 😍

Really appreciate the work you did for this.

(A good day to you Sir!)

>>14787
Duly noted, I shall contain myself.

You know that email that Let's Encrypt sends you to let you know the certificate is going to expire, right? Right?

You know, right? Right?



Right, lads? Right?

>>14815
We like to let it expire to remind you how secure and private your posts are.