Seconded
#1966 posted by
- on 2015/11/14 14:17:02
Drunken Scampie from like 9 years ago agrees too:
http://www.celephais.net/board/view_thread.php?id=23795&start=892&end=892
I was mad he changed my 'Other Games' thread to 'Other PC Games'. Go read the first 800 or so posts, it's very much about all games. He only got away with it because I stepped down as mod a year or so before that and thus couldn't fix my thread.
#1967 posted by
metlslime on 2015/11/14 20:08:22
Yeah I agree with those ideas
Spirit.
#1968 posted by
Shambler on 2015/11/15 12:27:03
What ARE you waffling on about now?
And?
#1970 posted by
Shambler on 2015/11/15 12:36:45
Get a sense of humour you choad. It's hardly secret editing.
#1971 posted by
JneeraZ on 2015/11/15 12:43:21
It SHOULD be tagged with a "- Moderator" or something. I don't think that's unreasonable.
BTW.
#1972 posted by
Shambler on 2015/11/15 13:10:07
Sorry I SECRETLY EDITED the news post to put in the precious .zip link :P
Quoting A Url
#1973 posted by
Preach on 2015/11/20 01:13:22
http://celephais.net/board/
#1974 posted by
Spirit on 2015/12/03 21:11:29
Let's Encrypt is public and incredibly easy to get a cert with via
https://gethttpsforfree.com/
Would be great if func got HTTPS.
#1975 posted by
necros on 2015/12/03 21:23:15
what is the point of https unless you are doing things that need to establish encrypted comms?
#1976 posted by
Spirit on 2015/12/03 21:46:54
Why would you want to let state surveillance track all our behaviour and communications online? Why should shady agencies be invited to know what you are reading?
It's none of their business. Everything should be encrypted.
#1977 posted by
- on 2015/12/03 21:48:05
We need a tinfoil hat emote too. Please add one for us NSA.
#1978 posted by
necros on 2015/12/03 21:51:15
i'm surprised it's a free service, since normally the price you're paying for a certificate is the security that the key is stored in.
#1979 posted by
metlslime on 2015/12/03 22:01:57
I'm open to this but sleepwalkr would have to do the actual setup, since i don't have access to install this kind of stuff AFAIK.
P.S. one obvious use for https is that you send your password over the internet when you log in (and after that you send a hashed password with every page request.) Assuming you don't use your func password for any other website it's not a huge risk but still, why not make it more secure?
#1980 posted by
Joel B on 2015/12/03 22:03:25
One reason to care about https is that Google cares when listing search results:
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
Necros
#1981 posted by
Spirit on 2015/12/03 22:08:07
It's a joint effort by Mozilla, the EFF and others to make global HTTPS an easier target to reach. The private key never leaves your own infrastructure in any sane procedure.
Expensive certs might have more validation, LE is "just" domain based. You show that you control "quakewiki.org" and they sign your cert for it. "Blue" certs require more proof of your identity but are not necessary unless you are transferring actually sensitive data like money.
Any CA can be breached or made accomplice in MITM.
Scampie: Did you miss the last 2 years of news?
Necros
#1982 posted by
Spirit on 2015/12/03 22:08:07
It's a joint effort by Mozilla, the EFF and others to make global HTTPS an easier target to reach. The private key never leaves your own infrastructure in any sane procedure.
Expensive certs might have more validation, LE is "just" domain based. You show that you control "quakewiki.org" and they sign your cert for it. "Blue" certs require more proof of your identity but are not necessary unless you are transferring actually sensitive data like money.
Any CA can be breached or made accomplice in MITM.
Scampie: Did you miss the last 2 years of news?
OMG NSA STOP REPLAYING MY PACKETZ!
#1983 posted by
Spirit on 2015/12/03 22:08:32
#1984 posted by
JneeraZ on 2015/12/03 22:20:39
Wouldn't this have to come with a bunch of other changes as well? If you don't have to log in to see the content, what good is encrypting anything?
I admit to ignorance on this, I just don't see how it stops bots from skimming the text...
#1985 posted by
Spirit on 2015/12/03 22:28:38
Nah, that's a different thing. Func is a public forum.
Here the encryption would make sure that your login data is transmitted safely and that no one knows what you _read_.
There is nothing sensitive at func but we should strive to make privacy the norm.
Oh No
#1986 posted by
Kinn on 2015/12/03 23:35:59
the govorment stealing mah quakes
#1987 posted by
necros on 2015/12/03 23:37:32
getting a bit hazy on these details, but aren't public keys built into browsers? if anyone can get certs, these will go into the browsers as well?
Public Keys
#1988 posted by
Preach on 2015/12/04 00:56:55
The public keys are, as the name suggests, public. They don't need to go into the browser because the server will transmit them to anyone who requests them.
If you request the public keys for a server, there are two questions of trust at stake.
1. How do I know that the person who sent me this public key has the private key to go with it? (Threat: an attacker could get the public key and then relay it to you.)
2. How do I know that this public key belongs to the server I want to talk to? (Threat: an attacker could send you details of a different public key which they have the private key for)
The first question is answered by a challenge-response system - you ask your counterpart to encode a random message using the private key, and check that the public key unlocks it.
The second question is answered by having a trusted party sign the key. This works a bit like our challenge-response, but the encrypted message is hard coded, and unlocks using the public key of a trusted party. In this case, the trusted party will be letsencrypt, and it's their public key which gets built into your browser or operating system. The hard-coded message should decrypt to say that "this key is valid for that server", and you don't trust it if it says anything else.
So then, you might reasonably ask, if letsencrypt will give anyone a certificate, what stops an attacker from getting their own key signed to work on somebody else's server? The reason that doesn't work so easily is that letsencrypt will give the certificate to anyone, so long as they can prove they control the server. This usually involves uploading a specific file to a location specified by letsencrypt - you only get a signature once you meet this challenge.
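Added example, not part of the post above or of any project's code: a Python sketch of the two trust checks and the upload challenge described in that post, using textbook RSA over fixed small primes (insecure, for illustration only). The hostnames, the `WEB` dict and every function name are assumptions made for the example.

```python
# Added illustration: textbook RSA over small fixed Mersenne primes. NOT secure.
# Keys, hostnames and the WEB dict are constructed for this example.
import hashlib, secrets

def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    return pow(digest(msg, priv[0]), priv[1], priv[0])
def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])

CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**107 - 1)    # trusted party
SRV_PUB, SRV_PRIV = keypair(2**89 - 1, 2**61 - 1)    # real server
ATK_PUB, ATK_PRIV = keypair(2**61 - 1, 2**31 - 1)    # attacker
WEB = {"func.example": {}}                           # files each host serves

def binding(host, pub):
    return f"key {pub} is valid for {host}".encode()

def ca_issue(host, pub, upload):
    """Sign only after the requester publishes a fresh token on the host itself."""
    token = secrets.token_hex(16)
    upload(token)                                    # requester's attempt to publish
    ok = WEB.get(host, {}).get("challenge") == token
    return sign(CA_PRIV, binding(host, pub)) if ok else None

def client_accepts(host, pub, cert, prove):
    # Question 2: does the trusted party vouch for this key on this host?
    if cert is None or not verify(CA_PUB, binding(host, pub), cert):
        return False
    # Question 1: does the peer hold the matching private key? Fresh nonce each time.
    nonce = secrets.token_bytes(32)
    return verify(pub, nonce, prove(nonce))

def demo():
    owner = lambda t: WEB["func.example"].update(challenge=t)
    outsider = lambda t: WEB.setdefault("evil.example", {}).update(challenge=t)
    cert = ca_issue("func.example", SRV_PUB, owner)
    evil_cert = ca_issue("evil.example", ATK_PUB, outsider)
    return (client_accepts("func.example", SRV_PUB, cert, lambda n: sign(SRV_PRIV, n)),
            client_accepts("func.example", SRV_PUB, cert, lambda n: sign(ATK_PRIV, n)),
            ca_issue("func.example", ATK_PUB, outsider),
            client_accepts("func.example", ATK_PUB, evil_cert, lambda n: sign(ATK_PRIV, n)))

if __name__ == "__main__": print(demo())
```

`demo()` returns, in order: the real server accepted, a relayed public key rejected, the attacker's certificate request for a host they cannot write to refused, and a certificate issued for a different host rejected.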
"You're Privacy Is Literally Raped :^)" -Edward Snowman