Security->Technical Details: more info on HTTPS connections

opera1215b1748

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by opera1215b1748 » 2014-02-14, 11:34

Just tried: CipherFox v3.71 does not show the protocol used (no SSL3/TLSv1/TLSv1.1/TLSv1.2 indication).

I am almost ready to pay you for implementing native display of all the relevant HTTPS status information.

Moonchild
Pale Moon guru
Posts: 35625
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Moonchild » 2014-02-14, 14:33

opera1215b1748 wrote: "Just tried: CipherFox v3.71 does not show the protocol used (no SSL3/TLSv1/TLSv1.1/TLSv1.2 indication)."
The dev removed $PROTOCOL because it was apparently incorrect.
opera1215b1748 wrote: "I am almost ready to pay you for implementing native display of all the relevant HTTPS status information."
Sorry, I'm not for hire at this time.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

EnDaFresh

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by EnDaFresh » 2014-03-07, 21:37

Just wanted to add this quick bit here.
Wow...YOUTUBE of all sites, having always-active security settings that put nearly every other website (and especially most banks) to shame!

Just...WOW. It is almost like Google is going out of their way to give the NSA a big middle-finger after the Snowden info came out. It seems we're finally getting at least one major (commonly used) website like YouTube to get a 100% Green Calomel score :)

Now if only banks would do the same. It seems that older versions of IE prior to IE 11 have defaulted to 128-bit RC4 (not surprised) as well as BingBot (lol). Also seems older versions of (official) Firefox and

Moonchild

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Moonchild » 2014-03-07, 22:10

Keep in mind that the NSA, if they want personal data, will just go to companies like Google directly and get it from them. No sniffing needed.

EnDaFresh

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by EnDaFresh » 2014-03-29, 19:02

I get that. That's an issue for Congress to revoke certain abused parts of the Patriot Act so these National Security Letters can stop being so damn abused.
The point is that there's SOMETHING there. They have to send the NSL to get that info.
This is small comfort but is a better arrangement than having everything completely unencrypted so that any derp with a laptop can intercept ALL URLs being accessed in a public WiFi area.

I've discovered a bit of an NSA backdoor that Verizon had put in their FIOS (ActionTec) routers. The port '4567' is wide open to a web service on the internet to allow for remote-control and whatever other interception they like. Too bad for them that I plugged that hole and sent a scathing e-mail to Verizon tech support telling them where to shove it if they don't want a massive consumer dropoff like what happened to Sprint a few years ago.

I'd love if these forums used AES 128-bit encryption (at least) rather than only encrypting the login. Or we should all just use a reliable VPN instead? =D

Moonchild

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Moonchild » 2014-03-29, 21:54

EnDaFresh wrote: "I'd love if these forums used AES 128-bit encryption (at least) rather than only encrypting the login. Or we should all just use a reliable VPN instead? =D"
Why do you think SSL is important for this forum to use? Posts here are public, don't contain sensitive information or touchy topics, and important parts are encrypted like login, account settings, etc.

opera1215b1748

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by opera1215b1748 » 2014-04-08, 18:58

MC, as you are enhancing the crypto-related parts of PM, could you please look into my original request again?
No need to copy the whole overly-long full cipher suite string - just make an intelligent overview of the protocol and key size.

EnDaFresh

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by EnDaFresh » 2014-04-15, 20:04

MC, my primary concern about privacy/encryption is primarily related to the way the stupid US Govt (the NSA in particular) seem to take a hostile antagonistic view towards security and privacy.

Specifically, assuming everyone is a terrorist unless the data proves otherwise. That's basically what they've done with their PRISM and other schemes. I know you're in Sweden and have no clue why silly Americans need to be so paranoid but those of us outside of that area need to be careful against corrupt police-state governments.

The British GCHQ is even worse and those two organizations put together do indeed have the resources and finances to break encryption and put everything at risk.

So why do I care? Because if we don't encrypt everything we are being recorded and archived. That information is then linked to our r/l profile and used (sooner or later) against us in court or to capture us as 'potential terrorists'. I wish I was describing some silly Hollywood film plot but it seems art mimics reality mimics art.

We are in full-style 1984 Orwellian police-state here in America. Any privacy or freedom we have to prevent our communications being intercepted is a small slice of humanity we can have.

All I'm asking is an OPTION for those of us who desire such a thing (and are willing to wait longer for the encrypted pages/threads to load). Perhaps we login and have to specify it as an option (on account settings) to 'always use encryption for forum browsing' or whatever.

Take care :)

Night Wing
Knows the dark side
Posts: 5173
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Night Wing » 2014-04-15, 20:18

Off-topic:
@EnDaFresh

I don't believe the United States is a police state. You're over exaggerating. You want a police state, try North Korea, China, Iran. In those countries, say something about their leaders or their policies in public or in an email and that person gets a knock on their door and then is hustled off someplace for "re-education". In some countries like the above, sometimes one can disappear permanently and is never seen again.
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

Moonchild

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Moonchild » 2014-04-15, 20:33

@Endafresh: I'm well aware of the state of things in the Americas. I have many Stateside friends that I'm in contact with every day.

The point is, though, that the forum is public, i.e.: publicly accessible to anyone. This is on purpose, so any people looking for troubleshooting information can find it in search engines, if nothing else. This is not a private forum. As such, any harvesting/crawling and archiving that may be done will happen whether the connection is SSL-secured or not.
Parts that should be secured, are secured (e.g. account settings, login, the administration control panel, etc.) to prevent important details like your e-mail address or password from being sniffed out.
There is no need to secure public parts of the forum. In fact, it's better not to, especially if e.g. someone tries to find troubleshooting information for non-working SSL connections.

EnDaFresh

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by EnDaFresh » 2014-04-16, 00:21

@NightWing:
You honestly believe the USA allows free discourse anymore?

Try saying something negative about ANY specific Congressional politician or the US President. Post it on your Facebook Wall and say something like you want to throw them out of office. I'll laugh at you when the Secret Service raid your home in the middle of the night. It has happened and you're blind/stupid to think it hasn't happened. I'd link articles here, but for the sake of keeping on topic I'll just say that I absolutely believe we are in a Police State. We no longer have any civil rights that we aren't losing on a daily basis. Blind idiots like you are the reason we've even lost as many rights as we have, so I have no problem with you being one of many victims who are hauled away to Guantanamo sooner or later. Enjoy it there and send me a postcard :P

@MC:
I understand your point. While I still feel that you could disallow crawlers via edits to the robots.txt, that is up to you. It may help to update the user agreement so that people are aware regarding the insecurity of anything they post here. Your forums, your rules, just keep us posted on things ^_^

"javascript:void(location.href='http://'%20+%20location.host%20+%20'/robots.txt')"
User-agent: *
Disallow: /contact/
Disallow: /images/
Disallow: /stats/
Disallow: /screens/
Disallow: /update/
Disallow: /dl-images/
Disallow: /websetup/

Night Wing

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Night Wing » 2014-04-16, 04:41

Off-topic:
@EnDaFresh

File this in the deep dark recesses of your mind where your fear and paranoia lurk....for future reference.

I don't have a Facebook account, I don't have a Twitter account, I don't have a MySpace account, I don't have an Instagram account, I don't have a Pinterest account or any social BS account.

You're nothing but a paranoid schizo conspiracy blow hard who wouldn't know Reality if it jumped up and bit you on your a$$. Guys like you just like to hear yourselves talk loads of hot air.

Radio personalities like Rush Limbaugh, Sean Hannity, Michael Berry say negative things about President O'Bama and also say negative things about US Senators and Congressmen/women every day on their weekly radio shows, 5 days a week. Yet, no government entity has raided their homes or taken them away during the middle of the night. And no government entity has asked these radio stations for their call in logs from people who call in to these shows. I can even call in to one of these shows and say O'Bama is a sorry weak-willed president with a spine made of Jello and no government entity is going to come to my house. And any government entity can read this post and still nothing is going to happen to me. I imagine the government's Carnivore program reads these posts, but it doesn't bother me.

Now for your so called Police State comment.

Do a little research and find out which country in the world has the most armed population and if you do, you'll find it's the United States. I don't know of any "police state" which allows their armed citizenry to own firearms (and in large quantities) like the United States does. I'll even provide you with a little leg work.

http://www.reuters.com/article/2007/08/ ... 3820070828

Since I've dealt with the ATF many times during my lifetime, the ATF already knows me from filling out a US government Form 4473, 22 separate times (and been approved) which means the ATF knows I've owned 22 firearms (long rifles and handguns) during my lifetime. The local, county and state governments where I live also know I know how to use them very well at both long (300 yards with a 30-06, 25-06 and 270 caliber rifles) and short (up close and personal) distances (with a .357 magnum revolver and 12 gauge semi-automatic and pump action shotguns) since I had to do some qualifying time with them. And I've never been employed with law enforcement in any capacity.

And at the present time, there are more firearms in my home than you have fingers on both of your hands. Since 1973, with the knowledge the ATF has on me, the ATF hasn't raided my home, the FBI hasn't raided my home, the NSA hasn't raided my home, the Secret Service hasn't raided my home, the state police hasn't raided my home, the county sheriff hasn't raided my home and the local city police haven't raided my home.

Police state......my a$$.

access2godzilla

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by access2godzilla » 2014-04-16, 05:23

EnDaFresh wrote: "While I still feel that you could disallow crawlers via edits to the robots.txt"
- robots.txt is just a list of paths that should not be traversed by the bot, but it all depends on its compliance.
- Banning crawlers from the forum would be detrimental for the Pale Moon project.
- If NSA does indeed have a crawler, it's not going to cry "NSAbot" in its useragent, so your hopes of "if (preg_match("/NSAbot/", $_SERVER['HTTP_USER_AGENT'])) { header("HTTP/1.1 403 Forbidden"); }" are dashed.
- NSA can simply use techniques like deep packet inspection when they're intercepting such a huge amount of traffic, instead of making a crawler.
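
The point in the post above (robots.txt only binds clients that choose to honour it, and the User-Agent header is whatever the client sends) can be checked from the server side. This is an added example, not code from the thread or the forum: it replays the robots.txt quoted earlier against constructed access-log lines, and the "no referer means direct fetch" rule is an assumed heuristic.

```python
import re
from urllib.robotparser import RobotFileParser

# robots.txt rules exactly as quoted earlier in this thread.
ROBOTS_TXT = """\
User-agent: *
Disallow: /contact/
Disallow: /images/
Disallow: /stats/
Disallow: /screens/
Disallow: /update/
Disallow: /dl-images/
Disallow: /websetup/
"""

# Constructed sample access log (combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Apr/2014:05:20:01 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
192.0.2.10 - - [16/Apr/2014:05:20:02 +0000] "GET /robots.txt HTTP/1.1" 200 160 "-" "ExampleBot/1.0"
198.51.100.7 - - [16/Apr/2014:05:21:10 +0000] "GET /stats/index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0)"
198.51.100.7 - - [16/Apr/2014:05:21:11 +0000] "GET /update/ HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0)"
203.0.113.5 - - [16/Apr/2014:05:22:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Captures: client IP, request path, referer, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$'
)

def robots_violations(log_text, robots_txt=ROBOTS_TXT):
    """Map client IP -> disallowed paths it fetched directly (no referer)."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path, referer, agent = m.groups()
        # Assumed heuristic: a referer means a browser loading a page
        # sub-resource, so only referer-less requests are considered.
        # The user agent is client-supplied; it only selects which
        # robots.txt group applies and is never treated as identity.
        if referer in ("", "-") and not rules.can_fetch(agent, path):
            hits.setdefault(ip, []).append(path)
    return hits
```

On the sample log the only client flagged is the one presenting a browser user agent, which is why a filter keyed on a self-declared bot name would not have matched it.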

Moonchild

Re: Security->Technical Details: more info on HTTPS connecti

Unread post by Moonchild » 2014-04-16, 07:10

I don't want to disallow crawlers. One of the points of running this forum is that posts are public and are indexed in search engines (as already explained).
That is why known bots have a specific access class to allow efficient crawling (which automatically disallows private and irrelevant information). Notice the "Bot"-classified users at the bottom, in the list of "users browsing this forum"?

If you want to discuss forum-encryption in detail and/or the other offtopic side discussion going on (Endafresh/NightWing), please be so kind as to make new topics (one for each in the appropriate board); this has completely derailed from the original topic of this thread.

Locked