It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Time has come ats to impletment HTTPS protocol

page: 1
12

log in

join
share:

posted on Jun, 8 2008 @ 02:44 AM
link   
With all these draconian laws esp the p2p one ats should make privacy of its freedom loving users number one priority.you guys should implement https secure encrypted web traffic.


I hope this gets flagged to death and everone supports it.
dont shy away from this idea as imo if you guys make excuses then it would be fishy




posted on Jun, 8 2008 @ 04:00 AM
link   
WTF ?????????????

first question - who is going to pay for it

HTTPS costs money for EVERY page secured - and you want the ENTIRE site SSL certified - to put it bluntly , you are insane

second - what ` draconian laws ?? the only ones i have seen pertaining to P2P are IMHO perfectly valid - i do not support piracy / copyright infrignent - and i do not see why i should bay hundreds of pounds for software only to see theives downloading it FOC

i still use P2P quite regularly - its a grat way to share huge files with a number of people

and none of us have had any problem - because all the files we share are our own intulectual property

lastly :


dont shy away from this idea as imo if you guys make excuses then it would be fishy


well show us the money then

you want it so badly - you pay for it

its easy to make absurd demands - then scream nonfeasance when your demands are ignored

so it will be fishy if you do not volunteer to finance this supposedly vital upgrade to HTTPS

there the ball is back in your court



posted on Jun, 8 2008 @ 02:23 PM
link   
reply to post by ignorant_ape
 


No. You can create self-signed certificates yourself. This is not difficult.

Also, you don't need one for every page. Are you serious? I believe you only need a certificate per IP.

You can set up a local CA on the server, or you can get free certificates if you don't want the hassle of setting up the CA. Either way, the cost is minimal.

[edit on 6/8/2008 by apolluwn]



posted on Jun, 8 2008 @ 02:35 PM
link   
First I doubt the site is willing to add the overhead required (processing) to accomplish this.

What is the purpose you are seeking?

To protect the information that will be posted on the forum while it is moving over the internet? Anyone can read it once it is posted and if changed the poster can see that also.

If the concern is whether you are actually talking to ATS then the certificate would need to be sourced from an authority.



posted on Jun, 8 2008 @ 02:37 PM
link   
This has been discussed before and I'm all for it if it doesn't cost a ton of money.



posted on Jun, 8 2008 @ 02:44 PM
link   
A few SSL facts:
You purchase a certificate per domain name not per page. ATS would only need one certificate for ATS itself (BTS probably doesn't need SSL.)

A self-signed certificate is useful for encryption of the data stream but provides no way for the user to be sure that they are actually talking to an ATS server.

A signed certificate verifies that you are in fact talking to the server you think you are talking to. Basically it defends against a man-in-the-middle attack where a criminal sits between ATS and you.

Without locking down the server completely and denying non-SSL requests, an SSL enabled server does absolutely nothing to stop outsiders from knowing what, when and for how long you looked at something.

If the police state really wanted to, they will still be able to gather enough information to have probable cause to get a warrant to pull ATS's server logs.

All SSL does is keep secure-data secure. SSL doesn't keep your browsing habits secure. ATS doesn't have any secure data, the whole concept of a public forum complete with google indexing is at odds with what you are proposing.

I am not even going to get into the increased load (load = $) placed on the servers.

Jon

[edit on 6.8.2008 by Voxel]



posted on Jun, 8 2008 @ 03:03 PM
link   
The simple fact is; who cares if someone is intercepting the data that is going to a public forum?

The main point of SSL is to keep private data private. I doubt you will be sending your Credit Card or Social Security numbers to ATS. The fact that someone could hijack your account password is pretty moot. Who really cares, and why would someone even bother?



posted on Jun, 8 2008 @ 03:36 PM
link   

Originally posted by apolluwn
The fact that someone could hijack your account password is pretty moot. Who really cares, and why would someone even bother?


Even passwords can be secured using some simple _javascript (did it once on a website i worked on) without resorting to heavy handed SSL.

It works like this:

On Request
The server sends you a random number along with the login page. Call the number (N). The server must store this number in a temporary file or database table with a date field.

When the user clicks "Login", a simple _javascript script hashes together the password (P) and the random number (N) creating a new number (H).

Then the page sends the server a response containing the user name (L), the number (N), and the hash (H).

The key is we never send the password to the server.

On Verification
The server checks to see if the (N) it got back from the login page is a valid number. (ie. Did I generate and send this (N) within the last hour?) If not login FAILS.

The server fetches the password for the user (L) from the database. If the user does not exist login FAILS.

Then the server hashes the fetched password with (N) resulting in another hash number (H'). Finally, compare the hashes (H) and (H'). If they do not match login FAILS.

Otherwise login succeeds.

Jon

[edit on 6.8.2008 by Voxel]



posted on Jun, 8 2008 @ 03:45 PM
link   
It looks like this has sprung up from that dubious P2P law thread.

I'm not convinced. Until we see it in action nothing should change. People overreact so much on this board.



posted on Jun, 8 2008 @ 05:20 PM
link   
As far as I'm concerned - what's the problem?

It all works fine.

And it's free.



posted on Jun, 8 2008 @ 11:12 PM
link   
I will not speak for others, this is just my opinion, but......

The data you post is on a public forum. What would be the difference if this was implemented? This is not online banking.



posted on Jun, 8 2008 @ 11:55 PM
link   
Its a public forum and its free - your free to post and must know that your posting onto a web site...

I don't get why it needs anything at all - enjoy it and stop being so paranoid.


Edn

posted on Nov, 7 2008 @ 01:59 PM
link   
Its not just about the privacy of what you write its the principle of the matter. Considering the kind of things the UK government want to implement I would have thought that a site like this would have implemented SSL a long time ago just out of the principal of the matter.

What you type may be viewable on this forum but no one knows where it comes from and if your using SSL no one can intercept your data before it arrives here.

Everyone talks about how there rights get stepped on by governments gone power mad but do nothing to fix it its the exact same problem here, you think just because things written here are in 1's and 0's that your rights somehow change? You would be pissed off the postoffice opened your letters and copied them before you got them its no different here.

SSL also doesn't cost anything and companies such as Verisign only abuse the system to grab as much money as they can. ATS could have certificates issued by cacert.org... for free.

You shouldn't just maintain a website, you should also uphold the principles of what your website is about, and I would have thought that keeping the data of its users safe and secure regardless of how useless that data might be would be an important factor for a site like this.



posted on Nov, 7 2008 @ 05:23 PM
link   
Adding SSL to ATS doesn't serve any valid purpose, as the information transmitted to the site doesn't need to be secured. We are not talking credit card numbers and bank account details, but posts to a public message board easily and extensively cached by popular websites such as Google.


Additionally, the following two overheads are further reasons we do not have any intention of pursuing SSL (but we did investigate it!):

1. The requirement/action of encrypting data would slow down the servers' performance due to the nature of ATS - database-driven forums on across multiple servers.

2. Encrypting pages would decrease our SEO (Search Engine Optimisation) strategy. After SkepticOverlord has spent years fine-tuning our pages for SEO, adding SSL just throws that away and makes it harder to index/spider the site.

HOWEVER, when it comes to user privacy, it is a huge concern to us. Scroll down to the bottom of each page and you will see our Legal disclaimer, Creation Commons agreement, link to the DMCA, and TRUSTe certification.

[edit on 7-11-2008 by SimonGray]



posted on Nov, 7 2008 @ 05:35 PM
link   
Also, that is why we have RATS, no one out side the site can view it.

Besides, there is no real reason to secure ATS with encryption, it would only draw attention from unwanteds.



posted on Nov, 8 2008 @ 01:48 PM
link   

Originally posted by ignorant_ape
HTTPS costs money for EVERY page secured - and you want the ENTIRE site SSL certified - to put it bluntly , you are insane

This is not correct. You pay one single certificate for the whole site - a cert. works on domains, not pages.

It's cheap and it's a simple process. I've done this many times my self.

The only change you might want to do is on base level in the code for the forum to check if the connection is secure by SSl, if not redirect the page to a secure connection. That is a two-liner code wise.

For more information and prices, check out these links:
www.comodo.com...
www.thawte.com...

(search Google for more.. there are plenty of suppliers)



posted on Nov, 8 2008 @ 01:53 PM
link   

Originally posted by SimonGray
Adding SSL to ATS doesn't serve any valid purpose, as the information transmitted to the site doesn't need to be secured.

Actually you do, every user that logs on provides a password and auth information sent in clear text. This can easily be sniffed on an unsecure connection and abused is someone wishes to.

Edit: And it reduces anonymous protection as everything YOU write can be linked to an IP-address.

[edit on 8.11.2008 by MaverickTheWise]



posted on Nov, 8 2008 @ 02:00 PM
link   
Just want to mention: there is no point to implementing HTTPS if you are going to post information to the general public.

HTTPS is useful only if there are a small number of highly trusted participants, such as a the credit card holder and a vendor.

HTTPS is useful only in keeping third parties out of a discussion.

Where does ATS fit that model? MAYBE in the login and user authentication, but I think the current system is secure enough for any regular user (who can quickly see that they are being impersonated by someone else.)

Edit: Anything that speeds up ATS is good. Anything that slows it down (like HTTPS) is bad. IMO


[edit on 8-11-2008 by Buck Division]


Edn

posted on Nov, 8 2008 @ 03:36 PM
link   
ATS I would hope already implements SSL on the administration side of the site, i would be very worried if they didn't.

Passwords can be secured before being transmited, but hashed passwords can still be broken. But everything else is sent unencrypted, that means everything you do through an admin interface is sent in plain text so thats emails, changes to the databases etc if someone were to grab data being sent between the site they could potentially link email addresses to account names if the information is sent unencrypted.

And on the user side even signing up to the site on an unencrypted page is dangerous, that is where the user is most vulnerable, all there information is transmited unencrypted from a single page.

If SSL were to be implemented anywhere it should at least be used for user login and user signup where the user is most valnerable, after all how many people use a different password for every login they have.



posted on Dec, 10 2011 @ 10:49 PM
link   

Originally posted by SimonGray
Adding SSL to ATS doesn't serve any valid purpose, as the information transmitted to the site doesn't need to be secured. We are not talking credit card numbers and bank account details, but posts to a public message board easily and extensively cached by popular websites such as Google.


Additionally, the following two overheads are further reasons we do not have any intention of pursuing SSL (but we did investigate it!):

1. The requirement/action of encrypting data would slow down the servers' performance due to the nature of ATS - database-driven forums on across multiple servers.

2. Encrypting pages would decrease our SEO (Search Engine Optimisation) strategy. After SkepticOverlord has spent years fine-tuning our pages for SEO, adding SSL just throws that away and makes it harder to index/spider the site.

HOWEVER, when it comes to user privacy, it is a huge concern to us. Scroll down to the bottom of each page and you will see our Legal disclaimer, Creation Commons agreement, link to the DMCA, and TRUSTe certification.

[edit on 7-11-2008 by SimonGray]



12/10/2011
22:30hrs/ US-CST
Dear Simon;

>The implementation of HTTPS protocol's are very important, even more so now. To suggest post's to this site need not be secured? I am less concerned with what happens en-route access to your site (i.e your servers). Member's and Friend's&Visitors* (Human, though no doubt we would welcome serious discourse from any "other" valid entity, correct me if I'm wrong), then the process en-route. As "https" does provide "some" greater degree of security and this is a common language motif that is available to anyone, it should be available. Major point here is NOT to restrict those who by using an address entered in totality, in the address bar, or by search engine as "abovetopsecret.com" This should be a protocol for your users if they wish.

>Many would, and it would demonstrate, and provide your site access member's&guests the good "pr" that you are concerned about this issue. In effect member privacy&access security. I know it DOES concern you and should.,and to "imprint" this concern&sincerity to your members, guests, groupies, who ever. Also, this along with your current "http" address routing pro forma need not be limited to those who specify that OR "https" in address bar, or if as I do just by contacting this group by "abovetopsecret.com.....; etc". **

The point's you make above are appreciated but frankly not at least as valid in original post of 08, as said issues need not "complicate" any number of two-way communication's on an open posting website; aka, this one.

Personal privacy and the integrity of any post w/appropriate audit trails is of greater concern to me now then just a year or two ago. These are critical to free expression and frankly, learning or at least being "amused" by and from each other. Even the later has a tendency if nothing else but inform.

Kind Regards;

Bob (arbiture)





* Include's what I call : (A: "WanderSeekers"; the curious,bored,and those interested in what is, at least to me defined as the "cool", "neat stuff" (I define w/ key-word-combo this includes any of the "WOW!" factor). (B: "WebSystech"; this is self explanatory and just involves what current&common OS/unclassified web access tools do, or could w/out user modification.
** Please contact me through regular pm, or via "arbiture@comcast.net" directly, and mark/designate (as you would item as "urgent" for example if your options permit) or just put in subject area "Special ATS Admin-Com. SECLAR-N/A;ATS>ADMIN" should this be of interest.



new topics

top topics



 
12

log in

join