This discussion has come up many times before so I am creating a space for those who wish to discuss it. I will tidy the post up but need to put something up to move the comments. But feel free to begin!
One indicator of an SSL site is in the URL bar: instead of “http:” it shows “https” with an image of a lock by it.
This is a quick overview of Secure Socket Layer (SSL)
My recommendation for some time is that IBS utilize SSL on the blog site. LinkedIn, Facebook and many other sites now use SSL for a more secure way to connect to those sites. Of course, what is posted is public, but the point is that using SSL reduces (but, as noted in many articles in thehackernews.com, does not eliminate) the possibility of a man in the middle attack such that some, for example, may impersonate you, acquire your IP details, etc. For IBS, it would be a useful and logical next step to use SSL for our connections to the blog.
JC says: original comment here
December 12, 2014 at 5:28 am
Re: my digression about SSL for IBS/ADCS. I have been in contact with the webmaster of ADCS (who I am not sure if they wish to remain anonymous). Anyway, some very informed information:
There is no ecommerce going on at IBS and people do not log in to the site to comment so encryption is not needed or warranted and would slow it down for no advantage. SSL won’t protect email address information that is used in the forms anyway.
As for ADCS-ADSC I am not concerned about the security since the payments go through PayPal which is secured by SSL. The reason that the fatca legal action website has SSL is that they include ecommerce on their site and must keep the financial data secure.
From what I have read about SSL it won’t keep anyone’s email address information secure on a public blog. SSL keeps your Google emails secure because you log into your mail, but for a blog site which people don’t log into to make comments, it won’t.
NotThatTara says: original comment here
December 12, 2014 at 6:44 am
Dear IBS Team –
Thanks for taking the SSL topic into further consideration!
Please watch this video for professional insights:
https://www.youtube.com/watch?v=cBhZ6S0PFCY&feature=youtu.be
“Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users’ data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.”
And maybe watch this to emphasise the idea even further: https://www.ted.com/talks/edward_snowden_here_s_how_we_take_back_the_internet
tdott says: original comment here
December 12, 2014 at 3:13 pm
@JC
I don’t follow how SSL would not protect email addresses. SSL prevents snooping of in-transit IP packets. That means that with SSL, nobody could intercept the IBS destined IP packets and pick out email addresses. So, AFAICT the only way that an email address could be still obtained by a bad guy is if the email address is shown on a web page, which is supposed to be not happening.
What am I missing?
[In any case, those that are concerned about email address privacy may want to consider getting another email address for exclusive use with IBS. And the truly paranoid would not use their regular email address as the backup/recovery/secondary email address with the new IBS-only email address]
GwEvil says: original comment here
December 12, 2014 at 3:32 pm
The reason for using SSL is to keep sensitive data private during a transfer of information such as credit card numbers or login to a site such as your personal email:
http://support.exware.com/ssl.html
https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html
But for a public site where people post comments and do not have to log in, it will not keep that data private. The email addresses that are used on those sorts of sites are to be kept private by the admins and not shared with anyone unless expressly given permission by the owner of the email. SSL will slow down a site, so having it is of no real advantage if there is no secure data transferring going on. It is also an added expense, so if there’s no advantage then why pay for it?
If you are that worried about your email being found out by third parties, then create different emails that you use for each different purpose. Gmail uses SSL so it should be fairly secure, however they may be forced by court order to hand over some data. In that case it would be wise to have different emails so it’s unlikely that everything about you will be discovered.
What you must do is keep your own data private in various ways yourself:
https://www.abine.com/blog/2013/stop-the-nsa-from-tracking-you/
Personally, for internet privacy, I use “Do not track me” that I have installed on all my browsers (now known as Blur but you will have more luck googling “do not track me”). I use the email proxy function, as well, if I don’t want the other party to know my email address. It is quite handy and they will soon allow Canadian users to create temporary credit cards for one-time-use for online purchases too. You may also use the private window function in Firefox and on Chrome you can use “incognito window” so your browsing history is not saved.
The bottom line is not to rely on the garden variety sites you visit to keep your data private (exception being ecommerce and login sites (your email)). Keeping your data protected is up to you, so make note of sites where they have SSL if you are logging in or paying for something. If they don’t have it then don’t use it or use a temporary one-time-use card.
tdott says: original comment here
December 12, 2014 at 4:17 pm
So email addresses are not considered “sensitive data” – fair enough. However, some percentage of people are likely to be under the notion that the email addresses they use on IBS are in fact secure because they are not visible on IBS web pages. As we seem to agree, that would be an incorrect notion.
GwEvil says: original comment here
December 12, 2014 at 4:28 pm
@tdott – you did not read the posted links. SSL will do little to keep your email address secure on a public site if you are not actually logging in. Email addresses are secured by the admin of IBS and SSL would make little difference to the security of that data. However, if you feel that SSL is a necessity for IBS, then you or someone else or a combination thereof, could volunteer to pay for it on an ongoing basis. Petros is the founder of the site and you can discuss something like that with him. If you or someone else or a combination thereof wants to pay for SSL on the Alliance site, then you can also discuss that with the board of ADCS.
Tricia Moon says: original comment here
December 12, 2014 at 5:00 pm
@All discussing SSL
I would like to create a new post and transfer your comments there. Does anyone have an objection?
tdott says: original comment here
December 12, 2014 at 5:17 pm
@Tricia
AFAIAC you should do that. We’ve hijacked this thread enough.
Tricia Moon says: original comment here
December 12, 2014 at 5:21 pm
@tdott
It’s just that this thread is designed to become something else in the long run and if possible, I would like to keep it on track. Thanks for this!
At the end of the day having a much more secure connection to IBS to prevent interception in transit is better than not having any protection (the current situation). I use https sites all the time and have not noticed any speed delay. Plain old http is just completely insecure. E commerce is not the gating factor here – search sites, LinkedIn and many many others use https to prevent third party interception of the data to and from the site.
I ditto Steve!
and if there is a price to changing – then start a fundraiser!
NotThatTara says: original comment here
December 12, 2014 at 5:43 pm
I have come to the conclusion that my suggesting you support SSL is equivalent to homelands being told to consider eliminating CBT.
Your responses are equivalent to “well then just renounce”.
I suggest IBS Admins seek the professional advice from anybody with an information security background to tell you what the above Google I/O video attempted to explain already in plain English.
That said … let’s see the birthday cake and get back to cheering the admins for everything else!!! 🙂
US_Foreign_Person says: original comment here
December 12, 2014 at 6:03 pm
@NotThatTara
Please don’t take this the wrong way….
This web site is funded by Petros & etc… so whatever money there is… it’s to run this site free of charge… This is grass roots… there are no sugar daddies/mamas to help defray the costs… if u are willing to foot the bill for it… feel free to contact Petros & his admins… cause I am very grateful to them… even if my info is safe or not… got to the point that I don’t give a crap anymore since this is the least of my problems…
Again… please don’t
US_Foreign_Person says: original comment here
@NotThatTara
Sorry…
My dang kid pushed the flipping button before I could finish…
**Again… please don’t take this as a slam… it’s not…**
JC says: original comment here
December 12, 2014 at 7:26 pm
@Tricia If easy, maybe please remove my posts and posts about SSL and put in a separate thread.
I am thinking about our IBS and ADCS users and we have heard some fear to even post here, so then how to alleviate such fear.
The essential foundations of Internet privacy are anonymous browsing and encrypted email.
Using these should become a matter of routine for citizens around the globe to reclaim the Internet from pervasive government surveillance.
Good introduction an an Internet security expert:
https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/
Tor Browser (for browsing privacy)
“The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.”
https://www.torproject.org/projects/torbrowser.html.en
GPG Encryption (for email privacy)
http://www.cnet.com/how-to/want-really-secure-gmail-try-gpg-encryption/
“Encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them. One form is called, curiously, public key encryption, and this is what GPG and Enigmail use. Here’s the quick version of how it works. You get a private key known only to yourself and a public key that’s available for anyone else to use. The person you’re corresponding with also has such a pair of keys. Although the public and private keys are mathematically related, you can’t derive one from the other.”
Roger Conklin and I were very, very old friends. He left us earlier this month and was an optimist until the last day. He believed a small group who had God on their side would eventually prevail. I find myself doubting at times about a subject I have been writing about since 1985 when he first told me about being driven home from his business, in Brazil, by double taxation.
He thought amending the current tax code was the answer, but in the last two years he got on board with Americans for Fair Taxation, who want to scrap the entire Marxist Idea of an Income Tax and pass the FairTax bills, SB122 and HR25, that have been introduced every congress since 1999 and are gaining steam very slowly. Last year we had 74 House Members and 7 Senators as cosponsors.
The new congress will have a new Chairman of the Committee on Ways and Means, where all tax bills come out of, (Paul Ryan) and a new Senator to Chair the Senatorial Committee on Taxation. The house guy is in favor of the FairTax, which will do away with citizenship based taxation and go to a national Sales tax paid on new goods sold within our borders, which by its nature cures the tax problems of Expats and Accidental Americans.
Please all Canadian-Americans log onto the Americans for Fair Taxation and become paid members at $5.00 a year so we can show the congress we have a large paid membership.
The NRA has less than 5 million members and when they sneeze the congress gets pneumonia – we want to show that same clout and get rid of all the Marxist Ideas we have now.
@GwEvil
@tdott
Users of a Website are identified by their respective IP addresses. SSL secures communication of bitstreams through the unavoidable series of unpredictable transfer points they pass through as defined by TCP/IP. So helping Petros with funding an SSL certificate for installation and the small annual fee would make sense.
@Wondering
Thanks for these tips that might help some Brockers. Unfortunately for other users GPG and Tor have learning curves that are probably too steep. Let me add that Canada has two encrypted email systems that are relatively easy to use: Hushmail and http://www.cryptoheaven.com/
I have no financial interest in either of these.
@seniorexpat
If you install TOR as a service and then configure the browser to proxy thru TOR, then, yes, it could be daunting for some. However, the Tor Browser is installed just like any other application and there is no post-install configuration needed. Basically, if you can install an application, you can use the Tor Browser to hide your IP address.
Note that Chrome will from 2015 onward mark all http sites as ‘not secure’ – IBS will be one of those
http://thehackernews.com/2014/12/chrome-plans-to-mark-all-http-traffic_88.html
The article referenced in Steve’s post references the “Let’s Encrypt” project:
Well, that would certainly take care of the cost of getting a certificate. Sounds like certificates would be available Summer 2015.
http://thehackernews.com/2014/11/lets-encrypt-certificate-authority-to.html
https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
https://www.letsencrypt.org/