55
linuxxx
7y

Following a conversation with a fellow devRanter this came to my mind again; it happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (don't remember the URL/site, too bad). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT run SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.

Too bad I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but let's assume that for now)
Luckily Fox-IT (a formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.

Anyways, always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it, but at the very LEAST really do it when you process the above-mentioned!
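The injection attack described above works by racing the real server: the client receives both the genuine segment and the injected one, so the two arrive with the same TCP sequence number but different payloads. The Python below is an added example (not Fox-IT's Snort module and not code from the original post) that applies that duplicate-sequence heuristic, which this example assumes is the basis of the detection, to a constructed list of TCP segments; the record layout and the flow-key fields are assumptions.

```python
# Constructed sample segments: (src, sport, dst, dport, seq, payload).
# The server's genuine answer and a racing injected answer share
# seq=1000 but differ in content; the retransmission at seq=2000 is a
# byte-identical duplicate and must not be flagged.
SEGMENTS = [
    ("203.0.113.10", 80, "192.0.2.5", 51234, 1000,
     b"HTTP/1.1 200 OK\r\n\r\n<script src=/crypto.js>"),
    ("203.0.113.10", 80, "192.0.2.5", 51234, 1000,
     b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n"),
    ("203.0.113.10", 80, "192.0.2.5", 51234, 2000, b"<html>ok</html>"),
    ("203.0.113.10", 80, "192.0.2.5", 51234, 2000, b"<html>ok</html>"),
]


def find_injections(segments):
    """Return (flow, seq) pairs where two segments on the same flow carry
    the same sequence number but different payloads, the signature of an
    injection race. A benign retransmission repeats the same bytes and is
    ignored; only segments with an identical seq are compared (assumption)."""
    seen = {}   # (flow, seq) -> first payload observed for that position
    hits = []
    for src, sport, dst, dport, seq, payload in segments:
        key = ((src, sport, dst, dport), seq)
        if key not in seen:
            seen[key] = payload
        elif seen[key] != payload and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for flow, seq in find_injections(SEGMENTS):
        print("possible injection on flow %s at seq %d" % (flow, seq))
```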

Comments
  • 10
    This is still a way too big problem. When setting https everywhere to block non https sites the web becomes nearly unusable.
  • 6
    @xenira That depends on which sites you visit. Nearly all sites I visit every day use a secure connection so for me it's hardly a problem :).
  • 2
    @linuxxx Yeah, but I am still surprised that I have to add exceptions for some of the big sites. True, a lot of sites have https but it's not nearly enough. Especially when you consider how easy it has become to add encryption.
  • 0
    @xenira Yup that! I run quite some domains/subdomains myself and the first thing I ALWAYS do is enabling/forcing HTTPS! That takes me about... idk like 20 seconds per site or something!?
  • 1
    If you need a good secure crypto note taking app I recommend Framanotes (based on the open source Turtl app) 🙂
  • 0
    But who says https is secure... the NSA could still have a master key no one know about?
  • 0
    @AlexDeLarge Found the link (I think?) but it's in French and I am very bad at french :/ (https://framanotes.org/)
  • 0
    @billgates If you don't trust it, go ahead and analyze the open source SSL/TLS libraries :)
  • 0
    @linuxxx well not everyone can find out... You gotta dig hard or just know it... Like Snowden...
  • 3
    @billgates need I remind you that SSL overall is considered vulnerable and you have to use TLS? :)
    'Cause an experienced web developer I personally know didn't know that fact.

    @@@@@@@@@@@@@@@
    For those who still don't know:
    SSL was cracked a long time ago.
    It's all about TLS now.
    Yet we use the name SSL since it's what we are used to.
  • 0
    @Noob Yeah I'm aware of that, should really start naming it TLS myself....
  • 0
    @AlexDeLarge You mean the naming it TLS part? :)
  • 1
    And of course keep your webserver and DB secure too. Don't rely purely on SSL for security. People sometimes forget that it's a TRANSFER protocol, i.e. it only protects your data in transit, so it only really protects you from someone sitting sniffing for packets. If they hack your webserver or your DB you are still hosed. So keep everything secure and don't assume that because you use https you are secure :)
  • 2
    @linuxxx @AlexDeLarge I had no doubt :)
  • 1
    @Noob ¯\_(ツ)_/¯

    that's why I don't do web development... and have come to the conclusion one day, we are all going to be screwed anyway...
  • 0
    @billgates But if you don't even try to keep your users secure, that's one bad attitude! (not saying you are not trying but that's how I understood your comment)
  • 0
    @linuxxx that's why I don't do web dev... It's someone else's problem...
  • 0
    @billgates Ah right like that. Do you develop software which connects to backends though? Because in that case, it's still your 'problem' :)
  • 0
    @linuxxx yes but I'm not sending sensitive info so...

    Though I guess ya I use a VPN but who knows how private it is...🤔🤔🤔🤔🤔

    Ok... Lalalala.... Let's pretend there's no problems...😗😗😗😗
  • 0
    @billgates I'd secure it even with sensitive data 😉
  • 0
    @linuxxx actually in the large sense of things we just need to ensure we're the last ones to get hacked. Let all the regular people get compromised... The vulnerability will be patched before it's our turn to get hit...

    Then again... There's Equifax and the NSA..
  • 0
    @billgates Yup. The NSA proactively tries to break any and all HTTPS connections made anytime.
  • 1
    @AlexDeLarge @linuxxx
    In fact it uses https://turtlapp.com, where you can download the clients, but on Framanotes you have web access, which can be useful if you need to access your notes everywhere. It's the same thing, you just have the browser client with Framanotes.
    And about Framanotes, it's part of Framasoft, whose purpose is to get rid of Google by making open source tools for almost everything 😊

    Hope I helped!
  • 0
    I don't think I understand the problem. Assuming I use the right software, properly generated key, etc. What can the NSA do now that SSL/TLS would stop them from doing?
    (non example: DOS)
  • 0
    @elazar the problem is that the software that does the encryption is loaded over an insecure connection, allowing an attacker to manipulate it rendering the encryption useless
  • 0
    @xenira https is not the solution for this problem. Signature is.
  • 1
    With free ssl providers like letsencrypt it's an insult not to ssl enable your site :)

    Also, yes. I did that for my xmlrant.com recently :)
  • 0
    @xenira https < signing the actual code, since the code can be compromised in the servers too.

    In general, the trust put on the real server to deliver you uncompromised software forever is problematic. This is _not_ end to end encryption, which conceptually means that you only need to trust the software at installation time, and not at each and every connection.
  • 0
    @elazar that might be true but tls is a necessary first step.