Is the deprecation of insecure HTTP an attack on alternative media?

[ThePythonicCow]

It seems that both Google and Mozilla are increasingly favoring secure HTTP (HTTPS) over HTTP. See for example:

• Google favors encryption: HTTPS sites to get search ranking boost
• Mozilla Moves Forward With Deprecating Non-Secure HTTP

This puts smaller alternative media websites, such as ProjectAvalon.net, at a disadvantage, since we cannot easily adapt secure HTTPS technology. The vBulletin software we use does not handle HTTPS, and cannot be converted for any reasonable effort (believe me, Ilie has tried.)

Eventually, if this keeps up, only sites running HTTPS (encrypted HTTP) will be widely visible, as more and more end-users come to distrust "old fashioned, unencrypted, insecure, and risky" HTTP.

What's more, only those HTTPS sites that can get trusted certificates from the certificate issuing authorities will be allowed through without, at a minimum, warnings in the browser to the user of an insecure site, or, later on, allowed through at all on many end-user systems and configurations.

Question: could this be (no doubt one of many) ways of attacking smaller alternative media websites?

[Hervé]

... ... ...



... going out the way of the dinosaurs...

[grannyfranny100]

Nasty tricks of a panicking NWO class. Thanks for the info!

[ThePythonicCow]

In other words, an important aspect of "control" is that only authorized parties can "broadcast". By such means as increasing control over the indexing (aka search engines) of the Web and over the licensing (aka SSL security certificates) of the Web, unauthorized broadcasters can (and I presume will) be increasingly marginalized.

I anticipate that an SSL certificate from a recognized authority will eventually become a sine qua non of hosting web sites, just as FCC broadcast licenses are now for TV and radio stations.

[EWO]

HTTPS is becoming more of a standard because it implements security encryption. Anyone can buy a certificate. There are many types, you can get a $15 SSL cert in 20min and off you go, or you can validate your company for $200 and get a enhanced ssl.

I found this page on vBulletin and https, looks like it is possible to turn on HTTPS.
http://www.vbulletin.com/forum/forum...https-question

you can also get a loadbalancing device or software in front of your website which will do HTTPS offloading and the traffic between that device and the site will remain HTTP. The main thing is that outside facing side is HTTPS encrypted.

I dont see this as a type of control its just a security measure to prevent hackers. In this day and age online crime is increasing. There will be less purse snatching and more online identity theft.

The control part is TPTB getting rid of cash and making everything payable by RFID chip.
In the end it doesnt matter what the method is used, smart criminals will always find a way to exploit it, and the security will always be enhanced to try to stop them.

[lucidity]

Hello Siblings,

The irony of all this... is that SSL is known to be broken.
For those of you who are new to this news.... i'm not kidding.

See here for a presentation on this from the Black Hat 2013 conference.
(specifically from 32 minutes in -- they're calling it the 'cryptoapocalypse' )
http://bit.ly/1bTXTZ9

It's know, for example, that the NSA can already break into HTTPS ..
.. this is one of the gems that came out of the Snowden revelations.

The upshot is that the world will need to move to Ecliptic Curve Cryptography (ECC).
However this stuff is encumbered with patents, currently owned by Blackberry.
This is why they're calling it the 'cryptoapocalypse' ... It wont be long before criminals
(and criminal states) start exploiting these vulnerabilities to attack global e-commerce.
And that... my dear siblings... includes your Amazon and ebay purchases and your online
banking transactions, credit/debit card payments... the whole 9 yards.


It doesn't matter that SSL is using 256 bit encryption:
(a) NSA can already break everything up to 1024 bit RSA
(b) the encryption details are irrelevant anyway... because SSL is vulnerable to a clever
man-in-the-middle attack, ... again... i'm not kidding. See these videos to learn how:

https://www.youtube.com/watch?v=gNhyjPxuy5w
https://www.youtube.com/watch?v=qzNv6e1z1_E

Soon... the only safe money will be bitcoin and litecoin..
(on that basis, i predict that the crypto-currencies will take off again)

be happy

lucidity :-)

[Tesla_WTC_Solution]

Posted by Paul (here)
It seems that both Google and Mozilla are increasingly favoring secure HTTP (HTTPS) over HTTP. See for example:

• Google favors encryption: HTTPS sites to get search ranking boost
• Mozilla Moves Forward With Deprecating Non-Secure HTTP

This puts smaller alternative media websites, such as ProjectAvalon.net, at a disadvantage, since we cannot easily adapt secure HTTPS technology. The vBulletin software we use does not handle HTTPS, and cannot be converted for any reasonable effort (believe me, Ilie has tried.)

Eventually, if this keeps up, only sites running HTTPS (encrypted HTTP) will be widely visible, as more and more end-users come to distrust "old fashioned, unencrypted, insecure, and risky" HTTP.

What's more, only those HTTPS sites that can get trusted certificates from the certificate issuing authorities will be allowed through without, at a minimum, warnings in the browser to the user of an insecure site, or, later on, allowed through at all on many end-user systems and configurations.

Question: could this be (no doubt one of many) ways of attacking smaller alternative media websites?

It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection

thanks for bringing this to public attention.
it really sux to be alt!!!

Thanks for all you do to keep it going.

p.s. it's true, sometimes we get connection errors where only https works and then eventually those get blocked too, lol

[ThePythonicCow]

Posted by EWO (here)
HTTPS is becoming more of a standard because it implements security encryption. Anyone can buy a certificate.

Yes, almost anyone (for now) can buy a certificate.

The limitations on alternative media sites are such things as (1) some of us running sites that don't easily convert from HTTP to HTTPS, and (2) more control over who can get certificates, in the future, after appropriate false flag events have sold the public on the need to keep dangerous hackers off the web.

[ThePythonicCow]

Posted by Tesla_WTC_Solution (here)
It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection

I am sceptical of that explanation .

I am not in a position to debug web connection issues for others, but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.

[ThePythonicCow]

Posted by lucidity (here)
Hello Siblings,

The irony of all this... is that SSL is known to be broken.
For those of you who are new to this news.... i'm not kidding.

SSL is not reliable protection against the NSA - yes.

It is usually protection against ordinary snoops and hackers (not always, there are security flaws that show up and eventually get fixed, but usually.)

However SSL is not at all broken from the "purpose" that I am speculating on in this thread -- a means of imposing "licenses" on websites. If most users, using their typical smartphone or tablet or PC configuration, cannot see "insecure" HTTP sites, or can only see them if they click through some warning, then that will reduce the audience for "unlicensed" websites, such as those that, in some future time, after some more control is imposed onthe web, cannot get an SSL certificate.

[Xanth]

If privacy were valued everywhere on the web, SSL would be used everywhere. Granted SSL has flaws, but if you want to keep things private across the web, SSL is a good start.
Suggesting that its an attempt to undermine people who use outdated technology I would consider an invalid argument. With all the NSA/government spying - using SSL is one measure you can use to slow them down. Obviously if you're individually targetted there's not much you can do, however if everyone used SSL for all web interactions, it would make the security services jobs much more difficult. It would also prevent opportunists like your ISP from examining and storing the data you send and receive across the web.

If the main proponents of privacy and freedom on the internet are suggesting you use SSL - after all, what right does anyone have to monitor the data travelling between your browser and a web site, then its a broken argument to suggest that is being done to attack the alternative media. With SSL it makes it less likely that a heavy handed state can monitor an individual's alternative media discussion, and therefore less likely that an individual's alternative media expression will be surpressed.

One simple reason why a lot of sites use SSL, is that HTTP makes it trivial for a 10 year old to gather all the passwords for all the users on sites like this.

[Xanth]

If you did want to run avalon over HTTPS without touching vbulletin, one way would be to host HTTPS://projectavlon.net on a separate box and pass through requests to http://projectavalon.net using HTTP.
If http://projectavalon.net was only accessible from https:/projectavalon.net, all users would come in via HTTPS.
The only unencrypted communication would be between your two boxes, and how much of an issue that was would likely depend on geographic separation.

If you google "https to http reverse proxy" that supplies more info. Depending on how sophisticated your reverse proxy is, it will deal with ensuring that all page urls get mapped correctly between http and https.

[ThePythonicCow]

Posted by Xanth (here)
If privacy were valued everywhere on the web, SSL would be used everywhere. Granted SSL has flaws, but if you want to keep things private across the web, SSL is a good start.

Yes - SSL is a good start for just such privacy.

I am anticipating that in the hands of the bastards in power, it can also be used as part of the means to limit the reach of alternative websites such as ours.

Most technologies can be used and abused in various ways, depending on who's using them, and why.

[Tesla_WTC_Solution]

Posted by Paul (here)

Posted by Tesla_WTC_Solution (here)
It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection

I am sceptical of that explanation .

I am not in a position to debug web connection issues for others, but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.

*Skeptical

Well, I understand the aversion to offering free tech support.
Offering information on our limited connection was meant to be helpful to PA.

I sense from the tone that my help may not be particularly welcome.
A simple Thanks communicates a lot.

I read a few sites that said the issues can be client side due to routers that don't support recent Windows changes.

Also Windows came up again,

IIS 6.0 Documentation > IIS 6.0 Operations Guide > Performance Tuning
Limiting Connections (IIS 6.0)

Connection limits restrict the number of simultaneous client connections to your Web sites and your Web server. Limiting connections conserves memory and protects against malicious attacks designed to overload your Web server with thousands of client requests.

So I am guessing, there's some way I've misread this or misinterpreted its meaning?

The quoted text says Windows itself limits incoming connections.

https://www.microsoft.com/technet/pr....mspx?mfr=true

[ThePythonicCow]

Posted by Tesla_WTC_Solution (here)

Posted by Paul (here)
... but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.

...

So I am guessing, there's some way I've misread this or misinterpreted its meaning?

The quoted text says Windows itself limits incoming connections.

https://www.microsoft.com/technet/pr....mspx?mfr=true

WindowsServer IIS is a web server, not your Windows client, much less your ISP or router.

I doubt that there are serious connection limits specific to HTTPS imposed by your ISP or router.

It does not surprise me at all that a web server has configurable connection limits on the total number of WWW or FTP connections ... totally different .

[amor]

I don't know whether this is happening only to my computer, but I have been busy and checking into Avalon almost exclusively. My computer viewing is being bombarded by advertisings, blocking out the screen or refusing to be removed until I shut down what I have been viewing. If other Avalonians are experiencing this, it could be a virus planted to get rid of the site. This is a possible heads up to to those running the site. I hope that it is only my computer. One screen says I have a virus and must call a certain telephone number. I have not done so because I suspect that they are the ones who have planted the virus. I have McAfee active and so I do not understand how this virus got through to me.

[ThePythonicCow]

Posted by amor (here)
I don't know whether this is happening only to my computer, but I have been busy and checking into Avalon almost exclusively. My computer viewing is being bombarded by advertisings, blocking out the screen or refusing to be removed until I shut down what I have been viewing. If other Avalonians are experiencing this, it could be a virus planted to get rid of the site. This is a possible heads up to to those running the site. I hope that it is only my computer. One screen says I have a virus and must call a certain telephone number. I have not done so because I suspect that they are the ones who have planted the virus. I have McAfee active and so I do not understand how this virus got through to me.

It is almost certainly your computer . No one else is reporting this, and from what you describe, it's typical of the sorts of problems people see on Windows PC's (which I am guessing is what you're running.)

Perhaps someone else reading this has some suggestions on how to clean such problems up; I don't work on Windows enough to know such things.

[Hervé]

Posted by amor (here)
[...]
.... I have McAfee active and so I do not understand how this virus got through to me.

Get rid of McAfee!

Use Comodo "Free Internet Security."

[Hervé]

That thing seems already well on its way:

Posted by Daughter of Time (here)
Whenever I have tried to log in to PA while using google chrome, unlike Firefox or Internet Explorer, it has not let me in.

GoogleChrome blocks Project Avalon with the caption "unsafe site" and it will simply not navigate to the log in page.

[looking-glass]

Hi,

in one of my 'roles' I have had an email that google's turn to https will affect our various security filtering so we will need to be 'certified' in order to stay 'safe' and use our 'filters'.

regards