Is the deprecation of insecure HTTP an attack on alternative media?



ThePythonicCow
1st May 2015, 18:17
It seems that both Google and Mozilla are increasingly favoring secure HTTP (HTTPS) over HTTP. See for example:

Google favors encryption: HTTPS sites to get search ranking boost (http://www.techtimes.com/articles/12631/20140811/google-favors-encryption-https-sites-to-get-search-ranking-boost.htm)
Mozilla Moves Forward With Deprecating Non-Secure HTTP (http://www.phoronix.com/scan.php?page=news_item&px=Mozilla-Deprecate-Non-HTTPS)

This puts smaller alternative media websites, such as ProjectAvalon.net, at a disadvantage, since we cannot easily adapt secure HTTPS technology. The vBulletin software we use does not handle HTTPS, and cannot be converted for any reasonable effort (believe me, Ilie has tried.)

Eventually, if this keeps up, only sites running HTTPS (encrypted HTTP) will be widely visible, as more and more end-users come to distrust "old fashioned, unencrypted, insecure, and risky" HTTP.

What's more, only those HTTPS sites that can get trusted certificates from the certificate issuing authorities will be allowed through without, at a minimum, warnings in the browser to the user of an insecure site, or, later on, allowed through at all on many end-user systems and configurations.

Question: could this be (no doubt one of many) ways of attacking smaller alternative media websites?

Hervé
1st May 2015, 18:26
... ... ...

http://www.sott.net/image/image/10627/medium/missing.gif

... going out the way of the dinosaurs...

grannyfranny100
1st May 2015, 18:42
Nasty tricks of a panicking NWO class. Thanks for the info!

ThePythonicCow
1st May 2015, 19:04
In other words, an important aspect of "control" is that only authorized parties can "broadcast". By such means as increasing control over the indexing (aka search engines) of the Web and over the licensing (aka SSL security certificates) of the Web, unauthorized broadcasters can (and I presume will) be increasingly marginalized.

I anticipate that an SSL certificate from a recognized authority will eventually become a sine qua non of hosting web sites, just as FCC broadcast licenses are now for TV and radio stations.

EWO
1st May 2015, 19:32
HTTPS is becoming more of a standard because it implements security encryption. Anyone can buy a certificate. There are many types: you can get a $15 SSL cert in 20 min and off you go, or you can validate your company for $200 and get an enhanced SSL.

I found this page on vBulletin and https, looks like it is possible to turn on HTTPS.
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/400131-http-to-https-question

You can also get a load-balancing device or software in front of your website which will do HTTPS offloading, and the traffic between that device and the site will remain HTTP. The main thing is that the outside-facing side is HTTPS encrypted.

I don't see this as a type of control; it's just a security measure to prevent hackers. In this day and age online crime is increasing. There will be less purse snatching and more online identity theft.

The control part is TPTB getting rid of cash and making everything payable by RFID chip.
In the end it doesn't matter what method is used, smart criminals will always find a way to exploit it, and the security will always be enhanced to try to stop them.

lucidity
1st May 2015, 20:00
Hello Siblings,

The irony of all this... is that SSL is known to be broken.
For those of you who are new to this news.... i'm not kidding.

See here for a presentation on this from the Black Hat 2013 conference.
(specifically from 32 minutes in -- they're calling it the 'cryptoapocalypse' )
http://bit.ly/1bTXTZ9

It's known, for example, that the NSA can already break into HTTPS... this is one of the gems that came out of the Snowden revelations.

The upshot is that the world will need to move to Elliptic Curve Cryptography (ECC). However this stuff is encumbered with patents, currently owned by Blackberry. This is why they're calling it the 'cryptoapocalypse'... It won't be long before criminals (and criminal states) start exploiting these vulnerabilities to attack global e-commerce. And that... my dear siblings... includes your Amazon and eBay purchases and your online banking transactions, credit/debit card payments... the whole 9 yards.


It doesn't matter that SSL is using 256 bit encryption:
(a) NSA can already break everything up to 1024 bit RSA
(b) the encryption details are irrelevant anyway... because SSL is vulnerable to a clever man-in-the-middle attack, ... again... I'm not kidding. See these videos to learn how:

https://www.youtube.com/watch?v=gNhyjPxuy5w
https://www.youtube.com/watch?v=qzNv6e1z1_E

Soon... the only safe money will be bitcoin and litecoin..
(on that basis, i predict that the crypto-currencies will take off again)

be happy

lucidity :-)

Tesla_WTC_Solution
1st May 2015, 20:03
It seems that both Google and Mozilla are increasingly favoring secure HTTP (HTTPS) over HTTP. See for example:

Google favors encryption: HTTPS sites to get search ranking boost (http://www.techtimes.com/articles/12631/20140811/google-favors-encryption-https-sites-to-get-search-ranking-boost.htm)
Mozilla Moves Forward With Deprecating Non-Secure HTTP (http://www.phoronix.com/scan.php?page=news_item&px=Mozilla-Deprecate-Non-HTTPS)

This puts smaller alternative media websites, such as ProjectAvalon.net, at a disadvantage, since we cannot easily adapt secure HTTPS technology. The vBulletin software we use does not handle HTTPS, and cannot be converted for any reasonable effort (believe me, Ilie has tried.)

Eventually, if this keeps up, only sites running HTTPS (encrypted HTTP) will be widely visible, as more and more end-users come to distrust "old fashioned, unencrypted, insecure, and risky" HTTP.

What's more, only those HTTPS sites that can get trusted certificates from the certificate issuing authorities will be allowed through without, at a minimum, warnings in the browser to the user of an insecure site, or, later on, allowed through at all on many end-user systems and configurations.

Question: could this be (no doubt one of many) ways of attacking smaller alternative media websites?

It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection

thanks for bringing this to public attention.
it really sux to be alt!!!

Thanks for all you do to keep it going.

p.s. it's true, sometimes we get connection errors where only https works and then eventually those get blocked too, lol

ThePythonicCow
1st May 2015, 20:32
HTTPS is becoming more of a standard because it implements security encryption. Anyone can buy a certificate.
Yes, almost anyone (for now) can buy a certificate.

The limitations on alternative media sites are such things as (1) some of us running sites that don't easily convert from HTTP to HTTPS, and (2) more control over who can get certificates, in the future, after appropriate false flag events have sold the public on the need to keep dangerous hackers off the web.

ThePythonicCow
1st May 2015, 20:37
It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection
I am sceptical of that explanation :).

I am not in a position to debug web connection issues for others, but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.

ThePythonicCow
1st May 2015, 20:42
Hello Siblings,

The irony of all this... is that SSL is known to be broken.
For those of you who are new to this news.... i'm not kidding.

SSL is not reliable protection against the NSA - yes.

It is usually protection against ordinary snoops and hackers (not always, there are security flaws that show up and eventually get fixed, but usually.)

However SSL is not at all broken from the "purpose" that I am speculating on in this thread -- a means of imposing "licenses" on websites. If most users, using their typical smartphone or tablet or PC configuration, cannot see "insecure" HTTP sites, or can only see them if they click through some warning, then that will reduce the audience for "unlicensed" websites, such as those that, in some future time, after some more control is imposed on the web, cannot get an SSL certificate.

Xanth
1st May 2015, 20:59
If privacy were valued everywhere on the web, SSL would be used everywhere. Granted SSL has flaws, but if you want to keep things private across the web, SSL is a good start.
Suggesting that it's an attempt to undermine people who use outdated technology I would consider an invalid argument. With all the NSA/government spying, using SSL is one measure you can use to slow them down. Obviously if you're individually targeted there's not much you can do; however if everyone used SSL for all web interactions, it would make the security services' jobs much more difficult. It would also prevent opportunists like your ISP from examining and storing the data you send and receive across the web.

If the main proponents of privacy and freedom on the internet are suggesting you use SSL (after all, what right does anyone have to monitor the data travelling between your browser and a web site?), then it's a broken argument to suggest that it is being done to attack the alternative media. With SSL it is less likely that a heavy-handed state can monitor an individual's alternative media discussion, and therefore less likely that an individual's alternative media expression will be suppressed.

One simple reason why a lot of sites use SSL, is that HTTP makes it trivial for a 10 year old to gather all the passwords for all the users on sites like this.

Xanth
1st May 2015, 21:13
If you did want to run Avalon over HTTPS without touching vBulletin, one way would be to host https://projectavalon.net on a separate box and pass through requests to http://projectavalon.net using HTTP.
If http://projectavalon.net was only accessible from https://projectavalon.net, all users would come in via HTTPS.
The only unencrypted communication would be between your two boxes, and how much of an issue that was would likely depend on geographic separation.

If you google "https to http reverse proxy" that supplies more info. Depending on how sophisticated your reverse proxy is, it will deal with ensuring that all page urls get mapped correctly between http and https.
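A concrete form of the setup Xanth describes, added here as an example and not code from the thread or from the vBulletin project: an nginx front end that terminates TLS for projectavalon.net and proxies to the unchanged HTTP vBulletin host. The certificate paths and the backend address 10.0.0.2 are placeholders; sub_filter needs nginx's ngx_http_sub_module, and proxy_cookie_flags needs nginx 1.19.3 or later.

```nginx
# HTTPS front end for a vBulletin site that only speaks HTTP.
# Added example; the cert paths and 10.0.0.2 are placeholders.

# Plain-HTTP listener: only redirects, never serves forum content,
# so every visitor ends up on the encrypted side.
server {
    listen 80;
    server_name projectavalon.net www.projectavalon.net;
    return 301 https://projectavalon.net$request_uri;
}

server {
    listen 443 ssl;
    server_name projectavalon.net;

    ssl_certificate     /etc/ssl/projectavalon/fullchain.pem;
    ssl_certificate_key /etc/ssl/projectavalon/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to stay on HTTPS on later visits. Enable this only
    # once the certificate is known to work, since it is sticky.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The hop from here to vBulletin is still plain HTTP.
        proxy_pass http://10.0.0.2:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # vBulletin emits absolute http:// links; rewrite them in
        # redirects and in HTML so users are not bounced back to port 80.
        proxy_redirect http://projectavalon.net/ https://projectavalon.net/;
        sub_filter 'http://projectavalon.net' 'https://projectavalon.net';
        sub_filter_once off;
        # sub_filter can only edit an uncompressed upstream body.
        proxy_set_header Accept-Encoding "";

        # Mark session cookies Secure so the browser never sends them
        # over plain HTTP (nginx 1.19.3+).
        proxy_cookie_flags ~ secure;
    }
}
```

As Xanth notes, the hop from this box to the vBulletin host stays unencrypted, so keep it on a private network or on the same machine.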

ThePythonicCow
1st May 2015, 21:30
If privacy were valued everywhere on the web, SSL would be used everywhere. Granted SSL has flaws, but if you want to keep things private across the web, SSL is a good start.
Yes - SSL is a good start for just such privacy.

I am anticipating that in the hands of the bastards in power, it can also be used as part of the means to limit the reach of alternative websites such as ours.

Most technologies can be used and abused in various ways, depending on who's using them, and why.

Tesla_WTC_Solution
1st May 2015, 23:22
It will steer people away from sites if their ISP/router limits the # of secure connections incoming

We've been noticing this a lot at home in WA Paul, lots of "connection refused" and lost connection messages,
spouse says he thinks it's to do w/ HTTPS limitations per connection
I am sceptical of that explanation :).

I am not in a position to debug web connection issues for others, but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.


*Skeptical

Well, I understand the aversion to offering free tech support.
Offering information on our limited connection was meant to be helpful to PA.

I sense from the tone that my help may not be particularly welcome.
A simple Thanks communicates a lot.

I read a few sites that said the issues can be client side due to routers that don't support recent Windows changes.

Also Windows came up again,


IIS 6.0 Documentation > IIS 6.0 Operations Guide > Performance Tuning
Limiting Connections (IIS 6.0)

Connection limits restrict the number of simultaneous client connections to your Web sites and your Web server. Limiting connections conserves memory and protects against malicious attacks designed to overload your Web server with thousands of client requests.


So I am guessing, there's some way I've misread this or misinterpreted its meaning?

The quoted text says Windows itself limits incoming connections.

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b2b550de-f655-4fb6-9bed-dfc9583b6700.mspx?mfr=true

ThePythonicCow
2nd May 2015, 00:07
... but I doubt that there are serious "HTTPS limitations per connection" imposed by an ISP or router.

...
So I am guessing, there's some way I've misread this or misinterpreted its meaning?

The quoted text says Windows itself limits incoming connections.

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b2b550de-f655-4fb6-9bed-dfc9583b6700.mspx?mfr=true

WindowsServer IIS is a web server, not your Windows client, much less your ISP or router.

I doubt that there are serious connection limits specific to HTTPS imposed by your ISP or router.

It does not surprise me at all that a web server has configurable connection limits on the total number of WWW or FTP connections ... totally different :).

amor
2nd May 2015, 00:48
I don't know whether this is happening only to my computer, but I have been busy and checking into Avalon almost exclusively. My computer viewing is being bombarded by advertisements, blocking out the screen or refusing to be removed until I shut down what I have been viewing. If other Avalonians are experiencing this, it could be a virus planted to get rid of the site. This is a possible heads up to those running the site. I hope that it is only my computer. One screen says I have a virus and must call a certain telephone number. I have not done so because I suspect that they are the ones who have planted the virus. I have McAfee active and so I do not understand how this virus got through to me.

ThePythonicCow
2nd May 2015, 00:52
I don't know whether this is happening only to my computer, but I have been busy and checking into Avalon almost exclusively. My computer viewing is being bombarded by advertisements, blocking out the screen or refusing to be removed until I shut down what I have been viewing. If other Avalonians are experiencing this, it could be a virus planted to get rid of the site. This is a possible heads up to those running the site. I hope that it is only my computer. One screen says I have a virus and must call a certain telephone number. I have not done so because I suspect that they are the ones who have planted the virus. I have McAfee active and so I do not understand how this virus got through to me.

It is almost certainly your computer :). No one else is reporting this, and from what you describe, it's typical of the sorts of problems people see on Windows PC's (which I am guessing is what you're running.)

Perhaps someone else reading this has some suggestions on how to clean such problems up; I don't work on Windows enough to know such things.

Hervé
2nd May 2015, 01:05
[...]
.... I have McAfee active and so I do not understand how this virus got through to me.

Get rid of McAfee!

Use Comodo "Free Internet Security (https://www.comodo.com/home/free/free-protection.php?track=5630&key5sk0=5630&key5sk1=6f137a89508cdd7e93c115773810112319c4e5d5)."

Hervé
2nd May 2015, 19:55
That thing seems already well on its way:


Whenever I have tried to log in to PA while using google chrome, unlike Firefox or Internet Explorer, it has not let me in.

GoogleChrome blocks Project Avalon with the caption "unsafe site" and it will simply not navigate to the log in page.

looking-glass
2nd May 2015, 21:00
Hi,

in one of my 'roles' I have had an email that google's turn to https will affect our various security filtering so we will need to be 'certified' in order to stay 'safe' and use our 'filters'.

regards

Tesla_WTC_Solution
4th May 2015, 06:24
Paul, sorry for the snark, we've had some real router issues etc lately that prevent certain types of work

it puts us in a bad mood.

lucidity
4th May 2015, 20:07
[...]
.... I have McAfee active and so I do not understand how this virus got through to me.

Get rid of McAfee!

Use Comodo "Free Internet Security (https://www.comodo.com/home/free/free-protection.php?track=5630&key5sk0=5630&key5sk1=6f137a89508cdd7e93c115773810112319c4e5d5)."

Or better still... switch to a Mac or Ubuntu (or some other flavour of Linux/Unix),
then you won't even need a virus checker.

99.99% of all viruses are written for windows.

be happy

lucidity :-)

ThePythonicCow
7th May 2015, 00:35
This week's Security Now episode with Steve Gibson sheds some new light on the wider use of https.

Steve spends most of this week's show on the topic, beginning at 28 min 52 sec (https://youtu.be/g3C9PPZbnrI?t=28m52s)

We are increasingly enabling more powerful and capable client software on the user's computer or smartphone, within the web browser and within other client software. Such complicated, increasingly feature-rich execution environments will always have serious security flaws. To the extent that plain-text, unencrypted HTML web pages are allowed to execute in those environments, to that extent security will always be compromised.

For example, the Great Cannon of China (https://www.schneier.com/blog/archives/2015/04/chinas_great_ca.html) works by replacing a bit of Javascript in http (unencrypted) search results from Baidu, the dominant Chinese search engine, any time they passed through routers controlled by the Chinese government (the same routers used to implement the Great Wall of China web censor). The replacement Javascript can be used to drive a massive denial of service attack, from hundreds of thousands of end-user PCs simultaneously, against any target designated by the Chinese government, as was done on March 16, 2015 against GreatFire.org and on March 26 against GitHub. Both the GreatFire and GitHub attacks targeted repositories, https://github.com/greatfire and https://github.com/cn-nytimes, that provide technology for users who wish to circumvent Chinese government censorship.

The fundamental mechanism used by the Great Cannon of China is a "man in the middle" attack ... altering web pages on the fly as they traversed the Web and happened to pass through a smart router controlled by China. This mechanism depends on the web page being plain text HTML (http), not encrypted SSL (https). Substituting, adding, or removing text in plain text http pages on the fly is trivial, for anyone who controls any router that the page passes through. Encrypting pages as they traverse the web, such as using SSL encryption (https), disables, or at a minimum makes far, far more expensive, any such endeavors.

We have long (well, for the last decade or two, anyway) understood the need to encrypt sensitive data sent over the web, such as the password to our bank account. This stops others from spying on what is sent on the web.

However we now face a second challenge, stopping anyone with man in the middle access (a surprising and increasing variety of untrusted parties, given the increasing complexity of web pages) from executing hostile code on our own computers and smartphones (and increasingly, other devices, such as smart meters on our electric power, smart cars, refrigerators, major appliances, etc, etc.)

In my present view, after listening to Steve Gibson this week, all websites that allow even so much as Javascript must plan to convert to HTTPS in the next few years. Browsers will increasingly force this transition on websites, out of necessity, because they will provide increasingly complex features that execute within the client's browser, hence expose a never-ending series of security flaws that expose the client's computer or smartphone to abuse, spying, ransom, or whatever other uninvited activity some "hostile" entity might attempt, whether that be a teenage hacker in his mother's basement or the NSA or Chinese government.

The main browser providers are learning that they simply cannot provide an acceptable level of reliability over http, reasonably secure from hacking, to their users while at the same time continuing to provide the increasingly sophisticated browser-based client interactions that users will prefer, if given the choice. So the browser providers will have to shut off more advanced browser features from being used over http, and deprecate the use of http in order to force web providers to adopt more secure https.

As with any change that involves some centralization of authority (such as, in this case, centralized issuance of browser-accepted SSL security certificates), that change creates a new "central control point" that a sufficiently powerful entity can use to further their control over humanity. Perhaps in the next year or two from now, the Project Avalon forum converts to https, and perhaps a few years from that, Avalon pisses off some bastard in power sufficiently and is denied the issuance of a security certificate, making it quite difficult for people to access us. However in my view we must convert to https (SSL). There is, as usual, no "free lunch", or in this case, no place on this planet that is both (1) worth being and (2) guaranteed secure from the reach of the bastards in power.

Just as the centrally controlled DNS service (which maps URLs such as projectavalon.net to IP addresses such as 198.143.158.131) is currently used by some national entities to shut down access to some websites, similarly centrally issued SSL security certificates will no doubt be similarly (ab)used in the future.

The constant struggle between "good" guys, "bad" guys, tyrannical bastards in power and us ordinary humans, guarding our own freedom and well being, will continue.

ThePythonicCow
7th May 2015, 01:19
The fundamental mechanism used by the Great Cannon of China is a "man in the middle" attack ... altering web pages on the fly as they traversed the Web and happened to pass through a smart router controlled by China. This mechanism depends on the web page being plain text HTML (http), not encrypted SSL (https). Substituting, adding, or removing text in plain text http pages on the fly is trivial, for anyone who controls any router that the page passes through. Encrypting pages as they traverse the web, such as using SSL encryption (https), disables, or at a minimum makes far, far more expensive, any such endeavors.
From one of several sites supporting this conclusion, Google Analyzes China's "Great Cannon" DDoS Attacks (http://www.securityweek.com/google-analyzes-chinas-great-cannon-ddos-attacks):

“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible,” said Niels Provos, distinguished engineer in Google’s Security Team. “This provides further motivation for transitioning the web to encrypted and integrity-protected communication.”

Ilie Pandia
7th May 2015, 09:16
Hello,

Interesting post you have here Paul.

I am not yet done with the video, but I've paused to write this.

I find myself in agreement with what you wrote and I would like to add some other things to the mix.

Yes, using a Certificate requires that you get one from a Certificate Authority (CA) that then becomes a central point of power. However, I am sure that many CAs will show up because of the demand, and I have already seen free or very cheap certificates out there that will do the job well enough.

So, why is not everybody creating their own CAs? Well, the simple answer is that if a browser does not support you as a CA then it will deny the certificates that you are issuing. This means that Mozilla, Google (and other browser developers) have even more power by choosing who they trust implicitly. That can be used for "good" to prevent monopoly and centralization of power, or for "bad" to create said monopoly. To be fair, you can install new CAs into your browser, but it is not something that most users know how to do or understand what that is.

Because there is still room for flexibility and I've seen a proliferation of CAs and a drop to almost zero in the cost of simple certificates, I assume that "centralization of power" will not really be an issue, but the possibility for abuse remains (same as with DNS).

In the video that Paul posted above, the presenters see no reason why to have Secure HTTP on a site that you only read?! Why secure that?

In my opinion, there are actually two reasons:

1) man in the middle attack: you as the content provider cannot know for sure that what you write is actually what the visitor sees. Your content can be intercepted and changed. Sometimes in obvious ways, sometimes in more subtle ways. This can be a very effective tool for silencing (or redirecting) dissent or other "uncomfortable content" without you being any the wiser.

2) profiling. If someone intercepts the NON secure requests you make towards, say, a newspaper, over time they can profile you to learn your interests, political views and sexual orientation. Why? Because in NON secure requests the LINK to the pages you visit is completely visible and super easy to intercept. This is very different with SECURE requests. With Secure requests a third party can see that you visit a website, but NOT what you are looking at there. It's like someone seeing you buy a paper magazine, so they know something there interests you, but they cannot say what pages really interest you.

Because of the above two reasons, I am leaning toward SECURING the web requests by using HTTPS. The costs to do that have dropped significantly in the past few years and (in my estimation) they will continue to drop.

In conclusion I see a lot of benefits (for privacy, content integrity and proper authentication) and only one drawback, albeit a big one: you have to rely on an external Certificate Authority for your site to continue to work.

Q: "Is the deprecation of insecure HTTP an attack on alternative media?"

My answer: we cannot say. There is a real need to secure the connections and traffic. It all depends on what the solution will be and who will control it :).

ThePythonicCow
7th May 2015, 17:47
2) profiling.
As I was reading your post in this window, I was sharing with a few others the following link about the UK elections today: Google Search tips Cameron to win election - and Nigel Farage's Ukip will beat Labour and the Liberal Democrats (http://www.dailymail.co.uk/sciencetech/article-3070470/Google-Search-tips-Cameron-win-election-Nigel-Farage-s-Ukip-beat-Labour-Liberal-Democrats.html).

So I am figuring that the "profiling" efforts of the bastards in power, and of anyone with sufficient funds to hire a reliable Search Engine Optimization team, are doing just fine, thanks to the enormous success of Google and Baidu.

I doubt that the reduced visibility into the contents of web traffic will significantly impact profiling efforts :).

Besides, the meta-data collection efforts are proceeding with much success. Knowing the location and contacts of a billion people is quite enough, without actually reading their drivel (much of which is open anyway, on social media sites such as Twitter, Facebook and Avalon).

ThePythonicCow
7th May 2015, 18:18
There is a real need to secure the connections and traffic. It all depends on what the solution will be and who will control it :).
Yes :)