Toddler Thork
Library not on https
« on: March 10, 2020, 08:31:15 AM »
Not sure why the SSL certificate doesn't extend to library.tfes.org, but being as it does extend to both forum.tfes.org and wiki.tfes.org, it's a bit odd.

Needless to say my browser freaks out and informs me that my computer will get coronavirus if I download any of the resources, making me less likely to do so.

Kind Regards,

Dr David Thork
Rate this post.      👍 6     👎 1

la xasop
Re: Library not on https
« Reply #1 on: March 10, 2020, 09:23:28 AM »
The library hosts only public files, so there is limited value in having TLS there. Your browser is a hypochondriac.

The reason why our normal X.509 certificate does not apply to the library is that the library is hosted on S3, separately from our other services.

That said, there is no harm in having it. I'll look into it sometime as a low priority.
when you try to mock anyone while also running the flat earth society. Lol

Toddler Thork
Re: Library not on https
« Reply #2 on: March 10, 2020, 09:49:08 AM »
> The library hosts only public files, so there is limited value in having TLS there.

They are downloads and HTML pages.

I know this website isn't malicious. Do the people who just happen upon it, know that? Does Google believe that? It's just about trust. Something tfes.org usually gets right.

> Your browser is a hypochondriac.

I said as much in my OP. But not everyone who comes to our site is tech savvy and nor do they know that clicking on a link hosted here will be fine. They might choose to believe their browser over the website where there are people telling them the world is flat.

> The reason why our normal X.509 certificate does not apply to the library is that the library is hosted on S3, separately from our other services.
>
> That said, there is no harm in having it. I'll look into it sometime as a low priority.

It's been like this for years. Of course it is low priority ... but a little continued improvement is always welcome. We don't want to stop fixing things, otherwise you end up with a mess like the Davis/Shenton crap hole.

We may also find that Google looks a little more kindly on some of our resource pages when it comes to serving search results.

ttfn

la xasop
Re: Library not on https
« Reply #3 on: March 10, 2020, 12:16:55 PM »
> I know this website isn't malicious. Do the people who just happen upon it, know that? Does Google believe that? It's just about trust. Something tfes.org usually gets right.

HTTPS makes no difference if the website is malicious. Indeed, if you don't trust the website owner, then HTTPS is entirely useless for security. What's the difference between fetching content from someone you know you don't trust, and a third party you don't trust?

HTTPS is only useful for protection against malicious third parties, as well as for a small boost to user privacy. If the party you want to talk to is malicious, all bets are off.

> We may also find that Google looks a little more kindly on some of our resource pages when it comes to serving search results.

Yes, Google is well known for bullying smaller websites into falling in line with their hype of the month.
« Last Edit: March 10, 2020, 12:21:52 PM by Parsifal »

Pete Svarrior
Re: Library not on https
« Reply #4 on: March 10, 2020, 04:29:29 PM »
> HTTPS is only useful for protection against malicious third parties, as well as for a small boost to user privacy.

While you are obviously correct here, the third party scenario is a decent rationale to move to HTTPS. I do agree that the benefits wouldn't be massive, and that it could/should be treated as low-priority, but it's an improvement nonetheless.

Plus, you know I love to butter Google up.
Read the FAQ before asking your question - chances are we've already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

<Parsifal> I like looking at Chinese Wikipedia with Noto installed
<Parsifal> I don't understand any of it but the symbols look nice

timterroo
Re: Library not on https
« Reply #5 on: June 26, 2020, 01:31:15 AM »
> > HTTPS is only useful for protection against malicious third parties, as well as for a small boost to user privacy.
>
> While you are obviously correct here, the third party scenario is a decent rationale to move to HTTPS. I do agree that the benefits wouldn't be massive, and that it could/should be treated as low-priority, but it's an improvement nonetheless.
>
> Plus, you know I love to butter Google up.

I don't mean to speak out of line, but I tend to agree with Parsifal (or whatever the hell he calls himself now), if it's just downloads, what are you going to gain by encrypting the link? Do you have to be a member to download? In other words, is there any session data, or logins? If the answer is no, what's the point in https? I guess if the downloads themselves are questionable in nature, perhaps you'd want to encrypt it, but otherwise, it's like an open-door museum. No privileged information would be captured by a third party because it isn't being transferred.

Edit:

That said, https always looks better. Especially when the end-user (non-techy) is being taught https means you're safe. But that involves having to request a new cert (probably costs you some money), then you have to install it. Not a huge deal, but you'd probably want to install the new cert on all your hosts, so it's just a pain when you have other shit you have to do... like backups, and updates.... and morons who ask for stupid shit.... <- ok that's just some tech-support-rage coming out, but I'm cool....
« Last Edit: June 26, 2020, 01:40:13 AM by timterroo »
"noche te ipsum"

"If you can't explain it simply, you don't understand it well enough."  - Albert Einstein

Pete Svarrior
Re: Library not on https
« Reply #6 on: June 26, 2020, 05:58:30 PM »
> I don't mean to speak out of line, but I tend to agree with Parsifal (or whatever the hell he calls himself now), if it's just downloads, what are you going to gain by encrypting the link?

We're all in agreement that any benefits would be minimal. However, there are scenarios in which it could be beneficial.

The hypothetical risk here isn't that a third party will see what you're seeing (they can do that anyway in this case, as you pointed out), but that you can't technically be sure that the file you received was served by us. If I wanted to download something from the library over HTTP, I have to trust that my ISP or another malicious actor doesn't MitM me and force-feed me a file different from what I requested. The whole point is that if you request something via HTTPS, you have some reassurance that what you're receiving is what the sender intended.

The current state of the library illustrates that quite well, actually. You CAN fetch files from the library via HTTPS, but the certificate being served does not match the domain you've requested. This should trigger a security warning from your browser, and ideally block the file transfer until you've manually OK'd it.

https://library.tfes.org/library/Flat_Earth_Society_Newsletter_-_1977_July.pdf
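Added example, not part of any post in this thread: a minimal RFC 6125-style check of a hostname against a certificate's DNS subjectAltName entries, showing why a certificate issued for the storage provider's own names produces the mismatch warning described above. Both SAN lists are constructed for illustration and were not read from the real servers.

```python
# Added illustration. SAN lists below are assumptions, not captured data.

def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a requested hostname.

    Rules applied (as browsers do): comparison is case-insensitive, a
    wildcard is only honoured as the complete left-most label, it covers
    exactly one label, and it must sit under at least two fixed labels
    (so "*.org" never matches anything).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # "*" never spans several labels
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h                         # partial wildcards stay literal


def cert_covers(sans: list[str], host: str) -> bool:
    """True if any SAN entry on the certificate is valid for host."""
    return any(san_matches(s, host) for s in sans)


# Constructed: a certificate listing the site's own hostnames.
SITE_CERT = ["tfes.org", "forum.tfes.org", "wiki.tfes.org"]
# Constructed: a certificate issued for an object-storage endpoint.
STORAGE_CERT = ["s3.amazonaws.com", "*.s3.amazonaws.com"]

# Which certificate each hostname is served with (assumed mapping).
SERVED = {
    "forum.tfes.org": SITE_CERT,
    "wiki.tfes.org": SITE_CERT,
    "library.tfes.org": STORAGE_CERT,
}


def audit(served: dict[str, list[str]]) -> dict[str, bool]:
    """Per hostname: does the certificate it is served with cover it?"""
    return {host: cert_covers(sans, host) for host, sans in served.items()}


if __name__ == "__main__":
    for host, ok in audit(SERVED).items():
        print(f"{host:20} {'ok' if ok else 'NAME MISMATCH (browser warns)'}")
```

The same one-label rule means a storage wildcard entry would not cover a name with extra dots in front of it either, so pointing a custom hostname at the storage endpoint is not enough on its own to get a matching certificate.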

timterroo
Re: Library not on https
« Reply #7 on: June 27, 2020, 02:57:17 AM »
> > I don't mean to speak out of line, but I tend to agree with Parsifal (or whatever the hell he calls himself now), if it's just downloads, what are you going to gain by encrypting the link?
>
> The hypothetical risk here isn't that a third party will see what you're seeing (they can do that anyway in this case, as you pointed out), but that you can't technically be sure that the file you received was served by us. If I wanted to download something from the library over HTTP, I have to trust that my ISP or another malicious actor doesn't MitM me and force-feed me a file different from what I requested. The whole point is that if you request something via HTTPS, you have some reassurance that what you're receiving is what the sender intended.

That’s a valid concern. I think the risk is still minimal (and acceptable). I’m not sure how easy MitM is over WAN these days. If a system is compromised though, that’s another thing altogether.