If I enable 128,168,and 256 bit encryption will the secure server default to 128? or which would it choose over the other?. (Or is this dependant on the configuration of the secure server).
The reason im asking is i only want to use 256 bit encryption on all secure sites and disable 128, and 168 in my browser. (Or by doing this would the sites I visit not really be secure? because they only use 128 bit encryption.)

For instance right now I have enabled 128, 168, and 256 ssl 3, tls1, and tls 1.1 in opera, but when I visit https://www.linuxquestions.org opera gives an error saying the connection is not secure and not to submit sensitive information. the server tried to apply security measures but failed.
(doesnt this mean everything i type into the login forms and even what I'm typing right now is basically sent plain text over the net? (even though the url says "HTTPS")

any help is appreciated.

btw I did search for this elsewhere but nothing came up explaining what I need to understand.

thanks again.

a client and a server both have a cipher suite they will use, and they will agree to use the first common cipher that they exchange knowledge of. These are listed broadly in terms of safety. e.g. http://www.singapore-security.com/20...te_choice.html see this has 256 bit ciphers first, 128 last.

the error you list has nothing to do with this at all though. the source code just references http links not https links, so whilst the main page itself is encrypted, some javascript files and images aren't encrypted. Not ideal really, might be worth dropping a line to Jeremy if you have concerns.

Just curious tho......with all the shit with cross site scripting and php and cgi (and apache)...why hasn't anyone tried to promote entire website encryption? I mean whats so bad about an entire website being secure? why even have a website with partial security? why not make a person feel at ease if they visit your website? I guess what I mean to say is on an insecure network shouldnt we all be working together to making it as secure as possible?

why leave room in the dark?

I would love to see the day when the entire web is encrypted and surpassing todays standards...
this should be the goal of every single being with a chip...
when you whisper in someones ear telling them that you love them and all the things you would do to them, you dont want anyone eavesdropping...
and neither does she...(unless shes playing you like a fool).

wtf? *EVERYONE* promotes entire site encryption.... just happens that for some reason unclear to me personally this site isn't doing that. fundamentally all "sensitive" data on lq is passed over an encrypted channel, e.g. username and password and as this is not a bank site that's all that matters in reality. There's no ultimate utopia affair here...

I've taken a quick look at the HTML code and the impression I got was that HTTPS is only used to transmit your login info if you specifically loaded an HTTPS URL. Granted, it seems that in both cases an MD5 hash of your password is transmitted instead of the password itself. Please correct me if I'm wrong (and I probably am wrong, or at the very least missing something).

If you go to https://www.linuxquestions.org/, what happens is that some of the content on the page, with addresses belonging to the linuxquestions.org domain, isn't sent via HTTPS. At the time of this post, the content seems to be these four images:So it's understandable that a browser would want to let you know that not everything you are getting from the domain is being sent securely. This doesn't, however, have anything to do with the login credentials you can transmit using the form on that page. Those should indeed be sent via HTTPS regardless of whether some of the page content was sent your way in the clear.

<EDIT>My bad, I just noticed that acid_kewpie had already explained this (and mentioned the JS files which I forgot about).</EDIT>

I'd be willing to bet that if you use https://www.linuxquestions.org/questions/ instead of https://www.linuxquestions.org/ your browser won't complain, as that page doesn't have any non-HTTPS media being served from the linuxquestions.org domain.

I get the picture...
I know most websites have login encryption, but everything else a user does on that site isnt. Google doesnt even give you the option of a secure search, and sites like yahoo encrypt your password but not the contents of your mailbox. This allows snooping and profiling. Plus I know there are encryption plugins for pidgin but the user your speaking to has to have encryption enabled and most of your messaging programs dont give you that option. I dont see why we all wouldnt want our communications encrypted.

When I log into Yahoo to check my mail, Its like me saying "Hey yall I need a minute to myself, Im going to my room" my door may be locked and Im the only one with a key but all the walls in my room are made of glass or air. Its the same way for most of the popular websites out there.

Honestly, I've wondered the same thing many times. Specially with regards to your free Web-based email example. Sometimes I've figured it might be due to performance reasons, but I'm not sure. As for the IMs, I'm even more clueless as to why everything isn't wrapped up with end-to-end encryption. The service providers are aware of the security threat, otherwise they wouldn't encrypt the login information. So maybe that's where their concern ends and they don't consider privacy a priority.

I don't quite see how a secure search would work - yahoo or the like would still have the search and results in some form I'd assume, so you could stop an external party eavesdropping, but not yahoo itself.

ok first you said they have a suite to use the first common cipher but this takes place if all requirements are met first first the client connects to the server requesting an encrypted service the server responds saying ok lets use this cypher but if the client and server have a disagrement like the example I listed saying that the server tried to implement encryption but it failed then that handshake with encryption never takes place regardless of whether it happens because of links to http images or not. the encryption is not there. so basically even though the website is configured for encryption without the handshake saying ok we agree to use this then none of the site is encrypted for that session. right?

yes they would have the results but depending on how they set the server up it could be in an ecrypted form or plain text to them. if its the encrypted form then we are good to go why would a company want to take the time to crack every search made on thier server would take too much time and resources.

however if its the second form then they still get their traffic analysis and can sell it to other companies trying to give people what they are searching for. but other people trying to eavesdrop and profile are going to have to go to extreeme effort to get anything.
which in my opinion is still way better than just openly yelling to the entire neighborhood everything going on in your house, or company.

this is my theory.... lets say the new web standard was all transfer of packets needs to be done encrypted then a web crawler like googles would have to be setup to use encryption. then the cache could be encrypted on an encrypted filesystem. only google employees with the passphrase could access the data without cracking it. and this in turn could made more secure by limiting the users with that passphrase.

there is some research going on about this subject. I found a few links on google itself.

but it should be on the minds of everyone..imho

Correct, but that (third-party snooping) is the main concern IMHO - at least for me it is. I think anyone concerned about Yahoo! or Google (or whatever) snooping on them simply wouldn't be using those services in the first place, or would only do so via Tor.

Web-based email is a completely different problem, though. By using HTTPS only for the logins, service providers leave you extremely vulnerable to third-party snooping, injection, and hijacking. And you can't get around that by using Tor - in fact, Tor would just make things worse in most cases. I know Gmail has given users the option to always use HTTPS - I wish the other big providers would follow suit.

I just made sure my wife was computer illiterate!!!!

The reason their concern ends? the OS: (or marketing)
people mimick what they are taught is secure, and most people start on windows. Im not picking on windows the same goes with linux, mac, and any other os out there.

you see the problem is the same as the example I gave about Yahoo.
what happens when the normal user boots up his pc? he gets a login screen. that login screen encrypts his password and allows him access to his account. ( the same way as on yahoo) but his my documents and everything on that account are readable by anyone with an account on the computer by default. (im talking about the home editions of windows you know the ones that ask for a username and password but if you hit cancel or login without entering anything you get a desktop anyway?) <--- some linux distros are actually trying to mimick this with auto login and dont get me started on sudo as the only means of accessing root.
and some of the linux distros that arent doing those things are using lax files permissions that allow another user to browse another users directory by default. I just think it would benefit everryone if all filesystems were encyrpted by default and creating programs that use encrypted sockets and any data transfered from one filesystem to another was done through an encrypted tunnel.

I dont know...I might sound paranoid to some people or stupid to others.
and some of this may never happen but it sounds good, it draws up on paper but problably will never happen. or maybe it will