LinuxQuestions.org
Linux - Security
Old 11-03-2008, 03:32 AM   #16
billymayday
I'd prefer a well-utilised file/directory-level permissions system to putting up with the overhead of encrypted file systems. I can have an encrypted portion for files that matter, but for videos I work on? No thanks.

Last edited by billymayday; 11-03-2008 at 03:34 AM.
 
Old 11-03-2008, 03:34 AM   #17
win32sux
Quote:
Originally Posted by deepsix
The reason their concern ends? The OS (or marketing).
I understand what you mean. Making it so that everything is encrypted on the client before being uploaded to the server (so that you are protected from third-parties AND the service provider) does make sense if you have a paid service (and you and the people you exchange email with use PKI, etc). But for a free service which depends on being able to run all sorts of analysis on your emails in order to exist, this would be completely unfeasible IMHO. That is, by today's standards at least. Maybe tomorrow there will be some kind of paradigm shift. For now I dare say you won't see any of the big companies offering this feature, and you'll need to do-it-yourself with GnuPG or whatever.

Last edited by win32sux; 11-03-2008 at 03:52 AM.
 
Old 11-03-2008, 04:23 AM   #18
deepsix
Original Poster
Quote:
Originally Posted by acid_kewpie
WTF? *EVERYONE* promotes entire-site encryption... it just happens that, for some reason unclear to me personally, this site isn't doing that. Fundamentally all "sensitive" data on LQ is passed over an encrypted channel, e.g. username and password, and as this is not a bank site that's all that matters in reality. There's no ultimate utopia affair here...
Username and password give all people a warm sense of security... but in reality username and password don't mean xxxx if the database you're accessing isn't secure. I can sell you a room for a night at a motel and give you a key, and just by my telling you that you have a key you get a feeling of security... no one but you has that key... now... I've already altered the room you are staying in (with cameras and shit) and it can't be undone without my permission. You stay in the room and recommend the motel to others because I made it a great experience for you; now you're hooked... and the people you referred are hooked, and the standard begins.
But the standard isn't even a standard at all, just what we wanted you to feel and see.

Get my drift?

Last edited by deepsix; 11-03-2008 at 04:36 AM.
 
Old 11-03-2008, 05:07 AM   #19
acid_kewpie
Erm, yes... I don't get your point though. I am giving specific points about LQ.org, but you seem to just be quoting off-the-shelf theory about unrelated issues.
 
Old 11-04-2008, 02:31 AM   #20
deepsix
Original Poster
Quote:
Originally Posted by acid_kewpie
Erm, yes... I don't get your point though. I am giving specific points about LQ.org, but you seem to just be quoting off-the-shelf theory about unrelated issues.
LQ's HTTPS session is not secure. If a client and server don't agree on the handshake for security, it will not exist.
And all the issues I'm stating are true for the most part. I'm trying to get other readers to think about it and possibly motivate future implementations.
I guess I just keep getting agitated by all the websites I like to use not being secure and feeling like anyone (which they can!) could be snooping on me, trying to figure out where to find me on the web, what music I listen to, what banners I click on, the geographical area I live in, possibly where I work, eat, shit, sleep, health issues, my choice of banking, where I shop, what ISP I use, how I pay my bills... ultimately everything I enter or do on a webpage!
 
Old 11-04-2008, 02:43 AM   #21
win32sux
Quote:
Originally Posted by deepsix
LQ's HTTPS session is not secure. If a client and server don't agree on the handshake for security, it will not exist.
Could you elaborate on that please? I don't understand what you mean by "LQ's https session is not secure". I've been using HTTPS on LQ for a very long time and have never noticed any problems with any of the HTTPS URLs, or with the SSL certificate which is in use.

Quote:
And all the issues I'm stating are true for the most part. I'm trying to get other readers to think about it and possibly motivate future implementations.
I guess I just keep getting agitated by all the websites I like to use not being secure and feeling like anyone (which they can!) could be snooping on me, trying to figure out where to find me on the web, what music I listen to, what banners I click on, the geographical area I live in, possibly where I work, eat, shit, sleep, health issues, my choice of banking, where I shop, what ISP I use, how I pay my bills... ultimately everything I enter or do on a webpage!
The irony of the matter is that most of the pieces of information you've listed are still available to anyone snooping on you whether you use HTTPS or not. If you are seeking anonymity you're gonna have to use Tor (or an equivalent). HTTPS isn't designed to provide you with anonymity - only security. A bad guy can tell where you work, where you pay your bills, what bank you use, where you shop, etc. simply by looking at the hosts/domains you are connecting to - it doesn't matter whether you're using HTTPS or not. And a bad guy can get geographical/ISP information on you by looking at the source IP on your packets (which HTTPS has no effect on). I understand your desire to have HTTPS become widespread (in fact, I share that desire), but let's keep things real when it comes to talking about the benefits.

Last edited by win32sux; 09-09-2009 at 01:46 AM. Reason: Technical correction.
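The point above about hostnames being visible regardless of HTTPS, shown in code as an added example (this is not part of win32sux's post or anything LQ runs). It goes a little beyond what the post says: besides the DNS lookup and the destination IP, a TLS ClientHello itself carries the server name in cleartext in the SNI extension, so a passive observer on the path reads the hostname before a single byte is encrypted. The ClientHello below is built by the script itself rather than captured from real traffic, and the hostname is only a sample value.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0      # server_name extension, RFC 6066
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (a constructed sample, not real traffic).

    hostname=None produces a legacy hello with no extensions at all.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name        # name_type host_name(0), length, name
        name_list = _u16(len(entry)) + entry
        ext = _u16(SNI_EXTENSION_TYPE) + _u16(len(name_list)) + name_list
        extensions = _u16(len(ext)) + ext
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x11" * 32                   # client random (fixed so the sample is reproducible)
        + b"\x00"                        # session_id: empty
        + _u16(2) + b"\xc0\x2f"          # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression methods: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + _u24(len(body)) + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + _u16(len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What a passive on-path observer reads from the first TLS record: the server name.

    Returns None if the record is not a ClientHello or carries no SNI extension.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    p = 4 + 2 + 32                                      # handshake header, version, random
    p += 1 + hs[p]                                      # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher_suites
    p += 1 + hs[p]                                      # compression_methods
    if p + 2 > len(hs):
        return None                                     # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        q = 2                                           # skip the ServerNameList length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:                              # host_name entry: this is in the clear
                return data[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.linuxquestions.org")
    print("observer sees SNI:", extract_sni(hello))
    print("legacy hello SNI:", extract_sni(build_client_hello(None)))
```

Run it and the first line prints the hostname back, read purely from the unencrypted record; everything HTTPS protects (the path, the cookies, the POST body) comes after this point, which is exactly why the post says it gives security, not anonymity.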
 
Old 11-04-2008, 02:48 AM   #22
deepsix
Original Poster
Quote:
Originally Posted by billymayday
I'd prefer a well-utilised file/directory-level permissions system to putting up with the overhead of encrypted file systems. I can have an encrypted portion for files that matter, but for videos I work on? No thanks.
I can understand that... but if a server is secure(ish), the video files could reside on another filesystem that wasn't encrypted; then a user could access a website securely and download the other files from the other filesystem with minimal risk to security. And from the OS standpoint the same rules primarily apply.

Last edited by deepsix; 11-04-2008 at 02:54 AM.
 
Old 11-05-2008, 04:01 AM   #23
deepsix
Original Poster
Here is an example of what I'm talking about.

Try going to http://www.cia.gov ... notice you are automatically redirected to a secure negotiation. If you watch your URL it will automagically change to HTTPS,

and every page and image and script is somewhat secure.
It's not perfect... but better than most.

And I can almost say that for any link, image or script you access... there will be an https in the URL and your browser will accept it, and there will be no ? as to whether or not you are encrypted... and if you do happen to take a link that takes you to another site you will be warned if your browser is configured for it. Granted, they may track your every move, but to others? Hmmmm......

If the entire web was this way... or better... what more could we do?

Last edited by deepsix; 11-05-2008 at 04:03 AM.
 
Old 11-05-2008, 05:18 AM   #24
win32sux
Quote:
Originally Posted by deepsix
Try going to http://www.cia.gov ... notice you are automatically redirected to a secure negotiation. If you watch your URL it will automagically change to HTTPS
If you feel LQ should also force HTTPS like the CIA and other sites do then I would say your best bet is to make a suggestion in the LQ Suggestions and Feedback forum. It sounds like a reasonable request to me, but I'm sure there might be reasons why it wouldn't be such a good idea, and I would look forward to seeing a discussion. I know for a fact that Jeremy has given thought to LQ's situation regarding the use of SSL.

That said, keep in mind that unless you are specifically looking for your browser to report that a valid SSL certificate is being used (most people don't even know what that is), a bad guy can have you wrapped around his finger when you typed the URL (or clicked the link) without the HTTPS. For example, when you click the CIA link you posted above, a bad guy could have you browsing a completely fake (and possibly even virus-laden) CIA website, and your browser would have never spit a single warning at you. Your browser would be completely oblivious to the fact that you were under a man-in-the-middle attack, since you never reached the point where a certificate was provided.

The only reason I mention this is because it sounds like you are thinking that having a server do URL rewriting to force HTTPS is some sort of magical cure to all our surfing security problems, when that is quite far from the truth for most users. Sometimes nothing beats typing the HTTPS address into the address bar yourself, or making sure that your saved bookmarks use the HTTPS URLs. I, for one, try to do that for every HTTPS-capable website I use (including LQ).

Last edited by win32sux; 11-05-2008 at 05:33 AM.
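The caveat in that post, as an added example that is not part of the thread or of any site it mentions: a helper that judges what a site does with the browser's first, unauthenticated http:// request. It checks two things the post touches on: whether the plaintext response is a redirect to https:// on the same host, and (going beyond the post, since the mechanism was standardised later as RFC 6797) whether the HTTPS page sets Strict-Transport-Security so that later visits never send plaintext at all. HSTS is only honoured when it arrives over HTTPS, which is why the plaintext response is never searched for it. All responses below are constructed for the example; the "stripped" one is the kind of thing an on-path attacker can hand back instead of the real redirect, and the browser shows no warning for it because no certificate is ever involved.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into status code, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value; None if it lacks a usable max-age."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.lower(), val.strip().strip('"')
        if key == "max-age" and val.isdigit():
            max_age = int(val)
        elif key == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


def assess_first_contact(http_url: str, http_response: bytes, https_response: bytes) -> Dict[str, object]:
    """Judge what a site does with the browser's first plain-HTTP request.

    http_response is what came back over plaintext (anyone on the path could have
    written it); https_response is the page fetched over TLS afterwards. RFC 6797
    tells browsers to ignore Strict-Transport-Security on a plaintext response, so
    the header is only looked for in the HTTPS one.
    """
    plain = parse_response(http_response)
    target = urlsplit(plain["headers"].get("location", ""))
    to_https = plain["status"] in REDIRECT_CODES and target.scheme == "https"
    same_host = to_https and target.hostname == urlsplit(http_url).hostname
    secure = parse_response(https_response)
    sts_value = secure["headers"].get("strict-transport-security")
    hsts = parse_hsts(sts_value) if sts_value is not None else None
    return {
        "redirects_to_https": to_https,
        "same_host": same_host,
        "hsts": hsts,
        # After one clean visit the browser rewrites http:// to https:// by itself for
        # max-age seconds; only the very first contact stays exposed to stripping.
        "protected_after_first_visit": bool(same_host and hsts and hsts["max_age"] > 0),
    }


# Constructed responses for the example (not captures of any real site).
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://www.example.org/\r\n"
             b"Content-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Content-Type: text/html\r\n\r\n<html>forum</html>")
# What an on-path attacker can return instead of the redirect: a plain-HTTP copy of
# the site whose login form posts in the clear.
STRIPPED_HTTP = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b'<html><form action="http://www.example.org/login">...</form></html>')
NO_HSTS_HTTPS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>forum</html>"

if __name__ == "__main__":
    print(assess_first_contact("http://www.example.org/", GOOD_HTTP, GOOD_HTTPS))
    print(assess_first_contact("http://www.example.org/", STRIPPED_HTTP, GOOD_HTTPS))
```

The third case in the test (a correct redirect but no HSTS) is the 2008 situation the post describes: the rewrite helps an honest first request along, but every fresh visit that starts with http:// is again decided by whoever answers first on the wire.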
 
Old 11-06-2008, 12:16 AM   #25
deepsix
Original Poster
Quote:
Originally Posted by win32sux
If you feel LQ should also force HTTPS like the CIA and other sites do then I would say your best bet is to make a suggestion in the LQ Suggestions and Feedback forum. It sounds like a reasonable request to me, but I'm sure there might be reasons why it wouldn't be such a good idea, and I would look forward to seeing a discussion. I know for a fact that Jeremy has given thought to LQ's situation regarding the use of SSL.

That said, keep in mind that unless you are specifically looking for your browser to report that a valid SSL certificate is being used (most people don't even know what that is), a bad guy can have you wrapped around his finger when you typed the URL (or clicked the link) without the HTTPS. For example, when you click the CIA link you posted above, a bad guy could have you browsing a completely fake (and possibly even virus-laden) CIA website, and your browser would have never spit a single warning at you. Your browser would be completely oblivious to the fact that you were under a man-in-the-middle attack, since you never reached the point where a certificate was provided.

The only reason I mention this is because it sounds like you are thinking that having a server do URL rewriting to force HTTPS is some sort of magical cure to all our surfing security problems, when that is quite far from the truth for most users. Sometimes nothing beats typing the HTTPS address into the address bar yourself, or making sure that your saved bookmarks use the HTTPS URLs. I, for one, try to do that for every HTTPS-capable website I use (including LQ).

That wasn't what I meant by saying see how the URL automagically changes.
I was merely pointing out how they implement it (they don't even give you the option of a non-encrypted session... but that's the CIA for you).
The only point I'm trying to get out is encrypting our communications.
HTTPS means that your session is encrypted, and if it is not, man-in-the-middle attacks come very easily. It makes sense to have the option of both HTTPS and HTTP, but a site that says https and doesn't make the encryption handshake is nothing more than an HTTP session. So when I visit https://www.linuxquestions.org Opera tells me the server tried to apply security but failed, and that the session isn't secure and don't submit sensitive data. That says that the server offers a secure session that isn't secure. Why offer an HTTPS session?

How do I get in touch with Jeremy?


I'm not trying to start an argument, just stating facts and asking a few questions while doing it, and seeking info. And I do understand about the certificate policy (and most people not knowing about it... but that's why
I'm bringing this up... to get it out to everyone else and get not just the vets but noobies as well).
If enough people start asking the right questions to the right people and start using software based on security, and started actually using some of the security provided with some software, and developers making it easy to implement security in their software... so on and so forth... (then maybe in a few years I could hear my 10-year-old reprimand me for using a non-secure application or protocol).
Thanks to all you guys running this forum, it's great!

Last edited by deepsix; 11-06-2008 at 02:21 AM.
 
Old 11-06-2008, 01:25 AM   #26
win32sux
Quote:
Originally Posted by deepsix
A site that says https and doesn't make the encryption handshake is nothing more than an HTTP session. So when I visit https://linuxquestions.org Opera tells me the server tried to apply security but failed, and that the session isn't secure and don't submit sensitive data. That says that the server offers a secure session that isn't secure. Why offer an HTTPS session?
Okay, it seems that this is the basis of your issue right here. You are basically jumping to a conclusion. Just because Opera is throwing an error like that at you doesn't automatically mean that LQ's SSL is broken. It could simply be that Opera isn't using the right words to describe what is happening (which AFAIK is simply that there are files on the page which are transmitted using non-HTTPS, as has already been explained to you), for example. Try other browsers and see what they report; do a packet capture and check for outbound cleartext upon login; ask other users whether they are experiencing the same browser warnings. There's lots of stuff you should try before concluding that LQ's SSL is broken.

Quote:
How do I get in touch with Jeremy?
The same way you would get in touch with anyone on this site - the contact via email option (if the user has it enabled, which Jeremy does). But for something like this I strongly recommend that you use the Suggestions and Feedback forum instead, as it's exactly what it was designed for.

BTW, if you check the certificate you will see that it's issued for the subdomain www.linuxquestions.org which is not the same as linuxquestions.org so if you've been using a URL like https://linuxquestions.org all along then that would most likely explain your problem right there.

Last edited by win32sux; 11-06-2008 at 01:40 AM.
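The certificate-name point from the last paragraph, as an added example that is not from the post and not LQ's code: the host in the address bar has to match a name the certificate was issued for, and www.linuxquestions.org and linuxquestions.org are simply different names. The comparison below follows the RFC 6125 rules browsers apply (case-insensitive, wildcard only as the whole left-most label, covering exactly one label). The certificate dict is a constructed stand-in in the shape Python's ssl getpeercert() returns, assumed for the example; it is not the actual LinuxQuestions.org certificate.

```python
from typing import Dict, List, Sequence


def names_from_peercert(cert: Dict[str, object]) -> List[str]:
    """DNS names a certificate is valid for, from the dict shape that
    ssl.SSLSocket.getpeercert() returns. subjectAltName dNSName entries win;
    the subject commonName is used only when there are none, which is how
    clients of the era treated certificates issued with just a CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the requested host."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat                      # plain names: exact, case-insensitive
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    # A wildcard must be the entire left-most label, stands in for exactly one label,
    # and must leave at least two fixed labels so that "*.org" can never match.
    if pat_labels[0] != "*" or len(pat_labels) < 3 or "*" in pat_labels[1:]:
        return False
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == pat_labels[1:]


def hostname_matches(hostname: str, cert_names: Sequence[str]) -> bool:
    """True if any name in the certificate covers the requested host."""
    return any(name_matches(hostname, name) for name in cert_names)


# Constructed stand-in for a certificate issued only to the www host, in the
# getpeercert() shape. It is not LinuxQuestions.org's actual certificate.
WWW_ONLY_CERT = {
    "subject": ((("commonName", "www.linuxquestions.org"),),),
    "subjectAltName": (("DNS", "www.linuxquestions.org"),),
}

if __name__ == "__main__":
    names = names_from_peercert(WWW_ONLY_CERT)
    for host in ("www.linuxquestions.org", "linuxquestions.org"):
        print(host, "->", "ok" if hostname_matches(host, names) else "name mismatch")
```

With the sample certificate the bare domain fails the check, which is the warning a browser would raise for https://linuxquestions.org; a wildcard name such as *.linuxquestions.org would cover www but still not the bare domain, so that would not have helped either.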
 
Old 11-06-2008, 02:17 AM   #27
deepsix
Original Poster
Quote:
Originally Posted by win32sux
BTW, if you check the certificate you will see that it's issued for the subdomain www.linuxquestions.org which is not the same as linuxquestions.org so if you've been using a URL like https://linuxquestions.org all along then that would most likely explain your problem right there.

I see... and this is what I've been doing: https://www.linuxquestions.org (even as I type).

And I have been checking with other users... that's why I started this thread (only one said they had no problem... which may be due to someone pressing the "do not notify me when this security feature happens" option in their browser or having accepted a bum certificate).

Thank you, I did submit a request in LQ Suggestions.
Thanks for everyone's attention, and I hope this thread gets a few more people's input.

Thanks.
 
Old 11-06-2008, 02:23 AM   #28
deepsix
Original Poster
Quote:
Originally Posted by win32sux
Okay, it seems that this is the basis of your issue right here. You are basically jumping to a conclusion. Just because Opera is throwing an error like that at you doesn't automatically mean that LQ's SSL is broken. It could simply be that Opera isn't using the right words to describe what is happening (which AFAIK is simply that there are files on the page which are transmitted using non-HTTPS, as has already been explained to you), for example. Try other browsers and see what they report; do a packet capture and check for outbound cleartext upon login; ask other users whether they are experiencing the same browser warnings. There's lots of stuff you should try before concluding that LQ's SSL is broken.

I did a packet capture and I understood what you were telling me about it being due to linked images on an HTTP server.
But the fact is, other than the password, it's all plain text! When I visit https://www.linuxquestions.org I should have a little locked sign in Opera that says secure... instead I get a ? (the same issue in other browsers) telling me what I've already stated before.

Last edited by deepsix; 11-06-2008 at 02:37 AM.
 
Old 11-06-2008, 03:09 AM   #29
acid_kewpie
Sure, you do get that, but now we've discussed WHY you get that, everyone understands and is cool with it, right? The password is plain text if you aren't on https, but if you are it is implicitly within that channel so that's fine.
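The condition the last few posts have been circling, a page served over HTTPS that pulls images or scripts from plain http:// URLs (what browsers call mixed content), as an added example that is not part of any post here and is not LQ's code: a small scanner that lists every such subresource on a page. It distinguishes script, stylesheet and frame references, which can rewrite the page or run code and which browsers now block outright, from images, which only leak what you looked at. The HTML and hostnames are constructed for the example; LQ's real markup of the time is not shown here.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource into the page. Plain <a href>
# links are navigation, not subresources, so they are deliberately left out.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}
# Active content can change the page or execute; browsers treat it far more strictly.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class _RefCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, absolute_url, "active"|"passive") for each subresource an HTTPS
    page would load over plain http://. Relative and scheme-relative ("//host/...")
    references inherit the page's scheme, so only explicit http:// URLs are flagged."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS")
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.refs:
        absolute = urljoin(page_url, ref)
        if urlsplit(absolute).scheme == "http":
            findings.append((tag, absolute, "active" if tag in ACTIVE_TAGS else "passive"))
    return findings


# Constructed sample page for the example; not LinuxQuestions.org's markup.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/style.css">
<script src="http://ads.example.net/banner.js"></script>
</head><body>
<img src="//cdn.example.org/logo.png">
<img src="http://images.example.org/lq.gif">
<a href="http://www.example.org/other">plain link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://www.example.org/forum/", SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

On the sample page the stylesheet and the logo are fine (they inherit https from the page), the banner script is an active finding and the image is a passive one. Run against a saved copy of a real page, the passive findings are exactly the "linked images on an HTTP server" that produced the ? icon in Opera: the login form and its password still travel inside the TLS channel, as acid_kewpie says, but an observer still sees those image requests, and an active finding would let him inject script into the otherwise protected page.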
 
Old 11-06-2008, 10:14 AM   #30
win32sux
For the record, the thread deepsix opened in LQ Suggestions and Feedback is located here.

Last edited by win32sux; 11-06-2008 at 10:15 AM.
 
  

