Enable SSL

[draketungsten]

In the age of spying by the US government on its on citizens, I am utilizing privacy features more than ever. I am suggesting that INGO enable SSL (https) for the site. This will encrypt the data transferred between my machine and INGO web server making the data unreadable except for the most powerful resources.

 

[dans4420]

In the age of spying by the US government on its on citizens, I am utilizing privacy features more than ever. I am suggesting that INGO enable SSL (https) for the site. This will encrypt the data transferred between my machine and INGO web server making the data unreadable except for the most powerful resources.

Your pitching the government as a reason, but also wouldn't they definitely have the most powerful resources to see it.

 

[draketungsten]

This is true that they have the resources but it is still finite resources. Which do you think they'd rather spend their finite resources on breaking...the encrypted communications between possible terrorists or groups that they have on their radar or a bunch of midwesterners on a forum? Obviously they will spend it on clear and present dangers. However, even though we don't pose a threat or have anything to hide, we still shouldn't regard our privacy or constitutional rights as unneeded or irrelevant.

 

[dans4420]

I understand your point. We all have varying degrees of privacy concerns so yes i do see how it could help. but at what cost/to help ratio? i truly don't know the answer to that.

 

[hooky]

if your thought is that the .gov can't easily overcome SSL encryption, I have some bad news for you.

 

[draketungsten]

Based on my previous experience with building sites, SSL certificates cost between $30 - $60 / year. This is a very low cost to safeguard your privacy. Most of us spend more on coffee every year.

 

[draketungsten]

if your thought is that the .gov can't easily overcome SSL encryption, I have some bad news for you.

Oh, I'm under no delusion that they can break it. However, it takes X amount of resources to break it. Every transaction between a database and server or every analyst it takes to look at the results costs money. If the amount intel or benefit that they are getting out of breaking that SSL is far less than X, they won't bother committing the resources to it. There are much bigger fish to fry.

 

[dans4420]

I have a good amount of computer knowledge but none in that field, so my question would be with all the traffic here would it slow this down, or cost more? if it absolutely hinders nothing then yes i agree you should pitch it to Fenway, but i would assume if it was that cut and dry they would already be doing it for such a low cost.

 

[draketungsten]

I've been in IT for the last 16 years, 9 years in the government running secure websites for fellow agencies or local governments to utilize. SSL does cause some overhead, but it is minimal. Unless INGO is running on some very slow and very old servers (which I don't think it is based on the performance in response I've gotten from the site), people won't notice the exta time for the encryption/decryption.

 

[hooky]

Oh, I'm under no delusion that they can break it. However, it takes X amount of resources to break it. Every transaction between a database and server or every analyst it takes to look at the results costs money. If the amount intel or benefit that they are getting out of breaking that SSL is far less than X, they won't bother committing the resources to it. There are much bigger fish to fry.

It can be broken with a warrant or subpoena where INGO is told to turn over all posts. It can be broken by a free membership to the site. The .gov doesn't have to intercept the data between your browser's data post and INGO servers, because INGO is storing what you're submitting and it's readily available to anyone who signs up for a membership here or subpoenas the information.

 

[draketungsten]

This is true. There are legal avenues to be able to read such data. However, a) a free membership is of limited value to identify the author of a post. There is no way for me to know who Hooky is short of a subpoena for the traffic data for the INGO webserver to trace it back to your IP address and then another subpoena to your ISP (warrantless wiretaps courtesy of the Patriot Act not withstanding or assuming you're not using a VPN with a random proxy exit).

Even though there are legal ways to access information, this is no reason to voluntarily give up your 1st and 4th amendment rights. It's those rights that force the powers to be to provide legal justification and probable cause to convince a judge to allow it to happen.

 

[hooky]

Again, all I'm saying is that an SSL connection won't keep you or your posts anonymous. You just laid out how to find out who is posting what.

Ask Liberty Sanders (or T.Lex) whether or not your posts on here can be easily used in a court proceeding.

 

[draketungsten]

Of course it can be. What police find in your home can be as well but does that mean you should open your doors and invite them in to see and take what they choose? Of course not. Our rights were written for a reason. They are not invulnerable.


This is the same reason the remaining Boston Bomber entered a non guilty plea today. The burden of proof rests on the government. They must prove that you have done something to an impartial judicial body before they are allowed to intrude upon your rights. By not exercising your rights as an american citizen you only hurt yourself and encourage other unwarranted intrusions.

 

[hooky]

Here's an idea, and it's only worth what you paid for it. Assume you have no privacy online. SSL won't save you.

 

[draketungsten]

When it all boils down my point is that we should take a vested interest in our constitutional rights and put forth a gesture in protecting those rights even if it is a weak and futile one. Sometimes lost causes are the only causes worth fighting for.

 

[pudly]

Here is a crazy idea. How about enabling SSL for the login page? I'd really prefer to not make it easy for anyone on the local network, my ISP, or random wireless sniffer at a coffee shop to be able to access my login credentials. I'm really not worried about the general traffic as this info is being posted on a public forum, but protecting my account is another matter.

And yes, basic SSL certs can be had rather cheaply.

 

[indymike]

Agreed on the need for SSL. A must for the login page but I'd also like it when doing PMs on deals and I'm sure many users would like the ability to surf the forums at work or other locations without worrying about our overlords knowing the content we are surfing. We all how people ignorant of firearms would jump to conclusions if an I.T. guy reported a "gun nut" in the office.

 

[Scutter01]

The login is hashed and encrypted. You are not passing your credentials in the clear. If you don't believe me, fire up your handy packet sniffer or Paros Proxy and see for yourself.

Also, SSL site-wide is possible, but unlikely. There's a not-insignificant amount of CPU overhead attached to encrypting each user session that will have to be paid for on the server side. There are ways to offload that to other systems, but those all cost money. The cost/benefit analysis does not justify an SSL front-end, especially given that essentially everything on the site is already publicly-accessible and certainly accessible by subpoena if it's needed for a legal case. Furthermore, even with SSL encryption, your company IT will almost certainly still know that you're browsing to "ingunowners.com" (even if they can't read the contents of the session) because of the way SSL encryption generally works. You're better off just not going to sites that violate your company's IT policies and saving your INGO browsing for when you're on your own time.

 

[indymike]

"even if they can't read the contents of the session"

That's my reason for wanting SSL. And not worried about any company policy, just worried about ignorance. Kind of like when the cops are called by a person who sees someone practicing open carry.

 

[Scutter01]

If you're that worried about your company spying on what you're doing on the internet, then SSL-encrypting your session is the least of your worries. You should be more worried that they feel the need to spy on you at that level, or that you're surfing INGO on company time, or any one of a dozen other things. Seriously, just browse at home and get back to work already.