Are there any reasons for a government website to not support https in 2021?
October 2, 2021 at 4:34 am #122379
-
October 2, 2021 at 4:38 am #122381
Anonymous
Guestthere are no decent reasons for any website to not support https in 2012.
-
October 2, 2021 at 6:12 am #122465
Anonymous
GuestThe crazy thing is they do support HTTPS. They have a server supplying that redirect page on HTTPS.
> From the Government’s perspective:
How much money can I cut before the public starts bitching about it?
The number of staff should be bare minimal.
Keep cutting until the lack of warning from the next weather woke af disaster (floods, storm, cyclone, etc) highlights the bare skeleton crew that has to run show…
After which, I MAY provide a short term increase in funding, but only to core delivery staff.
> From the perspective of core ground/delivery staff
Our job is to maintain sensors, make sure the data is sane, update models for better forecasts. I spend most of my time reading research papers and either test/integrate new methods into our own models and compare outputs against observations, or work in the lab to calibrate/improve existing sensors or create sensors for things we are interested in and are unable to measure remotely as of yet. I don’t care about the details of the system delivering data to the public as long as it works and as long as it is simple on my end.
> From the perspective of the only IT staff responsible for the website
The cluster responsible for doing the daily forecasts has another NFS issue that requires urgent attention. There is a request to transfer ~2 PB of historical hindcast data (half of which have incorrect filenames or metadata as they were produced whilst the code was in testing) to NCI. Whilst there are demands to update the visualization and to provide REST APIs to access the data, not one stakeholder who makes these demands offers a single dime to help upgrade or pay for additional staff to deliver any upgrades (and taxes barely cover what you have now). Thus you get the bare minimum required by our charter. You get a website delivered from a random desktop. Data is pushed as a cron job daily to this server. For data access, you get FTP access and no documentation to explain the directory structure cause quite frankly it’s not my job…
-
October 2, 2021 at 6:16 am #122469
Anonymous
Guest>glowie explains why the weather machines have been on the fritz
-
October 2, 2021 at 6:19 am #122470
Anonymous
Guestmore like, these dumb .gov scrotes would rather spend $1000/yr on a TLS cert that some fat negress in HR fails to renew, grinding the whole TLS-crypto to a halt, than let a white man slap let’s encrypt on there so that user credentials aren’t transmitted in plaintext over the internet
i’m not exaggerating when i say that it took 5 years to secure a freaking login form
-
October 2, 2021 at 6:26 am #122477
Anonymous
Guest>5 years to secure a freaking login form
i thought college was bad-
October 2, 2021 at 6:29 am #122479
Anonymous
Guesti could’ve done it in 15 minutes but it took at least 4 wordpress hacks to wear down my manager enough to say, "i guess it’s easier to do LE than it is to request an https cert, wait for approval, dick around for 4 months, consider installing it, and finally encrypt the freaking site after i take 3 vacations and the HR cunt takes another 2 vacations before communications looks at it and asks IT whether we should do it, then the IT manager takes a vacation and gets back to my manager in 2 months, who finally decides that yes, we can add https to the site"
-
October 2, 2021 at 6:46 am #122480
Anonymous
Guestlmao how can someone be using WordPress but also have such a convoluted bureaucracy letting literally the entire office bikeshed over shit that doesn’t concern them
-
October 2, 2021 at 6:54 am #122481
Anonymous
Guestdunno. now that i set it up to auto-update, all i gotta do at my job now is sit around and get pinged by scrotebrains so i can email them their passwords in plaintxt. it’s a sweet deal but .gov is bonked beyond belief, i wouldn’t mind except they started with vax mandates and anti-white classes, now i have to take a chinese virus test every week, and if i pass, i have to tak 2 weeks paid sick leave, because apparently everyone forgot how to work from home after doing it for 15 months
-
October 2, 2021 at 4:39 am #122383
Anonymous
GuestAre there any decent reasons for a bureau of meteorology site to encrypt your connection?
-
October 2, 2021 at 4:47 am #122392
Anonymous
Guestimagine getting a MITM’d weather forecast
-
October 2, 2021 at 5:11 am #122403
Anonymous
GuestIt’s a good thing that nothing in Australia is important
-
-
October 2, 2021 at 4:50 am #122394
Anonymous
GuestThis. HTTPS is bloat.
-
October 2, 2021 at 5:00 am #122395
Anonymous
Guestbecause if everything is encrypted (and there’s no good reason for it not to be) then the things that do need encryption won’t stand out.
-
October 2, 2021 at 5:02 am #122396
Anonymous
GuestWhy would it matter if they stood out?
-
October 2, 2021 at 5:03 am #122398
Anonymous
GuestSo that that traffic that """needs""" encryption can be more closely monitored.
Also to
‘s point, just because the information is publicly-accessible doesn’t mean it doesn’t """need""" encryption. Why should anyone else get to know that I looked up the weather?
-
October 2, 2021 at 5:04 am #122399
Anonymous
GuestWhy does it matter if they monitor the traffic if it’s encrypted?
-
October 2, 2021 at 5:05 am #122400
Anonymous
GuestIf encryption makes monitoring irrelevant, then why shouldn’t all web traffic be encrypted 100% of the time to preclude it?
-
October 2, 2021 at 5:09 am #122402
Anonymous
GuestBecause most traffic isn’t worth monitoring.
-
October 2, 2021 at 5:12 am #122406
Anonymous
GuestSays who, you?
SHALL NOT BE INFRINGED-
October 2, 2021 at 5:13 am #122410
Anonymous
GuestIt’s a government website, my man.
-
-
October 2, 2021 at 5:13 am #122408
Anonymous
GuestThat doesn’t mean they don’t do it anyway.
This is a bit like saying "Well, I won’t apply security patches on my computer. I don’t need them, I’m unlikely to be attacked." Which is a.) stupid and b.) not even saving you much effort, since you can just run one command. The same is true of using HTTPS.
Also, that chucklefuck says:
>None of those things are my problem. If people don’t want to see my site with random trash inserted into it, they can choose not to access it through broken and/or compromised networks.
The internet is a broken and/or compromised network. Which is why anyone who puts a site on it should serve it through HTTPS. In any case, at some point he won’t have a choice, browsers will refuse to load it if they can’t negotiate encryption.-
October 2, 2021 at 5:15 am #122412
Anonymous
Guest>This is a bit like saying "Well, I won’t apply security patches on my computer. I don’t need them, I’m unlikely to be attacked."
I should have expected you were an updooter. -
October 2, 2021 at 5:15 am #122415
Anonymous
Guest>use https or you will be h4x0r3d
compelling argument-
October 2, 2021 at 5:20 am #122418
Anonymous
GuestWhy wouldn’t you? It no longer costs anything and there’s no longer any significant speed penalty. It takes a few minutes to set up. Do you lock your doors when you go out? I do. It’s unlikely anyone will come and try the knob and steal shit from me if I don’t, but so what? It takes five seconds to protect against it.
-
October 2, 2021 at 5:26 am #122425
Anonymous
GuestMore like,
>Do you wear a full body disguise and erratically drive to throw off potential surveillance operations when going out in public?
>Why not? You’re basically scrotebrained if you don’t. And it’s free. -
October 2, 2021 at 5:35 am #122428
Anonymous
Guestfuck off glowscrote you can have a https certificate for free nowadays
-
October 2, 2021 at 5:35 am #122429
Anonymous
Guest>if you don’t install this cert, you’re going to get mugged
-
October 2, 2021 at 5:37 am #122432
Anonymous
Guestwhy didn’t you use that same logic when taking the vax scrotebrain
-
October 2, 2021 at 5:42 am #122434
Anonymous
Guestthat very analogy has been used before, and way before the wu flu.
https://scotthelme.co.uk/https-anti-vaxxers/ -
October 2, 2021 at 5:50 am #122440
Anonymous
Guesthttps is good
vax is bad
simple as -
October 2, 2021 at 9:21 am #122508
Anonymous
Guestlunduke is right though:
certs expiring is obnoxious (and dangerous)
certs are easy for bad guys to spoof (i.e. corps, police and state gov) and it’s only slightly harder for malicious or benevolent "hackers" to do the same.
what lunduke doesn’t mention, but he should, is that the centralization of power in a certificate "authority" is in itself a threat – for censorship, surveillance, and many other social ills.
perhaps instead of https we should have adopted a cryptonet like tor/i2p, but now it is already too late.
-
October 2, 2021 at 9:24 am #122511
Anonymous
Guest>centralization of power in a certificate "authority" is in itself a threat
Then it’s a really good thing that the majority of certificates are issued by a fully transparent nonprofit organization. -
October 2, 2021 at 9:33 am #122513
Anonymous
Guesta "nonprofit", but power corrupts.
transparency has always been a lie and a meme. -
October 2, 2021 at 9:38 am #122532
-
October 2, 2021 at 9:52 am #122533
Anonymous
GuestWhy do we even have certs for the web in the first place? You don’t need them if all you want is encrypted traffic.
And the "identity verification" part is pretty much obsolete. You can get them for free. And even those paid ones are never checked thoroughly. You can’t trust the 3rd party to verify the identity correctly anymore. That’s why browsers stopped showing a green bar. Cause it’s a false sense of security.
-
October 2, 2021 at 11:37 am #122534
Anonymous
GuestYou’re confusing authentication and encryption. The only thing a TLS certificate proves (authenticates) is that the person it was issued to did have control of the respective domain **or** website at the time of issuance.
It does not prove that you’re connecting to the right server or that the website hasn’t been compromised.
The encryption part helps guarantee that nobody has tampered with the communication between you and the server.
You seem to criticize some imaginary TLS guarantees but there really aren’t any, that’s all there is to it and the certificates do deliver on their promises.
-
October 2, 2021 at 11:54 am #122537
Anonymous
Guest> is that the person it was issued to did have control of the respective domain **or** website at the time of issuance
Yes, that’s what I meant with identity verification. And it’s also completely useless in the context of the web.
Honestly I don’t understand why browsers don’t allow self signed certs. If all you want is encryption that’s enough.
-
October 2, 2021 at 11:59 am #122539
Anonymous
GuestBecause anyone can self-sign certs for any domain and users have no idea whose self-signed cert is presented to them since every cert is as valid as all the others.
-
October 2, 2021 at 12:06 pm #122541
Anonymous
GuestYes but why would I care about that? What sort of attack could a hacker do to take advantage of this? My traffic is still encrypted, right?
-
October 2, 2021 at 12:11 pm #122542
Anonymous
GuestThe attacker may sit between you and the website, reading all the traffic and changing it as they want, simply because the certificate for "websi.te" might have been presented to you by the attacker, not by the website.
This is trivial stuff, not CIA conspiracy theories. -
October 2, 2021 at 5:36 am #122430
Anonymous
Guest>Do you wear a full body disguise and erratically drive to throw off potential surveillance operations when going out in public
you don’t? -
October 2, 2021 at 5:36 am #122431
Anonymous
Guesti dress as a woman in public
j-just in case -
October 2, 2021 at 5:40 am #122433
Anonymous
Guest>glowie running up to an empty cabin radioing for backup
>the hon is out of the base i repeat the hon is out of the base -
October 2, 2021 at 11:51 am #122535
Anonymous
Guest>use https or you will be h4x0r3d by non 5eye actors
ftfy good sir
-
-
October 2, 2021 at 5:20 am #122421
Anonymous
Guest>at some point he won’t have a choice, browsers will refuse to load it if they can’t negotiate encryption.
That will be great. You won’t be able to use self-signed certs either because those are A Bad Thing™ so it will be yet another way for people to get deplatformed.-
October 2, 2021 at 5:26 am #122423
Anonymous
GuestSelf signed certificates are a bad thing though because the certificate signing system is secure woke af on government secured third parties
The only alternative is to have a content management and routing system that doesn’t rely on a trusted third party.
Even if you use IPFS to serve your entire website and memechains to change state, users still need to learn that your service exists through a trusted third party. -
October 2, 2021 at 5:31 am #122427
Anonymous
Guestif your argument is that the CA/PKI system is scrotebrained, that I agree with you on. It was designed by ITU bureaucrats in the 80s and X.509 is actually one of the less-obtuse parts of it, incredibly.
The only alternative is to have a content management and routing system that doesn’t rely on a trusted third party.
Even if you use IPFS to serve your entire website and memechains to change state, users still need to learn that your service exists through a trusted third party.
is wrong, the "authentication" provided by CAs is meaningless and never should have been there, and once you’ve dumped that there’s no reason to bother with certs and signing at all. Both sides should just do DH and set up encryption only.
>users still need to learn that your service exists through a trusted third party.
That’s called DNS, and we don’t need CAs for it.
But, y’know, it’s the system we have, and it’s easier to route around it with something like Let’s Encrypt that admits the authentication is meaningless and just gives anyone an automated cert if they can prove they control the domain. As opposed to replacing it wholesale. (look how that went with IPv6)
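Added example, not part of any post in this thread: a Python model of the "just do DH, encryption only" handshake proposed above, run with an on-path party of the kind another reply describes as sitting "between you and the website". The group parameters, function names and the `expected_fp` check (a stand-in for the key-to-name binding a CA-signed certificate supplies) are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only (assumption:
# real TLS uses standardized groups or elliptic curves, not these values).
P = 2**255 - 19  # a known prime
G = 2


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a symmetric key from our private value and the peer's public value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(pub):
    """Hash of a public value, used here as the authenticated identity."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()


def client_handshake(client_priv, offered_pub, expected_fp=None):
    """Client side of the exchange.

    offered_pub is whatever arrived on the wire. expected_fp models the
    binding between a name and a key that the client learned through a
    channel the on-path party does not control. With expected_fp=None the
    client accepts any key, as with an unverified self-signed certificate.
    """
    if expected_fp is not None and fingerprint(offered_pub) != expected_fp:
        raise ValueError("offered key is not the one bound to this name")
    return session_key(client_priv, offered_pub)


def simulate(authenticated):
    """Run one handshake while an on-path party swaps in its own public value."""
    server_priv, server_pub = keypair()
    client_priv, client_pub = keypair()
    middle_priv, middle_pub = keypair()
    expected = fingerprint(server_pub) if authenticated else None
    try:
        # The client receives the substituted value, not the server's.
        client_key = client_handshake(client_priv, middle_pub, expected)
    except ValueError:
        return "rejected"
    middle_key = session_key(middle_priv, client_pub)
    server_key = session_key(server_priv, middle_pub)
    # The client's key matches the on-path party's, not the server's.
    if client_key == middle_key and client_key != server_key:
        return "intercepted"
    return "direct"
```

Without the fingerprint check the client completes an encrypted session with the party in the middle; with it, the substituted key is refused before any key is derived.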
-
October 2, 2021 at 5:44 am #122435
Anonymous
GuestI really doubt Let’s Encrypt will continue handing out certs to everyone without bias forever. We’re already at a point where your browser gives you excessive grief over both unencrypted connections and self-signed certs. Once nobody has a choice they’ll have all the power. I get very strong early Google vibes from them.
-
October 2, 2021 at 5:49 am #122438
Anonymous
Guestso you can use someone else. Since I happen to still have the tab to that site open, here’s two other choices that use the same automation LE does.
https://scotthelme.co.uk/having-a-backup-ca-for-lets-encrypt/
https://scotthelme.co.uk/introducing-another-free-ca-as-an-alternative-to-lets-encrypt/ -
October 2, 2021 at 5:53 am #122444
Anonymous
Guest>encryption only
Certificates are exclusively about the server validating its authenticity to the user; i.e. "letsencrypt performed a satanic ritual so it’s definitely you"
How would you verify that the server returned by 9.9.9.9 is actually dragon dildos.com?
"dude trust me"? -
October 2, 2021 at 5:54 am #122447
Anonymous
Guestbecause dragon dildos.com actually sends you big cocks
-
October 2, 2021 at 5:56 am #122450
Anonymous
Guest>how do I be sure that the IP I’m connecting to is the website I think it is?
DNSSEC -
October 2, 2021 at 6:00 am #122456
Anonymous
GuestSo I should assume that the user has DoH or some kind of meme DNS over IPFS set up?
Isn’t there a fundamental issue design issue here? The party who is most concerned with being attacked should also be the most concerned about defending themselves from attack, and maximize the length of a chain of vulnerabilities.
I don’t rely on cops to protect me from oogaboogas and neither should you.
-
October 2, 2021 at 6:02 am #122460
Anonymous
GuestWhich is why every website should only be served through Tor or some similar anonymizing network.
Anything less is just not responsible security practices. -
October 2, 2021 at 6:02 am #122462
Anonymous
Guest>>So I should assume that the user has DoH
well yeah, everyone should be using that (or DoT or DNSCrypt or…) just like everyone should be using HTTPS for web pages. -
October 2, 2021 at 6:12 am #122466
Anonymous
GuestIsn’t there a huge hole in your plan? There are tons of cloud services operating on subdomains.
DNS encryption is a shitty solution for all multi-tenant DNS, which is all clouds and anyone using Kubernetes -
October 2, 2021 at 6:15 am #122468
Anonymous
GuestEven further, certificates can be internally signed by organizations using their own bureaucratic processes and used to identify the routes of production servers vs a server spun up by a glow in the dark.
-
-
October 2, 2021 at 6:23 am #122475
Anonymous
GuestOh, we live in a freaking clown world.
While everything is encrypted, I’m supposed to visit sites with a hugely complex piece of software that’s full of possible exploits, downloading megabytes of turing complete code for "user experience" over a protocol so extensible, everyone and their mom had a go at it, so it too is wildly complex.
TLS itself has become somewhat mature though. I like how it’s starting to patch over the mess that is PKI. Oh, and "security appliances" can still decrypt your shit. Never ever look at your trusted CAs.
-
October 2, 2021 at 5:07 am #122401
Anonymous
Guest -
October 2, 2021 at 12:15 pm #122544
Anonymous
GuestNo one of any importance needs to monitor traffic.
They can just subpoena the site for logs.
-
October 2, 2021 at 4:40 am #122385
Anonymous
Guest>serves a page about not supporting connections over https
>while connected over https -
October 2, 2021 at 4:44 am #122387
Anonymous
GuestIt probably doesn’t support HTTPS because a lot of old services and programs connect to their servers that haven’t been updated to support secured connections.
-
October 2, 2021 at 4:44 am #122390
Anonymous
Guestthis is how they hide weather machines
-
October 2, 2021 at 4:48 am #122393
Anonymous
GuestScience is public.
-
October 2, 2021 at 5:02 am #122397
Anonymous
Guest>83628538
jesus christ that glow -
October 2, 2021 at 5:11 am #122405
Anonymous
Guesthttps is a meme
-
October 2, 2021 at 5:49 am #122436
Anonymous
GuestAustralia’s BOM being http only has been a meme for years. I can’t believe they don’t fix it even if it’s just to stop people asking about it.
The crazy thing is they do support HTTPS. They have a server supplying that redirect page on HTTPS.
-
October 2, 2021 at 5:51 am #122442
Anonymous
Guestyeah it would cost money to change it. the government has a responsibility to not tax the public unless it is for a significant cause.
hiring someone to switch the BoM, and all services that interface with it, to https is not at all significant. there is a high risk of something going wrong, some legacy system breaking, and very little upside.
-
October 2, 2021 at 6:01 am #122458
Anonymous
Guest>the government has a responsibility to not tax the public unless it is for a significant cause.
lmao
The federal government isn’t funded by tax payer dollars. Taxation exists to control inflation, keep you poor and beholden to the garden gnomes that control the money supply.
Changing a website to https is a better use than most government expenditure anyway because it doesn’t actively harm the population. -
October 2, 2021 at 6:10 am #122464
Anonymous
Guest>there is a high risk of something going wrong, some legacy system breaking, and very little upside.
Just don’t do 301 redirect to https and specify 301 to http for those "old legacy parts".
If 9.9.9.9 manages to convince the CA to give the same cert, your PC will trust it. This is an architectural flaw in PKI, however some CAs did lose their status when their deeds became public, and BTW, Google et al. pushes to make CAs publicly display every cert they sign.
-
-
October 2, 2021 at 6:15 am #122467
Anonymous
Guestscrote I just implemented HTTPS on a .gov site that handles user credentials after trying and failing for 5 years, and I was only allowed to do so because one of the wordpresses got hacked so thoroughly that 5 russians made themselves admin accounts. If we weren’t .gov, we’d be out of business decades ago, but because we’re .gov, money is infinite so it’s impossible to fail.
-
October 2, 2021 at 6:24 am #122476
Anonymous
Guesthttps is a freaking meme
when’s the last time someone was actually victimized by a MITM attack over http? like, in real life? and not a hypothetical?
WDTMH
-
October 2, 2021 at 6:26 am #122478
Anonymous
GuestIt’s an information portal. You are not sending any data to it, and the data you are being sent is public and can be gathered from a number of API and other sources.
Why does it need to be secure?
-
October 2, 2021 at 7:15 am #122482
Anonymous
Guest>Are there any reason … to not support https … ?
To avoid fuckups like the current LetsEncrypt root certificate shit going around right now.-
October 2, 2021 at 7:25 am #122483
Anonymous
GuestThat’s not a fuckup. A certificate expired, exactly as intended.
-
October 2, 2021 at 7:48 am #122485
Anonymous
Guest>To avoid fuckups like the current LetsEncrypt root certificate shit going around right now.
what a dumb cunt. -
October 2, 2021 at 7:57 am #122488
Anonymous
Guestthey could at the very least offer self-signed
also i’m pretty sure governments have their own roots-
October 2, 2021 at 8:02 am #122503
-
-
-
October 2, 2021 at 9:12 am #122507
Anonymous
Guestcompatibility for old (really old) industrial/scientific appliance that cannot run modern encryption like tls
-
October 2, 2021 at 11:52 am #122536
Anonymous
Guest[…]
>mass reply
>shit opinion
Eat shit scrote-
October 2, 2021 at 12:22 pm #122545
Anonymous
GuestNot against the rules so suck my cock scrote, make me stop
-