Re: [ubuntu-studio-devel] Our website

[Hank Stanglow]

Count me in with those who thing everything should be encrypted, 
including email and SMS. Now that Let's Encrypt exists I can't see any 
reason not to use https. I just did a nmap of ubuntustudio.org and see 
that it's running Apache 2.4.7 on Ubuntu which I believe means 14.04 
(Trusty). Setting up Let's Encrypt on 14.04 is a bit of a hassle. I 
tried it for a few days before giving up and upgrading my server to 
16.04 to use the new and improved letsencrypt tool. It's works almost 
perfectly, you just need to make a script and cron job to renew the 
certificate every three months (there is a plan to make newer versions 
of the letsencrypt utility environment aware).


I would definitely contact the ubuntustudio.org webmaster and discuss https.


On 05/30/2017 01:07 PM, lukefro...@hushmail.com wrote:

Many feel that all of the Internet should move to https simply to remove
the usefulness of governmental bulk surveillance tools, many of which
cannot handle https for "off the wire" surveillance. Thus the existance of
things like the "https everywhere" extension for Firefox.

On 5/30/2017 at 3:12 PM, "Len Ovens"  wrote:

I had this conversation on IRC. Anyone know if this is a problem?
My web
understanding is old.


--
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel

Re: [ubuntu-studio-devel] Our website

[Len Ovens]

On Tue, 30 May 2017, Hank Stanglow wrote:

use https. I just did a nmap of ubuntustudio.org and see that it's running 
Apache 2.4.7 on Ubuntu which I believe means 14.04 (Trusty). Setting up Let's 
Encrypt on 14.04 is a bit of a hassle. I tried it for a few days before


As happens I have set up letsencript on 14.04 and found it easy. I use it 
for squirrelmail, but having read this, I will probably move the rest of 
my web pages into https as well.



--
Len Ovens
www.ovenwerks.net


--
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel

Re: [ubuntu-studio-devel] Our website

[lukefromdc]

First reason is to defeat Verizon's "UIDH" online tracking header 
https://www.verizonwireless.com/support/unique-identifier-header-faqs/
and no doubt to defeat similar tracking that other ISPs will roll out. They
are used as unblockable trackers for ad serving partners but do not work
with https because they require modification of content. I would not visit
any non-https website over Verizon mobile due to that header, and also 
would  not buy Internet service from Verizon mobile.

The UIDH header, unlike cookies, supercookies, and machine fingerprinting
cannot be blocked at the browser level The only defense is https, and if
enough of the net moves to https the incentive for other telecoms to develop
similar tracking schemes is ended.

In the same way,  https prevents an attacker from modifying a downloaded
file in  transit without replacing the certificate to decrypt the content and 
then re-encrypt it, which requires the replacement certificate.

That will trigger a warning in browser. A user who clicks through the warning
will still get the botted file. An example of such a modified file could be a
custom compiled binary claiming to be from almost any source that adds
a keylogger binary and a systemd unit to start it up on every reboot. 

Some years ago a Russian malicious Tor exit node was caught patching binary
files that moved through it other than via https, and Trobrowser now includes
the https everywhere extension due among other things to this form of attack.

Many feel that all of the Internet should move to https simply to remove
the usefulness of governmental bulk surveillance tools, many of which 
cannot handle https for "off the wire" surveillance. Thus the existance of
things like the "https everywhere" extension for Firefox.

On 5/30/2017 at 3:12 PM, "Len Ovens"  wrote:
>
>I had this conversation on IRC. Anyone know if this is a problem? 
>My web 
>understanding is old.
>
>---
>--
>06:11 < mchelen> any reason why ubuntustudio.org doesn't default 
>to HTTPS?
>07:56 < OvenWerks> mchelen: no idea.
>09:15 < mchelen> OvenWerks: it's not great security practice, 
>given that 
>there are links to .iso downloads (which are also HTTP)
>09:50 < OvenWerks> mchelen: that may be true, however, web page 
>setup is 
>not my thing. I am not sure who is doing web stuff right now.
>09:59 < mchelen> OvenWerks: ok, yeah I wasn't sure where to create 
>an 
>issue or anything
>09:59 < OvenWerks> mchelen: do you know if xubuntu's site is any 
>different? I think the same person worked on both
>10:01 < mchelen> OvenWerks: visiting http://xubuntu.org correctly 
>redirects to https
>10:04 < OvenWerks> mchelen: I will drop this coversation on the 
>dev 
>mailing list and see what comes from it.
>10:36 < mchelen> OvenWerks: ok thanks! hopefully its just a matter 
>of 
>creating a redirect
>---
>---
>My understanding, is that https is useful when personal info is 
>shared 
>over the net. ubuntustudio.org is, so far as I can tell, one way. 
>That is, 
>we provide info/files and the user DL them, they do not sign in or 
>give 
>comments or anything. Am I missing something?
>
>
>
>--
>Len Ovens
>www.ovenwerks.net
>
>
>-- 
>ubuntu-studio-devel mailing list
>ubuntu-studio-devel@lists.ubuntu.com
>Modify settings or unsubscribe at: 
>https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel


-- 
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel

[ubuntu-studio-devel] Our website

[Len Ovens]

I had this conversation on IRC. Anyone know if this is a problem? My web 
understanding is old.


-
06:11 < mchelen> any reason why ubuntustudio.org doesn't default to HTTPS?
07:56 < OvenWerks> mchelen: no idea.
09:15 < mchelen> OvenWerks: it's not great security practice, given that 
there are links to .iso downloads (which are also HTTP)
09:50 < OvenWerks> mchelen: that may be true, however, web page setup is 
not my thing. I am not sure who is doing web stuff right now.
09:59 < mchelen> OvenWerks: ok, yeah I wasn't sure where to create an 
issue or anything
09:59 < OvenWerks> mchelen: do you know if xubuntu's site is any 
different? I think the same person worked on both
10:01 < mchelen> OvenWerks: visiting http://xubuntu.org correctly 
redirects to https
10:04 < OvenWerks> mchelen: I will drop this coversation on the dev 
mailing list and see what comes from it.
10:36 < mchelen> OvenWerks: ok thanks! hopefully its just a matter of 
creating a redirect

--
My understanding, is that https is useful when personal info is shared 
over the net. ubuntustudio.org is, so far as I can tell, one way. That is, 
we provide info/files and the user DL them, they do not sign in or give 
comments or anything. Am I missing something?




--
Len Ovens
www.ovenwerks.net


--
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel