KRISTEN'S BOARD
KB - a better class of pervert

HTTPS vs HTTP - why every one of us here should care

NSABot · 1630

Offline NSABot

  • Not Yet A Pervert
    • Posts: 4
    • Woos/Boos: +2/-0
This is a repost of a comment reply I made earlier - but the topic is important enough that I think it deserves its own thread.

I wanted to let everyone know that IdleBoast's information about the importance of HTTPS is not correct and it negatively impacts the security of all users of this site.

I work in the computer security industry (which includes secure website design) and I felt compelled to create an account just to reply to this dangerous misconception in order to help keep all of my fellow kinksters safe.

HTTP vs HTTPS is not just about usernames/passwords - although that is very important obviously. You see, when a website is presented in HTTP only, everything on the website is visible to your Internet Service Provider (ISP). The ISP can literally read every story along with you, see every forum comment you make, look at any file you may download from an unsafe, unencrypted website.

Of course, they also see your username (or email address) and password in plain text.

One thing to consider is that most people reuse their password for more than one website. Maybe even their bank or PayPal accounts...

You should consider everything done on unsafe unencrypted sites to be the equivalent of sending a post card. Every postman along the route from your mailbox to Kristen's house can read exactly what is written on that postcard.

HTTPS is like doing a secret code cypher on your postcard to Kristen, then sealing your message in an envelope. After all what you have to say to Kristen is between you and her - nobody needs to read your letter - even if all it has is good, clean family stuff.

We all will generally spend the few coins to buy an envelope (since postcards need stamps anyway...) just for a simple letter to our mum. Our internet privacy is just as important.

Thanks to places like the "Let's Encrypt" project, website admins can now offer secure websites to their users for FREE. There is no catch and there is no excuse these days. Setting it up on a site takes a matter of minutes, and help is available if needed. I would even totally be willing to assist the webserver admin myself.

https://letsencrypt.org/

Just to be clear - I am not affiliated with Let's Encrypt in any way!

Anyway, in our online world the "mailman" here is the ISP or Internet Service Provider.

Now, when I say "ISP" you may think that definition is limited to Cox or Comcast or whoever - but that actually is too narrow of a way to think about it. An ISP is anyone you get your internet from at that moment.

These places are also types of ISPs:
  • A coffee shop
  • An airport
  • Your parent's / grandparent's house
  • Hotel internet
  • Your cellular carrier
  • Your work
  • McDonalds
  • Your neighbor with the "free" WiFi
  • I could go on and on...

In fact, everything you do can be seen by EVERY single network provider along the way from you to the server w/o HTTPS.

The point is any of these types of entities could not only get your password you may have reused elsewhere, they are also able to simply read along with you in real time as you go about your business on a site that does not encrypt your data.

The suggestion that users disable important security warnings has wider implications than may generally be realized. Turning off that feature impacts EVERY website people go to on their computer - not just one forum.

That security feature is there in part to alert folks when they may have accidentally gone to a malicious website that was made to look just like the real Wells Fargo website perhaps. These types of alerts are meant to protect users from these sorts of weapons used by criminals to steal money and personal information every day.

Telling users to turn off browser protections like this is unethical and dangerous.

Computer users that follow this advice are unlikely to have the technical knowledge to notice a malicious website before it's too late.

These warnings give us all a way to step back and think for a moment before pressing that "Submit" button. They are important and should not be disabled.

Instead, users should ask their favorite website operators to take the small amount of time required to secure their websites and the community's private data.

Thanks for reading. :-)

NSABot
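
Added example, not part of NSABot's post: the "postcard versus envelope" comparison above, shown on a constructed login request. The host name, path, cookie and form values are made up for illustration; the code only parses the embedded bytes and sends nothing.

```python
from urllib.parse import parse_qsl

# Constructed sample: a login form submitted over plain HTTP.
# Host, path, cookie and credentials are hypothetical.
RAW_HTTP_LOGIN = (
    b"POST /forum/login.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"user=alice&password=correct+horse%21"
)


def visible_over_http(raw: bytes) -> dict:
    """Everything a network along the route can read from a plain-HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # URL-decoding is not decryption: the password comes back as typed.
        form = dict(parse_qsl(body.decode("iso-8859-1")))
    return {"host": headers.get("host"), "method": method, "path": path,
            "cookie": headers.get("cookie"), "form_fields": form,
            "body_bytes": len(body)}


def visible_over_https(raw: bytes) -> dict:
    """The same request sent inside TLS: only metadata is left to observe."""
    seen = visible_over_http(raw)
    return {
        "host": seen["host"],      # still exposed by the DNS lookup and the TLS SNI field
        "approx_bytes": len(raw),  # ciphertext size roughly tracks plaintext size
    }


if __name__ == "__main__":
    print("HTTP :", visible_over_http(RAW_HTTP_LOGIN))
    print("HTTPS:", visible_over_https(RAW_HTTP_LOGIN))
```

Over HTTPS the site name and the amount of traffic remain visible, but the path, session cookie, username and password do not.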



Offline RopeFiend

  • The Cleaner
  • Super Freak
  • Burnt at the stake
  • ******
    • Posts: 5,396
    • Woos/Boos: +672/-30
    • Gender: Male
Reply #1 on: July 07, 2017, 04:08:26 AM

Only one 'gotcha' there - you're presuming that HTTPS support is *free* from all web hosts.  Ours charges for it... (I forgot what the added monthly fee is).

Other than that, I agree (mostly) with what you'd written, sans the scare tactics.

Let's get real, for just a moment.  The chance of anyone packet-sniffing and seeing your password is indescribably small, due to the HUGE MOTHERFUCKING bandwidth passed every day on the Internet.  Even the NSA can only look at a tiny percentage of the stuff that's out in the clear, and they have to target specific IP addresses that they're interested in or they get utterly overwhelmed.  ISPs don't have ANYTHING like the kind of packet-sniffing horsepower that the NSA (and Microsoft) does.  ISPs have a shitpile of big routers, but no real ability to monitor the traffic except for a few IP addresses of interest.  If you're already on the radar to receive special attention due to your 'purported' criminal activities, then yeah you're probably up shit creek.  The rest of us don't have to worry.

Everything on *this* board is legal (and safe) under US law: it's all fantasy.  Fantasy is protected by our Supreme Court.  There's no warez here, no kiddo porn, nothing illegal under US law.  None of the admins or mods want to have the feebs knocking on our doors, so we take a vested interest in keeping the place safe to surf.  If you're in a backwards country that makes stories (and the occasional nudie image) illegal, then I suggest you surf using an anonymous proxy.  Several are free and easy to use here:
http://www.rosinstrument.com/cgi-proxy.htm
(check the box that says "select random proxy only from secure HTTPS list")

That covers the handful of our members that live under a nanny regime.


Here's how hard it is with the rosinstrument link above:




If one bookmark is too hard for any of our members, then they need to go to disney.com.  ;D
« Last Edit: July 07, 2017, 04:26:38 AM by RopeFiend »

Remember the Golden Rule: you do me, and I'll do you (paraphrased)


Offline NSABot

  • Not Yet A Pervert
    • Posts: 4
    • Woos/Boos: +2/-0
Reply #2 on: July 07, 2017, 07:32:20 PM
Listen, this isn't about fear-mongering. For users, this is about privacy - while for ISPs this is about money.

"There probably isn’t someone sitting behind his desk at your ISP watching every click you make, but that doesn’t mean your browsing history isn’t getting stored somewhere on their systems.

Your ISP tracks your clicks for a number of reasons. For them, your browsing history is a revenue stream."
  - http://privacypolicies.com/blog/isp-tracking-you/

ISPs already are logging every website we go to as well as every other bit of data they can gather on our online behavior. They then use this data for custom marketing, and to sell to other marketing firms. They have an economic incentive to collect as much data as they can. This means that you no longer have to be a bad guy with something to hide in order for your internet traffic to be collected by various parties. You don't have to take my word for it either - here are several articles saying the same thing from sources across the political spectrum.

http://www.foxnews.com/tech/2017/03/30/how-will-isps-collect-and-sell-your-browser-history.html

https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/

https://www.washingtonpost.com/news/the-switch/wp/2017/03/29/what-to-expect-now-that-internet-providers-can-collect-and-sell-your-web-browser-history/

HostGator (where it looks like this board is hosted) charges $10 to install a certificate you bring them yourself. They charge $50 to install a certificate they generate for you - set it and forget it.

I just want people to understand the implications there are when they use unsafe, unencrypted websites everywhere on the entire web (not just this forum).

I also wanted to draw attention to the dangerous unintended consequences of the advice I was seeing here when folks were trying to help each other "solve" the problem - that caused me great concern.

I want to end with a good summary of why I think forum members should at least think about this a bit before dismissing it as unimportant in this instance, or in their lives.


Why Should You Care?

The obvious question here is, what does it matter? We’re advertised to all day long on the Internet, what’s a few more targeted ads? And who cares if the government uses ISP information to bust some criminals or crack down on terrorism.

That’s a good thing, right?

If only it were that simple. For most people, knowing the government could view our online activity probably doesn’t seem too scary. But if you live under an oppressive government, even seemingly innocent online activity can be very dangerous. Plus, in an era of almost-daily data breaches, assuming your information is safe with anyone is naïve at best. Even ISPs can be affected.

So take a moment and think about everything your ISP could potentially know about you. Maybe you use BitTorrent to download the occasional copyrighted song or movie. Maybe you’ve been viewing sites you would prefer your family not know about. If you did some research on cancer warning signs, would you want your health insurance provider to know? And do you really want your boss to find out how actively you’re looking for a new job? Your browsing history says a lot about you, and most of us would prefer that it stayed between us and our computer.

Since your Internet Service Provider stands between you and everything online, you can’t completely hide from them. The best you can do is confuse them by covering your tracks.

http://privacypolicies.com/blog/isp-tracking-you/



Offline herschel

  • Freakishly Strange
  • ******
    • Posts: 1,703
    • Woos/Boos: +222/-1
Reply #3 on: July 07, 2017, 08:34:21 PM
Thanks NSAbot. Now that you're a member, you're welcome to stick around, enjoy the show.



IdleBoast

  • Guest
Reply #4 on: July 07, 2017, 09:18:48 PM
Quote from NSABot: "I wanted to let everyone know that IdleBoast's information about the importance of HTTPS is not correct and it negatively impacts the security of all users of this site."

Huh? My information?

I recall asking a question...?





Offline herschel

  • Freakishly Strange
  • ******
    • Posts: 1,703
    • Woos/Boos: +222/-1
Reply #5 on: July 07, 2017, 10:15:21 PM
Well in any case, thanks for bringing it up. Discussions like this are always useful. (As distinguished from political discussions, where no minds are changed.)



Offline watasch

  • Deviant
  • ****
    • Posts: 442
    • Woos/Boos: +46/-4
    • Gender: Male
Reply #6 on: July 08, 2017, 05:39:09 PM
I agree with the discussion and the information passed.  Now if folks can voice their disagreement without resorting to such things as insults.  If you disagree, state your reason for the disagreement, not that the writer is a jerk or such.

Look forward to more "information" as it comes along.  Thanks NSABot!



Offline Lois

  • Super Freak
  • Burnt at the stake
  • ******
    • Posts: 11,156
    • Woos/Boos: +766/-56
Reply #7 on: July 12, 2017, 05:48:55 PM
Sorry, but us going https is not going to prevent anyone from checking your browser history.  That is totally separate.

Furthermore, if you don't want bots seeing your email address, don't make it visible.  Plus, only registered members have access to profiles on this board.  The Google bot is not registered, so it cannot see or index this information.

However, if https is so important to you, we will go that route if you pay for the service.  Please PM me and I will provide you with details on how to send me the money.



Offline GEMINIGUY

  • "I'm Rockin' My Life Away..."
  • GG
  • Burnt at the stake
  • *****
    • Posts: 18,275
    • Woos/Boos: +508/-59
    • Gender: Male
Reply #8 on: July 12, 2017, 07:45:25 PM
I've mentioned before, I can't use HTTPS. I can no longer get on some sites because of them changing to HTTPS.

"If it's good enough for the Gemini Guys
Then it's good enough for me" - Adam Ant


Offline Lois

  • Super Freak
  • Burnt at the stake
  • ******
    • Posts: 11,156
    • Woos/Boos: +766/-56
Reply #9 on: July 12, 2017, 08:53:39 PM
I had no idea GG.



Offline GEMINIGUY

  • "I'm Rockin' My Life Away..."
  • GG
  • Burnt at the stake
  • *****
    • Posts: 18,275
    • Woos/Boos: +508/-59
    • Gender: Male
Reply #10 on: July 13, 2017, 01:17:16 AM
Eh... Times are a-changing.



Offline Lois

  • Super Freak
  • Burnt at the stake
  • ******
    • Posts: 11,156
    • Woos/Boos: +766/-56
Reply #11 on: July 18, 2017, 02:16:32 PM
Quote from IdleBoast:
"Quote from NSABot: 'I wanted to let everyone know that IdleBoast's information about the importance of HTTPS is not correct and it negatively impacts the security of all users of this site.'

Huh? My information?

I recall asking a question...?"


And no response to me either.  He said he's a 'bot. 



Offline NSABot

  • Not Yet A Pervert
    • Posts: 4
    • Woos/Boos: +2/-0
Reply #12 on: July 27, 2017, 11:38:56 PM
Sorry IdleBoast - I made a mistake about who the original poster was or who was advising folks to disable the HTTPS alert. My bad!

At any rate, I didn't mean to call anyone out specifically. I just intended to get the info out there for community discussion.

Apologies!



Offline Newspeak

  • New Pervert
  • *
    • Posts: 13
    • Woos/Boos: +1/-0
Reply #13 on: August 28, 2017, 08:05:26 PM
My $0.02:

The problem of writing a story on this site is minimal, unless you come from a restrictive country, such as Iran or China, but a proxy could solve it.

The bad thing here is the unencrypted message, so do not leak your personal identity here; it would be dangerous.