Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: Monastery login over http

by marto (Archbishop)
on Apr 25, 2018 at 12:00 UTC ( #1213523=note: print w/replies, xml ) Need Help??


in reply to Monastery login over http

"which one may share across many sites"

This should never be the case, people should not reuse passwords, which isn't to say this doesn't happen, but in the modern world with the tools available there's no sane reason for this.

In the interests of security there's no reason not to run the site (or any site) over https. Awareness of security is a big issue, always has been, and the general public are being made more aware, either by changes in applications (browsers warning them) or data breaches, well publicised hardware and software vulnerabilities, network shenanigans...

Tools and services exist to make this easier for users and administrators, (e.g. lets enrcypt/https everywhere). Even this doesn't seem to be enough. As long as go as yesterday, for a couple of hours, people ignored the big https error message, logged into what looked like their myetherwallet wallet anyway, resulting in a heist:

"Victims had to click through a HTTPS error message, as the fake MyEtherWallet.com was using an untrusted TLS/SSL certificate. The bandits have amassed $17m in Ethereum in their own wallet over time."

Another BGP hijack. You say you don't trust the networks you use, I know people who run their own VPN servers, exclusively for their own use, and route all their traffic over this, regardless of device or where they are, and even this doesn't protect from everything, as this example shows.

When do you stop? Hardware? At the moment, realistically a 'blobless' ARM based system is likely your best bet, but it's not a realistic option for most people at the right now.

Anyway, hammers are still pretty cheap.

Replies are listed 'Best First'.
Re^2: Monastery login over http
by Anonymous Monk on Apr 25, 2018 at 17:28 UTC

    (Web) technology can not solve the fundamental problem of trust. With hierarchical chain of certificates (control), one would have to tacitly assume the custodians have your best interests in mind.

      You seem to be asserting that secure communication online (and perhaps everywhere) is literally impossible and only appears to function through goodwill. Or do I misunderstand?

        Secure communication is possible, the question is who is in control. Abolishing that pesky 'net neutrality' and Let's Encrypt are two faces of the same coin. One will allow — no, not allow, it will obligate — the policing of content#1; the other will allow, in the long run, *all* ports to be locked down so that only certified content can flow.

        Basically, what is (or has been for quite some time now) happening is that the Internet is being upgraded from a dangerous Wild Wild Web place it is today into a Secure, Business-friendly platform of Content and News dissemination.

        Today, any site that potentially hosts media content needs to handle DMCA. Tomorrow, any site that potentially distributes tidings and news, must abide by similar policies so that Fake News (information that runs contrary to prevailing mainline news) can be swiftly corrected. Expect higher moderation costs and/or disabling of Anonymous, etc. Some of those costs may of course be recovered by installing ads and telemetry and so on.

        I know where you stand, Your Mother. After all, you're the one who likened Anonymous Monk to bums in another post.

        #1 But many industries like the Common Carrier model. Not going to be an easy fight.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1213523]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (6)
As of 2019-10-22 23:34 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Notices?