Suggesting TLS encryption and SSL certificate for PiratesAhoy

[Sheepie]

Hey guys/gals, just wondering when are we getting an encrypted connection to the website? Right now I'm uncomfortable using plain HTTP and sending credentials unencrypted. So how about adding a certificate and TLS? just my twocents.

 

[The Nameless Pirate]

There is a version of the site with HTTPS:
PiratesAhoy!

But beware of this:
Solved - Getting logged out when pressing the home button

 

[Sheepie]

There is a version of the site with HTTPS:
PiratesAhoy!

But beware of this:
Solved - Getting logged out when pressing the home button

Just add an s after http does not solve the problem. the connection is still partially secure.

 

[The Nameless Pirate]

Just add an s after http does not solve the problem. the connection is still partially secure.

True, I thought that it was secure.
Though, I haven't been on the https site in a while, so I may be misremembering.

 

[Cerez]

I hate using SSL just for the sake of using it. It slows things down considerably and makes the site quite inaccessible on slow connections.

Are you really that worried that an advanced hacker might hijack your PA! account? If it did happen (the chances of which are negligible if you take care not to make your email and login details public), all you'd have to do is create a new account and inform the staff. They could reset the password and/or change the email address for your account, and voila, problem solved.

HTTPS was designed with credit card transactions in mind -- you know, actually private and confidential information. Not ordinary online user accounts, and certainly not for every frickin' website in existence!

To be clear, I'm not mocking you, I'm saying all this to you with friendly intentions. I have considerable working experience in web design and development as well as server environments, and I hate to see it all go where it's headed.

That being said, we should be aware that Google is forcing everyone to switch to HTTPS and they intend to eventually penalise sites in their Google Search ranking system who haven't switched. A big hurray for evil corporations, in control of our lives...

 

[DavyJack]

Wait, can they really do this?

 

[Cerez]

Wait, can they really do this?

Yes, about the same way that a burglar can break into your house: theoretically, more than in practice. Using HTTPS everywhere is akin to placing guards around every house because you never know when a burglar might try to break into one of them. (And the guard analogy works well, because the guards are set there not just to protect your property, but also to keep a watch on your activities, as I'll explain shortly.)

The only people truly capable of this are hackers working for Internet Service Providers (the companies that are providing you with Internet access). The better question is why on earth someone would go to such lengths while you are using a regular website. What could they possibly have to gain from all that effort? (Don't worry, your thoughts are not that important. )

All this is a scare-tactic to get the public to do what the company wants them to do, which is to encrypt the whole net -- because that means that companies can better collect and hoard information about you without your knowledge. It actually does exactly the opposite to what it promises -- by putting your personal information under the control of companies/corporations:

If the information they collect about you is encrypted, it is harder to trace.

Note that none of this, even with HTTPS, means that you're truly safe from anyone listening in on your conversations. Governments and corporations always have that power (even when this is legislated against).

Any piece of technology can and will be abused by people, sooner or later.

But by putting all of the web under encryption, companies are doing more to take away from people's freedom, privacy, and rights on the Internet, by making the whole thing less transparent and closed. There is very little to absolutely no benefit actually to gain from doing this for regular website use, and for the protection of regular user accounts and online conversations.

As usual, people are being exploited by their lack of awareness/knowledge, and Google, as usual, is being very aggressive in their efforts to control public perception and social habits.

 

[Cerez]

Also note, guys, that the Internet has worked for over 20 years without general websites being encrypted, and the same technology has been available to hackers all this time. It's not like you're in any real danger without HTTPS.

Practically the only time you actually need to watch out for having valid HTTPS (encryption) is when you're entering/sending credit card information, or such highly personal information (that you shouldn't even be putting online in the first place) -- which is what HTTPS was created for, to add an extra layer of protection to the sharing of such exploitable, delicate information.

 

[Cerez]

People should be more aware of and careful about the following.

This is an independently produced, satirically honest presentation, using relevant, real-life data, about how Facebook collects personal information about every one of its users:

So what does Facebook have to benefit from HTTPS? A lot! It means that whatever information it collects (and sells behind the scenes) is done so without the general awareness of the public, and much harder to acquire and track while it is happening. It allows Facebook to do what they want to do in taking away people's privacy and freedom.

This is why corporations like Google want the whole web encrypted -- because it means they can track you wherever you go without anyone really knowing about it. It gives them freedom to exploit you.

Kind of changes the perspective, doesn't it?

Suddenly that lone-person hacker simply looking to steal your credit card information doesn't feel so threatening.

(Personally, I'd rather have that danger than have to face this on the net... )

 

[Cerez]

I'll also mention for anyone looking to keep their Internet activity wholly secret (which is your valid right to privacy), the Tor Browser is a community funded effort to allow this (to a certain extent).

What it does is channel your Internet connection through public hubs so that ISP's (and corporations and governments) will have it difficult to track your activity. It also automatically erases all hiddenly stored information on your computer (such as browsing history and cookies) when you end your browsing session and quit the browser.

 

[Sheepie]

I hate using SSL just for the sake of using it. It slows things down considerably and makes the site quite inaccessible on slow connections.

Well, now this days net connections are not that horrible. I've never faced a slow page load coz of HTTPS. AS a mitigation I'm using 2FA to my PA! account. Also I know about Facebook and Google tracking. Actually, I'm already de-googled

I regularly use Tor but I've configured it to force HTTPS everywhere, so no go with PA!

 

[Cerez]

I know about Facebook and Google tracking. Actually, I'm already de-googled

Smart. Good on ya!

Well, now this days net connections are not that horrible. I've never faced a slow page load coz of HTTPS.

Some of us... *points to self* ...are still forced to use a 64K connection at times, when the wireless Internet goes crappy. I know governments and corporations would like everyone to think that Broadband is the world standard, but this simply isn't the practical case. Most of the world still experiences a slower than ADSL Internet connection, either periodically or on a constant basis -- that is if they have access to Internet at all!

I regularly use Tor but I've configured it to force HTTPS everywhere, so no go with PA!

Why? The site works with HTTPS as well. Is that because it doesn't have a valid SSL certificate, and with the HTTPS strict rule on Tor won't let you access the site?

AS a mitigation I'm using 2FA to my PA! account.

Probably overkill, but it doesn't hurt.

 

[Sheepie]

Why? The site works with HTTPS as well. Is that because it doesn't have a valid SSL certificate, and with the HTTPS strict rule on Tor won't let you access the site?

Oh it does, I just don't trust the Tor nodes to send my traffic unencrypted. Thus I force HTTPS everywhere.

 

[Cerez]

Oh it does, I just don't trust the Tor nodes to send my traffic unencrypted. Thus I force HTTPS everywhere.

For the nature of the content you'll be sharing on here, I don't think you need to worry so much about anyone seeing/snooping it. It won't be of much interest to anyone but your fellow users and friends here.

Bear in mind that HTTPS fundamentally means encryption. Why on earth would you need to encrypt your aliased contributions about your love for pirate stories and the Sea Dogs games, seeking help with playing, or modding? (The only people who may be interested in exploiting that are companies and corporations, trying to sell you stuff.) And for everything else, such as IP tracking, Tor has you covered. So you are about as anonymous as you can possibly be online, short of setting up your own personal VPN.

And this is a community-run forum, that respects people's privacy and won't share/sell your personal information. So as long as you're signed out and clean of cookies from Facebook, Google, and such, your computer is malware-free (and preferably running Linux, not Apple's Mac OS or Microsoft's Windows), and you're using the Tor Browser, your full privacy is ensured.

That said, you have full rights and control over your personal information, and you should never share something online that you know/feel can be compromised and/or exploited. Fundamentally, everything that goes online can be made public -- much like a phone conversation -- whether it's encrypted or not.

(Not meaning to sound sinister, but that's the raw truth, and it's good to be cautious and aware.)

 

[Cerez]

@Sheepie, if it helps to ease your mind, whether you're accessing the site via an HTTP or (the incomplete) HTTPS connection, this is a complex board where you will have posted previous content -- both public and private. This means that even in the very unlikely event that a hacker intervenes in your connection and tries to present you with a different site that looks like this one, they will not be able to replicate all the content that you have posted on here. This way you can be sure that what you're submitting is indeed submitted to these forums (this site), and will see straight away if you have logged in to a false site (by the content of the private messages) -- at which point you can quickly close that instance, and notify the staff of the breach before the hacker gets around to compromising your account, or change/reset the login details yourself.

(Feel free to send me a first PM, and I'll send you a unique secret line in my answer as proof/confirmation that you can hold on to.)

 

[Sheepie]

@Sheepie, if it helps to ease your mind, whether you're accessing the site via an HTTP or (the incomplete) HTTPS connection, this is a complex board where you will have posted previous content -- both public and private. This means that even in the very unlikely event that a hacker intervenes in your connection and tries to present you with a different site that looks like this one, they will not be able to replicate all the content that you have posted on here. This way you can be sure that what you're submitting is indeed submitted to these forums (this site), and will see straight away if you have logged in to a false site (by the content of the private messages) -- at which point you can quickly close that instance, and notify the staff of the breach before the hacker gets around to compromising your account, or change/reset the login details yourself.

(Feel free to send me a first PM, and I'll send you a unique secret line in my answer as proof/confirmation that you can hold on to.)

Thanks @Cerez, I'm aware of phishing attacks. I login through my password manager, so the chance is unlikely.