1 lorannen
Sysadmin Pedro has been hard at work on new security measures lately. Specifically, we've updated the non-English LT sites (so Librarything.de, .es, .nl, .it, .fr) to include valid TLS certificates.
What does this mean for you? On the front end—not much. LibraryThing will look and work as it always has, with the addition of HTTPS to your URL, instead of HTTP. But, as we discussed when we first added this measure to LibraryThing.com (blog post here), this is an encryption measure that helps protect your data as you enter it into LibraryThing.
2 lorax
It actually would mean a great deal to people who use the other sites. Don't sell yourselves short, security is important.
3 lorannen
>2 lorax: Absolutely! It's very important, I mostly just meant that it won't look too different for anyone. :)
4 davidgn
Excellent prioritization.
ETA: I fear, though, that the threat model may have shifted.
It's likely the threat may be along these lines:
https://www.surf.nl/binaries/content/assets/surf/nl/2015/sheets_tweedaagse_2015-...
(see roughly pp. 24-37)
5 davidgn
You mean TLS, not SSL, I hope?
https://trofisecurity.com/assets/img/ssl-tls.pdf
ETA Apparently yes, per:
https://www.ssllabs.com/ssltest
But there are a few other issues it's picking up (not least that the certificates are still registering as mismatched on non-.com domains... at least for the moment).
(And as long as we're working on it, how about deploying an implementation (re-)written by a competent team? https://en.wikipedia.org/wiki/LibreSSL -- evaluate for compatibility, of course, but I read enough horror stories from their flensing of OpenSSL to make me permanently queasy)
Bedtime reading:
https://policyreview.info/articles/news/post-snowden-cryptography-and-network-se...
6 lorannen
>5 davidgn: I almost certainly do. Sorry for the confusion—I was going off of our old post, plus Tim's note to me that HTTPS works on all LT domains, and we have valid certificates on .de, .es, .nl, .it, .fr. No mention was made of SSL, so we're up to date on HTTPS standards, as far as I know. I'll take that mention out of my OP, and hopefully get confirmation from Tim tomorrow.
7 davidgn
Yeah, I'm being a nitpicker. Legacy nomenclature: SSL is dead and buried and replaced by TLS, which is beleaguered, yet just about every major implementation of TLS has SSL as part of its name. Also SSLLabs which, among other things, now exists to help you make sure you haven't accidentally failed to deprecate SSL. ;-)
8 davidgn
A few presentations that were memorable:
https://www.youtube.com/watch?v=BMwPe2KqYn4
https://www.youtube.com/watch?v=3v9t_IoOgyI
https://www.youtube.com/watch?v=fwcl17Q0bpk
More and better exist, but that's top-of-my-head.
And setting up robust TLS at least makes you a stakeholder here:
https://queue.acm.org/detail.cfm?id=2904894
Political strategies regarding cryptography are all horrible: Kazakhstan brutally inserts state monitors into the middle of all encrypted traffic. France forbids all online anonymity. The USA wants backdoors built into all crypto. These ideas are all based on the same principle: If we cannot break the crypto for a specific criminal on demand, we will preemptively break it for everybody. And whatever you may feel about politicians, they do have the legitimacy and power to do so. They have the constitutions, legislative powers, courts of law, and police forces to make this happen.
The IT and networking communities overlooked a wise saying from soldiers and police officers: "Make sure the other side has an easier way out than destroying you."
But we didn't, and they are.
Slapping unbreakable crypto onto more and more packets is just going to make matters worse. The only way to retain any amount of electronic privacy is through political engagement.
9 elenchus
I draw a parallel between these ongoing security efforts on LT and my maintenance of my home. Fixing catch basins and tuckpointing are never fun, they're expensive and in the end I see little or no difference in my daily life. But I am reassured by both that the edifice rests on a firm base, even though I must forego other improvements I've long been looking forward to adding.
10 lorannen
Pedro assures me that I did, in fact, mean TLS and not SSL in my original post. I knew we wouldn't have wasted his time with outdated standards. Not being a security buff myself, I just missed the change.
11 bnielsen
>9 elenchus: Thanks for teaching me a new word "Tuckpointing" :-)
12 NTMHML
Should the links be redirecting from HTTP to HTTPS? I had a bookmark go to HTTP and did not change.
13 lorannen
>12 NTMHML: Right. You can still access the site on HTTP, so your bookmarks will be unaffected. However, it's now also available on HTTPS, which is more secure. I'd recommend updating them!
14 jjwilson61
>12 NTMHML: I believe that NTMHML is saying that their http bookmark is getting redirected to a https url. I'm not completely sure, but I think that is normal and not a problem.
15 lorannen
>14 jjwilson61: You might be right, but I read the "did not change" part as the fact that it didn't redirect. But yes, depending on what browser you're using, you may be redirected automatically to HTTPS, which is good!
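Two checks come up in this thread: post 5 notes that the certificates were still reported as mismatched on the non-.com domains, and posts 12 to 15 go back and forth on whether an http:// bookmark should be redirected to https://. The script below is an added example (not LibraryThing's code, and not from any poster) that implements both checks offline: one function decides whether an HTTP response is a proper permanent redirect to the same host over HTTPS, and the other applies RFC 6125-style hostname matching to a certificate's Subject Alternative Names, including the rule that a wildcard only covers a single left-most label. The hostnames, SAN lists and responses are constructed sample data.

```python
"""Offline checks for HTTP->HTTPS redirects and certificate hostname coverage.
Added example, not LibraryThing's code. All sample data is constructed."""
from urllib.parse import urlsplit


def is_https_redirect(original_url, status, headers):
    """True when the response to an http:// request is a permanent redirect
    to the same host and path over https://.

    `headers` is a dict whose keys the caller has lower-cased. Only 301/308
    count: a 302/307 leaves browsers (and bookmarks) returning to HTTP."""
    if status not in (301, 308):
        return False
    location = headers.get("location")
    if not location:
        return False
    src, dst = urlsplit(original_url), urlsplit(location)
    return (
        dst.scheme == "https"
        and dst.hostname == src.hostname          # no cross-host bounce
        and (dst.path or "/") == (src.path or "/")
        and dst.query == src.query
    )


def cert_covers_hostname(san_dns_names, hostname):
    """RFC 6125-style matching: an exact (case-insensitive) match, or a name
    whose entire left-most label is '*' matching exactly one host label.
    '*.example.de' covers 'www.example.de' but not 'example.de' or
    'a.b.example.de'."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.de"
            if host.endswith(suffix):
                left = host[: -len(suffix)]       # the part the '*' must cover
                if left and "." not in left:
                    return True
    return False


def run_samples():
    """Constructed scenarios mirroring the thread: a .com-only certificate
    presented on a .de host, a correct wildcard certificate, and a bookmark
    that is (or is not) redirected to HTTPS."""
    com_only_cert = ["librarything.com", "www.librarything.com"]   # constructed SAN list
    de_wildcard_cert = ["*.librarything.de", "librarything.de"]    # constructed SAN list
    bookmark = "http://www.librarything.de/catalog.php"            # constructed URL
    return {
        "com_cert_on_de_host": cert_covers_hostname(com_only_cert, "www.librarything.de"),
        "de_cert_on_de_host": cert_covers_hostname(de_wildcard_cert, "www.librarything.de"),
        "redirected": is_https_redirect(
            bookmark, 301, {"location": "https://www.librarything.de/catalog.php"}),
        "served_plain": is_https_redirect(bookmark, 200, {}),
    }


if __name__ == "__main__":
    for check, result in run_samples().items():
        print(f"{check}: {result}")
```

The hostname check explains the "mismatched" result a scanner such as SSL Labs reports when a certificate issued for one domain is served on another; the redirect check distinguishes "the site is also reachable over HTTPS" (post 13) from "HTTP requests are sent to HTTPS" (post 14), which only the latter guarantees for an old bookmark.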

