HTTPS across all LT domains

1 lorannen
Edited: Feb 2, 2017, 11:38 am

Sysadmin Pedro has been hard at work on new security measures lately. Specifically, we've updated the non-English LT sites (so Librarything.de, .es, .nl, .it, .fr) to include valid TLS certificates.

What does this mean for you? On the front end—not much. LibraryThing will look and work as it always has, with the addition of HTTPS to your URL, instead of HTTP. But, as we discussed when we first added this measure to LibraryThing.com (blog post here), this is an encryption measure that helps protect your data as you enter it into LibraryThing.

2 lorax
Feb 1, 2017, 11:44 am

It actually would mean a great deal to people who use the other sites. Don't sell yourselves short, security is important.

3 lorannen
Feb 1, 2017, 11:48 am

>2 lorax: Absolutely! It's very important, I mostly just meant that it won't look too different for anyone. :)

4 davidgn
Edited: Feb 1, 2017, 3:29 pm

Excellent prioritization.

ETA: I fear, though, that the threat model may have shifted.
It's likely the threat may be along these lines:
https://www.surf.nl/binaries/content/assets/surf/nl/2015/sheets_tweedaagse_2015-...
(see roughly pp. 24-37)

5 davidgn
Edited: Feb 2, 2017, 9:34 am

You mean TLS, not SSL, I hope?

https://trofisecurity.com/assets/img/ssl-tls.pdf

ETA: Apparently yes, per:
https://www.ssllabs.com/ssltest

But there are a few other issues it's picking up (not least that the certificates are still registering as mismatched on non-.com domains... at least for the moment).

(And as long as we're working on it, how about deploying an implementation (re-)written by a competent team? https://en.wikipedia.org/wiki/LibreSSL -- evaluate for compatibility, of course, but I read enough horror stories from their flensing of OpenSSL to make me permanently queasy)

Bedtime reading:
https://policyreview.info/articles/news/post-snowden-cryptography-and-network-se...

6 lorannen
Feb 1, 2017, 7:49 pm

>5 davidgn: I almost certainly do. Sorry for the confusion—I was going off of our old post, plus Tim's note to me that HTTPS works on all LT domains, and we have valid certificates on .de, .es, .nl, .it, .fr. No mention was made of SSL, so we're up to date on HTTPS standards, as far as I know. I'll take that mention out of my OP, and hopefully get confirmation from Tim tomorrow.

7 davidgn
Edited: Feb 1, 2017, 8:05 pm

Yeah, I'm being a nitpicker. Legacy nomenclature: SSL is dead and buried and replaced by TLS, which is beleaguered, yet just about every major implementation of TLS has SSL as part of its name. Also SSLLabs which, among other things, now exists to help you make sure you haven't accidentally failed to deprecate SSL. ;-)

8 davidgn
Edited: Feb 2, 2017, 9:14 am

A few presentations that were memorable:

https://www.youtube.com/watch?v=BMwPe2KqYn4
https://www.youtube.com/watch?v=3v9t_IoOgyI
https://www.youtube.com/watch?v=fwcl17Q0bpk

More and better exist, but that's top-of-my-head.
And setting up robust TLS at least makes you a stakeholder here:
https://queue.acm.org/detail.cfm?id=2904894
Political strategies regarding cryptography are all horrible: Kazakhstan brutally inserts state monitors into the middle of all encrypted traffic. France forbids all online anonymity. The USA wants backdoors built into all crypto. These ideas are all based on the same principle: If we cannot break the crypto for a specific criminal on demand, we will preemptively break it for everybody. And whatever you may feel about politicians, they do have the legitimacy and power to do so. They have the constitutions, legislative powers, courts of law, and police forces to make this happen.

The IT and networking communities overlooked a wise saying from soldiers and police officers: "Make sure the other side has an easier way out than destroying you."

But we didn't, and they are.

Slapping unbreakable crypto onto more and more packets is just going to make matters worse. The only way to retain any amount of electronic privacy is through political engagement.

9 elenchus
Feb 2, 2017, 9:48 am

I draw a parallel between these ongoing security efforts on LT and my maintenance of my home. Fixing catch basins and tuckpointing are never fun, they're expensive and in the end I see little or no difference in my daily life. But I am reassured by both that the edifice rests on a firm base, even though I must forgo other improvements I've long been looking forward to adding.

10 lorannen
Feb 2, 2017, 11:38 am

Pedro assures me that I did, in fact, mean TLS and not SSL in my original post. I knew we wouldn't have wasted his time with outdated standards. Not being a security buff myself, I just missed the change.

11 bnielsen
Feb 3, 2017, 7:54 am

>9 elenchus: Thanks for teaching me a new word "Tuckpointing" :-)

12 NTMHML
Feb 28, 2017, 11:03 am

Should the links be redirecting from HTTP to HTTPS? I had a bookmark go to HTTP and did not change.

13 lorannen
Feb 28, 2017, 3:34 pm

>12 NTMHML: Right. You can still access the site on HTTP, so your bookmarks will be unaffected. However, it's now also available on HTTPS, which is more secure. I'd recommend updating them!

14 jjwilson61
Feb 28, 2017, 3:36 pm

>12 NTMHML: I believe that NTMHML is saying that their http bookmark is getting redirected to a https url. I'm not completely sure, but I think that is normal and not a problem.

15 lorannen
Feb 28, 2017, 3:40 pm

>14 jjwilson61: You might be right, but I read the "did not change" part as the fact that it didn't redirect. But yes, depending on what browser you're using, you may be redirected automatically to HTTPS, which is good!
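Two of the checks the thread touches on, the certificate name mismatch on the non-.com domains (post 5) and whether an HTTP bookmark is redirected to HTTPS (posts 12 to 15), can be expressed as small offline functions. This is an added example, not LibraryThing's code; the certificate dicts and HTTP responses are constructed samples in the shape that Python's `ssl` `getpeercert()` and an HTTP client would return.

```python
"""Offline checks: does a certificate cover the hostname being served, and
does an HTTP response send the client on to HTTPS on the same host?"""
from urllib.parse import urlsplit


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style:
    case-insensitive, a wildcard only as the whole left-most label, and a
    wildcard never spans more than one label or matches the bare parent."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # e.g. ".librarything.de"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate's subjectAltName entries cover hostname.
    Browsers ignore the subject CN once any SAN is present, so this does too;
    a cert issued only for the .com names therefore fails for the .de site."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_name_match(san, hostname) for san in sans)


def redirects_to_https(url: str, status: int, headers: dict) -> bool:
    """True if a response to a plain-HTTP request redirects to HTTPS on the
    same host. A 200 (site still served over HTTP), a relative Location, or
    a redirect to some other host all count as 'no upgrade'."""
    if status not in (301, 302, 307, 308):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    src, dst = urlsplit(url), urlsplit(lowered.get("location", ""))
    return dst.scheme == "https" and dst.hostname == src.hostname


# Constructed sample: a certificate issued only for the .com names.
COM_ONLY_CERT = {
    "subject": ((("commonName", "www.librarything.com"),),),
    "subjectAltName": (("DNS", "www.librarything.com"),
                       ("DNS", "librarything.com")),
}
# Constructed sample: one certificate that also covers a non-English domain.
MULTI_DOMAIN_CERT = {
    "subjectAltName": (("DNS", "*.librarything.com"), ("DNS", "librarything.com"),
                       ("DNS", "*.librarything.de"), ("DNS", "librarything.de")),
}
```

In practice you would feed `cert_matches_host` the dict from `ssl.SSLSocket.getpeercert()` for each LT domain and `redirects_to_https` the status and headers of a plain `http://` request, which reproduces the two findings the thread describes.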

16 jjwilson61
Feb 28, 2017, 3:42 pm

You're probably right. I'm not doing very well reading today.