Securing the Internet, Re: ICMag and SSL

spurr

Active member
Veteran
A primer:
Everyone should use end-to-end encryption whilst online, wherever/whenever possible. HTTPS (SSL) is a form of end-to-end encryption for web browsing, etc. Using (at least) SSL on sites where you log in is critical to sound security.

Of all the web browsers available at this time, only Firefox and Chromium (or at least Chrome) should be used in terms of security; Chromium being the most secure. However, in terms of SSL access to a wide range of websites, Firefox is the best choice due to the Add-on "HTTPS-Everywhere".

HTTPS-Everywhere is being co-developed by Mike Perry from the Tor Project as well as Chris Palmer from the Electronic Frontier Foundation.

Long story short:
HTTPS-Everywhere is a Firefox Add-on that automatically forwards all HTTP connections to HTTPS for all web sites with rules (aka "rulesets") in the repo of HTTPS-Everywhere. And there are many sites in the repo.

I wrote a ruleset for the Add-on for ICmag, so anytime a person using HTTPS-Everywhere accesses any of the following ICmag URLs their connection will instead use the other URL.

One reason I wrote this ruleset for ICmag is to avoid getting 'bumped' off HTTPS unknowingly. I am not sure if this is still an issue on forums, but it was before, where person A is on HTTPS and person B is on HTTP; both are at ICmag. Person B posts an HTTP link to ICmag thread Z, then person A clicks on the link from person B and person A is taken to the HTTP version of thread Z.

  • http://icmag.com > https://www.icmag.com
  • http://icmag.com/ic > https://www.icmag.com/ic
  • https://www.icmag.com > https://www.icmag.com
  • https://www.icmag.com/ic > https://www.icmag.com/ic
  • https://icmag.com > https://www.icmag.com
  • https://icmag.com/ic > https://www.icmag.com/ic
If one accesses ICmag SSL via https://icmag.com an SSL cert warning will load. That is because the SSL cert for ICmag is only for the WWW domain; so https://www.icmag.com is OK but https://icmag.com will give an SSL cert warning. My ruleset avoids the SSL cert warning if one is not using WWW by moving connections to WWW automatically.

The most recent development version of HTTPS-Everywhere (v0.9.9.development.5) includes my ICmag rulesets. The most recent version is also the best so far; it is what I suggest people use in terms of GUI (searchable repo of rulesets for web sites) and large repo (incl. my rulesets for ICmag). The most recent version of HTTPS-Everywhere dev can be found here: https://www.eff.org/files/https-everywhere-devel.xpi

In case anyone doesn't want to use the development branch, I have attached the ruleset as a text (.txt) file to the post. To use the ruleset, download the file to your Firefox directory (under "profile"), into the folder (directory) "HTTPSEverywhereUserRules", then rename the file extension from ".txt" to ".xml" (just delete the appended ".txt"). Then restart Firefox.

If the download doesn't work I put the same rulesets at GitHub, which is easy to download from, or copy/paste into a file called Cannagraphic.xml, into the folder (directory) as above: https://gist.github.com/6e8aacc2d57ed059fddb
 

Attachments

  • Cannagraphic.xml.txt
    539 bytes · Views: 59
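As an added illustration (not the attached Cannagraphic.xml and not code from the HTTPS-Everywhere project), here is a small Python model of how the add-on applies a ruleset like the one described in the post above. The ruleset XML is a constructed reconstruction of the six mappings listed, written in the add-on's ruleset format (`ruleset`, `target`, `rule` and `exclusion` elements, where `from` is a regex over the whole URL and `to` is the replacement); the `load_ruleset` / `apply_ruleset` helpers, the trailing-slash normalisation and the wildcard handling are simplified assumptions, not the extension's own code.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset in HTTPS Everywhere's XML format (<ruleset>, <target>, <rule>,
# <exclusion>). It reconstructs the six icmag.com mappings listed in the post; the
# attached Cannagraphic.xml is not reproduced on the page, so the exact regexes are an
# assumption. "from" is a regex over the whole URL, "to" may use $1-style backreferences.
RULESET_XML = r"""
<ruleset name="Intl Cannagraphic Magazine">
  <target host="icmag.com" />
  <target host="www.icmag.com" />
  <!-- http://icmag.com/... and http://www.icmag.com/... become https://www.icmag.com/... -->
  <rule from="^http://(?:www\.)?icmag\.com/" to="https://www.icmag.com/" />
  <!-- https://icmag.com/... becomes https://www.icmag.com/... : the cert only covers www -->
  <rule from="^https://icmag\.com/" to="https://www.icmag.com/" />
</ruleset>
"""


def load_ruleset(xml_text):
    """Parse one ruleset into compiled regexes; mirrors what the add-on does at startup."""
    root = ET.fromstring(xml_text.strip())
    return {
        "name": root.get("name"),
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        # "to" uses JavaScript-style $1 backreferences; translate them for re.sub
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                  for r in root.findall("rule")],
    }


def _normalise(url):
    """Browsers request http://icmag.com as http://icmag.com/ ; the rules assume that slash."""
    parts = urlsplit(url)
    if parts.path == "":
        parts = parts._replace(path="/")
    return urlunsplit(parts)


def host_matches(host, target):
    """Exact host match, or a leading wildcard such as *.icmag.com (simplified: any depth)."""
    return fnmatchcase(host, target)


def apply_ruleset(url, ruleset):
    """Return the URL the add-on would actually fetch for `url` under this ruleset."""
    url = _normalise(url)
    host = urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return url  # a site this ruleset does not cover: left alone
    if any(ex.search(url) for ex in ruleset["exclusions"]):
        return url  # explicitly excluded path
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)  # first matching rule wins
    return url


def rewrite_links(urls, ruleset):
    """The 'bumped off HTTPS' case: every link a post contains, as the add-on would load it."""
    return [apply_ruleset(u, ruleset) for u in urls]


if __name__ == "__main__":
    rs = load_ruleset(RULESET_XML)
    posted = [  # constructed sample links, as they might appear in a forum post
        "http://icmag.com/ic/showthread.php?t=123",
        "https://icmag.com/ic/",
        "https://www.icmag.com/ic/",
        "http://icmag.com",
        "http://example.com/",
    ]
    for before, after in zip(posted, rewrite_links(posted, rs)):
        print(f"{before:42} -> {after}")
```

Running it prints each constructed link beside the URL the browser would actually request: the HTTP link "person B" pasted comes out as HTTPS, `https://www.icmag.com/...` passes through untouched, and `https://icmag.com/...` is moved to the www host before any certificate warning can fire. A host no target covers (`example.com`) is never touched, which is the check to run on any ruleset you write: a `from` regex that is too broad is harmless only if the targets are tight.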

spurr

Active member
Veteran
Edit:

Due to ICmag auto-formatting there are a few errors in my post above:

1) https://icmag.com and https://icmag.com/ic are forwarded to their respective https://www. URLs.
 

spurr

Active member
Veteran
Oh yea,

For editing/writing/reading formats like xml, bat, etc., I like using "Notepad++" on Windows. It's free and a great program. I suggest people use Notepad++ for working with xml files if they don't already have a solution.
 

Capital G

Hey spurr, got a ???

If I'm secure "everywhere", why don't I have HTTPS in my URL after the add-on for "every" site I visit?

edit: never mind, read the frequently asked, G......

Good looking, spurr!!!!
 

GrowItOut

Member
Spurr,

You advised "HTTPS-Everywhere (v0.9.9.development.5) includes my ICmag rulesets".

I do not see ICmag in the "HTTPS redirection rules" list when viewing Firefox 4.0.1:
Tools/Add-ons/Extensions/(HTTPS-Everywhere v0.9.9.development.5)-Options/HTTPS Everywhere Preferences.

Since you indicated your ruleset is included in that release, why is it not confirmed in the preferences for the application's HTTPS redirection rules?

Thanks.
 

spurr

Active member
Veteran
Hey spurr, got a ???

If I'm secure "everywhere", why don't I have HTTPS in my URL after the add-on for "every" site I visit?

edit: never mind, read the frequently asked, G......

Good looking, spurr!!!!

Ha, you're welcome. I sure wish we magically could force all sites to use SSL (HTTPS); but that isn't gonna happen. I do give Gypsy major props for offering SSL on all pages; very kind of him. Only after I and a couple of other people expressed why SSL is important, and asked for it a few times, did Mr Nice forums start offering SSL. If a cannabis site doesn't offer SSL (or some other type of end-to-end encryption, like Tor Hidden Services) I won't join the site.

:tiphat:
 

Capital G

After reading your thread I'm convinced that I'm gonna pursue the information systems degree I started many years ago. Knowing the ins and outs of IS is soooo important!!!!
 

spurr

Active member
Veteran
Spurr,

You advised "HTTPS-Everywhere (v0.9.9.development.5) includes my ICmag rulesets".

I do not see ICmag in the "HTTPS redirection rules" list when viewing Firefox 4.0.1:
Tools/Add-ons/Extensions/(HTTPS-Everywhere v0.9.9.development.5)-Options/HTTPS Everywhere Preferences.

Under the HTTPS-Everywhere GUI, after you click the "options" button (under Tools > Add-ons), use the following ruleset title as the search term: "Intl Cannagraphic Magazine". If the ruleset is enabled it will have a green check mark next to it.


Since you indicated your ruleset is included in that release, why is it not confirmed in the preferences for the application's HTTPS redirection rules?

Thanks.

It is, the ruleset title is "Intl Cannagraphic Magazine".
 

spurr

Active member
Veteran
Note:

Some HTTP content is still served (delivered) over ICmag, even when using HTTPS-Everywhere with my ruleset. Some of the ads and/or banners at ICmag serve some unencrypted content; which isn't good, but isn't the end of the world.

To fix that problem, as well as speed up surfing (ex., I use Tor so surfing can be slower), I wrote a set of allow/block rules (i.e., white-list and black-list) for the Firefox add-on AdBlock Plus, for ICmag. So if one uses AdBlock Plus with my rulesets all ads and banners will be blocked from loading, so no unencrypted content will be delivered. Also, because the ads and banners won't load, it makes surfing faster. I white-listed ads for the 'Boo and the 'Bay, so as not to upset Gypsy.

There are two issues with my rulesets for AdBlock Plus with respect to ICmag. I need to edit my rules to allow use of emoticons via buttons (ex., emoticons to the right of text subject field), and allow text formatting via buttons (ex., bold, italic, etc.).

I am still trying to figure out how to script rules to block loading of seed breeder icons and country flags (the sub-forums icons). But that is only due to my pseudo-ADD, I gotta get it perfect! I am trying to block those icons to speed up surfing, even if just by a few seconds or even just a couple dozen milliseconds per page ...

I am unsure if the 'powers that be' will allow me to post my Adblock Plus rulesets, considering the rules block ads and banners ICmag is trying to have us read (and hopefully buy from). Granted, no ads from Gypsy are blocked (re 'Boo and 'Bay). I will PM JJ Scorpio and ask his opinion/ruling, if it's okay I will post my Adblock Plus rulesets.
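An added example to make the two points in the note above checkable (this is not the author's AdBlock Plus rules, which were not posted, and not code from either add-on): a scanner that lists the subresources an HTTPS page would still fetch over plain HTTP, plus a minimal matcher for the `||host^` / `@@` subset of AdBlock Plus filter syntax, to show which of those fetches a block list removes and which a white-list entry still lets through unencrypted. The sample page and the `ads.example` / `sponsor.example` hostnames are constructed; the filter matcher is a deliberately small subset of the real syntax.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-carrying attributes. "active" content (scripts, frames, stylesheets) can
# rewrite the page if tampered with in transit; "passive" content (images, media) can
# only be swapped or observed. Either kind leaks to the network that you read this page.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only counted when rel="stylesheet", see below
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            if tag != t or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue   # icons, prefetch hints etc. are not rendered into the page
            # relative and scheme-relative ("//host/x") URLs inherit https from the page
            absolute = urljoin(self.page_url, attrs[attr])
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """All subresources an HTTPS page would fetch over plain HTTP, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def blocked_by(url, filters):
    """Minimal AdBlock Plus semantics (an assumed subset): '||host^' blocks that host and
    its subdomains; an '@@' prefix makes an exception that wins over any block rule."""
    host = urlsplit(url).hostname or ""

    def hits(f):
        f = f[2:] if f.startswith("@@") else f
        if not (f.startswith("||") and f.endswith("^")):
            return False           # other filter syntax is not modelled here
        domain = f[2:-1]
        return host == domain or host.endswith("." + domain)

    if any(f.startswith("@@") and hits(f) for f in filters):
        return False
    return any(not f.startswith("@@") and hits(f) for f in filters)


def remaining_mixed_content(page_url, html, filters):
    """What still loads unencrypted after the filter list has been applied."""
    return [f for f in find_mixed_content(page_url, html) if not blocked_by(f[2], filters)]


# Constructed sample of a thread page as served over HTTPS; the ad hostnames are made up.
SAMPLE_HTML = """
<html><body>
<link rel="stylesheet" href="/css/forum.css">
<img src="/images/logo.png">
<img src="//static.ads.example/flag.gif">
<img src="http://ads.example/banner.gif">
<script src="http://ads.example/serve.js"></script>
<iframe src="https://ads.example/frame.html"></iframe>
<img src="http://sponsor.example/boo.gif">
<a href="http://icmag.com/ic/showthread.php?t=123">the HTTP link from person B</a>
</body></html>
"""

# Constructed filter list: block every made-up ad host, but white-list the sponsor.
FILTERS = ["||example^", "@@||sponsor.example^"]

if __name__ == "__main__":
    page = "https://www.icmag.com/ic/showthread.php?t=123"
    for kind, tag, url in find_mixed_content(page, SAMPLE_HTML):
        state = "blocked" if blocked_by(url, FILTERS) else "STILL LOADS OVER HTTP"
        print(f"{kind:7} <{tag}> {url}  [{state}]")
```

The `<a href>` to the HTTP thread is deliberately not reported: a link is a navigation, not a subresource, and that case is what the HTTPS-Everywhere ruleset handles. What the scanner does show is the caveat in the note above: a white-listed advertiser (`sponsor.example`) is still fetched over plain HTTP, so the page is not fully encrypted even with the filters loaded, and the `script` finding is the one that matters most since injected script can read the whole logged-in page.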
 

GrowItOut

Member
Under the HTTPS-Everywhere GUI, after you click the "options" button (under Tools > Add-ons), use the following ruleset title as the search term: "Intl Cannagraphic Magazine". If the ruleset is enabled it will have a green check mark next to it.




It is, the ruleset title is "Intl Cannagraphic Magazine".

Spurr,

Thank you very much. I will recheck that list tonight when I return to my other PC loaded with HTTPS-Everywhere.

Your responsiveness is appreciated very much. Thanks again.
 

spurr

Active member
Veteran
Spurr,

Thank you very much. I will recheck that list tonight when I return to my other PC loaded with HTTPS-Everywhere.

Your responsiveness is appreciated very much. Thanks again.

You're very welcome. If you have any other questions feel free to ask. I plan on writing rulesets for all cannabis sites that offer SSL.
 

GrowItOut

Member
Under the HTTPS-Everywhere GUI, after you click the "options" button (under Tools > Add-ons), use the following ruleset title as the search term: "Intl Cannagraphic Magazine". If the ruleset is enabled it will have a green check mark next to it.




It is, the ruleset title is "Intl Cannagraphic Magazine".

Spurr,

I've rechecked. You're absolutely correct! The "Intl Cannagraphic Magazine" ruleset is there and active in the app.

Thanks, good job. :tiphat:
 

dddaver

Active member
Veteran
Or just follow the old basic security rule and don't click on the links posted in threads. Links are easy to "fake" so you can't really be sure what they are. Easy-peazy.
 

spurr

Active member
Veteran
@ dddaver,

That is a non-starter, mostly because that limits the functionality of ICmag to end users. Not clicking on any links from ICmag would never work, at least not for me.

The ruleset I wrote for ICmag is about much more than clicking an HTTP link on ICmag to another ICmag thread. Using SSL (HTTPS) is very important for anonymous and non-anonymous ICmag users; ex., to encrypt your log-in username and password, which otherwise could easily be stolen off of WiFi, at an Internet cafe (recording packets; even though a keystroke logger would be easier), on Internet backbones, etc. Not only that, but if a user forgets to type HTTPS, and instead uses HTTP without realizing it, this ruleset would protect that user by forcing HTTPS before any HTTP communication takes place (and preventing any).

Here is a good read on this topic by one of the authors of the Firefox add-on HTTPS-Everywhere, Seth Schoen:

https://lists.torproject.org/pipermail/tor-talk/2011-June/020639.html
Seth Schoen writes:

> Joe Btfsplk writes:
> I'm not a guru in this dept - only what I've read. Reason usually
> given not to use Tor for Banking is because the Tor exit node has to
> send unencrypted data to your target site (like bank PWs). Unless
> your communication w/ that site was somehow encrypted (& a login PW
> wouldn't be). A malicious exit node operator could sniff the
> packets coming thru the relay.

Your communication with an online banking site usually _would_ be
encrypted with HTTPS, which would encrypt your login password. For
instance, if you were banking with Bank of America, you would normally
start your login process at

https://www.bankofamerica.com/

This encryption is complementary to Tor because Tor protects the anonymity
of where you're connecting from, while HTTPS protects the confidentiality
of your communications, including the password.

There's a different problem with using Tor for online banking: some
financial institutions consider it a likely sign of fraud attempts,
since (for most financial institutions) few legitimate customers
currently try to hide their location from the financial institution,
but many people committing fraud do. If the financial institution
misinterprets your Tor use as a sign of fraud, they might block your
on-line access or restrict it in some way.

> Just visiting a site where you're not required to enter private data
> doesn't allow a malicious exit node operator (or anyone else) to
> capture private data. In the case of banking, instead of just
> making a direct connection between you & the bank https (using SSL /
> TLS), using Tor is introducing an "unknown" 3rd party. That's
> basically why.

Although Tor is introducing an unknown third party, it doesn't in any
way prevent you from also using HTTPS to protect your communications
against that third party. In fact, all the published Tor documentation
strongly urges Tor users to always use HTTPS for this reason, and the Tor
Project is co-developing HTTPS Everywhere with EFF for this reason, and
has now included it with the Tor Browser Bundle.

> Same thing w/ unencrypted email. An exit node could intercept it
> (though by far, most don't), but if it's really confidential info,
> don't send unencrypted email thru Tor. If it's that confidential,
> you might ought to encrypt email anyway. There are services (like
> Hush Mail) - for max privacy, I'd opt to install their software vs
> doing everything on their servers.

But if you're using webmail, you could use HTTPS to connect to the
webmail operator over Tor, thereby protecting your e-mail from the
exit node operator.

> Also a Firefox addon, Enigmail that allows using open PGP (GNU PG)
> encryption in a client like Thunderbird. Haven't used it, but been
> thinking of checking it out.

This can be complementary to Tor _and_ HTTPS, because e-mail encryption
protects your e-mail contents from your e-mail service provider and the
other person's e-mail service provider. I think it would be nice to
have a threat-model diagram to show what's meant to protect you against
whom, but let me try to summarize in text:

Suppose you're using Hotmail (Windows Live Mail) and e-mailing with your
friend who's using Gmail.

If you didn't use any security tools, then, among other things,

* other people on your wifi network would see what you're doing and could
steal your password or read your e-mail;
* your ISP could do the same thing;
* the other ISPs that carry your communications to Hotmail could do the
same thing;
* Hotmail would record your IP address, so they would know where you are
connecting from, which could be used to trace your identity or location
later on;
* Hotmail could read the e-mail that you ask them to deliver;
* the ISPs that carry your communications between Hotmail and Gmail could
read the e-mail too (depending on whether Hotmail and Gmail are
successfully using a security technology called ESMTP STARTTLS);
* Gmail could read the e-mail at any time after it's delivered to them;
* depending on how securely your friend accesses Gmail, other people like
your friend's ISP might be able to read the e-mail as your friend opens it.

Also, people who are doing wiretaps (like tapping fiber optic cables or
microwave links) could read the communications between ISPs, perhaps
with the ISPs' knowledge or perhaps without it. This goes to show that,
in the absence of security technology, there are plenty of entities that
might be in a position to spy on you in some way.

Different security tools try to address very different parts of this
problem.

Primarily, Tor tries to address the "Hotmail would record your IP address"
problem. It incidentally solves the "other people on your wifi network"
and "your ISP" problems while adding a new, related problem: "the Tor exit
node operator could spy on you and read the e-mail".

Using HTTPS to connect to Hotmail addresses the "other people on your
wifi network", "your ISP", and "the other ISPs" problems, and, if you're
using Tor, it also addresses "the Tor exit node operator could spy on you"
problem.

Using GPG addresses the "Hotmail could read the e-mail" and "Gmail could
read the e-mail" problems. It partially addresses all the problems
related to any ISP reading the e-mail: it prevents any of the ISPs from
understanding the content of the message, but it doesn't conceal the fact
that you're e-mailing a particular person at a particular time.

--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
 
Spurr, also I would be curious as to any insight you have pertaining to security while using free WiFi such as coffee shops, etc. I am sure this is a topic of importance to many ICmag users.
 

spurr

Active member
Veteran
Spurr, also I would be curious as to any insight you have pertaining to security while using free WiFi such as coffee shops, etc. I am sure this is a topic of importance to many ICmag users.

Use HTTPS (SSL) whenever possible, and/or set up a VPN with HTTPS access and use that as an HTTPS proxy (ex., if a web site does not offer HTTPS). In the latter case, when the web site does not offer HTTPS, your connection is not encrypted end-to-end, only from your computer to the VPN (thus preventing eavesdropping at WiFi spots); from the VPN to the web site it would still be HTTP (so the ISP and others could still read data like passwords, but that's less likely than at a WiFi spot).
 