Security Updates
July 10, 2013 at 6:24 pm
(This post was last modified: July 10, 2013 at 6:58 pm by Tiberius.)
As a computer security professional, I know that security on the internet is very important. This applies even more so today, with the disclosure of programs like PRISM and the UK's apparent wire-tapping of international fibre-optic cables.
For the last year, Atheist Forums has supported encrypted SSL connections. Whilst using this connection, all content that travels between your computer and the Atheist Forums server is encrypted and should be secret.
To use this connection, all you have to do is change the http:// at the start of the URL to https:// or simply click this link. I have written a script which should automatically detect whether you are using this connection, and alter all forum links accordingly (so you don't click on a forum link which takes you back to the regular connection). There are some limitations to this script, but I'm working them out.
That said, SSL is a nightmare to set up correctly. There are a number of configuration options that are subject to various security weaknesses, and a lot of sites will just use the insecure default settings, leaving their users with some level of security, but not a decent level of security. Since I understand SSL quite well, I've spent a number of hours configuring it so that we have an almost perfect score on Qualys SSL Labs (very good automated testing tool).
One thing that I have configured recently is Forward Secrecy. With our old SSL configuration, communication between a user and the server was secure, but if someone intercepted the encrypted data and managed to compromise the server, they could decrypt the data very easily. Of course, we don't expect someone to compromise the server, but with Forward Secrecy enabled, your encrypted communications will be protected even if at some point in the future, the server is compromised.
I have tested the connection in all major modern browsers and it seems to work fine, but please report any issues if you see them.
- Tiberius
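The forward-secrecy point in the post (a recorded session protected by plain RSA key transport can be decrypted once the server's long-term key is stolen; an ephemeral Diffie-Hellman session cannot) is shown below as an added example. This is not the forum's own code or configuration, and all parameters in it are constructed toy values (tiny RSA primes, a 127-bit DH prime, a SHA-256-based XOR stream cipher) chosen only so the script runs offline; none of it is usable as real cryptography.

```python
"""Toy model of static RSA key transport vs. ephemeral Diffie-Hellman.

An eavesdropper records two sessions, later obtains the server's long-term
RSA private key, and tries to decrypt each recording. Constructed demo
parameters only; deliberately far too small for real use.
"""
import hashlib
import secrets
from typing import Optional

# --- constructed toy RSA key pair for the server (demo only) ---
P_RSA = 2**31 - 1          # Mersenne primes M31 and M61: known primes, easy to verify
Q_RSA = 2**61 - 1
N_RSA = P_RSA * Q_RSA      # about 2**92, far below any real key size
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))  # long-term private exponent

# --- constructed toy Diffie-Hellman group (demo only) ---
P_DH = 2**127 - 1          # a known prime; real deployments use 2048-bit+ groups or ECDHE
G_DH = 5


def keystream_xor(key_int: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Symmetric, so calling it twice with the same key restores the plaintext."""
    key = key_int.to_bytes(32, "big")
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_key_transport_session(plaintext: bytes) -> dict:
    """Old-style handshake: the client picks the session key and encrypts it
    to the server's long-term RSA public key. The returned dict is exactly
    what a passive eavesdropper can record from the wire."""
    session_key = secrets.randbits(64)                 # < N_RSA, so RSA round-trips it
    encrypted_key = pow(session_key, E_RSA, N_RSA)     # only D_RSA can undo this
    ciphertext = keystream_xor(session_key, plaintext)
    return {"encrypted_key": encrypted_key, "ciphertext": ciphertext}


def ephemeral_dh_session(plaintext: bytes) -> dict:
    """Forward-secret handshake: both sides pick one-off DH secrets and derive
    the session key from them. The long-term key would only sign the server's
    public value (signature omitted here); it never protects the session key.
    The recording holds only the public values and the ciphertext."""
    client_secret = secrets.randbelow(P_DH - 2) + 1
    server_secret = secrets.randbelow(P_DH - 2) + 1
    client_public = pow(G_DH, client_secret, P_DH)
    server_public = pow(G_DH, server_secret, P_DH)
    shared_client = pow(server_public, client_secret, P_DH)
    shared_server = pow(client_public, server_secret, P_DH)
    assert shared_client == shared_server              # both sides agree on the key
    ciphertext = keystream_xor(shared_client, plaintext)
    # client_secret / server_secret are discarded here; nothing persistent
    # on the server can reconstruct shared_client later.
    return {"client_public": client_public, "server_public": server_public,
            "ciphertext": ciphertext}


def attacker_with_server_key(recording: dict, stolen_d: int) -> Optional[bytes]:
    """Later compromise: the attacker now holds the server's long-term RSA
    private exponent and replays it against an old recording."""
    if "encrypted_key" in recording:
        # Static key transport: the stolen key decrypts the session key directly.
        session_key = pow(recording["encrypted_key"], stolen_d, N_RSA)
        return keystream_xor(session_key, recording["ciphertext"])
    # Ephemeral DH: the stolen RSA key says nothing about the discarded DH
    # secrets; recovering them would mean solving a discrete logarithm.
    return None


if __name__ == "__main__":
    message = b"post content sent over the forum's HTTPS connection"  # constructed
    old = rsa_key_transport_session(message)
    new = ephemeral_dh_session(message)
    print("RSA key transport, after key theft:", attacker_with_server_key(old, D_RSA))
    print("Ephemeral DH, after key theft:     ", attacker_with_server_key(new, D_RSA))
```

The point the run makes is the one the post describes: with the old configuration, stealing the server key at any later date is enough to read every recording; with ephemeral key exchange the server simply does not have anything stored that would help, which is why SSL Labs rewards forward-secret cipher suites.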