Gah! November 5, 2010 5:10 AM

Logging on is not dangerous, is it? Is it?

Firefox at home is suddenly giving me a huge ass warning whenever I try to log on (browsing anonymously seems to be no problem) to Metafilter, to the effect that the connection isn't safe and if I never got this warning before then this might be because the site has been hijacked.

I'm not getting the warning in Firefox at work.

Please reassure me this is just some effect of Firefox updates or something?
posted by Omnomnom to Bugs at 5:10 AM (45 comments total) 2 users marked this as a favorite

We recently updated the security certificate on the SSL login site but there was a slight snag verifying the identity of MetaFilter Inc with the certificate company. I'm working on fixing it but it will take several days more.
posted by mathowie (staff) at 5:20 AM on November 5, 2010 [1 favorite]


This is why you should never log out.
posted by OmieWise at 5:22 AM on November 5, 2010 [14 favorites]


Ah ok. Thanks for the heads up. I'll ignore the warning, then.
posted by Omnomnom at 5:24 AM on November 5, 2010


It was visiting MetaFilter in the first place that was dangerous.

I just clicked in to see some links. Now look at me.
posted by Joe Beese at 5:31 AM on November 5, 2010 [23 favorites]


I'm just surprised to learn that Firefox has two editions. Does the @Work one block porn?
posted by gman at 5:39 AM on November 5, 2010


We're watching you.
posted by nomadicink at 5:50 AM on November 5, 2010


Anyone who tells you logging on is safe is logged on, so of course that's just what they would say.
posted by Wolfdog at 5:50 AM on November 5, 2010 [4 favorites]


From what I read on the front page today, logging on actually prevents prostate cancer.
posted by Astro Zombie at 6:03 AM on November 5, 2010 [5 favorites]


You can log out any time you like but you can never leave.
posted by Sailormom at 6:04 AM on November 5, 2010 [13 favorites]


Is that iPhone Firefox thing actually good for anything?
posted by box at 6:04 AM on November 5, 2010


I just clicked in to see some links. Now look at me.

I was assigned to read a particular Metafilter thread for a college course. I think Matt has some profs on payroll.
posted by shakespeherian at 6:22 AM on November 5, 2010


Oh, that was me, sorry. Slight typo while I was hacking into meatfilter trying to infringe me some bacon.
posted by Dano St at 6:28 AM on November 5, 2010


From what I read on the front page today, logging on actually prevents prostate cancer.

I believe that was flogging on.
posted by Dipsomaniac at 6:39 AM on November 5, 2010 [1 favorite]


I was assigned to read a particular Metafilter thread for a college course.

Ooh, do tell!
posted by cortex (staff) at 7:00 AM on November 5, 2010


No, Astro Zombie. That's masturbation you're thinking of.
posted by slogger at 7:08 AM on November 5, 2010


Logging on is not dangerous, is it? Is it?

Depends on your definition of "dangerous". I logged in eight or nine years ago and haven't broken free since. I'm not saying I'm addicted, I'm just suggesting that were Mefi a drug, it might be schedule 1.
posted by quin at 7:24 AM on November 5, 2010


Ooh, do tell!

I was fortunate enough in college to find a handful of professors whom I would follow anywhere and from whom I would take any class, because the energy and love of knowledge that they brought to task could make any subject interesting and instructive. One of these professors was in the media studies department, a youngish guy who used to teach creative writing before moving on to film and communications. It was from him that I learned how to watch film, how to make film, how to think about film. In any case, one semester my junior year, he approached me after some cinema class and told me that he was preparing to teach a course called Digital Society, and he wanted me to sign up for it.

'What's it about?' I asked.

'I don't really know,' he said.

Well, how can you turn down an offer like that? EJ (for that is what we called him) had exactly the sort of passion for learning that you can only pray to be fortunate enough to find in an instructor. Digital Society turned out to be an experiment as much as a class. The idea, I guess, was basically this: Digital technology is evolving rapidly, and communication is developing around it, ad hoc. Isn't that interesting?

We weren't allowed to bring paper into the classroom. If we wanted to take notes, it had to be on a laptop or a Blackberry or something non-analog. All homework was done by posting on the class's website. We did things like bring an Xbox into class and get two students who had never played video games to play a street racing game in front of the whole class. (It was amazing to see the language that has sprouted to support gaming; clearly one of the students was disoriented, so several helpful gamers exhorted her to 'change views'-- what the hell does that mean, unless you've played games before?)

Anyway, I lied earlier. We were assigned two different Metafilter threads to read for this class. The first was the Kaycee Nicole thread, which was interesting and instructive and prompted a lot of the arguments that you'd expect from a bunch of undergraduates at a fairly conservative school about the inherent morals of technology or whether online communication was intrinsically more dishonest than more established forms of communication. But the thread to which I was referring, the one which got me to keep coming back here (and eventually to get an account, once I was able to save up five dollars) was #10034, Plane crashes in to the word trade center.

Bear in mind that fall of 2001 was the beginning of my freshman year at college. Looking at it now, it's pretty amazing that that thread has fewer than 500 comments-- I've seen recipe swaps go on longer than that. At the time-- this must have been 2004, now-- 9/11 was still a very raw, visceral thing in our memories, and it was amazing, after arguments about what the point of internet fora was, or whether the anonymity of the online environment created an atmosphere of mistrust, and so on, to read a bunch of strangers helping each other in real time, calling phones for the loved ones of internet friends, keeping one another updated on facts national, international, and local, being a community of support and, honestly, love, in a way impossible just a few years ago.

So, anyway, yeah, origin story.
posted by shakespeherian at 7:26 AM on November 5, 2010 [109 favorites]


On a related security note - has there been any thought given to whether or not MeFi users are vulnerable to FireSheep and what might be done to protect those users who are checking MeFi from unprotected networks (i.e., libraries, airports, etc.)?
posted by aberrant at 7:47 AM on November 5, 2010 [1 favorite]


So, anyway, yeah, origin story.

Wait, what? When did the strange powers kick in? What led you to adopt your mysterious alter-ego? The chance meeting that led to your nemesis? I mean, this is an origin story, right?
posted by Ghidorah at 7:48 AM on November 5, 2010 [1 favorite]


Radioactive meteorite.
posted by shakespeherian at 7:57 AM on November 5, 2010


I haven't grrrrwff *scratch* strange powers or side effects of any sort.
posted by Wolfdog at 8:06 AM on November 5, 2010


Radioactive sidehug.
posted by SpiffyRob at 8:10 AM on November 5, 2010 [3 favorites]


My superpower is awkwardness. My nemesis is Iridic, because he is so clean looking.
posted by shakespeherian at 8:14 AM on November 5, 2010


wait, what's this log out thing you people are talking about?
posted by The Whelk at 8:15 AM on November 5, 2010


wait, what's this log out thing you people are talking about?

Something I have done several times on this site, always by accident when meaning to click something else. Seriously, it's at the point where I'm considering writing a Greasemonkey thing to disable all the logout links.
posted by FishBike at 8:21 AM on November 5, 2010 [1 favorite]


I was wondering why nobody else seems to have had the problem!
posted by Omnomnom at 8:29 AM on November 5, 2010


I've logged out twice in 6 years -- both times by accident, and accompanied by immediate panic: "AUUGGHH WHAT IS MY PASSWORD??" Fortunately, I keep my feathers numbered for just such an occasion.
posted by Devils Rancher at 8:46 AM on November 5, 2010 [1 favorite]


...whether or not MeFi users are vulnerable to FireSheep...

Yes, just about every site that doesn't encrypt all traffic is vulnerable. As far as we know no one has written a specific Firesheep exploit for MetaFilter, but it is possible. It might be a good idea to change your password after you use public WiFi. With a new password, any cookies that existed before that point become invalid. We've talked about offering encryption everywhere, but it is expensive and will require new hardware. We'll probably go this route when it's time for us to move—but there's no timeline for that right now.
posted by pb (staff) at 9:16 AM on November 5, 2010 [1 favorite]
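
Added example, not part of the thread and not MetaFilter's code: one way a site can make a password change invalidate every earlier session cookie, the behaviour described in the comment above. The `Accounts` class, the cookie format and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SERVER_SECRET = b"constructed-demo-secret"  # constructed value for the example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    """Hypothetical user store: name -> (salt, password hash)."""

    def __init__(self):
        self._users = {}

    def set_password(self, user, password):
        salt = os.urandom(16)  # fresh salt, so the session key always changes
        self._users[user] = (salt, _hash(password, salt))

    def _tag(self, user, nonce):
        # Per-user session key derived from the server secret and the
        # *current* password hash; replacing the hash replaces the key.
        salt, digest = self._users[user]
        key = hmac.new(SERVER_SECRET, salt + digest, hashlib.sha256).digest()
        return hmac.new(key, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, user, password):
        salt, digest = self._users.get(user, (b"", b""))
        if not hmac.compare_digest(_hash(password, salt), digest):
            return None
        nonce = os.urandom(8).hex()
        return f"{user}|{nonce}|{self._tag(user, nonce)}"

    def validate_cookie(self, cookie):
        parts = (cookie or "").split("|")
        if len(parts) != 3 or parts[0] not in self._users:
            return None
        user, nonce, tag = parts
        ok = hmac.compare_digest(tag.encode(), self._tag(user, nonce).encode())
        return user if ok else None


def demo():
    accounts = Accounts()
    accounts.set_password("alice", "old-password")
    sniffed = accounts.issue_cookie("alice", "old-password")  # seen on open WiFi
    before = accounts.validate_cookie(sniffed)   # replayable while unchanged
    accounts.set_password("alice", "new-password")
    after = accounts.validate_cookie(sniffed)    # old cookie now rejected
    fresh = accounts.validate_cookie(accounts.issue_cookie("alice", "new-password"))
    return before, after, fresh
```

The cookie stays valid for anyone who holds a copy until the password changes, which is why this limits the damage from a session captured over unencrypted HTTP rather than preventing the capture.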


For various definitions of "logging" and "on", I'd say no. Otherwise, yes.
posted by not_on_display at 9:19 AM on November 5, 2010


I'd forgotten how depressing the 9/11 thread was. Jesus. It's an RDA of prophecy for armageddon-- not the terrorism, but the xenophobia, jingoism, and political opportunism so accurately embodied and predicted, all within hours of the event itself.
posted by norm at 10:00 AM on November 5, 2010


I think Matt has some profs on payroll.

Call me, Matt! Please.
posted by joe lisboa at 11:38 AM on November 5, 2010


What's happening?

No idea. We don't pre-load anything at the login page. Sounds like it could be a Mobile Safari bug. Maybe clearing passwords didn't work? Is it happening at any other sites on your iPhone?
posted by pb (staff) at 1:42 PM on November 5, 2010


Steve Jobs is personally keeping track of your Metafilter login information.
posted by shakespeherian at 1:44 PM on November 5, 2010 [2 favorites]


Maan, I MUST write stuff about old Beethoven and there I can't get these random non-sequitur things out of my head, like
logging a dead pony,
how many cookies has your iphony secretly swallowed...
something vague about flogging and pass-out
(I also like the term "Mobile Safari bug". You need more than flogging to get rid of those).

stooop
posted by Namlit at 2:17 PM on November 5, 2010


Logging on is perfectly safe. I can send you a certificate of perfect safety but basically, in order to issue the safety certificate I am required to first of all confirm your identities... so ah, basically madam, I will require your sort code and your account numbers... and then I can eh, wire you the safety certificate.
posted by Biru at 2:20 PM on November 5, 2010


I think "log on" is the source of your problem. You're supposed to log in to MetaFilter.
posted by deborah at 6:24 PM on November 5, 2010


You can thank me for not posting this to the Moon Disaster thread:
Odd that Safire couldn't find a poem for this purpose.

I have killed
the spacemen
who were on
the moon

and whom
you were probably
going to
idolize

Forgive me
they had no air
water
or spaceship

posted by miyabo at 7:43 PM on November 5, 2010 [5 favorites]


I have been forbearing for months from starting a MeTa thread on the whole Williams Carlos Williams thing.
posted by Mid at 8:22 PM on November 5, 2010


I have stalled
in making the
MeTa Thread

About how much I
hate that poem

Forgive me,
I was rash
and it sounded
so stupid
posted by The Whelk at 8:24 PM on November 5, 2010 [3 favorites]


Exactly.
posted by Mid at 8:25 PM on November 5, 2010


Jofus has the correct attitude.
posted by cortex (staff) at 8:36 PM on November 5, 2010


And that attitude can best be summed up as 'I thought there was going to be rum punch?'
posted by Jofus at 6:40 AM on November 6, 2010


I had wondered why
I could never
log in to metafilter
from my phone.

I'm using MetroPCS.
It hates
the certificate
and hangs, persistently.

On the other hand,
I get a lot more done
those days
away from home.
posted by toodleydoodley at 11:51 AM on November 6, 2010 [1 favorite]


The "SSL is too expensive" meme has been pretty thoroughly debunked at this point. Correct me if I'm wrong, but, you're probably not CPU bound now and adding mandatory SSL probably won't change that.

Session hijacking is trivial; Mac users can do it without even installing any extra software (assuming Apple still ships tcpdump).

Is it really necessary for someone to add MeFi support to firesheep for you to believe that this is a threat?
posted by finite at 9:03 PM on November 7, 2010 [1 favorite]


SSL isn't too expensive if you're Facebook. If you're a small operation like this, it does have an impact. We run on two servers, and our computing power is limited. We're running ColdFusion on Windows, both technologies that aren't known for their speed. We spent the last couple years digging out of a CPU hole and we're doing fine now with our current setup. Encrypting everything would add a significant load for us. I can't speak for everyone.

Like I said, I'm pretty sure we're going to make this move when it's time for us to upgrade hardware. We aren't waiting for a specific exploit. Luckily 80% of what people do at MeFi is public. We aren't a bank or even Facebook with the facade of privacy. Of course we don't want MeFi sessions hijacked, and we'll do what we can when we can.

Security is a two way street. We'll do some things on this end to make sure accounts are secure, and people will do things on their end to make sure their account is secure. We can't have 100% security, even with completely encrypted traffic. I know that won't be enough for everyone, but that's where we are right now.
posted by pb (staff) at 8:29 AM on November 8, 2010

