Somebody already made a pony. Can we borrow it?
December 15, 2012 7:02 PM   Subscribe

I don't know, I think it's kind of overkill for all but the most sensitive sites, it's not like anyone could do anything with your login besides post a comment. In the 13 years this site has been around, I think we've only had 2-3 cases where someone left themselves logged in on a shared computer and a bad post or comment went up for a few minutes before we removed it.

Also as mods we deal with about 4-5 people a day with login issues, I imagine going to this more complicated setup would throw another layer on top of that.

I think a better approach would be for us to do SSL everywhere for members (if you're asking for this because you are worried about security).
posted by mathowie (staff) at 7:34 PM on December 15, 2012 [10 favorites]

I should also add that I'm a huge fan of 2-step auth and I use it on Google, LastPass, and my Dropbox account. I've considered it for admin/mods of MeFi since our logins give us tons of rights to do stuff most people don't get, but for the average MeFi user, I'm not seeing the reason why this would be necessary (just like I'm fine with Twitter/FB not having 2-step auth though I imagine someday they might).
posted by mathowie (staff) at 7:36 PM on December 15, 2012 [2 favorites]

SSL would be fantastic and I think it's definitely a higher priority (and all-around high priority) than two-factor. Not that 2FA is a bad idea but I'd much rather have SSL first.
posted by Kadin2048 at 7:39 PM on December 15, 2012 [2 favorites]

Fair enough. It would be nice and it is just for peace of mind but if you don't ask you don't get.

As a point of interest though, Facebook does actually have two factor authentication.
posted by Talez at 7:50 PM on December 15, 2012 [2 favorites]

Yeah, I'd say that SSL everywhere would be significantly more valuable than two-factor authentication. I mean, if you have two-factor authentication but someone can snoop on everything you look at anyways because it's not encrypted, it doesn't seem like it would add that much.
posted by XMLicious at 8:48 PM on December 15, 2012 [1 favorite]

SSL Everywhere Would Be Awesome. Include chat, which is upticking in utility, please.
posted by boo_radley at 9:36 PM on December 15, 2012

I'm kinda confused as to why metafilter isn't already SSL everywhere. There's like a billion server tools to do SSL termination. I guess the domain explosion makes certs expensive though.
posted by pwnguin at 10:16 PM on December 15, 2012

We've been laying the groundwork for SSL everywhere for a while now and plan to do it at some point in the new year. We have to touch a lot of code to make it happen. It's not like flipping a switch would do it. But it is something we want to do in the near term.
posted by pb (staff) at 10:20 PM on December 15, 2012 [3 favorites]

There is a new axe on the market. Can we chop stuff down that doesn't need chopping?
posted by special-k at 10:27 PM on December 15, 2012 [3 favorites]

Please! No captchas. On the internet no one is supposed to know that you are a dog.
posted by Cranberry at 11:00 PM on December 15, 2012 [2 favorites]

Captchas make me irrationally angry. Or rationally angry, I haven't decided. I'm too angry in the moment to figure it out!
posted by shelleycat at 1:26 AM on December 16, 2012 [9 favorites]

Captchas make me irrationally angry.


Captchas make me irrationally and rationally angry. And they give me gas and I feel bloated. And then there is the heartburn. It is just no fun and never stops.

I know it was just mentioned in the last 2 comments, but I am chiming with my downvote in just in case. I haven't spent the last decade+ on this site to have to start in with captcha stupidity now. There has to be a better way (if it ever is considered).
posted by lampshade at 4:40 AM on December 16, 2012 [1 favorite]

I'm ashamed to be as bad at Captchas as I apparently am, makes me feel like a defective robot.
posted by Blasdelb at 4:57 AM on December 16, 2012 [2 favorites]

makes me feel like a defective robot.

you don't know that half of it. As a friend of mine use to say, "the pain"
posted by lampshade at 5:06 AM on December 16, 2012

There's never been a physical layer packet capture attack reported on the Internet. Why are we worried about SSL even? I guess someone could pick your password on a crappy open wifi network, but why is that matthowie's job to fix?
posted by roboton666 at 8:53 AM on December 16, 2012 [1 favorite]

There's never been a physical layer packet capture attack reported on the Internet.

Do keep up.
posted by flabdablet at 9:18 AM on December 16, 2012 [3 favorites]

Please! No captchas. On the internet no one is supposed to know that you are a dog.

No one was talking about CAPTCHAs. Hey, wait a minute — are you a dog?
posted by stopgap at 1:18 PM on December 16, 2012 [1 favorite]

Please! No captchas. On the internet no one is supposed to know that you are a dog.

*cries, deletes patent application for ButtSnif™ authentication*
posted by George_Spiggott at 1:23 PM on December 16, 2012 [1 favorite]

"No one was talking about CAPTCHAs. Hey, wait a minute — are you a dog?"

NO ONE IS SUPPOSED TO KNOW
posted by Blasdelb at 2:38 PM on December 16, 2012 [1 favorite]

SSL everywhere would make me jump for joy. Seriously I'll actually get out of my chair and jump.
posted by Skorgu at 5:23 PM on December 16, 2012

Given that the only thing one can do at metafilter is comment -- and even then, if someone did use someone else's account to comment, the mods could just delete them -- it seems overkill. Every added layer of security is more inconvenience; I'll put up with it for my online banking because money is involved, but it's pointless and annoying elsewhere. And I NEVER want anything social online connected to my cell phone (which would completely defeat the purpose of having a username/pseudonym). The only social place that has my real name is Facebook, and that account exists to connect to elderly relatives.

As for the lack of SSL: just use a low-level password. I have passwords for high-security stuff that I change frequently, and I have low-level passwords for things like metafilter - actually, I'm still using the same password I used for my first hotmail account in 1997. 15 years later, no one has hacked into either my (so very defunct) hotmail or my metafilter account. Funny enough, it turns out that no one can be bothered. Privacy by obscurity works very well.

The biggest threat to privacy online is from the companies - Google, Facebook, etc - who run sites themselves and thus already have access to all of your information regardless of security precautions. (Though, I would not include Metafilter staff in this category - they are too few and really don't care).
posted by jb at 9:20 AM on December 17, 2012

And I also hate having to do the word recognition thing -- all that twisting and strike-outs that they do to try to fool optical character recognition also works to fool bad eyes.
posted by jb at 9:22 AM on December 17, 2012

SSL everywhere isn't referring to the login, which is already SSL, or your password; the point is to try to prevent some forms of surveillance by making every page on every MeFi site accessed through encrypted https:// URLs, which could actually happen even for people who aren't logged in if Matt &co chose to set it up that way.

Without that, traffic between your computer and the server is unencrypted. So anyone who is listening anywhere between you and the server can see everything you're doing that involves communication between those two systems, including for example any MeMail you view or if you preview a comment but don't post it. It also makes it easier to take over your connection and impersonate you to the server with tools like the one flabdablet linked to, and work other evil.

(And actually, even with SSL everywhere, there is still the possibility that at some point in the chain all of the traffic is being recorded and stored, and the encryption broken at some point in the future when computer speeds have increased so as to make that easier. Unfortunately, you don't necessarily find out in the here-and-now whether or not you have privacy and may never find out.)

Metafilter uses Google Analytics, so Google actually gets quite a bit of information about your browsing activities here unless you're blocking that. (As is true for most of the sites on the internet, which use services of that sort and end up allowing third parties in on the interaction you have with their servers.)
posted by XMLicious at 10:12 AM on December 17, 2012

I could think of a bunch of unpleasant ways to take advantage of the lack of SSL. Particularly in Ask, people tread into some fairly personal territory, and you can use the lack of SSL to poke holes in someone's anonymity if you wanted to. (Set up hostile AP, grab all HTTP POSTs. You can do this in a coffee shop using a laptop with two NICs [or one of these] in about 90 seconds. Even easier if you control the AP, as in the case of a creepster roommate.)

This is particularly severe when someone's MetaFilter handle is reused on other sites, and is linked to the rest of someone's online identity.

But more generally, whenever the issue of security comes up particularly on 'social' sites, there are always people ready to complain that additional security isn't necessary because of the nature of the site, "because it's not a bank", etc. It's important to remember that not everyone uses the site in the same way. Some people may care pretty intensely about the separation of their online and IRL lives, or their ability to ask for advice here without their real-world friends/roommates/whatevers knowing about it.

SSL is an easy solution to this problem. It's not 100% perfect, but it's pretty good and raises the bar for casual/creepy snooping tremendously.
posted by Kadin2048 at 10:46 AM on December 17, 2012

Flabdablet: A corporate or private network is not the Internet, but thanks for playing anyway!

I'm talking about getting out your Internet gateway and onto the Internet providers networks, in the BGP peering points, carrier hotels etc. zero attacks there, like none. Ever.

My point is that it's not matthowie's job to protect us from layer 2/3 hacks on our own personal networks, and you pointing out firesheep is exactly what I'm talking about.
posted by roboton666 at 4:04 PM on December 17, 2012

Given that the only thing one can do at metafilter is comment -

Well, and MeMail, which is presumed private. And make anonymous posts. Not everything at Metafilter is totally public.

As for the lack of SSL: just use a low-level password.

SSL is more about FireSheep style attacks than password stealing. Even if you have 2-factor auth and strong passwords, if the rest of your browsing is not SSL then any interaction can be observed by anyone on the same unsecured network. While people can use VPN, etc the reality is most don't, which is why big sites that care about this sort of thing have been SSL-by-default for a while (like Gmail).

I'm glad to hear its in the works, it is often less trivial than some think depending on site architecture but all things considered is a relatively painless way to protect users.
posted by wildcrdj at 5:38 PM on December 17, 2012

Yeah, you guys are right, SSL across the site is the best pragmatic option currently available to protect Mefi users against the last 300 feet.

That being said, as a network engineer by trade I'd really like to see the tiered internet access providers setting up SSL VPN gateways for all connected end users. I feel that would go a long way towards securing coffee shops, home networks and other public network access points. Anyway, that's just my perspective, and it's not germane at all to this thread, really...
posted by roboton666 at 6:30 PM on December 17, 2012

making every page on every MeFi site accessed through encrypted https:// URLs, which could actually happen even for people who aren't logged in if Matt &co chose to set it up that way

Please don't choose that. It's quite bad enough that elinks is unable to log in; I'd be sad if I couldn't use it to browse MeFi even a little bit ever.
posted by flabdablet at 5:48 AM on December 18, 2012

Yeah, that was the first thing I thought of. Even if there really aren't any documented reports of anything like that, roboton666, I don't understand how you could be certain that it never happens - like, you know enough about China's "Golden Shield" censorship and surveillance infrastructure to say definitively that even they don't do anything at that level?

flabdablet - I've never used it but the Wikipedia entry for ELinks says that it supports cookies and https, so what doesn't work?
posted by XMLicious at 6:55 AM on December 18, 2012

The version that comes baked into the Trinity Rescue Kit was apparently built with the SSL support optioned off. Don't know if that's changed; most of the time I'll just grab whatever old TRK disk is lying about on the desk - only time I ever need a new one is if I'm working on hardware that's too new for the old kernels, which is very rare for me.
posted by flabdablet at 8:57 AM on December 18, 2012

In any case I can see no utility in cloaking site activity for non-logged-in lurkers.
posted by flabdablet at 8:58 AM on December 18, 2012

Sure, my PC shows up on a network diagram as hanging off a LAN link rather than obscured by a cloud, but if it can talk to www.metafilter.com then it's still part of the Internet.

SSL across the site is the best pragmatic option currently available to protect Mefi users against the last 300 feet

Even SSL is no guarantee of privacy in this day and age. Increasing numbers of workplace computers are fitted with bogus root certs installed specifically to enable the corporate proxy server(s) to run a MITM attack against every single SSL session, allegedly for security and filtering purposes. This stuff is even being sold as a service.

Still usually effective on personal machines, though, and with far less performance loss than the typical VPN.
posted by flabdablet at 9:14 AM on December 18, 2012

uhh yeah, I guess my definition of intent is different from yours?
posted by roboton666 at 7:04 PM on December 18, 2012

Your LAN is not part of the internet, but we are going to disagree and I'm not going to try to convince you otherwise to help prevent you from making further ridiculous statements.

Legal Packet Capture happens. Packet Capture is not a crime, unless your intent is criminal in nature. Change the laws if you don't like what AT&T did.

Legal MITM happens, load balancers, SSL proxies, all of it. These connections are sourced from inside private corporate networks (not the internet, see?) and are not part of what the internet is. If you don't like it, tether to your android and use your 4G data plan.
posted by roboton666 at 7:15 PM on December 18, 2012

Your LAN is not part of the internet ... Legal MITM happens, load balancers, SSL proxies, all of it. These connections are sourced from inside private corporate networks (not the internet, see?) and are not part of what the internet is.

Of the two of us, I think your own use of the term "internet" is the more idiosyncratic.

Wikipedia:

The Internet (or internet) is a global system of interconnected computer networks that use the standard Internet protocol suite (often called TCP/IP, although not all applications use TCP) to serve billions of users worldwide. It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies.

Legal Packet Capture happens. Packet Capture is not a crime, unless your intent is criminal in nature. Change the laws if you don't like what AT&T did.

The discussion at hand is not about legality, but privacy.

Do keep up.
posted by flabdablet at 7:32 PM on December 18, 2012

"Do keep up" LOL, thanks but no thanks, arguing with uniformed people online is not how I spend my days.

Thanks for playing!
posted by roboton666 at 7:49 PM on December 18, 2012

Oh FFS, Let me direct you to this from the same article you reference, then I am out of here for good.

http://en.wikipedia.org/wiki/File:Internet_Connectivity_Distribution_%26_Core.svg

posted by roboton666 at 7:54 PM on December 18, 2012

Everything on that diagram is part of "the Internet" in a well-understood, general sense. Any system that can route packets to and from other systems on the Internet is part of the Internet (and any network which has routing is also part of the Internet). The edge case that everyone seems to be wrapped up about is that of LANs which are stuck behind NAT, but that's a crappy example because it's only done because of a lack of IPv4 addresses forcing a dirty hack on everyone. IPv6 fixes that, thankfully, so eventually we'll go back to the topology that God, DARPA, and Tim Berners-Lee intended. Pretending that NATted hosts aren't part of the Internet, especially with stuff like UPnP being very common, is silly.

The security of a connection should never assume anything other than secure endpoints, because those are the only things that you can (hopefully, although not always) assume the two entities communicating with each other will have control over. Everything else should be assumed to be hostile. The fact that I, as a user at home, have some control over the router in my house and its wireless network is nice but shouldn't be counted on. And you can easily come up with common scenarios where that isn't the case.

Which brings me around to my real point, which is that this discussion is silly because in the real world this is stuff that nobody argues about much anymore. Using TLS is best practice. We can acknowledge that it's not perfect, but at the same time realize it's the best thing out there currently, and certainly represents the lowest-hanging fruit for a security and privacy standpoint.
posted by Kadin2048 at 9:44 AM on December 19, 2012 [2 favorites]