Why doesn't MetaFilter use SSL by default for everyone?
September 16, 2016 11:12 AM

It's opt-in for members, but why not use it by default for everyone?
posted by gorcha to Feature Requests at 11:12 AM (52 comments total) 5 users marked this as a favorite

We talked about this a little bit near the start of this year; here's my comment at the time, and that's where we remain at the moment: if we can satisfy ourselves that turning it on by default for everybody won't cause significant problems for the MeFi userbase, it seems like a good idea, but we need to in fact be satisfied of that.

Which will be a bit of work, but is worth doing if we can manage it; if you read through the rest of that thread, there's some good discussion of where the sticking points are, including notably that third-party widgets we include on the site need to not break, and greasemonkey scripts users depend on need to likewise not break (or to be updated by their authors or, in cases where it's okay to do so, by other coders).

So at some point it'd be nice to circle up and try to e.g. identify which scripts folks are using and which ones break with SSL forced on, get ahold of script authors as appropriate, and get that stuff fixed up as needed and loudly broadcast the fact that that's been done so less active users will have a decent chance of actively updating scripts before they break. Will be a little bit of a todo, and not something we have time to tackle right at this moment, but I'd like to get there eventually.
posted by cortex (staff) at 11:18 AM on September 16, 2016 [2 favorites]


Why do people put their first sentence in the title?
posted by Chrysostom at 11:26 AM on September 16, 2016 [10 favorites]


So you can apply Betteridge's law to them.
posted by bjrn at 11:40 AM on September 16, 2016 [4 favorites]


Why do people put their first sentence in the title?

Because it makes it more exciting for people who have titles turned off. I know I felt a small thrill when I looked at this and wondered what I was opting-in to.
posted by octobersurprise at 12:15 PM on September 16, 2016 [31 favorites]


I figured the opt-in they were talking about was hiding titles and so the Meta itself was meta.
posted by Mitheral at 12:42 PM on September 16, 2016 [7 favorites]


I use nine separate greasemonkey scripts for MetaFilter, and have manually updated mine to work with the SSL site. However, I don't feel like greasemonkey script compatibility should get in the way of a site transition to SSL, and I worry that waiting for the authors of every user script out there to update their scripts is prioritizing the needs of a small minority of people over the wider majority that would benefit from a transition to SSL.

One sort of under-the-radar problem with the site being available on both is that links get posted with the protocol in them, so when you click to link back to a previous comment, it has to reload the page. This could be fixed with a separate pony that rewrites the URLs to relative ones that would stay on whatever protocol the user is already using, but in lieu of that, I feel like GM compatibility shouldn't be a primary concern, especially when it's pretty trivial for us as a community to rewrite any of the ones that break.
posted by tonycpsu at 1:34 PM on September 16, 2016 [21 favorites]


I'd love to see MetaFilter on Sesame Street Live!
posted by Joseph Gurl at 3:34 PM on September 16, 2016 [3 favorites]


1 URL, 2 URLs, 3 URLs... Ah, ah, ah!
posted by It's Raining Florence Henderson at 4:21 PM on September 16, 2016 [8 favorites]


Thanks IRFH, now I have this running through my head.
posted by hippybear at 4:25 PM on September 16, 2016 [1 favorite]


We didn't bother to synchronize greasemonkey scripts when Modern was introduced; at least, my recollection is that a bunch of scripts broke and had to be updated. I also recall folks being pretty good-natured about it and the script-fixing getting taken care of without much grumbling. Maybe I'm misremembering, or maybe there's some important difference between that update and the proposed one, but I feel like we've broken the scripts before in the name of updating the site, and it wasn't that big a deal. I agree with tonycpsu that greasemonkey compatibility ought not be seen as critical in this instance. Give people some warning, sure, but ultimately there should be a deadline and after that anything that breaks, breaks.
posted by Anticipation Of A New Lover's Arrival, The at 7:34 PM on September 16, 2016 [4 favorites]


Isn't Google's pagerank going to start punishing non-SSL sites soon?
posted by Ivan Fyodorovich at 8:05 PM on September 16, 2016 [7 favorites]


I also recall folks being pretty good-natured about it and the script-fixing getting taken care of without much grumbling.

To be fair, part of that probably has to do with the fact that they didn't eliminate the classic theme. And if they ever do WE WILL HAVE WORDS.
posted by tonycpsu at 8:10 PM on September 16, 2016 [3 favorites]


Do a countdown.
posted by aramaic at 9:00 PM on September 16, 2016


Go ssl-only one day a week, then two days a week, then flip the bit.
posted by jenkinsEar at 5:15 AM on September 17, 2016 [1 favorite]


I find trying to access ssl-only sites from public wifi is problematic when you get forwarded to their wifi page, because improper certificates etc etc. Metafilter is one of the few sites I routinely visit that aren't default ssl, so it's my go-to site when determining if the public wifi is working or needs a login.

Long story short, my nonstandard use case makes your obvious improvement untenable.
posted by Mr.Encyclopedia at 12:28 PM on September 17, 2016 [6 favorites]


MetaFilter: my nonstandard use case makes your obvious improvement untenable.
posted by jessamyn (retired) at 12:43 PM on September 17, 2016 [43 favorites]


If the concern is a few people with scripts/etc, why not make it opt-out rather than opt-in?
posted by thefoxgod at 4:11 PM on September 17, 2016 [5 favorites]


It's my go-to site when determining if the public wifi is working or needs a login

When I want to trigger the portal login or test that, I use zombo!

Chrome will start classifying non-SSL sites as "unsecure" eventually and I expect other browsers will follow suit. The browser world is moving towards treating http like Flash... something to be gotten rid of, not all at once because of the consequences, but an inevitable end goal.
posted by thefoxgod at 4:15 PM on September 17, 2016 [6 favorites]


Metafilter is one of the few sites I routinely visit that aren't default ssl, so it's my go-to site when determining if the public wifi is working or needs a login.

Long story short, my nonstandard use case makes your obvious improvement untenable.


But you could make exactly the same argument about any site, e.g. "I use Google to check my connectivity, therefore Google shouldn't use SSL." Why not just use a different non-HTTPS site? There are plenty of popular ones to choose from.

Or even better, use a modern browser or operating system that can automatically detect captive portals. (Chrome has supported this for ages on OSes that don't have it built-in; Firefox is getting captive portal support in version 50.)
posted by teraflop at 4:49 PM on September 17, 2016 [3 favorites]


example.com is also a good placeholder site that's good for checking your connection or DNS.
posted by schmod at 5:29 PM on September 17, 2016 [1 favorite]


I'd love to see MetaFilter on Sesame Street Live!

I could switch to cookies for the evening.
posted by The Underpants Monster at 6:17 AM on September 18, 2016 [5 favorites]


Underpants are also a sometimes food.
posted by GenjiandProust at 6:44 AM on September 18, 2016 [5 favorites]


Needs more Beaker
posted by y2karl at 11:52 AM on September 18, 2016


if we can satisfy ourselves that turning it on by default for everybody won't cause significant problems for the MeFi userbase, it seems like a good idea, but we need to in fact be satisfied of that.

Broken Greasemonkey scripts for the small fraction of users who use them constitute "significant problems"? More significant than lax security for everyone? It takes all of fifteen seconds to add an s to all the URL lines in a Greasemonkey script. Just include instructions in the announcement post -- even give a heads-up months before the change -- if you're really worried about it, which, frankly, you shouldn't be.

Are you waiting for everyone to spontaneously pre-update everything for a change that hasn't been announced? 'Cause, like, that's not gonna happen.
posted by Sys Rq at 1:26 PM on September 18, 2016 [14 favorites]
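The script audit discussed above, as an added example that is not part of the thread and not MetaFilter's or any script author's code: a Python helper that walks a Greasemonkey script, rewrites `http://` URLs and patterns on metafilter.com to `https://`, and flags remaining third-party `http://` URLs for manual review instead of rewriting them. The sample userscript and all names are constructed for illustration.

```python
import re

# Metadata line such as "// @include  <pattern>"; group 1 is the key name.
META_KEY = re.compile(r"^\s*//\s*@(\w+)\s+\S")
# http:// URLs or glob patterns on metafilter.com or any subdomain of it.
MEFI_HTTP = re.compile(r"http://((?:[\w*-]+\.)*metafilter\.com)(?![\w.-])", re.I)
# Any other plain-http URL; these hosts may not serve HTTPS, so only flag them.
ANY_HTTP = re.compile(r"http://[^\s\"'<>)]+")

# Constructed sample script, not taken from any real userscript.
SAMPLE_USERSCRIPT = """\
// ==UserScript==
// @name        Sample MeFi helper (constructed)
// @include     http://www.metafilter.com/*
// @include     http://*.metafilter.com/*
// @match       https://ask.metafilter.com/*
// @require     http://cdn.example.net/lib.js
// ==/UserScript==
var api = "http://www.metafilter.com/contribute/";
"""


def upgrade_userscript(source):
    """Return (rewritten_source, findings).

    Each finding is (line_number, location, action) where location is the
    metadata key ("@include", "@require", ...) or "body", and action is
    "rewritten" (metafilter.com URL moved to https) or "review" (another
    plain-http URL is still present and needs a human decision).
    """
    findings, out, in_meta = [], [], False
    for lineno, line in enumerate(source.splitlines(), start=1):
        marker = line.strip()
        if marker == "// ==UserScript==":
            in_meta = True
        elif marker == "// ==/UserScript==":
            in_meta = False
        key = META_KEY.match(line) if in_meta else None
        where = "@" + key.group(1) if key else "body"

        fixed, count = MEFI_HTTP.subn(r"https://\1", line)
        if count:
            findings.append((lineno, where, "rewritten"))
        if ANY_HTTP.search(fixed):
            findings.append((lineno, where, "review"))
        out.append(fixed)
    return "\n".join(out), findings


if __name__ == "__main__":
    new_source, report = upgrade_userscript(SAMPLE_USERSCRIPT)
    for lineno, where, action in report:
        print(f"line {lineno}: {where}: {action}")
    print(new_source)
```

Running it a second time over its own output should report only the "review" entries, which makes it usable as a check before announcing a cut-over date.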


Stop trying to make (encrypted by default) fetch happen.
posted by phearlez at 6:17 AM on September 19, 2016 [1 favorite]


Metafilter is one of the few sites I routinely visit that aren't default ssl, so it's my go-to site when determining if the public wifi is working or needs a login.

I also do this.

Or even better, use a modern browser or operating system that can automatically detect captive portals.

It's typically my phone and the mobile version of Chrome at least doesn't automatically do this.

I don't really think this is a reason not to move to SSL by default, but I was amused that Mr.Encyclopedia and I both do the same thing.
posted by Jahaza at 12:33 PM on September 19, 2016


Long story short, my nonstandard use case makes your obvious improvement untenable

Here you go:

1. open a terminal:

2. without quotes type "telnet icanhazip.com 80"

3. look for "Connected to icanhazip.com.
Escape character is '^]'."

If you're on windows there's a way to enable telnet outbound but it's a PITA to remember how to do it off the top o me head so use the googlez.

Now, turn on SSL so google doesn't put Mefi on the "bad pile" and start driving metafilter slowly out of business all over again.
posted by Annika Cicada at 5:03 PM on September 19, 2016 [4 favorites]


Chrome will start classifying non-SSL sites as "unsecure" eventually

Lack of SSL is probably one of the reasons MetaFilter's search ranking (and revenues) tanked a few years ago. In this era of donations I don't think search ranking is super important, but Google and many reputable Internet security organizations think SSL is a best practice, so...
posted by My Dad at 1:49 PM on September 20, 2016


trying to access ssl-only sites from public wifi is problematic when you get forwarded to their wifi page, because improper certificates etc etc

This.

The more the Web at large goes SSL "because Security", the more accustomed people are going to become to needing to install Something Mysterious in order to get it to work from public hotspots. Since those Somethings Mysterious are actually MITM SSL bump certificates, and since there is no reason to believe that the private keys for those will be held anything like properly securely, SSL will eventually become nothing more than a minor speed bump for script kiddies instead of the formidable defence it is today.

If there are genuine and well thought out reasons for a particular site to go SSL, well and good. But doing it from some kneejerk need to Keep Up With Google is as irresponsible, in my view, as choosing a stock feed laced with antibiotics.
posted by flabdablet at 10:45 PM on September 20, 2016 [1 favorite]


That's interesting, I've never encountered this outside corporate environments on corporate liable machines.

I've even installed SSL MITM appliances and gone through this process. It's painful as hell getting root certs pushed out.

That's a pretty fucked up thing for a wireless hotspot provider to do.

At that point tethering off a phone seems like the best option.
posted by Annika Cicada at 2:10 AM on September 21, 2016 [2 favorites]


With all due respect, if Keep Up With Google means it helps MetaFilter's Bottom Line and helps ensure that the staff Keeps Getting Paid and that the site Continues to Exist, well, that doesn't seem irresponsible at all to me.

And to the extent that there is some kind of SSL creep going on that's leading to hacky workarounds in a small number of edge cases, MetaFilter choosing to switch to all SSL isn't going to meaningfully affect that trend one way or another.
posted by tonycpsu at 7:48 AM on September 21, 2016 [2 favorites]


The more the Web at large goes SSL "because Security", the more accustomed people are going to become to needing to install Something Mysterious in order to get it to work from public hotspots.

This is really, really shady behavior for a wifi hotspot. I absolutely would not trust a hotspot that requires you to install anything in order to work. At least hosting on HTTPS gives the user the option to recognize that something bad is going on. If you're on plaintext HTTP, you can just get random malignant shit injected by the hotspot without ever knowing about it. HTTPS is just as much about message integrity as it is message secrecy.

If you want to avoid conditioning people to kneecap themselves on network security, make it very hard (or impossible) to do this in the walled garden OSes like iOS and Android where there's already an expectation that they will protect people from themselves.
posted by indubitable at 12:42 PM on September 21, 2016 [4 favorites]


"The more the Web at large goes SSL "because Security", the more accustomed people are going to become to needing to install Something Mysterious in order to get it to work from public hotspots."

Since this is not a thing that actually happens with basically any public hotspots, and would break a bunch of the web if they did it anyways, and is basically impossible to do on current-gen mobile devices even if they wanted to, I don't think any weight should be given to this as a part of a decision to go SSL-only.

While it may not work for metafilter for technical reasons, I think it's probably worth considering making it the default for non-logged-in users, if only for the google mojo. It's certainly not "irresponsible" to consider.
posted by grandsham at 2:02 PM on September 21, 2016 [4 favorites]


Actually, there are indeed hotspots that attempt to MITM your SSL connections. I removed COMODO from the trust stores on all my devices because they provided an intermediate certificate authority for some of these hotspot appliances.

For the less-technical: SSL certificates operate on a "chain of trust". If the root of the chain is trusted and there's an unbroken chain between the root and the final certificate your client is presented, the final certificate is considered trustworthy. An intermediate certificate authority is a middle link on the chain, which exists so that Google (e.g.) doesn't have to keep going back to Verisign whenever one of their X million cloud servers has an expired certificate.

This is all well and good provided that the root certificate authorities are behaving nicely and intermediate certificate authorities are used sparingly and in a responsible manner.

However, it also creates the opportunity for a malicious actor to obtain an intermediate certificate from a lax or irresponsible certificate authority (e.g.: COMODO) and spoof certificates willy-nilly while redirecting traffic wherever they want. Because SSL only cares that it trusts the root of the chain, it doesn't distinguish between a (Verisign -> Google Intermediate CA -> Google Server) certificate chain and a (COMODO -> MITM Hotspot -> Google Server) certificate chain.
posted by tobascodagama at 2:52 PM on September 21, 2016


Actually, I think I'm misremembering slightly and conflating a few things. The issue wasn't with WiFi hotspots but with "security" software installed locally. Superfish and PrivDog. But Comodo was implicated in another situation where they issued fraudulent certificates.

Which is getting further and further off-topic now (sorry), because I don't think any of this actually affects the decision about whether MeFi should enable SSL by default. We should. MITM is possible even on HTTPS, but it's trivially easy on HTTP.
posted by tobascodagama at 3:03 PM on September 21, 2016


SSL MITM is based on the ability to install a private root CA on the endpoint then do what is called "certificate re-chaining" during the SSL handshake on a network device that switches, inspects, routes or proxies your data flow.

The MITM part is easy. Getting root certs installed on devices is kind of a pain in the ass, since each browser can implement their own certificate stores and mobile devices have a lot of other considerations as well. It's not as easy as "click a thing and now you're hosed". Getting a root CA installed on every device, OS keystore and browser keystore is not trivial work in my experience. And that's just for RSA certs. If you wanna break into ECC crypto then you need to load a totally other root CA that is based on the DH cipher. It's doable, but again a pain in the ass.

It's probably more lucrative to compromise a major trusted CA, which at that point you're dealing with nation states trolling the net to serve the panopticon and to protect from that you're probably better off using an "always-on" private VPN connection so you don't have to worry about government eavesdropping so much, but then again who knows if the cipher you're using is safe from 5 eyes?
posted by Annika Cicada at 7:00 PM on September 21, 2016


Maybe I'm missing something, but what would the benefit of ssl be for non-members?
posted by ODiV at 12:23 PM on September 22, 2016


Google's indexing-robots are non-members. In Aug 2014, Google announced that they had started giving small "good job on the security!"-type pagerank boosts to SSL sites that the indexers found, and that they expected the strength of these boosts to increase going forward.
posted by Dr. Eddie Evil at 6:18 PM on September 22, 2016 [1 favorite]


what would the benefit of ssl be for non-members?

With HTTP, it's trivially easy to MITM a request. So you try to go to Metafilter, but you get back Dr. Evil's Super Bad Javascript Page instead. Without HTTPS, any proxy can redirect/replace your request.
posted by thefoxgod at 7:20 PM on September 22, 2016 [4 favorites]


They could even return Metafilter, but with additional scripts/info/etc in it. Or change the text in a comment. Or whatever. Any proxy can see the full text of the request and response in HTTP.
posted by thefoxgod at 7:22 PM on September 22, 2016 [4 favorites]


Also, without SSL/TLS, your internet provider, phone company, government, etc. can easily monitor what you are reading, scan it for keywords, etc. Service providers like to sell this data to advertisers, or presumably anyone else who will pay enough.
posted by mbrubeck at 10:11 AM on September 23, 2016 [1 favorite]


Google's indexing-robots are non-members.

YOUR ASSUMPTION IS INCORRECT, HUMANOID.
posted by Google indexing-robot #476 at 10:48 AM on September 23, 2016 [18 favorites]


Another consideration is that HTTPS by default may hit the Adsense revenue which keeps Metafilter afloat.
posted by Lanark at 10:18 AM on September 24, 2016


> what would the benefit of ssl be for non-members?

An active attacker could replace the "Sign Up" link with an http (no s) one, and then listen to the new user's password.

A passive attacker could also read e.g. the embarrassing AskMes a user is searching for.
posted by l_zzie at 1:16 PM on September 24, 2016


A passive attacker could also read e.g. the embarrassing AskMes a user is searching for.

AskMe would firmly but politely counsel against such passive-aggressive tendencies, though, of course, with solemn exhortations to seek therapy.
posted by Joseph Gurl at 8:06 PM on September 24, 2016


Allow me to firmly and politely counsel you against your passive-aggressive tendencies, Joseph Gurl. Therapy, as always, is totally your own choice and lookout.

First though, maybe you'd let me AskYou: Why do people like you read what you clearly disdain? Why do you converse with people you think so poorly of, or make fun of vast swathes of well-meaning folks in a not-so-subtle-fashion right to their faces? Let's get to the bottom of this once and for all. Tell me about your childhood.

As for this business? For ffs just make the site safe not merely because of lucre motives but also because you know you've got malefactors galore constantly attacking it and your users. In the meantime, at least for you chromebook kids and/or olds : HTTPS EVERYWHERE.

You can hug me later.
posted by melissa may at 9:06 PM on September 24, 2016 [1 favorite]


Why do you converse with people you think so poorly of, or make fun of vast swathes of well-meaning folks in a not-so-subtle-fashion right to their faces?

Zuh?
posted by Joseph Gurl at 10:30 PM on September 24, 2016 [2 favorites]


> A passive attacker could also read e.g. the embarrassing AskMes a user is searching for.

HTTPS won't fully protect you from that because it doesn't encrypt domain requests. If your employer's firewall logs your activity, they'll have a record of how often you've been hitting ask.metafilter.com, although they need other means to determine which pages you're viewing, whether you're posting responses, etc. A readable discussion about it on StackExchange. See also this comment about how the full URL for a site can still be visible through the referrer (so, hypothetically, your employer won't directly know what pages you're viewing on Ask Metafilter, but they can see you followed a lot of links from Ask about corporate sabotage to third-party pages.)
posted by ardgedee at 7:32 AM on September 25, 2016


Seems like a good time to switch to IPv6 and HTTP/2 as well.

This internets goes to 11!
posted by blue_beetle at 8:02 AM on September 25, 2016 [2 favorites]


In all seriousness, can we also get Subresource integrity hashes on the third party and CDN scripts? This can prevent a great deal of malicious script injection issues.
posted by blue_beetle at 8:07 AM on September 25, 2016 [3 favorites]
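How a Subresource Integrity value is produced and checked, as an added example that is not part of the thread or of any MetaFilter code: the helper builds the `integrity` attribute for a script and mirrors the browser-side rule that only the strongest listed algorithm is enforced. The script bytes, URL and function names are constructed for illustration.

```python
import base64
import hashlib
import html

# Algorithms defined for SRI, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample: the script as published, and a copy altered in transit.
SCRIPT = b"console.log('widget loaded');\n"
TAMPERED = SCRIPT + b"/* injected by something on the path */\n"


def sri_hash(data, alg="sha384"):
    """Return '<alg>-<base64 digest>' as used in the integrity attribute."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url, data):
    """Build a script tag pinned to these exact bytes.

    crossorigin is needed so the browser can read a cross-origin
    response body in order to hash it.
    """
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_hash(data)}" crossorigin="anonymous"></script>')


def parse_integrity(value):
    """Split an integrity attribute into (alg, base64) pairs, skipping
    tokens with unknown algorithms and dropping any '?options' suffix."""
    parsed = []
    for token in value.split():
        expr = token.split("?", 1)[0]
        alg, sep, b64 = expr.partition("-")
        if sep and b64 and alg in STRENGTH:
            parsed.append((alg, b64))
    return parsed


def verify(integrity, data):
    """Return True if the resource would be allowed to load."""
    parsed = parse_integrity(integrity)
    if not parsed:
        return True  # nothing enforceable listed: no integrity check happens
    best = max(STRENGTH[alg] for alg, _ in parsed)
    return any(sri_hash(data, alg) == f"{alg}-{b64}"
               for alg, b64 in parsed if STRENGTH[alg] == best)


if __name__ == "__main__":
    print(script_tag("https://cdn.example.net/widget.js", SCRIPT))
    print("original loads:", verify(sri_hash(SCRIPT), SCRIPT))
    print("tampered loads:", verify(sri_hash(SCRIPT), TAMPERED))
```

The last branch of `verify` is the caveat worth checking in a deployment: an attribute containing only unrecognised algorithms enforces nothing.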


ardgedee: I think that comment is incorrect. If a page was loaded over HTTPS, browsers won't send its address in a Referer header over HTTP. (The commenter speculates that some browsers might not obey this rule, but I know that Chrome and Firefox do, at least.)
posted by teraflop at 11:40 AM on September 25, 2016 [1 favorite]


> HTTPS won't fully protect you from that because it doesn't encrypt domain requests. If your employer's firewall logs your activity, they'll have a record of how often you've been hitting ask.metafilter.com, although they need other means to determine which pages you're viewing, whether you're posting responses, etc.

Sure, but the specific content will be obscured.

> See also this comment about how the full URL for a site can still be visible through the referrer (so, hypothetically, your employer won't directly know what pages you're viewing on Ask Metafilter, but they can see you followed a lot of links from Ask about corporate sabotage to third-party pages.)

Links from HTTPS to HTTP don't have a referer. (one r ;) )
posted by l_zzie at 3:09 PM on September 25, 2016
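The Referer rule discussed in the last few comments, as an added example that is not part of the thread: a Python model of what a browser puts in the `Referer` header under three referrer policies, including the downgrade case (HTTPS page to HTTP target). The URLs are constructed, the function names are hypothetical, and default ports are not normalised when comparing origins.

```python
from urllib.parse import urlsplit, urlunsplit


def _strip(url, origin_only=False):
    """Remove credentials and fragment; optionally reduce to the origin."""
    p = urlsplit(url)
    host = p.netloc.rpartition("@")[2]  # drop any user:password@ prefix
    if origin_only:
        return urlunsplit((p.scheme, host, "/", "", ""))
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.rpartition("@")[2].lower())


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Return the Referer value sent with a request from page_url to
    target_url, or None when the header is omitted."""
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        # Full URL, except when leaving HTTPS for plain HTTP.
        return None if downgrade else _strip(page_url)
    if policy == "strict-origin-when-cross-origin":
        if _origin(page_url) == _origin(target_url):
            return _strip(page_url)
        # Cross-origin: origin only, and nothing at all on a downgrade.
        return None if downgrade else _strip(page_url, origin_only=True)
    raise ValueError(f"policy not modelled here: {policy}")


# Constructed URLs for illustration.
PAGE = "https://ask.metafilter.com/12345/example-question?x=1#c9"
HTTP_TARGET = "http://third-party.example/page"
HTTPS_TARGET = "https://third-party.example/page"

if __name__ == "__main__":
    for target in (HTTP_TARGET, HTTPS_TARGET):
        for policy in ("no-referrer-when-downgrade",
                       "strict-origin-when-cross-origin"):
            print(policy, "->", target, ":", referer_for(PAGE, target, policy))
```

On the HTTPS-to-HTTPS link the header travels inside TLS, so the destination site receives it but an on-path observer does not; a site that wants to keep thread URLs from third parties can set a stricter policy.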

