Feature request: enable https for everything on mefi, including posting. December 14, 2010 11:54 AM

Feature request: enable https for everything on mefi, including posting.
posted by beerbajay to Bugs at 11:54 AM (46 comments total) 4 users marked this as a favorite

Why?
posted by inigo2 at 11:59 AM on December 14, 2010


Planning to insult /b/, are we?
posted by quonsar II: smock fishpants and the temple of foon at 12:00 PM on December 14, 2010 [13 favorites]


We've been discussing this internally, and it's something we'd like to do someday. We understand the need for security, especially on open public wifi, and we'd like to help. But with our current hardware, flipping the switch for https everywhere would overload our servers.

In the meantime, there are things you can do to secure your mefi browsing on a public network. Here's a good article at Lifehacker: How to Stay Safe on Public Wi-Fi Networks.

We currently secure sensitive account activity including logging in and changing your password, but we're not prepared to encrypt everything at this time.
posted by pb (staff) at 12:01 PM on December 14, 2010 [1 favorite]


doesn't want IT staff at work to read his posts?
posted by empath at 12:01 PM on December 14, 2010


I guess that makes sense. I forget that just because everything you post here is visible to everyone, doesn't mean it has to be easy to connect poster with real person.
posted by inigo2 at 12:07 PM on December 14, 2010 [1 favorite]


576735a5ee5b5cd6a34c5117f2b44f8b
posted by carsonb at 12:07 PM on December 14, 2010 [4 favorites]


beerbajay: Feature request: enable https for everything on mefi, including posting.

Yay! I want this, too.
posted by paisley henosis at 12:09 PM on December 14, 2010 [1 favorite]


"SSL used to be expensive back with HTTP 1.0, when browsers were dropping and reestablishing connections. Now browsers are maintaining those persistent connections to web servers. The only expense is during the public key negotiation at the beginning of a transaction. And SSL now caches credentials. So even browsers that drop connections and reconnect, you're able to use a cached credential. The overhead is negligible because of other advances that have been made in the protocols. So it's not expensive for the end user, and it's not even expensive for the aggregation of all those connections at the server. There's just no reason not to do it." -- Steve Gibson, Security Now.
posted by crunchland at 12:09 PM on December 14, 2010 [4 favorites]


Meh. IT staff can manipulate DNS and install root certs in order to MITM websites. This would be more about protecting sessions from hijack.
posted by pwnguin at 12:11 PM on December 14, 2010


flipping the switch for https everywhere would overload our servers.

I didn't mean it should be default for everybody, but that if I go to https://ask.metafilter.com/ on purpose it should stay in https mode instead of asking me to log in and then redirecting me to the normal site.
posted by beerbajay at 12:13 PM on December 14, 2010 [1 favorite]


But with our current hardware, flipping the switch for https everywhere would overload our servers.

Give us a dollar figure. We'll make it happen.
posted by blue_beetle at 12:14 PM on December 14, 2010 [2 favorites]


Well, off the top of my head, we would need to buy at least 8 new SSL certs (at about $200/yr/cert) and I think we'd need a dedicated IP for each (a few hundred extra bucks a year). Processor wise, we are near our limits on our current hardware, which runs over $3k/month and moving to new bigger servers is also a giant endeavor.

Right now we encrypt the most sensitive actions, logging in, changing our email, and updating your password. It's a pretty huge project to provide secure browsing.

It's pretty easy and cheap to find a secure VPN that would give you basically HTTPS everywhere, at all times. HotSpotVPN is like $8/month last I checked, and is pretty easy to set up and securely tunnel all your data.
posted by mathowie (staff) at 12:19 PM on December 14, 2010 [2 favorites]


Yeah, I guess when Gibson meant "used to be expensive," he was talking about hardware overhead, not the actual costs of the certifications, which isn't exactly trivial. Seems like they're more expensive than they should be.
posted by crunchland at 12:41 PM on December 14, 2010


mathowie: "Well, off the top of my head, we would need to buy at least 8 new SSL certs (at about $200/yr/cert) and I think we'd need a dedicated IP for each (a few hundred extra bucks a year). Processor wise, we are near our limits on our current hardware, which runs over $3k/month and moving to new bigger servers is also a giant endeavor."

You could purchase a SAN cert, which would only require a single cert and IP address.
posted by mkb at 12:48 PM on December 14, 2010


We actually just made the leap at work a few weeks ago.

If you're really CPU bound already, then that's a fair reason to delay the switchover. But, you can get a wildcard SSL certificate for only a few hundred dollars. While it won't work with particularly outdated browsers, we have yet to run into any issues with it in the real world. This is especially true if you include your main domains (metatalk, www, ask, jobs, etc.) as alternate names.

Right now we encrypt the most sensitive actions, logging in, changing our email, and updating your password. It's a pretty huge project to provide secure browsing.

While I hear you that it's a big project to make the switch, you should be aware that protecting those actions is essentially pointless for somebody browsing from an open network. The entire sidejacking attack is based around stealing the session cookie, not on stealing somebody's password. Once the cookie is stolen, the attacker can use it for as long as its lifetime--even after the victim is no longer on the same network (unless you're assigning new cookies when client IPs change, which doesn't seem to be the case).
posted by Netzapper at 12:54 PM on December 14, 2010 [2 favorites]
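The sidejacking weakness Netzapper describes comes down to one question: does the session cookie that the HTTPS login page sets get attached to the plain-HTTP requests that make up the rest of the site? The following is an added example, not code from the thread or from MetaFilter; the Set-Cookie headers, cookie names and the issuing host (`www.metafilter.com`) are constructed for illustration, not captured from the site. It parses the headers, applies the browser's rules for when a cookie is sent (Secure only over https, Domain covers subdomains, no Domain means host-only, Path prefix on a `/` boundary), reports what an attacker on open wifi would see, and shows the Secure/HttpOnly hardening.

```python
"""Added example (not code from the thread or from MetaFilter): audit the
cookies a login endpoint sets for the sidejacking weakness described above,
and show the Secure/HttpOnly hardening. The Set-Cookie headers and the
issuing host below are constructed for illustration."""
from urllib.parse import urlsplit

# Assumed host that issued the cookies (the HTTPS login page).
SET_HOST = "www.metafilter.com"

# Constructed Set-Cookie headers, as a login response might return them.
SAMPLE_SET_COOKIE = [
    "session=0123abcd; Path=/; Domain=.metafilter.com; "
    "Expires=Wed, 14 Dec 2011 12:00:00 GMT",
    "prefs=night; Path=/",
    "login_nonce=9f8e; Path=/login; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False,
              "max_age": None, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "max-age":
            cookie["max_age"] = int(val)
        elif key == "expires":
            cookie["expires"] = val
    return cookie


def would_be_sent(cookie: dict, set_host: str, request_url: str) -> bool:
    """Would a browser attach this cookie to request_url? (RFC 6265 rules:
    Secure cookies only over https; a Domain attribute covers subdomains,
    no Domain means host-only; Path is a prefix match on a '/' boundary.)"""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower()
    if cookie["secure"] and u.scheme != "https":
        return False
    if cookie["domain"] is None:
        if host != set_host.lower():
            return False
    elif not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False
    path, cpath = u.path or "/", cookie["path"]
    if path != cpath and not (path.startswith(cpath) and
                              (cpath.endswith("/") or path[len(cpath)] == "/")):
        return False
    return True


def audit_login_cookies(headers, set_host: str, plain_url: str) -> dict:
    """Map cookie name -> findings relevant to an attacker on open wifi."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        issues = []
        if would_be_sent(c, set_host, plain_url):
            issues.append("sent in clear to %s: sniffable on open wifi" % plain_url)
        if not c["httponly"]:
            issues.append("readable by page script (no HttpOnly)")
        if c["max_age"] is not None or c["expires"] is not None:
            issues.append("persistent: a stolen copy outlives the browser session")
        findings[c["name"]] = issues
    return findings


def harden(header: str) -> str:
    """Hardened form: add Secure and HttpOnly where missing. Secure only helps
    once every page is served over HTTPS; on a plain-HTTP page the cookie is
    simply absent and the user looks logged out."""
    c = parse_set_cookie(header)
    extra = [flag for flag, present in (("Secure", c["secure"]),
                                         ("HttpOnly", c["httponly"])) if not present]
    return header if not extra else header + "; " + "; ".join(extra)


if __name__ == "__main__":
    report = audit_login_cookies(SAMPLE_SET_COOKIE, SET_HOST, "http://ask.metafilter.com/")
    for name, issues in report.items():
        print(name, "->", issues or ["ok"])
    print(harden(SAMPLE_SET_COOKIE[0]))
```

Running it flags the constructed `session` cookie on all three counts (cleartext on the plain-HTTP subdomain, script-readable, persistent) while the Secure+HttpOnly nonce is clean. The catch in `harden` is the practical reason this thread exists: marking the session cookie Secure while most pages are still plain HTTP means those pages never see the cookie, so it only works together with serving the whole site over HTTPS.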


blue_beetle: Give us a dollar figure. We'll make it happen.

Seriously. I'll chip in another 5$ per account right now, and I bet lots of people would do the same. I'm glad to hear that you guys are talking about this, but don't let a little thing like a few hundred bucks slow you down.
posted by paisley henosis at 12:58 PM on December 14, 2010


re: the financial issues... I wouldn't be surprised if the vast majority of regular posters here would not think twice about paying $5/year, rather than $5 as a one time fee. Any money that was left over from what are deemed to be necessary tech upgrades, staff salaries, and deserved profit could be earmarked for annual charitable donations that users could vote on or something.

I've no idea about the technical side of things in terms of costs of servers etc, but $5 a year would still be unbelievably cheap to me in terms of my interaction with this site.
posted by modernnomad at 1:27 PM on December 14, 2010 [6 favorites]


I love that the $5 charge was a one-time only fee to keep out the riffraff. However, I also realize that good things are worth paying for. Finally, if my http cookie was hijacked, it really would have no effect on me whatsoever, assuming that Team Mod could fix up anything that was put awry by the attacker.
posted by Roger Dodger at 1:45 PM on December 14, 2010


modernnomad: "I wouldn't be surprised if the vast majority of regular posters here would not think twice about paying $5/year, rather than $5 as a one time fee."

I would not want to pay. Seriously, what are you worried about? Someone compromising your MeFi account? I've got news for you- no one cares. There's nothing worth stealing.
posted by mkultra at 2:07 PM on December 14, 2010 [2 favorites]


Everything should be https, everywhere. I will happily put my money where my mouth is too.
posted by Skorgu at 2:18 PM on December 14, 2010


I would not want to pay. Seriously, what are you worried about? Someone compromising your MeFi account? I've got news for you- no one cares. There's nothing worth stealing.

I'm worried about nothing and have no need for https -- I didn't start the thread. I was simply stating that if there is a perceived need for for anything to do with running the site that ends up being spendy, I think there are lot of people out there that already see $5 as far less than the value they receive from being a member of the community.
posted by modernnomad at 2:41 PM on December 14, 2010


If you have a hardware load balancer in front of your servers, you may be able to install the certificate(s) on that, and it may have built-in SSL hardware acceleration. As others have mentioned, you should be able to get away with a single wildcard certificate for the domain.

But it is a non-trivial thing to change everything that needs to be changed, and I'm not sure whether it's worth the effort.
posted by me & my monkey at 2:41 PM on December 14, 2010


carsonb: “576735a5ee5b5cd6a34c5117f2b44f8b”

Look, I understand the temptation to be jokey during conversations about security and stuff, but posting my real name like this where anybody can read it is not cool.
posted by koeselitz at 2:43 PM on December 14, 2010 [3 favorites]


Yeah, I guess when Gibson meant "used to be expensive," he was talking about hardware overhead, not the actual costs of the certifications, which isn't exactly trivial.

The hardware overhead is also non-trivial. It's not impossible by any means, but there's a definite cost.
posted by GuyZero at 3:06 PM on December 14, 2010


crunchland: "Yeah, I guess when Gibson meant "used to be expensive," he was talking about hardware overhead, not the actual costs of the certifications, which isn't exactly trivial."

When Gibson said "expensive", he was either talking about network overhead or he was talking out of his ass. Encryption will never be free, in terms of processing costs. It may approach zero, but it'll never get there. Improvements in processors and algorithms may make encrypting and decrypting data cheaper, but it will never be equivalent to talking in plaintext. Even if P=NP (which it almost certainly does not) encryption will never be a zero-cost add-on.
posted by Plutor at 3:43 PM on December 14, 2010


I thought SSL certs were more like $10/year now for something that works with modern browsers. No? Plus HTTPS sessions don't cache so everything is requested every time? That would add a fair amount of overhead.
posted by ChrisHartley at 4:01 PM on December 14, 2010


Seriously, what are you worried about?

Yeah, I figure if anything bad happened, one can still use the contact link located at the bottom of every page and explain things to the mods.
posted by nomadicink at 4:40 PM on December 14, 2010


Well, off the top of my head, we would need to buy at least 8 new SSL certs (at about $200/yr/cert) and I think we'd need a dedicated IP for each (a few hundred extra bucks a year).

Wildcard certs.

Processor wise, we are near our limits on our current hardware, which runs over $3k/month and moving to new bigger servers is also a giant endeavor.

Rather than upgrading all your servers, let a reverse proxy terminate all your SSL on one server and take care of the overhead - Squid, Varnish + stunnel, etc. It would likely remove load from your existing systems.
posted by rodgerd at 4:46 PM on December 14, 2010


Someone compromising your MeFi account? I've got news for you- no one cares. There's nothing worth stealing.

Yeah, that's why spammers spend all that time and effort trying to stealth their way into the site at five bucks a throw.
posted by rodgerd at 4:47 PM on December 14, 2010


Well, off the top of my head, we would need to buy at least 8 new SSL certs (at about $200/yr/cert) and I think we'd need a dedicated IP for each (a few hundred extra bucks a year). Processor wise, we are near our limits on our current hardware, which runs over $3k/month and moving to new bigger servers is also a giant endeavor.

Right now we encrypt the most sensitive actions, logging in, changing our email, and updating your password. It's a pretty huge project to provide secure browsing.

That does sound expensive. As an alternative you could install pneumatic tubes like drive-through banks in all major cities. Once a day we can drive to the nearest post/comment deposit center, enter our PIN, and securely post away. Rural mefites can send in their stuff via certified mail.
posted by special-k at 5:03 PM on December 14, 2010


https - I'm in favour of, but I'd gladly chip in a little extra $ just to pay for hardware upgrades or simply cookies for the mods. This community is worth it.
posted by arcticseal at 5:08 PM on December 14, 2010


Right now we encrypt the most sensitive actions

I hope spousing is on the list.
posted by special-k at 5:17 PM on December 14, 2010 [2 favorites]


Yeah, that's why spammers spend all that time and effort trying to stealth their way into the site at five bucks a throw.

Spammers do that to post, not get data, and it's really low ROI- those posts get nuked quickly. Pretty much the only thing you can get as a logged in user that you can't as an anonymous one is user profile pages, which just aren't that interesting to marketers.
posted by mkultra at 5:23 PM on December 14, 2010


Yeah, that's why spammers spend all that time and effort trying to stealth their way into the site at five bucks a throw.

Most of the spammers we deal with seem to be profoundly careless and likely drop the $5 bucks because they think the payoff in terms of presumed-to-be-uncombatted spamming/linkfarming will be worth it. They're about as stealthy as rhinos about 95% of the time. This is neither here nor there on the SSL question, but let's not be silly.
posted by cortex (staff) at 5:29 PM on December 14, 2010


Spammers do that to post, not get data, and it's really low ROI- those posts get nuked quickly. Pretty much the only thing you can get as a logged in user that you can't as an anonymous one is user profile pages, which just aren't that interesting to marketers.

You understand that a sidejacked session can be used to post as the user, right?

So, spammers could yoink my profile, and then spam for Enzyte (or whatever) as Netzapper. Which might be amusing, but I don't want to get permabanned for self-linkage that I didn't do.
posted by Netzapper at 6:22 PM on December 14, 2010


Wildcard SSL certs are down to about $99/year, if you buy a multiyear certificate. Only one would be needed for the whole site.

It took a while, but the prices on certs are finally coming down ... no thanks to you, Verisign.

I'd definitely support SSL just on general principle. If we could come up with a hard cost estimate of what it's going to take, I'd contribute as well.
posted by Kadin2048 at 6:39 PM on December 14, 2010
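Netzapper's and Kadin2048's point that one wildcard certificate covers the whole site has a catch worth checking before buying: a wildcard matches exactly one leftmost label and never its own parent, so `*.metafilter.com` covers `ask.metafilter.com` but not the bare `metafilter.com`, which has to be listed as a separate alternate name. The following is an added example, not code from the thread or from MetaFilter: it applies the hostname-matching rule browsers use for certificate names and derives the smallest SAN list for a set of hosts. The host names are the ones mentioned in the thread (www, ask, metatalk, jobs, and the bare domain) plus one assumed nested name, `login.ask.metafilter.com`, included only to show where a single wildcard stops. Real certificate verification belongs to the TLS library; this is for planning the purchase.

```python
"""Added example (not code from the thread or from MetaFilter): work out the
smallest SAN list that covers a set of hostnames, using the matching rule
browsers apply to certificate names (RFC 6125 / RFC 2818 style: a wildcard
covers exactly one leftmost label and never the bare parent domain)."""


def hostname_matches(cert_names, hostname: str) -> bool:
    """True if any DNS name in the certificate covers hostname."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                 # "*.example.com" -> ".example.com"
            if host.endswith(suffix):
                leftmost = host[:-len(suffix)]
                # exactly one non-empty label may stand in for the '*'
                if leftmost and "." not in leftmost:
                    return True
        elif name == host:
            return True
    return False


def uncovered_hosts(cert_names, hostnames) -> list:
    """Hosts a certificate carrying these names would NOT be valid for."""
    return [h for h in hostnames if not hostname_matches(cert_names, h)]


def minimal_san_list(hostnames) -> list:
    """One wildcard per parent domain, plus each bare domain literally
    (a wildcard never matches its own parent, so 'example.com' must be
    listed alongside '*.example.com')."""
    sans = set()
    for h in hostnames:
        labels = h.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            sans.add("*." + ".".join(labels[1:]))
        else:
            sans.add(".".join(labels))
    missing = uncovered_hosts(sans, hostnames)
    if missing:  # guards the rule above; should not trigger
        raise ValueError("uncovered: %r" % missing)
    return sorted(sans)


# Hosts named in the thread ...
THREAD_HOSTS = ["www.metafilter.com", "ask.metafilter.com",
                "metatalk.metafilter.com", "jobs.metafilter.com",
                "metafilter.com"]
# ... plus an assumed nested name (hypothetical, not a real host) to show
# where a single wildcard stops.
NESTED_HOST = "login.ask.metafilter.com"


if __name__ == "__main__":
    print(minimal_san_list(THREAD_HOSTS))
    print(uncovered_hosts(["*.metafilter.com"], THREAD_HOSTS + [NESTED_HOST]))
    print(minimal_san_list(THREAD_HOSTS + [NESTED_HOST]))
```

For the thread's hosts the answer is two names on one certificate, `*.metafilter.com` and `metafilter.com`; a wildcard alone leaves the bare domain (and any nested host) uncovered, which is the kind of gap that only shows up as a browser warning after the certificate has been paid for.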


I'll chip in another 5$ per account right now

What are we up to now? 150k accounts? That's very generous of you ;-)

pretty much the only thing you can get as a logged in user that you can't as an anonymous one is user profile pages, which just aren't that interesting to marketers.

Profile pages give you e-mail addresses, right? Marketers are very interested in those.
posted by dg at 7:27 PM on December 14, 2010 [1 favorite]


So, spammers could yoink my profile, and then spam for Enzyte (or whatever) as Netzapper. Which might be amusing, but I don't want to get permabanned for self-linkage that I didn't do.

That'd be an embarrassing email conversation afterwards, I'm sure, but the difference between "long time user clearly willfully spams" and "long time user's account obviously compromised by spammer" isn't a hard one to recognize in practice, and makes all the difference in whether it'd be a bannable offense. One of the nice things about having human mods.

Profile pages give you e-mail addresses, right? Marketers are very interested in those.

Scraping emails off profile pages is totally doable, yes. It's doable under the radar for $5, though, so using a MITM attack to hijack an account seems like a ridiculous tactic for anyone actually casing the joint enough to want access specifically to that information.

The only way to be sure no one with ill intent gets at your semi-publicly-readable email address is to not list one. SSL doesn't come into it. Which, again, not an argument against the idea in principle because pragmatic issues aside I'm all for it. But it is worth putting this stuff in context.
posted by cortex (staff) at 7:49 PM on December 14, 2010


Seriously, what are you worried about? Someone compromising your MeFi account?

If Lex Luthor sidejacks mathowie's session cookie, he will use MetaFilter to kill Superman. Do you want that? Do you?
posted by qxntpqbbbqxl at 9:12 PM on December 14, 2010


So, spammers could yoink my profile, and then spam for Enzyte (or whatever) as Netzapper. Which might be amusing, but I don't want to get permabanned for self-linkage that I didn't do.

Sure, it's possible, but show me this is actually happening before I get worried about it.

Profile pages give you e-mail addresses, right? Marketers are very interested in those.

Lists of verified email addresses are dirt cheap. Scraping them from MeFi profile pages, then filtering out all the garbage, just isn't worth it.
posted by mkultra at 9:21 PM on December 14, 2010


Normally, I take GRC's statements as evidence to the contrary. I guess he's started to read the things on the internet he claims to be an expert of. Not gonna waste 30 minutes on a podcast though.

But the claim has some credible evidence. Google engineer Adam Langley on the subject of SSL performance:
In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
Now maybe Google had some spare load balancers they weren't using. And they're not using (reportedly) Windows 2003. And I have no clue how the site's backend is designed and whether time spent here delays some ultrasecret subsite project. But maybe the "SSL is too slow" argument isn't as valid as assumed.
posted by pwnguin at 9:33 PM on December 14, 2010


NameCheap (they're legit despite the stupid name) has certs for $9/year now that are trusted in every browser that would ever hit the site. I don't remember their wildcard prices. As mentioned above if you've got a hardware load balancer you may be able to install the SSL cert(s) on there to mitigate the hardware overhead concerns on the actual servers. Certainly not a trivial amount of work, but if you've got the pieces in place already it's probably less expensive (and time consuming) than you think.
posted by togdon at 9:49 PM on December 14, 2010


paisley henosis: "I'll chip in another 5$ per account right now"

Really? We have over 100,000 users, so you're donating $500,000 at least? If so, you're my new hero!

In all seriousness, it costs over $3,000 a month to keep Mefi up? How do you do it?!
posted by IndigoRain at 9:53 PM on December 14, 2010


Since the load balancer idea has come up a couple times I'll just say: nope, we don't have one.
posted by pb (staff) at 9:54 PM on December 14, 2010


floam: "I like using SSL wherever I can just so I don't have to worry that some weirdo at my university or workplace knows what I'm up to."

If you're really that concerned about your overall security, set up an SSH proxy server for all your traffic. You're not going to solve that problem one website at a time.

(You should also have no expectation of privacy browsing MeFi at the workplace.)
posted by mkultra at 7:23 AM on December 15, 2010


floam: "I'm the IT guy, I do what I please. I do have an certain level of expectation of privacy because there's not supposed to be anybody else but me snooping around."

If that's the position you're arguing from, you have no standing to be asking anyone to do anything for you. Either "do what you please" and handle your own encryption or accept it and move on. I don't see how what you want is MeFi's responsibility.
posted by mkultra at 11:03 AM on December 15, 2010

