MaynardKrebs
Premium
join:2009-06-17
kudos:3

Mandatory SSL login & SSL posting

I'd like to request that DSLr begin offering SSL-based posting as the default.

Currently you offer optional SSL login - which is great, but that should be the default. SSL posting should also be the default.

More and more governments want to force ISPs not only to retain logs of the sites surfed by individual customers, but also to capture content for searches either with or without a warrant. The time has come to protect your users' privacy better.

Many people using DSLr post opinions critical of government actions (political, telecom-related, or otherwise). It would be nice if it were made at least a little harder for governments to build a profile up on DSLr posters.

It should be more difficult for telcos and cable companies to spy on their users using their DPI boxes. Having the means is the first step on the slippery slope to actually doing it. SSL login and SSL posting help in this regard.

Just in the same way that many prospective employers now view people's Facebook pages to see if they should be hired or not, with automated systems (DPI) scavenging every byte and capable of correlating them back to specific people, it's time to help your users protect themselves a bit better.

I know that implementing mandatory SSL posting will require additional horsepower at your servers, but I think it's worth it.

Thanks for listening.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

SSL login would be fine.

The rest of the suggestion is nonsense.

If you want what you post to DSLR to be private, then don't post it.

--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.4; firefox 4.0


OZO
Premium
join:2003-01-17
kudos:2

If you don't see the sense of it, that doesn't automatically make it nonsense. After you do an SSL login you return to a common (and open) session that transmits your login cookies every time you send any request to the web server. So what's the point of an SSL login (if you connect, for example, from a WiFi hot spot) if everyone can then get your cookies and make posts on behalf of your account...

I'm not sure about making it mandatory. But I'm more inclined to make it optional. At least, let's make it optional (I mean, SSL posting).
--
Keep it simple, it'll become complex by itself...

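What OZO describes is the cookie leaking onto plain-HTTP requests after an HTTPS-only login. The following is an added example, not code from this thread or from DSLReports: a small browser-side cookie model run over constructed Set-Cookie headers and a constructed browsing sequence (the cookie names, paths and token value are assumptions). It shows which cookies leave the browser on each request, where a passive sniffer on a hot spot or a DPI box would see the session id, and an audit check for session cookies that lack the Secure and HttpOnly flags.

```python
"""Why an SSL-only login does not protect the session afterwards.

Added example (not DSLReports code): a browser-side cookie model that decides
which cookies go out on each request, run over constructed Set-Cookie headers.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers as a forum backend might send them after an SSL
# login. Cookie names and the token value are made up for this example.
LOGIN_COOKIES_LEAKY = [
    "sessionid=0123456789abcdef; Path=/",            # no Secure flag: sent over http too
    "prefs=theme-dark; Path=/",
]
LOGIN_COOKIES_HARDENED = [
    "sessionid=0123456789abcdef; Path=/; Secure; HttpOnly",
    "prefs=theme-dark; Path=/",
]

# Constructed browsing sequence: an SSL login, a secure forum page, then a tab
# click that lands on plain HTTP and a post submitted over plain HTTP.
VISITS = [
    "https://forum.example/login",
    "https://forum.example/forum/direct",
    "http://forum.example/forum/uverse",
    "http://forum.example/post/new",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into a dict of the fields we care about."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),      # "" when the flag is absent
        "httponly": bool(morsel["httponly"]),
    }


def cookies_sent(cookies, url):
    """Names of cookies a browser would attach to a request for url.

    A cookie marked Secure is only sent when the scheme is https
    (RFC 6265 section 4.1.2.5); everything else goes out on any scheme."""
    scheme = urlsplit(url).scheme
    return [c["name"] for c in cookies if scheme == "https" or not c["secure"]]


def simulate(set_cookie_headers, visits):
    """Return, per visited URL, which cookie names leave the browser."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return {url: cookies_sent(cookies, url) for url in visits}


def cleartext_session_exposures(set_cookie_headers, visits):
    """URLs at which a passive sniffer would see the session id in the clear."""
    return [url for url, names in simulate(set_cookie_headers, visits).items()
            if url.startswith("http://") and "sessionid" in names]


def audit_set_cookie(headers):
    """Findings for cookies that look like session cookies but lack Secure/HttpOnly."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if "session" in c["name"].lower():
            if not c["secure"]:
                findings.append(f"{c['name']}: missing Secure (sent over plain HTTP)")
            if not c["httponly"]:
                findings.append(f"{c['name']}: missing HttpOnly (readable by script)")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("leaky", LOGIN_COOKIES_LEAKY), ("hardened", LOGIN_COOKIES_HARDENED)):
        print(label, "session id exposed at:", cleartext_session_exposures(hdrs, VISITS))
        print(label, "audit:", audit_set_cookie(hdrs))
```

Two things the run makes visible. With the leaky header, the session id rides along on both plain-HTTP requests, so the SSL login bought nothing once the user clicked back onto an http:// page. With the Secure flag the session id stays off plain HTTP, but then those http:// pages arrive without a session and the user looks logged out, which is why Secure only works if every logged-in page, posting included, is served over HTTPS (with http:// URLs redirected). SSL hides the request path and the post body from a sniffer; it does not hide the server's hostname or IP.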


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by OZO:

After you do an SSL login you return to a common (and open) session that transmits your login cookies every time you send any request to the web server.

When I last logged in, I did so at the secure page. And it took me to a secure forum page for posting and reading. Only when I visited a normally secure page (a "direct" forum page), then clicked a tab for another forum in the group, did it redirect me away from secure pages.

If you are worried about that cookie being stolen, then just logout when you have finished your session. That kills the validity of the cookie.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.4; firefox 4.0

MaynardKrebs
Premium
join:2009-06-17
kudos:3

Logging out after each post is not really an option. Many of us jump into many forums during a single session. And it isn't necessarily the stolen cookie that's the issue - it's the content of the data stream associated with an IP and username that's readable via DPI or ATT/NSA type diversion.

I'll admit that posting on DSLr isn't the same as doing transactions on a banking website. However, even on many banking websites, when navigating away from a 'transaction' page to a help page which is not top secret (maybe a page explaining when debit/credit transactions are actually posted/made available), you're typically still within an SSL session.

Telcos and governments are doing DPI, they're keyword spotting, and building dossiers on their users and citizens. Do you really think that the two biggest (or nearly so) data centers in the world, in Texas & Utah, run by the NSA, have been built to hold only the signals traffic of a few people holed up in caves? That could be done on a single Drobo with four 3TB drives and still have lots of room for years to come.

The classic argument is that if you're doing nothing wrong then you should have nothing to hide. However, time and again we have been disappointed by our governments, who, it would appear, have plenty to hide about how they violate the privacy of their citizens.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by MaynardKrebs:

...- it's the content of the data stream associated with an IP and username that's readable via DPI or ATT/NSA type diversion.

But think of the advantages. You are filling the NSA logs with piles of data in which they have no interest, thus making their filtering job harder.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.4; firefox 4.0


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:36

reply to MaynardKrebs
Not necessary.


MaynardKrebs
Premium
join:2009-06-17
kudos:3

»www.newyorker.com/reporting/2011···Page=all

from the article above...
"As Binney imagined it, ThinThread would correlate data from financial transactions, travel records, Web searches, G.P.S. equipment, and any other “attributes” that an analyst might find useful in pinpointing “the bad guys.”

........

Binney considers himself a conservative, and, as an opponent of big government, he worries that the N.S.A.’s data-mining program is so extensive that it could help “create an Orwellian state.” Whereas wiretap surveillance requires trained human operators, data mining is automated, meaning that the entire country can be watched. Conceivably, U.S. officials could “monitor the Tea Party, or reporters, whatever group or organization you want to target,” he says. “It’s exactly what the Founding Fathers never wanted.”

---------------------------------------

If you're trusting the government to really know who the "bad guys" are, then maybe you don't need SSL posting. Just remember that there once was a guy named J. Edgar Hoover, who wanted to know everything about everyone and catalog it all.....then there was a guy named John Poindexter who wanted to do the same in the internet age with 'Total Information Awareness'.

No reason to make it easy for them.


Friday, 01-Jun 22:15:20 | © 1999-2012 dslreports.com, hosting by nac.net