
Re: [Phys-L] security warnings ... HTTPS versus HTTP



On 02/10/2015 05:00 AM, Paul Lulai wrote:

The spreadsheet won't open and provides a warning notice.

I assume we are talking about a security warning.

This has been mentioned in the past.

Yes.

Short answer: If you want to turn off security, change
the URL from
https://www.av8n.com/physics/measure-k-oscillator.xls
to
http://www.av8n.com/physics/measure-k-oscillator.xls

i.e. HTTP instead of HTTPS. This is quick and dirty.
It is convenient, but not as secure as it could be.

Longer answer: On 12/24/2014 09:12 AM, I wrote:

The other day I wanted to send somebody some secure email.
I asked the guy's secretary if she had ever heard of electronic
signatures. Nope.
I asked if she had ever heard of PGP. Nope.
I asked if she had ever heard of Edward Snowden. Nope.

Being able to do stuff on the internet confers tremendous
advantages, but it comes at a price. Part of the price is
learning about security. Some people grew up in wholesome
rural Pollyannaville where they never locked their doors
... but when they move to the big city they need to learn
to lock up.

Internet security is far from perfect. I spend a fair bit
of my time trying to make it better. In the meantime,
consider the following:

0% security --- no warning.
99% security --- scary warning.
99.9% security --- no warning.
100% security --- (does not exist)

That seems remarkably non-monotonic. Downgrading from
99% security (HTTPS) to no security (HTTP) should cause
more warnings, not less, but that's not what happens at
present.

The /first/ time you try to make an HTTPS connection to
a place like av8n.com or phys-l.org, the browser will
complain because it hasn't seen the security certificate
before. You should accept the certificate. Thereafter
you have confidence that the site you are visiting is
the correct site ... or at least it is the /same/ site
as specified in the accepted certificate.

If you want to verify the certificate, see below.

Also (!) using HTTPS means third parties cannot tamper
with the data. In theory they cannot spy on the connection
to see what it is you are reading, although at present
there are ways around this.

In the near future there will be zero-cost ways of making
the security warning go away. Right now there are ways
of making it go away, but they cost money, and I'm too
cheap to pay for something that provides no real security
and will very soon be completely pointless.

If you want even better security, verify the security
certificates. In Firefox, click on the "padlock"
symbol in the URL bar, then view the certificate.

av8n.com server certificate SHA-256 fingerprint
D0:66:4E:63:0E:5B:6A:57:B7:97:B3:0C:E8:9A:25:76:
0B:B9:E3:9B:84:7E:F1:AB:CA:AF:3A:23:43:DC:70:02

SHA-1 fingerprint
DB:E9:2C:A3:F0:47:BE:6C:5F:4F:F4:8C:CD:D0:22:B4:BC:67:8F:AA


phys-l.org server certificate SHA-256 fingerprint
31:CE:A8:E2:C6:52:3C:25:21:E0:DD:DF:60:A1:28:2A:
44:F1:47:23:FD:32:09:86:CD:2B:CC:85:35:21:EE:AA

SHA-1 fingerprint
0B:CA:F2:AF:38:6A:CA:00:D6:21:CA:E3:18:F9:D0:8D:48:83:20:CA
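
The manual check described above (view the certificate, compare its fingerprint with a value published out of band) can also be scripted. The following is an added example, not part of the original message: the function names and `SAMPLE_DER` are made up for illustration, and `AV8N_SHA256` is the av8n.com value as published in this 2015 message.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# av8n.com SHA-256 value copied from the message above (wrapped over two lines there).
AV8N_SHA256 = """D0:66:4E:63:0E:5B:6A:57:B7:97:B3:0C:E8:9A:25:76:
0B:B9:E3:9B:84:7E:F1:AB:CA:AF:3A:23:43:DC:70:02"""
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"

def parse_fingerprint(text):
    """Colon-separated hex, any case, possibly line-wrapped -> raw digest bytes."""
    raw = bytes.fromhex("".join(c for c in text if c not in ": \t\r\n"))
    if len(raw) not in (20, 32):  # SHA-1 or SHA-256
        raise ValueError(f"unexpected fingerprint length: {len(raw)} bytes")
    return raw

def format_fingerprint(raw):
    """Render digest bytes the way a browser's certificate viewer shows them."""
    return ":".join(f"{b:02X}" for b in raw)

def cert_fingerprint(der, algo="sha256"):
    """A certificate fingerprint is the hash of the whole DER-encoded certificate."""
    return hashlib.new(algo, der).digest()

def matches(der, published):
    """Compare a certificate with a published SHA-1 or SHA-256 fingerprint."""
    want = parse_fingerprint(published)
    algo = "sha256" if len(want) == 32 else "sha1"
    return hmac.compare_digest(cert_fingerprint(der, algo), want)

def fetch_der(host, port=443, timeout=10):
    """Fetch the served certificate without CA validation (first-visit case)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the fingerprint, not a CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # usage: python check_fp.py HOST "PUBLISHED:FINGERPRINT"
    der = fetch_der(sys.argv[1])
    print("served:", format_fingerprint(cert_fingerprint(der)))
    sys.exit(0 if matches(der, sys.argv[2]) else 1)
```

The comparison is only as trustworthy as the channel the published fingerprint arrived over; a value fetched from the same unverified connection proves nothing.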