
Re: [Phys-L] Using https links ... was: aerodynamics



The other day I wanted to send somebody some secure email.
I asked the guy's secretary if she had ever heard of electronic
signatures. Nope.
I asked if she had ever heard of PGP. Nope.
I asked if she had ever heard of Edward Snowden. Nope.

Being able to do stuff on the internet confers tremendous
advantages, but it comes at a price. Part of the price is
learning about security. Some people grew up in wholesome
rural Pollyannaville where they never locked their doors
... but when they move to the big city they need to learn
to lock up.

Internet security is far from perfect. I spend a fair bit
of my time trying to make it better. In the meantime,
consider the following:

0% security --- no warning.
99% security --- scary warning.
99.9% security --- no warning.
100% security --- (does not exist)

That seems remarkably non-monotonic. Downgrading from
99% security (HTTPS) to no security (HTTP) should cause
more warnings, not less, but that's not what happens at
present.

The /first/ time you try to make an HTTPS connection to
a place like av8n.com or phys-l.org, the browser will
complain because it hasn't seen the security certificate
before. You should accept the certificate. Thereafter
you have confidence that the site you are visiting is
the correct site ... or at least it is the /same/ site
as specified in the accepted certificate.

If you want to verify the certificate, see below.

Also (!) using HTTPS means third parties cannot tamper
with the data. In theory they cannot spy on the connection
to see what it is you are reading, although at present
there are ways around this.

In the near future there will be zero-cost ways of making
the security warning go away. Right now there are ways
of making it go away, but they cost money, and I'm too
cheap to pay for something that provides no real security
and will very soon be completely pointless.

On 12/24/2014 08:03 AM, Bill Norwood wrote:
John,
Below is what I get when using the link:
https://www.av8n.com/how/htm/airfoils.html#sec-spinners
Bill


This Connection is Untrusted

You have asked Firefox to connect securely to www.av8n.com, but we can't
confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean
that someone is trying to impersonate the site, and you shouldn't continue.



On 11/03/2014 11:38 AM, John Denker wrote:
On 11/03/2014 11:01 AM, Jeffrey Schnick wrote:

Try http://www.av8n.com/physics/hyperbolic-motion.htm
With secure socket links to www.av8n.com all you have to do is remove the "s" from "https".

Better idea: Accept the av8n.com server certificate!
Tell your browser to remember it, so future connections
will be secure.

The overhead for doing this is really, really small.
You only have to do it once (for each browser that
you use).

Worst case is to accept the certificate for this session
only ... which is still more secure than using unadorned
http.

I'm encouraging people to use encryption unless there is
a super-good reason not to. Unless you've been living in
a cave for the last 16 months, you can probably guess why.
I can go into vastly more detail if anybody is interested.

SHA-256 fingerprint of server certificate:
2C:24:F1:AD:15:80:B6:2C:4E:90:7D:EE:7B:71:21:8C:
A7:C7:76:3A:DC:62:58:D8:BA:4D:71:53:72:26:B3:ED

SHA-1 fingerprint:
FE:42:9C:BC:F9:50:2F:3E:B9:A0:1C:0C:FC:53:13:DD:5B:57:08:0C

=============================

Similar remarks apply to security on the PHYS-L site:
https://www.phys-l.org/
https://www.phys-l.org/archives/

SHA-256 fingerprint:
31:CE:A8:E2:C6:52:3C:25:21:E0:DD:DF:60:A1:28:2A:
44:F1:47:23:FD:32:09:86:CD:2B:CC:85:35:21:EE:AA

SHA-1 fingerprint:
0B:CA:F2:AF:38:6A:CA:00:D6:21:CA:E3:18:F9:D0:8D:48:83:20:CA
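
The fingerprint check that the message refers to ("If you want to verify the certificate, see below"), as an added example that is not part of the original message. The helper names are hypothetical, the sample certificate bytes are constructed so the code runs offline, and the pinned value is the SHA-256 fingerprint for www.av8n.com as printed above.

```python
import hashlib
import hmac
import ssl

# SHA-256 fingerprint for www.av8n.com exactly as published in the message
# above (dated 2014); for a live check, substitute a current value that you
# obtained out of band.
PUBLISHED_AV8N_SHA256 = (
    "2C:24:F1:AD:15:80:B6:2C:4E:90:7D:EE:7B:71:21:8C:"
    "A7:C7:76:3A:DC:62:58:D8:BA:4D:71:53:72:26:B3:ED"
)

# Constructed stand-in for DER certificate bytes, so the example runs offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize(fp):
    """Drop colons and whitespace, lowercase, and reject non-hex input."""
    hexdigits = "".join(ch for ch in fp if ch != ":" and not ch.isspace()).lower()
    bytes.fromhex(hexdigits)  # raises ValueError if anything is not hex
    return hexdigits


def fingerprint(der, algo="sha256"):
    """Hash the DER encoding and format it the way browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(cert, published, algo="sha256"):
    """Compare a certificate (PEM text or DER bytes) with a published fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    expected = normalize(published)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        raise ValueError("published fingerprint has the wrong length for " + algo)
    return hmac.compare_digest(hashlib.new(algo, der).hexdigest(), expected)


def fetch_pem(host, port=443):
    """Return whatever certificate the server presents, unvalidated (needs network)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER))
    print(matches(SAMPLE_PEM, fingerprint(SAMPLE_DER)))    # same certificate
    print(matches(SAMPLE_PEM, PUBLISHED_AV8N_SHA256))       # different certificate
```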