morgandawn: (Default)
[personal profile] morgandawn
What's new about LJ is that they've turned off secured browsing (HTTPS ) so when you log into your account, your password can be seen by anyone monitoring the site and anyone else long the way (in transit). The payment page still seems to be encrypted (for now).  The lack of HTTPS security also means anything you post under lock is also accessible and your personal identity can be stolen
 
In the end my advice: make a new password just for LJ, do not pay anything through them and realize that anything you post or read there there can be intercepted by others
 
 
"There’s an important distinction between tweeting to the world or sharing thoughts on Facebook and having your browsing activity going over unencrypted HTTP. You intentionally share tweets, likes, pics and thoughts. The lack of encryption means you’re unintentionally exposing the controls necessary to share such things. It’s the difference between someone viewing your profile and taking control of your keyboard.....
 
...If my linguistic metaphors have left you with no understanding of the technical steps to execute sniffing attacks, you can quite easily execute these attacks with readily-available tools. A recent one is a plugin you can add to your Firefox browser. The plugin, called Firesheep, enables mouse-click hacking for sites like Amazon, Facebook, Twitter and others. The creation of the plugin demonstrates that technical attacks can be put into the hands of anyone who wishes to be mischievous, unethical, or malicious.
 
To be clear, sniffing attacks don’t need to grab your password in order to impersonate you. Web apps that use HTTPS for authentication protect your password. If they use regular HTTP after you log in, they’re not protecting your privacy or your temporary identity"
 
Edited: install HTTPS EVERYWHERE  which can be found at eff.org. It won't magically replace missing security (like what is happening on Livejournal), but it will turn on security if it is available. Ex: Up until 2013,  on Facebook you had the option to have secured browsing. Or not.  HTTPS Everywhere will toggle it on for you in case you mess up your default security settings
 
 

(no subject)

Date: 2017-01-02 04:44 pm (UTC)
wendelah1: (for the sake of argument)
From: [personal profile] wendelah1
Does Dreamwidth use https after log-in? Because I'm logged in and when I click the little circled i before my name it says the same thing as it does at livejournal: "this connection is not secure." Also, if log-in isn't secured, what good does changing my LJ password actually do? Sorry if these questions seem dumb.

(no subject)

Date: 2017-01-02 05:30 pm (UTC)
wendelah1: (Default)
From: [personal profile] wendelah1
Huh. HTTPS isn't listed anywhere in the Dreamwidth FAQ. I don't know how to enable it. I'm worried that installing the extension will break my computer. I'll try to find out. I have an older PC (2010 HP w1858) that runs fine but I try not to put much strain on it. I can only use Chrome now, too, which might be an issue. (A few years back, Firefox was redesigned and it became way too confusing for me. I tried to figure it out, but gave up. I used to love Firefox, too. Maybe it's better now and I could go back to it.)

(no subject)

Date: 2017-01-02 07:26 pm (UTC)
wendelah1: (Default)
From: [personal profile] wendelah1
Okay. I did. So far, so good. I see it on the webaddress now. Thank you.

(no subject)

Date: 2017-01-02 11:19 pm (UTC)
azurelunatic: A glittery black pin badge with a blue holographic star in the middle. (Default)
From: [personal profile] azurelunatic
HTTPS all over the site as a Dreamwidth-side option (rather than browser-side) is heading towards beta, according to a recent github update.

(no subject)

Date: 2017-01-03 04:20 am (UTC)
marahmarie: my initials (MM) (Default)
From: [personal profile] marahmarie
If you're not using the HTTPS Everywhere add-on, then typing https://dreamwidth.org into the address bar (or bookmarking it, then clicking from there) will take you the secure (encrypted) connection, so every page you visit on Dreamwidth from there should be secure (I say "should" only because there are a smattering of links that got missed in our last codepush to make all links support https://, but most of them just convert to the more secure connection automatically, as they should).
Edited (typo) Date: 2017-01-03 04:44 am (UTC)

(no subject)

Date: 2017-01-03 05:03 am (UTC)
wendelah1: (Default)
From: [personal profile] wendelah1
Thank you. I took [personal profile] morgandawn's advice and put the HTTPS Everywhere on my computer. It saves a lot of trouble.

(no subject)

Date: 2017-01-03 05:27 am (UTC)
marahmarie: my initials (MM) (Default)
From: [personal profile] marahmarie
It really does. Not only that, but the smattering of links that got missed for https:// rewrite in the last code push? Gets converted by the add-on, too, so you don't have to worry about them, either.

(no subject)

Date: 2017-01-02 09:12 pm (UTC)
promethia_tenk: (Default)
From: [personal profile] promethia_tenk
Hi, I found this post through my network. Thank you for writing this. I've been wanting to explain to people why this is freaking me out but not had the time to do the research to explain it authoritatively. Would you mind if I linked here?

(no subject)

Date: 2017-01-02 10:49 pm (UTC)
promethia_tenk: (Default)
From: [personal profile] promethia_tenk
Thanks very much, and I will do so!

(no subject)

Date: 2017-01-03 04:23 am (UTC)
rahirah: (Default)
From: [personal profile] rahirah
That's very useful, thank you.

(no subject)

Date: 2017-01-03 04:31 am (UTC)
marahmarie: my initials (MM) (Default)
From: [personal profile] marahmarie
It’s the difference between someone viewing your profile and taking control of your keyboard.....

Sounds fairly straightforward to me.

I thought of FireSheep in the midst of reading that LJ undid https:// support, too, but the thing is - if I recall correctly - that's not dependent on a site not having https:// support, but works regardless of secure connection by passing unencrypted cookies to the FireSheep user.

I'm not sure if DW encrypts its cookies or not* (see partial answer, below). And I don't know if LJ ever did, though I'm sure with dropping https:// support, if they did, they probably no longer do.

ETA*: it might depend on how one connects to DW, and for testing purposes I've been connecting tonight through both http:// and https://, so I think that's why I've got something like five encrypted Dreamwidth cookies and three unencrypted ones in my browser right now.
Edited (eta for more info) Date: 2017-01-03 04:42 am (UTC)

(no subject)

Date: 2017-01-04 06:28 am (UTC)
elf: LJ bought all the surplus stupid (Stupid)
From: [personal profile] elf
I finally decided to download All Of My LJ; I remembered LJBook, but they are now Blogbooker.com. Free accounts can only download 1 year at a time, and something like only once per six months; I'd done that a few times in the past and decided hey, I now have enough money - bought a paid account ($30, eep), and downloaded all my LJ, with comments, into a PDF.

Then again, into a Word file. Then again, just my posts and not the comments, because I can, and that gives me a nice record to poke through.

I changed my password to something not remotely like anything else I'm using. I'm considering deleting the account entirely; I having used it since 2010 except to make the occasional comment at Yuletide. (OTOH, if I delete it, I lose access to the few locked journals/communities I have access to.)

(no subject)

Date: 2017-01-04 06:42 am (UTC)
elf: LJ bought all the surplus stupid (Stupid)
From: [personal profile] elf
I haven't paid for LJ since Strikethrough; I decided my conditions for renewing my subscription after that were:
(1) an apology, in which they acknowledged what they'd done wrong, and
(2) a promise that they wouldn't do it again.

We got neither of those; I stopped giving LJ money.

(no subject)

Date: 2017-01-04 06:40 pm (UTC)
gattagrigia: (Default)
From: [personal profile] gattagrigia
Thank you for this. I changed my LJ password, email, and imported it all to DW. Much easier than I thought it would be fortunately I didn't post a great deal. Also installed HTTPS everywhere - I'd never heard of it before, and yes, it's a great extension to have.

You do good work!

(no subject)

Date: 2017-01-05 01:29 pm (UTC)
zaluzianskya: (Default)
From: [personal profile] zaluzianskya
Has LJ said anything about this change? I know they're notoriously reticent when it comes to explaining their stupid decisions, but removing HTTPS is an especially baffling one.

Profile

morgandawn: (Default)
morgandawn

July 2017

S M T W T F S
       1
234 5678
9 101112131415
16171819202122
23 24 2526272829
3031     

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags