ssl (1)

Browsing Peacepinks 'mixed content' SSL https site

Interesting fact about peacpink is it provides partial SSL content encryption when accessed via the alternate https:// address. When a sites partially encrypted, its called "mixed content" or secure and unsecure content, and from the standpoint of choosing between a regular http site and a mixed content https, the https is still better, but will usually have problems, especially by default, cause by default browsers simple refuse to show the unsecure content on https pages, so you get alotof missing onscreen elements, making them useless to browse.

For a quick visual of what https is good for see this representation. Id suspect its inaccurate concerning NSA but the rests interesting to consider. Https simply improves your online privacy by a fair margin and removes alotof virus type risks. And fwiw the Electronic Frontier Foundation is apparently the main organization pushing all the big players on the net to convert their sites to secure https encryption and is a big reason why its been implemented somuch, but you dont actually see as much as its been implemented when you go round the net cause theres a problem with hooks or something, so sites that HAVE implemented dont allways direct visitors to it. See their HTTPS Everywhere plugin below addressing that problem.

===Anyway How to do it===


The solutions to set the browser to always show unsecure elements if present on https pages, and strictly speaking isnt the greatest idea to keep always set like that, but as mixed contents better than fully unsecure http, you may wanto try it out, just remember how to reset the blocked rule. It only takes a second to do

In Google Chrome:
first close the browser and find the shortcut icon, say on your desktop, right click it, and goto properties, and under Target, will probably see it says
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
all you need to do is change that Target so it reads
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-running-insecure-content

When you restart Chrome type https://peacepink.ning.com/ and youll be taken to the https version without the blocked content, and the icon for https is crossed out with a red line. Firefox's equivalent symbol is much less scary, just an orange ball.

In Firefox:
no need to close it, just open a new tab and type "about:config" (without parenthesis) into the url address bar, and itll ask you to confirm you know what your doing, and in the searchbox type "mixed" (without parenthesis) which'll display a few options. The one you wanto change is "security.mixed_content.block_active_content" (without parenthesis). Just double click it so the value changes from true to false.

====A few problems with it====

- the script elements for HTML text editing (posting replies etc) is deactivated so cant change elements like font, size, color, bold, italic or add embedded urls, but the layout formatings fine. Also with posting blogs at least, you cant preview them on the https site, and once its uploaded, cant edit them either. The preview issues fine, but the edit ones a real pain for habitual re-editors, you have to return to the regular http site just to access that option

-  subdomain links (to pages within the site) dont automatically redirect you to their https version just cause your on a https page to start with, they need a "force subdomain" rule to do the job, but you can install a Firefox plugin  to fix it called Force TLS or install an alternate version of Firefox or Chrome browsers  made by Comodo with that option built in

- and theres a curious quirk affecting the chatbot and the logout functions also. The chatbot feature only works on the main landing page of peacepink when using https, and its also the only page from which your able to actually log out! Funny but if you dont return to the main page, you need to change back to the http site just to do that. But if you remember to go back to the main page, is again no real problem.

- so presuming the issue with HTML text, and being able to edit posts that can be edited is no problem,  and remember about the chatbot and logout, its no real problem.

- oh and when you log in thru https, theres a message that "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection" meaning its not actually a secure login. Idk if that means if its truely worthless for protecting your passwords, and thats a relevant question, cause originally http was mostly used for pages like login etc.

===Other browser options===

Anyhow, theres plenty of other things worth checking out in regard to security plugins for Firefox and Chrome, i still dont use Chrome for much so dont know all the equivalent plugins so the following are mostly for Firefox

- recommend HTTPS Everywhere, with versions for both browsers. Its uses a database of sites and uses rulesets for various exceptions, diverting your browser to visit the secure https versions of sites that have them but dont divert you automatically (eg: wordpress.com blogs which do need rule sets cause not all are equal)

- for Firefox to destroy cookies try Self Destroying Cookies and Better Privacy (Chrome has various cookie plugins ive not tried yet, and theres several others for ff aswell)

- for Firefox script blockers  NoScript and Request Policy however pretty complicated to manage

- a simpler script blocker is Do Not Track Me (for Firefox) or Do Not Track Me (for Chrome)

- or an alternative simple script blocker for either Firefox or Chrome is PrivDog (if you install Comodo Dragon its already installed, and if using Firefox/IceDragon wait a few days to download the 1.7.0.10 update -check cnets page shows that version number, that updates mostly for ff)

- for Firefox, things for https browsing are Force TLS and Site Identity Button Colors

- and as mentioned Comodos Dragon and IceDragon Browsers which are just security enhanced clones of Chrome and Firefox builds, making them  better featured out of the box, and still fully compatible with plugins

Also if you want an indication of the ideal TI forum site visit https://www.stopeg.com/forum/ Its got no unsecure content, no scripts or almost no cookies (in Chrome it lists only 2 cookies, while peacepink installs 21 cookies, including a super cookie, see Better Privacy above).  Its hands down what all forums should be like, especially these types

===Alternative to peacepinks chatbot===

If the chatbots bringing you grief, losing message, you might wanto try an alternative. I found one called CryptoCat that works in Firefox or Chrome or Safari/Mac (assume Safari Windows and Safari Mac). Have only tried it once, just now, and not sure what to make of it. My end got diconnected dozens of times, and tried a location near where the Crypto IPs meant to be but still had same trouble. The person i was talking with (in Europe) had no trouble at all, never disconnected. Abit confusing

Functionality has one drawbacks: when it disconnects it also wipes the conversation history (obviously only at your end) but ironically doesnt wipe what your mid way thru typing, normally youd expect that to be the thing wiped not the history. Anwway here a summary of security changes during its development, suggesting its now pretty secure, and fwiw, first saw it mentioned here.

the premise is anyone can start a conversation, and invite others by sharing its "conversation name" and it can have multiple people. Also necessary when making that name, to not use spaces. Otherwise its just a regular chatbot with encryption added, no setup required

Read more…