HTTPS For Phoronix.com
• #41
  Originally posted by tga.d
  For those who believe that the content shouldn't be https:
  1. So you don't care about encrypting content. Can you be sure that's true for everyone?
  2. More importantly, what about authentication? How do you know it's actually Phoronix you're connecting to and not some MITM on your network throwing JS exploits at your browser until something sticks? Or even more likely, how would a common user stop a public wifi hotspot injecting tracking cookies into the page?
  turn off JS


• #42
  Originally posted by nanonyme
  This is funny then, considering HTTP/2.0 mandates disabling compression over TLS, so this means no one is going to get header compression if you're right.


• #43
  Public wifi/Verizon attack does require https to stop

  Originally posted by gens
  turn off JS
  An attacker injecting tracking cookies is easy to stop (reject 3rd party cookies) but an attacker like Verizon injecting tracking HEADERS into traffic is much more difficult to stop.

  This attack (and any imitators on a malicious wifi hotspot) is defeated by HTTPS so long as websites are not permitted to make an HTTP connection if they refuse the HTTPS. Due to this limitation, the EFF warns that only the Tor browser or a VPN can definitely defend against it. Verizon mobile customers are being advised to cancel service immediately and switch to another provider over this issue. Using Tor with mobile leads to incredibly slow bandwidth, to the point that if everyone on Verizon knew they needed Tor, the market value of the service would probably not exceed $5 to $10 a month. If you have this problem, you have bigger problems than whether or not Phoronix is encrypted and need to change providers immediately so as not to reward this behavior with your money. Like I've said elsewhere, a purchase is a VOTE.

  This kind of attack tracks users across all unencrypted websites and can build a surfing history which in Verizon's case has been sold to advertisers. HTTPS stops the attack, but only if unencrypted connections are simply refused, thus the Tor/VPN recommendation.

  Ideally there would not be any unencrypted traffic anywhere on the web because of the growth of this kind of attack and the probability of future exploits by everyone from national security data miners to malicious blackhats with jobs in the telecoms. Getting to this point will require that free and yet trusted certificates (like the ones recommended in prior comments here) become the norm and that paid cert signers like GoDaddy are driven from the market.


• #44
  Originally posted by ImNtReal
  Free, legitimate SSL certificates are available from startssl.com, already.
  Those certificates are only free for non-profit websites.
  If you show ads on your website you break their rules.

  Originally posted by Awesomeness
  And this is one more Chinese CA which is the best choice for people who prefer privacy.


• #45
  You should be encrypting the traffic by default for all users, especially the free ones. You need to make sure the HTML you send is the one that gets delivered. The most important part being your IDs in the adverts you send. A MITM attack can swap those IDs/tokens for their own, meaning you get no revenue from them.

  Your weak points are going to be public WiFi, Internet cafes and ISPs that see another opportunity to make money without anybody knowing.

  A lot of talk about HTTP2 encryption is about how clients don't need it; however, the main benefit is authentication of the data, so that the publisher knows their work is not being hijacked in transit.


• #46
  Originally posted by vortex
  Apache? Ugh. Use nginx.
  +1. nginx + microcaching FTW!


• #47
  Some notes about HTTPS, server load, reducing it, etc...

  A couple of random notes about SSL/HTTPS:

  If you make it premium only or registered users only... it basically means the user must LOG IN ... err, WAY BEFORE you actually start SSL usage! This defeats the whole idea, because an attacker would be able to intercept login data or insert arbitrary unrequested content, making the whole https thing nearly useless, as it would only waste resources without any measurable gains in security.

  There is a fundamental problem: if you can distinguish users BEFORE https is used and can upload some content... uhm, well, an attacker could do the very same, all the way, and it is not going to be detected by the user. Hence it basically allows inserting arbitrary content, intercepting credentials or just showing a fake version of Phoronix (e.g. to steal credentials in an active, efficient way). Users will have no idea if it happens... since HTTPS is not used at this point and hence it is not possible to distinguish the Phoronix server and its content from attackers and their content.

  The only right way to use HTTPS is when the user visits an https:// URL at the very beginning of the session and then it is HTTPS from the very beginning (so credentials are protected and attackers face difficulties inserting unrequested content). Everything less than that... could be easily hijacked by even some casual low-budget hackers when you just connect to some silly wi-fi in some cafe, etc. Not to mention more powerful adversaries.

  To keep server load sane you may want to show the main page, etc. without https by default (i.e. no forced https redirection, etc). Or if you're really low on hardware power, only use https for the forum to protect credentials. The downside is that it allows learning user habits and gives room for active MITM attackers to scam/phish users with a fake version of the credentials form, unless the user is willing to type the forum URL himself, using the https:// protocol (or using a bookmark, etc).

  Also... I noticed your front end is Apache and you are likely doing no caching, are you?

  It could be wise to cache into a static version, say, the main phoronix page. Even if the cache is very short-lived and expires in 30 seconds, so the page is at most outdated by 30 seconds, it can be a really drastic difference to call a PHP script once per 30 seconds (when the cache expires) rather than call it 1000 times a second for each and every visitor. It can drastically reduce server load in some cases, and at least phoronix's main page and possibly news articles appear to be the kind of pages which could be cached into a static version without any obvious side effects, offloading the server(s) from running a heck of a lot of PHP for each and every visitor. And it's not like visitors can easily notice page data that are stale by, say, 30 seconds.

  Something like nginx (the open source version, which costs you nothing) will do, etc. It is blazing fast at serving static files, and then it can cache anything into a static file cache, subject to flexible rules, turning many expensive PHP calls into blazing fast and cheap static file serving. You see, "top busiest sites" tend to like nginx for a reason, and this reason is very fast and lightweight serving of static files and being able to cache any backend response (e.g. PHP output) to a static file cache, using flexible rules, replacing expensive PHP calls with these blazing fast static uploads. Or maybe you can try Varnish, etc (I have little experience with it, but some people are using it for similar tasks).

  Of course caching into a static file and expiring the cache could be a tricky business, and caching, say, a forum thread page without some side effects visible to users could be much harder to implement. But I bet the most visited pages are the main phoronix page, news articles, some openbenchmarking things and so on, which are more or less static (in the sense that the page contains more or less the same data). There could be some catches I'm not aware of, but at first glance it looks like there is a heck of a lot of room for improvement.

  My personal favorite for things like this is nginx. Apache just suxx in terms of system load and you can easily guess why it is losing ground on "top busiest sites".
  Last edited by SystemCrasher; 28 April 2015, 05:48 AM.
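The two points in the post above (HTTPS from the very first request, and a short-lived static cache in front of PHP) put into one nginx configuration, as an added example that is not SystemCrasher's or Phoronix's own config; the backend address 127.0.0.1:8080, the certificate paths and the login cookie name bbsessionhash are assumptions.

```nginx
# Added example, not the forum's own config. Assumed: PHP backend on 127.0.0.1:8080,
# placeholder certificate paths, and a hypothetical login cookie named "bbsessionhash".
proxy_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=micro:10m
                 max_size=500m inactive=10m use_temp_path=off;

# Plain HTTP serves nothing: every request is redirected, so the session is
# HTTPS from the very first request and no login form is ever sent in clear.
server {
    listen 80;
    server_name www.phoronix.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.phoronix.com;
    ssl_certificate     /etc/ssl/phoronix/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/phoronix/privkey.pem;     # placeholder

    # Skip the cache for anything that is not a plain GET, for logged-in
    # users (their pages are personal) and for forum threads, which the
    # post above notes are hard to cache without visible side effects.
    set $skip_cache 0;
    if ($request_method != GET)        { set $skip_cache 1; }
    if ($cookie_bbsessionhash != "")   { set $skip_cache 1; }
    if ($request_uri ~ ^/forums/)      { set $skip_cache 1; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # Microcache: a PHP response is reused for 30 seconds, so the backend
        # runs once per 30 s per URL instead of once per visitor.
        proxy_cache        micro;
        proxy_cache_key    "$scheme$host$request_uri";
        proxy_cache_valid  200 301 30s;
        proxy_cache_bypass $skip_cache;
        proxy_no_cache     $skip_cache;
        # Only one request refreshes an expired entry; the others get the
        # stale copy, so a traffic spike still reaches PHP only once.
        proxy_cache_lock      on;
        proxy_cache_use_stale updating error timeout;
        # add_header in a location replaces headers inherited from the server
        # block, so HSTS is set here, next to the cache-status header.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Cache $upstream_cache_status;
    }
}
```

The X-Cache header lets you confirm from a browser whether a front-page request was a HIT or went through to PHP.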


• #48
  Privacy and Safety

  I would prefer using SSL and I would not stop using an adblocker.

  The reasons for that are:

  1: SSL is not only good because of "ohmigosh, my system administrator could see which super sensitive information I get from phoronix.com", but it is very important for data integrity.

  Content that has been delivered with SSL encryption is ensured not to have been altered by an attacker on the way to the user. SSL content cannot be used to inject malicious code to be delivered to the browser in the name of Phoronix. Something that should clearly be vital to any site owner, especially if the target audience is tech savvy and security sensitive.

  All traffic on the internet should be encrypted to be safe from being altered, no matter if the attack comes from your own government, a foreign government or a malicious hacker that wants to ramp up his botnet using your PC.

  Costs for certificates are dropping; there are many cheap alternatives, even some free ones, with some drawbacks of course. Thanks to Edward, the drawbacks are being eliminated as we talk; in 1-2 years there will be no significant expenditures anymore for any small and medium sized business when using SSL certificates.

  About the unbelievable amount of CPU power needed by encryption (danger! sarcasm!), I want to point you to https://istlsfastyet.com/ to judge for yourself.

  2: Adblocking is for privacy.
  I would happily look at any ad banner that is hosted directly on phoronix.com, and actually, my blocking equipment would happily deliver those to my browser without me needing to change any setting. But having my browsing behaviour sent to a dozen companies around the globe by just reading one article is not acceptable. Obviously self-hosting ads is not easy, but if I need to decide between "you having your (undoubtedly difficult) job made more difficult" and "me handing out my profile to a dozen advertising companies", then I have to choose the former.

  Please check your "Data Flower" here to get a visual grip on what your page is doing to us: http://datenblumen.wired.de/
  Hint: It's SCARY! Only data within the little purple circle is acceptable!


• #49
  Originally posted by SXX
  And this is one more Chinese CA which is the best choice for people who prefer privacy.
  Oh, and US GoDaddy is? Haha haha.

  No CA in the world is trustworthy. However, from the point of view of a person who's on open Wi-Fis from time to time, they all work equally against random sniffers in the neighborhood. Phoronix has been blocking Tor for a few weeks thanks to fucking Cloud Flare.


• #50
  Originally posted by opensource
  The forum is not displayed properly when using HTTPS.
  I can confirm this. Please fix this bug so I can enable HTTPS Everywhere on Phoronix.