Ah. Late last night after 11 PM PST, VS was showing:

"Secure Connection Failed

An error occurred during a connection to videosift.com.

Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: <a rel="nofollow" id="errorCode" title="SSL_ERROR_NO_CYPHER_OVERLAP">SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem."


https://s28.postimg.org/9id7f2tjx/ssl.jpg for a screen shot/capture from SM's Page Info's Security tab.


I could reproduce this error in both of my computers (64-bit W7 HPE SP1 OS & 64-bit Linux/Debian Jessie/stable)'s SeaMonkey v2.46 web browsers. Also, Firefox v51 in my Debian box. I could not reproduce it in W7's IE11 & Debian's Chrome v50 web browsers that aren't based on Mozilla's Gecko engine.


I told Dag and Lucky760 about it, and it was fixed about 1.5 hours later. Kudos to the quick fixes!

videosift.com is advertising 2600:3c00::f03c:91ff:fe70:f3af as its IPv6 address. However, that address is not listening on 443. So either don't advertise IPv6 or enable ssl on it.

Additionally, your current configuration supports SSLv3 protocol, which is old and insecure and should be disabled. And some other sub-optimal settings.
Check out https://www.ssllabs.com/ssltest/analyze.html?d=videosift.com
Consider updating your OpenSSL library and configuring nginx as shown at https://cipherli.st/

And please make sure you have some sort of automated way to renew letsencrypt cert since it's only for 3 months.

See also:

https://videosift.com/talk/SSL-Now-Enforced-Site-Wide

Nope, none at all if I"m being honest.

...

It's incredible that it's so easy to create an SSL certificate supported in most browsers now (and for free!) - good times.

Finally!!!!! I hope SSL doesn't suck up a lot of resources on VS!

Dag, you look so different!

Finally some changes for 2017. What's next, @lucky760 and @dag?

Relatively soon, actually. Dag and I discussed a few weeks ago getting an SSL certificate before long.

His school is very impressive, but I wonder if it would scale. Could we do this everywhere? I think we could, with enough buyin from government.

They have a tuition scale: https://fluencycontent-schoolwebsite.netdna-ssl.com/FileCluster/TheRonClarkAcademy/Mainfolder/RCA-Admissions-Class-of-2020-DOWNLOAD.pdf

For a household like mine, its a bit expensive to attend. ~$10,000 a year. I think he's doing a lot of things right for education, but at that price, its simply not scalable. My wife teaches in a low income area where some families can barely afford an $8 t-shirt.

As any geek will be able to tell you, our login capability was not affected by Heartbleed...

because our login form is not encrypted.

We did upgrade everything within a day or so that Heartbleed was announced because there are other SSL-related things that may have been affected, but our logins have always been vulnerable to sniffing without the aid of a massive two-year bug in SSL.

Got some crazy ssl error. Same talk i'm assuming? http://www.youtube.com/watch?v=txRdOjgokQ4

"Owing to secrecy and obfuscation, it is hard to know how much of the NSA’s relationship with the Valley is based on voluntary cooperation, how much is legal compulsion through FISA warrants and how much is a matter of the NSA surreptitiously breaking into technology companies’ systems."

Did you read about the latest massive bug in Apple's SSL implementation? It's a particularly stupid mistake that would have been found instantly if they had adhered to programming standards. It's also easily explained by a botched code-merger or a simple copy-paste misshap.

Yet when I looked into the details that some folks found out, I couldn't help but think that it's odd how this particular bug was introduced in late September of 2012.

Remember, Snowden's files showed us that Apple became part of PRISM in October of 2012.

So my paranoia-driven brain tries to work out the scenario:
- did the NSA know about it?
- did the NSA exploit it?
- did the NSA plant it through a mole?
- did Apple add it themselves, at the NSA's request?

Pre-Snowden, I'd have said somebody fucked up and that's the end of it. Nowadays however, Hanlon's razor doesn't fly anymore, so I wouldn't rule out malicious intent.

There's an ongoing trial, Newegg vs patent troll TQP, who try to blackmail corporations by claiming a patent on SSL+RC4.

Yesterday, Whit Diffie himself was called upon as an expert witness. Check out this dialogue between him (D) and Newegg's lawyer Alan Albright (A):

A: "We've heard a good bit in this courtroom about public key encryption. Are you familiar with that?"

D: "Yes, I am."

A: "And how is it that you're familiar with public key encryption?"

D: "I invented it."

Standard SSL uses 2048byte key size. It's a standard key size considered to be secure enough for commercial and financial transactions.
However it takes no effort for them to use 16kb key size and implement 100 million key transformation cycles.
No amount of GPUs in the world will be able to bruteforce that kind of encryption. Not even NSA.

"Intelligence agencies" asked them to remove the specific details, and they did so (see the article I linked above)

Now I have no specific knowledge of what the NSA can or can't do either, but can speculate (holds finger up in air):

- SSLv3 and old TLS versions are compromised. Newer versions are better, but most web sites still support the compromised ones. With a man in the middle attack you can force the negotiation to use the compromised standards, and in some cases you can even persuade it to use the "plaintext" option (!?!?). In addition, some of the ciphers supported have flaws, like MD4/MD5/SHA1. Everyone is supposed to be moving off the weaker ciphers and using larger keys to mitigate known attacks, but not everybody has done so, or even knows or cares that they should.
- NSA have access to servers in the U.S., confirmed by multiple sources.
- NSA have access to data being transmitted, basically anywhere.
- Although the crypto systems themselves are probably better than you assume, there are trust issues - in many cases the vendors or certificate authorities have provided private keys. If you were able to replace these compromised keys with your own, that problem could be mitigated.

Your assumption is pretty much spot on, there are a wide variety of backdoors, known bugs, flawed implementations etc., but the ability to decrypt a particular well implemented SSL connection is not guaranteed for anyone (as far as I know).

None of the news I've seen on this make it clear just what is going on. Is SSL/TLS compromised? Have the NSA simply gotten access to the servers of major corporations storing people's data? Is this simply about weaknesses in closed crypto implementations people trust?

IOW, which common encryptions can the NSA break, and is that because they have found ways to access the information before or after encryption, because they have found ways to get the encryption keys/seeds, because they've found flaws in specific implementations of some algorithms (which ones?), or because they've found flaws in basic assumptions of some algorithms (again, which ones?)

The more clued-up articles I've read make it sound more likely this is about the NSA having a wide array of coercive tools and backdoors at their disposal, not so much that they can decrypt, say, SSL on the fly at will.

This isn't really new, except that Snowden's documents confirm what everybody strongly suspected.

All of the encrypted communications mentioned use SSL, or TLS, and although strong crypto is supported it's more likely that weaker variants will be used almost all the time. This is partly from wanting to support older browsers, partly from not upgrading server keys and config when older ciphers are broken.

There are additional problems protecting communication from the NSA if they are really after you and not just indiscriminately gathering your data.

I would point out that Usama bin Laden did a rather good job though.

http://www.abc.net.au/news/2013-09-06/new-snowden-documents-say-nsa-can-break-common-internet-encrypt/4940138