pair Networks customers received the following mail (linkified):

On Monday, June 4th, pair Networks will be updating how traffic is handled on SSL-enabled sites. Sites with SSL will now default to using https:// connections. Sites that do not have SSL will not be impacted.

Currently, the default is to allow sites with SSL certificates to be accessed from both http:// and https://, thus allowing the site to be browsed via the insecure http:// method. However, with the upcoming change, sites with SSL will now default to redirecting all traffic from the insecure http:// method to the secure https:// method. This helps improve site security.

For more information about changing the default handling of http:// connections to the site, see our article:

"Changing How the HTTP Version of Your Site Works"

If you would prefer to continue using the insecure version of the site, check out our knowledge base article:

"How to Change Your Site from HTTPS to HTTP"

Changes you make now will be retained after the upcoming update.

For more information about the update, you can also check out our blog post:

"We're Changing the Site's with SSL to default to HTTPS"

If you have any questions about this change, please feel free to contact us.

Thank you,
pair Networks Customer Support

indeed something happened, probably few seconds after June 7 2018 21:54 CEST.

See also this subthread for more details.

The weird thing is that the few gods and god-like beings are just not there and no announcements were given. Just happened. CB history is also broken since this moment too.

Having anything below https is not such bad thing: at least your password cannot anymore, easely be spoofed. Volunteers who maintain this site ( ora pro eis.. ) planned to switch everything under https since long time, iirc.

I do not understand why you see in this happening (even if weird and not announced) a falling of the site. I hope you'll contine contributing here.

L*

As Anonymous Monk wrote, this is an uplevel decision. PerlMonks is a public site, and the only assets it keeps are the reputations of its members within, and to a certain degree to the outside world - and private scratchpads. Then, of course, the innards of the engine running this site.

Stolen credentials from this site generally aren't an entry point for higher level mischief, as are e.g. credit card numbers and their checksum digits, except for cases were monks reuse their password on this site for logins elsewhere. So there is no need to encrypt the general traffic, but the login process should be diverted to https by default imho.

During all my time here at PerlMonks I have never been impersonated, not even after the famous hack which disclosed a fair number of logins and passwords.

The most important major security improvements necessary for this site are, in my eyes

• transition from plain text password storage to encrypted
• overhaul of the procedure behind What's my password? which would send a new generated password in case of encrypted storage
• a check box in User Settings labelled "allow HTTP login (insecure)" which would not be available to cabalists

These would comprise changes not only to nodes of the everything engine, but also to database tables. As always, the urgent doesn't leave time for the important...

All of my notes were published in the good faith, and with the implicit intent that they be distributed with no restrictions, freely, no strings attached, to the benefit of anyone seeking education.

In what way do you perceive an https-only site to be more restricted, less free, and/or having strings attached?

The only thing I can think of would be if you object to the site saying "you must use this specific protocol (https) to access the site's content", but requiring the https protocol is no different in that respect than requiring the http protocol. Both are widely supported in pretty much any software you might want to use to access the site - you can even get telnet clients with TLS support if you feel requiring the use of a dedicated web browser to be too restrictive.

From my understanding are the admins busy to fix the Apache configs of our generous provider and are too busy for live comments from the sidelines.

Personally I don't see the point to restrict all traffic to https, I find metacpan unfortunate in this respect.

At the same time there is pressure to allow only encrypted logins.

Not easy to please everyone. ..

So please keep good faith. :)

this is a recent change

"Spelling it out"

The Powers that Be have apparently decided to bring rule and regulation into the websphere, somewhat similar to how road traffic and motor vehicles are regulated.

The ramifications of Secure-Only web are both wide ranging and far reaching, and they all smack of totalitarian control. Not wanting to go into long rants, I'll offer just one example, one aspect of it.

But first, you'll have to keep in mind that those policies are made looking years ahead into the future. Sometimes the immediate effects are less important than the potential for further developments that opens up.

"My device is my passport"

Let us say that the requirements are three: (a) processors meeting the modern standards, (b) competently engineered crypto libraries, and (c) universal https adoption. Part (a) is just a matter of patience (but can be helped along by things like Windows 10 supported hardware, etc.). The (b) is simple as well: mere mortals don't dabble with the important system components, let alone crypto libraries (but some oversight of open source repositories is prudent; we wouldn't want a fiasco like the DeCSS again.) Now (c) is the hard part. It requires lots of PR jedi work, lots of stick and candy.

Now connect the dots. Crypto library will use CPU facilities for the session key, and maybe for padding as well. The processor-generated random fields contain a unique digital watermark. Et voilą! All of your communication, each and every query, will be signed in your name. Or rather, with the serial number of the device, but there are ways to connect the two.

There is nothing novel about serial numbers. Pentium III had the feature, although that snake met a rather swift end. If you know about laser printers, probably all of those devices embed identifying watermarks. Practically invisible to the naked eye, but it's there: forensics are able to tell if two pages come from same source, and so on.

The difference between net and printer forensics is that the latter requires work in physical space, specialized tools and expertise, and is therefore expensive. The former can, and will, be automated by Alphabet, wholesale. Now this is unprecedented in the history. Mail system never had this much resolution, this cheap.

"Doom and gloom"

In a way, we have arrived at crossroads. It hearkens back to the time when Oppenheimer spoke the famous words of physicists having known sin, laying the guilt on entire scientific community. Today we have Data Science and Big Data. Engineers and technocrats can put in place formidable structures that can only be described as weapons of mass control.

But considering the bit of a pickle mankind has found itself in—overpopulation and climate change and all—then maybe this is all perfectly indicated: a soul-crushing, totalitarian regime to suppress the breeding pests.

I would contend though, that Global Thermonuclear War may have an advantage there: not only does it solve population problems in a blink of an eye, it can also put the brakes on global warming.

So you see, we do have a choice! ;->

The CB log http://pthbb.org/cb/last.cgi (listed in https://perlmonks.org/index.pl?node=ChatterBox%20FAQ#history) stopped working on 2018-06-07 due to the forced switch of Pair to HTTPS.

belg4mit just fixed it in a heroic attempt to apply "an unreleased patch for a bug in LWP::UserAgent".

All praise to belg4mit ! =)

I misspoke earlier, it's actually a missing dependency in IO::Socket::SSL. It's been pushed to github, but not CPAN.

P.S. fsck chrome and it's SSL obsession. Can someone do a Let's Encrypt! or get perlmonks.org added as a subjectAltName?

--
In Bob We Trust, All Others Bring Data.