Why not even a self-signed HTTPS certificate?

Re: Why not even a self-signed HTTPS certificate?

Postby kedaha » 2016-11-25 23:54

In the hypothetical case that it were adopted, there's no need for a self-signed HTTPS certificate now that letsencrypt is available from Debian backports.
Mate DE & OSSv4.
LaMp, WordPress; ispmail
Debian Stable & Software

Words, as is well known, are the great foes of reality. Joseph Conrad.

Re: Why not even a self-signed HTTPS certificate?

Postby stevepusser » 2016-11-25 23:56

The Free Software Foundation is giving certificates away; there's even a Debian package for it in the repos: https://packages.debian.org/jessie-backports/certbot
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: AzPainter 2.1.0, Pale Moon 27.4.2, Liquorix kernel 4.12-8, mpv 0.27.0, Kodi 17.3, 0ad 0.0.22, Mesa 13.0.6

Re: Why not even a self-signed HTTPS certificate?

Postby kedaha » 2016-11-26 00:28

I see it says there:
The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

I've set it up for all my domains but I was unable to do it without any human intervention on my part in less than a minute; but setting it up for sub-domains like forums.debian.net might require some human intervention... :wink:

Re: Why not even a self-signed HTTPS certificate?

Postby GarryRicketson » 2016-11-26 02:12

I do not know the reasons the forum admins have for not using https, but for the kind of forum it is, and the purpose of the forum, I think it is better not to use it (https), personally I do not like it much. Why? Too many times it is problematic, I find it very annoying when I try to access a site, and get that stupid warning, or error saying something is wrong with the certificate, bla, bla. Sometimes, if one jumps through some hoops, the site still can be accessed, but other times no.

I think something to consider, if someone is trying to install Debian, and having problems, maybe they do not even have a DE and working "fancy browser", or also maybe the date and time on the system is not yet set correctly and that is something that can cause an "access denied" error, when https is being used. The point is, the user is trying to get help, maybe on a "crippled" system, the last thing I need, or others, is to get the (bad words) HTTPS "access denied" error,... I am glad this forum does not use https,...

The other day, there was a problem here posted, and when I did some searches, one of the most promising looking links was at "archlinux",... Guess what? When I tried to follow the link, the good for nothing https, "sorry this site can not be accessed, the certificate is expired",.... something to that extent,... It said the date it would be good, was in a few days,... and now, the "archlinux" site is accessible, but this is not the only time,.. or only site,... it is a regularly occurring problem with any site using https,...

I can see how an e-mail service, banking, or some kinds of business sites need and should have the additional security,... but I don't think https is a good idea on a site where many of the people trying to access need help, and may be trying to access with a system not working properly, ... and those are the people that need to be able to access the most.

On many sites, the error message, is more like a warning, but it says "This site is not secure" Bla, Bla,... but does offer an "advanced" option, where one can still access the site, if they want to, and don't mind the risk,... well on many of those kind of sites,.... that is enough to scare me, and decide to try elsewhere, look for a site not using the "https" abomination,..... honestly most of the time I find https just plain annoying.

And just because a site uses https, does not make it secure,... https is mostly a gimmick, being promoted to make money selling certificates,..... hopefully the "free certificates" maybe bring an end to that,

I found some interesting things, .... of course the "https" promoters won't like this, but ,........ anyway:

From: https://perezbox.com/2015/07/https-does-not-secure-your-website/

The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your website's availability by mitigating Distributed Denial of Service (DDOS) attacks.
Here are a number of articles I've written that better explain the dynamic nature of securing your websites, and what happens when you don't. Notice how HTTPS has very little to do with the process. ---snip---
To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having their certificates spoofed: ---- read more--

------------------------

Another:
https://www.sott.net/article/275524-Why-HTTPS-and-SSL-are-not-as-secure-as-you-think
----------------------------
Some searches will show there are more,... in a nutshell "https" does not make anything more secure,... a server or website, forum can be hacked, scraped, etc, and all the data, "stolen", even when they are using https,....... so what is the point?

I suppose though, if it gives the forums members a false sense of security, and keeps them happy, well, then we need https,. sort of like a "pacifier",...... Then we will have the other, "unhappy members" complaining, "Hey why can't I access, it says the date is wrong", or the "certificate expired", etc..... Oh,... no that won't be a problem, they won't be able to access the forum,... so we won't get any complaints from them.

The forum is working quite well, like it is. If it isn't broken, maybe it is best to not try to fix it.
Last edited by GarryRicketson on 2016-11-26 15:44, edited 1 time in total.
"What we expect you have already Done"

Before doing anything, read the Debian documentation:
Debian Documentation
How to ask the smart way
Debian Foro Español
======================
For the Birds
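The "date is wrong" and "certificate expired" errors in the post above are the same check seen from two sides: a client compares its own clock against the certificate's notBefore/notAfter window, so a wrong clock makes a good certificate look bad. The following is an added example, not code from the thread or from certbot: it generates a throwaway self-signed certificate with the openssl command-line tool (assumed to be installed), pulls the validity window out of the DER encoding with a minimal ASN.1 walker, and evaluates the same certificate against three simulated clocks. The hostname and file names are constructed for the demo.

```python
"""Added example, not code from the thread or from certbot: why a wrong
system clock turns a perfectly good certificate into an "expired" or
"not yet valid" error. Assumes the openssl CLI is installed; the hostname
and file names are constructed for the demo."""
import datetime as dt
import os
import subprocess
import tempfile


def make_self_signed_cert(days=3, cn="forum.example.test"):
    """Return the DER bytes of a fresh self-signed certificate valid for `days` days."""
    with tempfile.TemporaryDirectory() as workdir:
        key = os.path.join(workdir, "key.pem")
        crt = os.path.join(workdir, "cert.der")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-days", str(days), "-subj", f"/CN={cn}",
             "-keyout", key, "-out", crt, "-outform", "DER"],
            check=True, capture_output=True)
        with open(crt, "rb") as fh:
            return fh.read()


def der_read(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos).
    Handles single-byte tags and definite lengths, which is all X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content octets of a SEQUENCE into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_der_time(tag, value):
    """Decode UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_der_time(*not_before), parse_der_time(*not_after)


def check_at(der, clock):
    """The verdict a client's validity check gives when its clock reads `clock`."""
    not_before, not_after = certificate_validity(der)
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"


def clock_skew_demo(days=3):
    """Same certificate, three clocks: only the correct one sees it as valid."""
    der = make_self_signed_cert(days)
    now = dt.datetime.now(dt.timezone.utc)
    return {
        "correct clock": check_at(der, now),
        "clock a year behind": check_at(der, now - dt.timedelta(days=365)),
        "clock past expiry": check_at(der, now + dt.timedelta(days=days + 1)),
    }


if __name__ == "__main__":
    for clock, verdict in clock_skew_demo().items():
        print(f"{clock:20s} -> {verdict}")
```

Running it prints a valid verdict for the correct clock, "not yet valid" for a clock set a year in the past (the case of a freshly installed system whose date was never set) and "expired" for a clock past the window. A real client does the same comparison before it even looks at the signature, which is why fixing the system date, or serving a plain-http fallback as suggested later in the thread, is the remedy rather than anything on the server side.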

Re: Why not even a self-signed HTTPS certificate?

Postby kedaha » 2016-11-26 07:46

Unlike self-issued certificates —which, for reasons described by GarryRicketson, admittedly can be a bit of a pain—I've had no issues with https certificates for my domains after installing the Debian packages for letsencrypt on my server which runs apache2. And I was able to set it up in no time at all.
I take the view that —on principle— logins and passwords should under no circumstances be sent unencrypted over the 'net so as far as I'm concerned, the absence of https for these forums goes against the grain.
One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http for users who prefer it.
Since forums.debian.net is a subdomain of the domain debian.net —which I notice redirects to debian.org—then a letsencrypt certificate could only be done by the administrator of the main domain. See also viewtopic.php?f=12&t=129653&p=623723#p623720. There should be no problem doing this for the subdomain; for example:
stevepusser wrote:The Free Software Foundation is giving certificates away; there's even a Debian package for it in the repos: https://packages.debian.org/jessie-backports/certbot

Notice that the sub-domain link packages.debian.org given by stevepusser is secured with a letsencrypt certificate whilst the main domain, debian.org, is verified by gandi.
I recently set up a free letsencrypt certificate for a subdomain and the procedure is very similar to doing it for a virtual host; it's easy peasy once you know how.

Re: Why not even a self-signed HTTPS certificate?

Postby GarryRicketson » 2017-04-19 21:42

kedaha wrote: after installing the Debian packages for letsencrypt on my server which runs apache2. And I was able to set it up in no time at all.

From: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
====
We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt . Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox


I know it is an old topic, but any way, just because a site has an SSL certificate, does not mean it is secure, nor that it is the site one thinks it is.

One thing though, not having the "https", results in the site no longer showing in the google search results, if it does show at all it is way down at the bottom, the "https" sites get listed first. The browsers now, also are making it harder to visit http sites, giving a warning, claiming it is not secure,...

Interesting approach, the browser tells me, this site is not secure because it does not use SSL, but they set a default setting, so that if I go to a site using the "punycode" ("Do a search for 'punycode' without quotes", see the article), the default setting does not tell me or give me any warning, that the site is not the one I think it is. I wonder why they put the default setting that way?
--------------------------
kedaha wrote: One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http for users who prefer it.

This would be the ideal situation, as I mentioned earlier, someone struggling with a crippled system could have trouble accessing if it is https, that would give them an alternative.

The other advantage is having an https url (SSL certificate) would get this site back into the google search results, when people do a search for solutions to problems that have been solved here. Although it seems to come up pretty good on other search engines, it is not showing in google and startpage as much as it used to, I don't know if anybody else has noticed that, I have.

After all said and done though, only the server/site owner, admin can do this, and if he does not want to, or does not have the time,.. it will not happen.
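The punycode problem raised in the post above is that the certificate only proves the server owns the name in the address bar, not that the name is the one the visitor thinks it is. Browsers decide whether to display the Unicode form or the raw "xn--" form by looking at the label itself: a label that mixes scripts, or consists entirely of letters that render like ASCII, is shown as punycode. The check below is an added example, not code from the thread, the Wordfence article or any browser; it decodes a hostname's punycode form with Python's standard idna codec and applies those two rules. The sample hostnames are constructed for the demo and the look-alike table is a small hand-picked excerpt, not a complete confusables list.

```python
"""Added example, not from the forum thread or the Wordfence article: a
defender-side check that decodes a hostname's punycode (xn--) form and flags
labels that mix scripts or consist entirely of letters that render like
ASCII. Sample hostnames and the look-alike table are constructed for the
demo; the table is a small excerpt, not a complete confusables list."""
import unicodedata

# Non-Latin letters that look like ASCII letters in most fonts (constructed excerpt).
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o",
}


def to_unicode(host):
    """Decode a punycode hostname; names already in Unicode pass through."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def analyze_host(host):
    """Return the decoded name plus the findings a browser's IDN display policy
    would use to decide whether to show the raw xn-- form instead."""
    decoded = to_unicode(host)
    findings = []
    for label in decoded.split("."):
        letters = [ch for ch in label if not (ch.isdigit() or ch == "-")]
        # Heuristic script of a letter: first word of its Unicode name,
        # e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
        scripts = {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in letters}
        if len(scripts) > 1:
            findings.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif letters and "LATIN" not in scripts and all(ch in LATIN_LOOKALIKES for ch in letters):
            # Whole-script confusable: every letter has an ASCII look-alike.
            skeleton = "".join(LATIN_LOOKALIKES[ch] for ch in label if ch in LATIN_LOOKALIKES)
            findings.append(f"{label!r} is all {scripts.pop()} but renders like {skeleton!r}")
    return {"input": host, "decoded": decoded,
            "suspicious": bool(findings), "findings": findings}


# Constructed samples: an ordinary name, a Latin label with one Cyrillic 'a',
# and an all-Cyrillic label whose letters render as 'copy'.
PLAIN_HOST = "forums.debian.net"
MIXED_HOST = "ex\u0430mple.test"
CYRILLIC_HOST = "\u0441\u043e\u0440\u0443.test"
MIXED_PUNYCODE = MIXED_HOST.encode("idna").decode("ascii")
CYRILLIC_PUNYCODE = CYRILLIC_HOST.encode("idna").decode("ascii")

if __name__ == "__main__":
    for host in (PLAIN_HOST, MIXED_PUNYCODE, CYRILLIC_PUNYCODE):
        result = analyze_host(host)
        print(f"{host} -> {result['decoded']}: "
              + ("; ".join(result["findings"]) or "nothing unusual"))
```

The two rules are deliberately narrow: an all-Cyrillic name made of ordinary Cyrillic letters is not flagged, because a Russian-language site is not a homograph, while a label built only from look-alikes is. A certificate issued for the look-alike name is perfectly genuine, which is why the browser's name-display policy, not the padlock, is the control that matters here.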
