Why not even a self-signed HTTPS certificate?


Postby daedalus.mythos » 2014-11-20 08:05

Well, hello!

I was quite baffled when I saw that on register/login there was no HTTPS by default. But after manually addressing https://forums.debian.net.. Unable to connect..

I understand that buying a decent certificate may be expensive. But I don't see any reason not to offer HTTPS with a self-signed certificate..

Could someone explain this to me?

best regards,
daedalus
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-20 08:30

We don't take credit cards, so not much point really... :wink:
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-20 09:05

dilberts_left_nut wrote:We don't take credit cards, so not much point really... :wink:


sorry.. it's quite early.. I don't get what you're trying to say.
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-20 09:32

It's been plain http since it was first turned on, and presumably the admin sees no compelling reason to change.

Besides, I think the server this runs on lies forgotten in a corner of a disused closet, covered in dust next to the pile of retired 40MB hard drives. :lol:
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-20 10:04

well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-20 10:12

Sorry, joking again.

But now I'm curious why you think https is more "up to date"?
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-20 10:22

dilberts_left_nut wrote:Sorry, joking again.

But now I'm curious why you think https is more "up to date"?


Well, plain http websites where any user input is given, or not even that, are to me out of date.. It's no black magic to secure the connection, which helps to protect against data (username, password, messages, ..) theft and should help keep the users' activity at least a bit more private.
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-20 10:30

But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-20 10:43

dilberts_left_nut wrote:But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.


Of course, of course..!
You're completely correct about the posts being public and the necessity of having different passwords for different services.
But you can't tell me that you don't mind that anyone who sniffs your traffic anywhere on the route between your PC and this website can read your credentials, private messages and whatever.

By up to date I consider state-of-the-art technology, including the (personal opinion) fact that a website/service should do everything in their power to protect the users' privacy and up/downloaded information.
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-20 11:06

Yes I understand, but if you want a private and secure messaging service, this clearly isn't it.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-20 12:02

Yes, I understand.. But it's not just about messaging.

Never mind, I see we won't agree on that any time soon :lol:
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby reinob » 2014-11-21 10:29

dilberts_left_nut wrote:And you shouldn't use the same credentials in two places anyway.


Do you really mean this? Or are you just making up an excuse for the fact that the login credentials are sent in plain text?

Reused or not, this is not OK. What was your password again?
reinob
 
Posts: 494
Joined: 2014-06-30 11:42

Re: Why not even a self-signed HTTPS certificate?

Postby dilberts_left_nut » 2014-11-21 10:40

reinob wrote:Do you really mean this?

Yes.

reinob wrote:Reused or not, this is not OK. What was your password again?

You tell me - it's sent in plain text after all... :)
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4591
Joined: 2009-10-05 07:54
Location: enzed

Re: Why not even a self-signed HTTPS certificate?

Postby daedalus.mythos » 2014-11-24 09:03

hunter2 ?
daedalus.mythos
 
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

Postby esp7 » 2016-11-25 08:34

daedalus.mythos wrote:well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..


I fully agree... not having https in 2016 is a bit of a joke.
Software is like sex: it's better when it's free © Linus Torvalds
esp7
 
Posts: 123
Joined: 2013-06-23 20:31
