Debian User Forums

Well, hello!

I was quite baffled when I saw that on register/login there was no HTTPS per default. But after manually addressing https://forums.debian.net.. Unable to connect..

I understand that buying a decent certificate may be expensive. But I don't see any reason not to offer HTTPS with a self-signed certificate..

Could someone explain this to me?

best regards,
daedalus

We don't take credit cards, so not much point really...

dilberts_left_nut wrote:We don't take credit cards, so not much point really...

sorry.. it's quite early.. I don't get what you're trying to say.

It's been plain http since it was first turned on, and presumably the admin sees no compelling reason to change.

Besides, it think the server this runs on lies forgotten in a corner of a disused closet, covered in dust next to the pile of retired 40MB hard drives.

well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..

Sorry, joking again.

But now I'm curious why you think https is more "up to date"?

dilberts_left_nut wrote:Sorry, joking again.

But now I'm curious why you think https is more "up to date"?

Well plain http websites where any user input is given, or not even that, is to me out-of-date.. It's no black magic to secure the connection, which helps to protect against data (username, password, messages, ..) theft and should help keeping the users activity at least a bit more private.

But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.

dilberts_left_nut wrote:But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.

Of course, of course..!
You're completely correct about the posts being public and the necessity of having different passwords for different services.
But you can't tell me that you don't mind that anyone, that sniffs your traffic anywhere on the route between your PC and this website reading your credentials, private messages and whatever.

By up to date I consider state-of-the-art technology, including the (personal opinion) fact, that a website/service should do everything in their power to protect the users privacy and up/downloaded information.

Yes I understand, but if you want a private and secure messaging service, this clearly isn't it.

Yes, I understand.. But it's not just about messaging.

Nevermind, I see we won't agree on that any time soon

dilberts_left_nut wrote:And you shouldn't use the same credentials in two places anyway.

Do you really mean this? or are you just making up an excuse for the fact that the login credentials are sent in plain text?

Reused or not, this is not OK. What was your password again?

reinob wrote:Do you really mean this?

Yes.

Reused or not, this is not OK. What was your password again?

You tell me - it's sent in plain text after all...

hunter2 ?

daedalus.mythos wrote:well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..

I fully agree... not having https in 2016 is a bit of a joke.