Why not even a self-signed HTTPS certificate?

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Why not even a self-signed HTTPS certificate?

#1 Post by daedalus.mythos »

Well, hello!

I was quite baffled when I saw that on register/login there was no HTTPS per default. But after manually addressing https://forums.debian.net.. Unable to connect..

I understand that buying a decent certificate may be expensive. But I don't see any reason not to offer HTTPS with a self-signed certificate..

Could someone explain this to me?

best regards,
daedalus

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#2 Post by dilberts_left_nut »

We don't take credit cards, so not much point really... :wink:
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#3 Post by daedalus.mythos »

dilberts_left_nut wrote:We don't take credit cards, so not much point really... :wink:
Sorry... it's quite early... I don't get what you're trying to say.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#4 Post by dilberts_left_nut »

It's been plain http since it was first turned on, and presumably the admin sees no compelling reason to change.

Besides, I think the server this runs on lies forgotten in a corner of a disused closet, covered in dust next to the pile of retired 40MB hard drives. :lol:
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#5 Post by daedalus.mythos »

well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#6 Post by dilberts_left_nut »

Sorry, joking again.

But now I'm curious why you think https is more "up to date"?
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#7 Post by daedalus.mythos »

dilberts_left_nut wrote:Sorry, joking again.

But now I'm curious why you think https is more "up to date"?
Well, plain http websites where any user input is given, or not even that, are to me out of date. It's no black magic to secure the connection, which helps to protect against data (username, password, messages, ...) theft and should help keep the user's activity at least a bit more private.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#8 Post by dilberts_left_nut »

But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#9 Post by daedalus.mythos »

dilberts_left_nut wrote:But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.
Of course, of course..!
You're completely correct about the posts being public and the necessity of having different passwords for different services.
But you can't tell me that you don't mind anyone who sniffs your traffic anywhere on the route between your PC and this website reading your credentials, private messages and whatever.

By up to date I mean state-of-the-art technology, including the (personal opinion) fact that a website/service should do everything in its power to protect the users' privacy and up/downloaded information.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#10 Post by dilberts_left_nut »

Yes I understand, but if you want a private and secure messaging service, this clearly isn't it.
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#11 Post by daedalus.mythos »

Yes, I understand.. But it's not just about messaging.

Never mind, I see we won't agree on that any time soon :lol:

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 45 times

Re: Why not even a self-signed HTTPS certificate?

#12 Post by reinob »

dilberts_left_nut wrote:And you shouldn't use the same credentials in two places anyway.
Do you really mean this? Or are you just making up an excuse for the fact that the login credentials are sent in plain text?

Reused or not, this is not OK. What was your password again?

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Why not even a self-signed HTTPS certificate?

#13 Post by dilberts_left_nut »

reinob wrote:Do you really mean this?
Yes.
Reused or not, this is not OK. What was your password again?
You tell me - it's sent in plain text after all... :)
AdrianTM wrote:There's no hacker in my grandma...

daedalus.mythos
Posts: 11
Joined: 2014-11-20 07:56

Re: Why not even a self-signed HTTPS certificate?

#14 Post by daedalus.mythos »

hunter2 ?

esp7
Posts: 177
Joined: 2013-06-23 20:31
Has thanked: 2 times
Been thanked: 4 times

Re: Why not even a self-signed HTTPS certificate?

#15 Post by esp7 »

daedalus.mythos wrote:well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..
I fully agree... not having https in 2016 is a bit of a joke.
ThinkPad X220: i5-2520M CPU 2.5GHz - 8GB RAM 1333 MHz - SSD 860 EVO 250GB - Debian - ME_cleaned
ThinkPad X230: i5-3320M CPU 3.3GHz - 8GB RAM 1600 MHz - SSD 860 EVO 500GB - Debian - ME_cleaned

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Why not even a self-signed HTTPS certificate?

#16 Post by kedaha »

In the hypothetical case that it were adopted, there's no need for a self-signed HTTPS certificate now that letsencrypt is available from Debian backports.
DebianStable


$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Why not even a self-signed HTTPS certificate?

#17 Post by stevepusser »

The Free Software Foundation is giving certificates away; there's even a Debian package for it in the repos: https://packages.debian.org/jessie-backports/certbot
MX Linux packager and developer

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Why not even a self-signed HTTPS certificate?

#18 Post by kedaha »

I see it says there:
The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

I've set it up for all my domains but I was unable to do it without any human intervention on my part in less than a minute; but setting it up for sub-domains like forums.debian.net might require some human intervention... :wink:
DebianStable


$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Why not even a self-signed HTTPS certificate?

#19 Post by GarryRicketson »

I do not know the reasons the forum admins have for not using https,
but for the kind of forum it is, and the purpose of the forum, I think
it is better not to use it (https); personally I do not like it much.
Why? Too many times it is problematic. I find it very annoying
when I try to access a site and get that stupid warning, or error
saying something is wrong with the certificate, bla, bla.
Sometimes, if one jumps through some hoops, the site still
can be accessed, but other times not.
I think something to consider: if someone is trying to install Debian
and having problems, maybe they do not even have a DE and a working
"fancy browser", or maybe the date and time on the system are not yet
set correctly, and that is something that can cause an "access denied" error
when https is being used.
The point is, the user is trying to get help, maybe on a "crippled" system;
the last thing I need, or others, is to get the (bad words) HTTPS "access denied"
error...
I am glad this forum does not use https...
The other day, there was a problem posted here, and when I did some searches,
one of the most promising looking links was at "archlinux"... Guess what?
When I tried to follow the link, the good for nothing https: "sorry, this site can not be
accessed, the certificate is expired"... something to that extent... It said
the date it would be good was in a few days... and now the "archlinux" site
is accessible, but this is not the only time... or only site... it is a regularly occurring
problem with any site using https...
I can see how an e-mail service, banking, or some kinds of business sites need and should have the additional security... but I don't think https is a good idea on a site
where many of the people trying to access need help, and may be trying to access
with a system not working properly... and those are the people that need to be
able to access the most.
On many sites the error message is more like a warning, but it says "This
site is not secure", bla, bla... but does offer an "advanced" option, where one can
still access the site if they want to and don't mind the risk... well, on many of those
kinds of sites... that is enough to scare me and decide to try elsewhere,
look for a site not using the "https" abomination... honestly most of the
time I find https just plain annoying.
And just because a site uses https does not make it secure... https is mostly a gimmick, being promoted to make money selling certificates... hopefully the
"free certificates" may bring an end to that.
I found some interesting things... of course the "https" promoters won't like
this, but... anyway:
From: https://perezbox.com/2015/07/https-does ... r-website/

The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your website's availability by mitigating Distributed Denial of Service (DDoS) attacks.
Here are a number of articles I've written that better explain the dynamic nature of securing your websites, and what happens when you don't. Notice how HTTPS has very little to do with the process. ---snip---
To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having their certificates spoofed: ---- read more ---
------------------------

Another:
https://www.sott.net/article/275524-Why ... -you-think
----------------------------
Some searches will show there are more... in a nutshell, "https" does not make anything more secure... a server or website or forum can be hacked, scraped, etc., and all the data "stolen", even when they are using https... so what is the point?
I suppose though, if it gives the forum's members a false sense of security and
keeps them happy, well, then we need https, sort of like a "pacifier"...
Then we will have the other,
"unhappy members" complaining, "Hey, why can't I access, it says the date is wrong",
or "the certificate expired", etc... Oh... no, that won't be a problem, they won't
be able to access the forum... so we won't get any complaints from them.
The forum is working quite well like it is. If it isn't broken, maybe it is best to
not try to fix it.
Last edited by GarryRicketson on 2016-11-26 15:44, edited 1 time in total.
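The two failure modes argued about above (the browser warning on a self-signed certificate, and the "expired" / "not yet valid" errors that a wrong system clock or a lapsed certificate produces) can be reproduced locally with nothing but the openssl command-line tool. The script below is an added example and is not code from anyone in this thread or from the forum software; it assumes openssl is installed, and the host name it uses is a placeholder (a .invalid name can never resolve). It makes a throwaway self-signed certificate like the one the opening post asks about, shows that a validator with no trust anchor rejects it while the same certificate passes once explicitly trusted, then re-runs validation with the clock set to other moments to show that the errors come from the clock and the validity window, not from the site.

```shell
#!/bin/sh
# Added example (not from the thread): what a validator sees when it meets a
# self-signed certificate, and how "expired" / "not yet valid" errors arise.
# Assumes only the openssl CLI. Host name is a placeholder, not a real site.
set -eu

WORK=$(mktemp -d)
HOST="forums.example.invalid"   # placeholder; .invalid never resolves

# Create a self-signed certificate for $1, valid for $2 days from now.
# Prints the path of the certificate file.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.crt"
}

# Chain validation the way a browser does it: no trust anchor in the default
# store signed this cert, so validation fails. This is the "not secure" warning.
verify_untrusted() { openssl verify "$1" >/dev/null 2>&1; }

# The same certificate after the user has explicitly trusted it (what importing
# the cert, or clicking through the warning, amounts to): validation succeeds.
verify_trusted() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# Validation as of an arbitrary clock value ($2 = seconds since the epoch).
# A client with a wrong clock gets exactly these results: before notBefore the
# cert is "not yet valid", after notAfter it is "expired", although the
# certificate itself never changed.
verify_at() { openssl verify -CAfile "$1" -attime "$2" "$1" >/dev/null 2>&1; }

# True if the certificate expires within $2 seconds from now. Useful in a cron
# job that warns the admin before visitors start seeing the expiry error.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1   # still valid $2 seconds from now
    fi
    return 0
}

# Demo run: a certificate that is valid for only one day.
CERT=$(make_selfsigned "$HOST" 1)
NOW=$(date +%s)
openssl x509 -in "$CERT" -noout -subject -dates
if verify_untrusted "$CERT"; then echo "untrusted: OK"; else echo "untrusted: rejected (self-signed)"; fi
if verify_trusted "$CERT"; then echo "trusted: OK"; fi
# A freshly installed system whose clock still reads 2000-01-01:
if verify_at "$CERT" 946684800; then :; else echo "clock at 2000-01-01: rejected (not yet valid)"; fi
if verify_at "$CERT" $((NOW + 10 * 86400)); then :; else echo "clock 10 days ahead: rejected (expired)"; fi
if expires_within "$CERT" $((2 * 86400)); then echo "expires within 2 days: renew now"; fi
```

The `-attime` runs are the part worth keeping in mind when a user on a half-installed system reports a certificate error: the same check that fails on their box succeeds with a correct clock, so the first thing to ask for is the output of `date`, not a change on the server. The `-checkend` function is the other half of the picture: an automated renewal (as certbot provides) or at least a scheduled warning is what stops the "certificate expired" complaint described for the archlinux link.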

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Why not even a self-signed HTTPS certificate?

#20 Post by kedaha »

Unlike self-issued certificates — which, for reasons described by GarryRicketson, admittedly can be a bit of a pain — I've had no issues with https certificates for my domains after installing the Debian packages for letsencrypt on my server, which runs apache2. And I was able to set it up in no time at all.
I take the view that — on principle — logins and passwords should under no circumstances be sent unencrypted over the 'net, so as far as I'm concerned, the absence of https for these forums goes against the grain.
One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http, for users who prefer it.
Since forums.debian.net is a subdomain of the domain debian.net — which I notice redirects to debian.org — a letsencrypt certificate could only be done by the administrator of the main domain. See also viewtopic.php?f=12&t=129653&p=623723#p623720. There should be no problem doing this for the subdomain; for example:
stevepusser wrote:The Free Software Foundation is giving certificates away; there's even a Debian package for it in the repos: https://packages.debian.org/jessie-backports/certbot
Notice that the sub-domain packages.debian.org in the link given by stevepusser is secured with a letsencrypt certificate, whilst the main domain, debian.org, is verified by gandi.
I recently set up a free letsencrypt certificate for a subdomain and the procedure is very similar to doing it for a virtual host; it's easy peasy once you know how.
DebianStable


$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.
