
Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 08:05
by daedalus.mythos
Well, hello!

I was quite baffled when I saw that on register/login there was no HTTPS per default. But after manually addressing https://forums.debian.net.. Unable to connect..

I understand that buying a decent certificate may be expensive. But I don't see any reason not to offer HTTPS with a self-signed certificate..

Could someone explain this to me?

best regards,
daedalus

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 08:30
by dilberts_left_nut
We don't take credit cards, so not much point really... :wink:

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 09:05
by daedalus.mythos
dilberts_left_nut wrote:We don't take credit cards, so not much point really... :wink:


sorry.. it's quite early.. I don't get what you're trying to say.

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 09:32
by dilberts_left_nut
It's been plain http since it was first turned on, and presumably the admin sees no compelling reason to change.

Besides, I think the server this runs on lies forgotten in a corner of a disused closet, covered in dust next to the pile of retired 40MB hard drives. :lol:

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 10:04
by daedalus.mythos
well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 10:12
by dilberts_left_nut
Sorry, joking again.

But now I'm curious why you think https is more "up to date"?

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 10:22
by daedalus.mythos
dilberts_left_nut wrote:Sorry, joking again.

But now I'm curious why you think https is more "up to date"?


Well, plain http websites where any user input is given, or not even that, are to me out-of-date.. It's no black magic to secure the connection, which helps to protect against data (username, password, messages, ..) theft and should help keep the users' activity at least a bit more private.

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 10:30
by dilberts_left_nut
But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 10:43
by daedalus.mythos
dilberts_left_nut wrote:But it's a public forum - what you post is, well, public.
And you shouldn't use the same credentials in two places anyway.

It's functionality that hasn't been deemed necessary and has nothing to do with the date.


Of course, of course..!
You're completely correct about the posts being public and the necessity of having different passwords for different services.
But you can't tell me that you don't mind anyone who sniffs your traffic anywhere on the route between your PC and this website reading your credentials, private messages and whatever.

By up to date I mean state-of-the-art technology, including the (personal opinion) fact that a website/service should do everything in its power to protect the users' privacy and up/downloaded information.

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 11:06
by dilberts_left_nut
Yes I understand, but if you want a private and secure messaging service, this clearly isn't it.

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-20 12:02
by daedalus.mythos
Yes, I understand.. But it's not just about messaging.

Never mind, I see we won't agree on that any time soon :lol:

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-21 10:29
by reinob
dilberts_left_nut wrote:And you shouldn't use the same credentials in two places anyway.


Do you really mean this? Or are you just making up an excuse for the fact that the login credentials are sent in plain text?

Reused or not, this is not OK. What was your password again?

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-21 10:40
by dilberts_left_nut
reinob wrote:Do you really mean this?
Yes.
Reused or not, this is not OK. What was your password again?

You tell me - it's sent in plain text after all... :)

Re: Why not even a self-signed HTTPS certificate?

Posted: 2014-11-24 09:03
by daedalus.mythos
hunter2 ?

Re: Why not even a self-signed HTTPS certificate?

Posted: 2016-11-25 08:34
by esp7
daedalus.mythos wrote:well ok.. but since this forum is suggested on the official debian site (https://www.debian.org/support), I think this should be kept at least a bit up to date.. but hey.. I'm not the one in charge..


I fully agree... not having https in 2016 is a bit of a joke.