SSL in Debian Forums

Code of conduct, suggestions, and information on forums.debian.net.
jesus92gz
Posts: 121
Joined: 2015-02-06 18:07

SSL in Debian Forums

#1 Post by jesus92gz »

Hello.

Website: forum
Severity: wishlist

I have noticed that while other websites in Debian are SSL secured, the forum is not.

Is there any possibility to secure the forum with SSL?
Last edited by jesus92gz on 2015-05-29 07:28, edited 1 time in total.

levlaz
Posts: 179
Joined: 2012-09-27 12:06
Location: San Francisco, CA

Re: SSL in Forums

#2 Post by levlaz »

I didn't even realize that this was the case.

+1 for SSL
Best,

Lev
Blog

Sarge-in-charge
Posts: 113
Joined: 2012-07-21 08:41

Re: SSL in Debian Forums

#3 Post by Sarge-in-charge »

jesus92gz wrote: Is there any possibility to secure the forum with SSL?
I vote NO if it's going to be with a self-signed certificate or with a certificate chained up to a CA not by default in Firefox.

Otherwise, I vote YES.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: SSL in Debian Forums

#4 Post by Head_on_a_Stick »

Why does this matter?
deadbang

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: SSL in Debian Forums

#5 Post by Head_on_a_Stick »

Sorry, I meant: why does it matter if the forums use SSL?
deadbang

roseway
Posts: 1528
Joined: 2007-12-31 22:50
Location: Kent, UK
Has thanked: 3 times
Been thanked: 4 times

Re: SSL in Debian Forums

#6 Post by roseway »

Anyone who uses the same password on a public forum as they use for something confidential is asking for trouble anyway. SSL is pointless on a forum like this.
Eric

Sarge-in-charge
Posts: 113
Joined: 2012-07-21 08:41

Re: SSL in Debian Forums

#7 Post by Sarge-in-charge »

roseway wrote: SSL is pointless on a forum like this.
This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.

levlaz
Posts: 179
Joined: 2012-09-27 12:06
Location: San Francisco, CA

Re: SSL in Debian Forums

#8 Post by levlaz »

Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
Best,

Lev
Blog

levlaz
Posts: 179
Joined: 2012-09-27 12:06
Location: San Francisco, CA

Re: SSL in Debian Forums

#9 Post by levlaz »

Honestly, after thinking about this some more, I think there is no excuse to not have a valid SSL certificate. I will buy (and if needed configure) the SSL cert for this site. Does anyone know who we need to talk to in order to make this happen?
Best,

Lev
Blog

jesus92gz
Posts: 121
Joined: 2015-02-06 18:07

Re: SSL in Debian Forums

#10 Post by jesus92gz »

Head_on_a_Stick wrote: Why does this matter?
Apart from the previous users' replies, I can see the Debian site is using SSL everywhere.
For example:
Official Site: https://debian.org/
Wiki: https://wiki.debian.org/
...

Why should the forum not use SSL as well?

jesus92gz
Posts: 121
Joined: 2015-02-06 18:07

Re: SSL in Debian Forums

#11 Post by jesus92gz »

wizard10000 wrote: forums.debian.net isn't an official Debian resource.
Really? I thought it was.
Anyways, I think supporting SSL could improve the security of the forums for the end users. Just in case.

kolker
Posts: 81
Joined: 2013-08-22 07:16

Re: SSL in Debian Forums

#12 Post by kolker »

It's not an end-of-the-world thing, but IMO it should be a default on all sites. This is not because something sensitive is happening per se or anything; it's just a good policy for all communications.


millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: SSL in Debian Forums

#14 Post by millpond »

Personally, I would love to have the NSA listen to what I have to say about systemd.

Chiefahol
Posts: 30
Joined: 2015-08-27 11:39

Re: SSL in Debian Forums

#15 Post by Chiefahol »

+1

You know mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.

What's the delay about? :mrgreen:

alderaan
Posts: 90
Joined: 2013-07-25 20:20

Re: SSL in Debian Forums

#16 Post by alderaan »

+1

levlaz wrote: Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
It has been in beta since 2015-12-03:
https://letsencrypt.org/2015/12/03/ente ... -beta.html

The Debian package migrated to testing just a few days ago:
https://tracker.debian.org/pkg/python-letsencrypt

Crewp
Posts: 61
Joined: 2013-08-02 18:25

Re: SSL in Debian Forums

#17 Post by Crewp »

I vote yes for SSL for this forum.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: SSL in Debian Forums

#18 Post by edbarx »

Since this is a public forum where everyone can blather whatever nonsense comes to one's mind, I see no benefits in using SSL. The only 'benefits' I see are higher load on the servers, as these will also have to deal with encryption and decryption.

Vote: NO.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

cpoakes
Posts: 99
Joined: 2015-03-29 04:54

Re: SSL in Debian Forums

#19 Post by cpoakes »

Sarge-in-charge wrote: ...This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.

BTW, when it comes to discussing computers, software, and protocols "never say never" is generally good policy. There are enough corner cases to prove most "never do this" scenarios wrong.

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: SSL in Debian Forums

#20 Post by tomazzi »

wizard10000 wrote: Only reason I can think of is sending passwords in plain text.
Chiefahol wrote: You know mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.
cpoakes wrote:
Sarge-in-charge wrote: ...This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
...
Of course encryption is costly on the server side, but let's face the truth: http://forums.debian.net is not the most frequently visited web page...

On the other hand, every serious webpage is using encryption today - so I don't think that would be a problem for such a small forum...

Vote: Yes.

Regards.
Odi profanum vulgus
