Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

SSL in Debian Forums

Code of conduct, suggestions, and information on forums.debian.net.
Message
Author
alderaan
Posts: 90
Joined: 2013-07-25 20:20

Re: SSL in Debian Forums

#16 Post by alderaan »

+1

levlaz wrote:Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
It is in beta since 2015-12-03:
https://letsencrypt.org/2015/12/03/ente ... -beta.html

The Debian package migrated to testing just a few days ago:
https://tracker.debian.org/pkg/python-letsencrypt

User avatar
Crewp
Posts: 61
Joined: 2013-08-02 18:25

Re: SSL in Debian Forums

#17 Post by Crewp »

i vote yes, for SSL for this forum.

User avatar
edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: SSL in Debian Forums

#18 Post by edbarx »

Since this is a public forum where everyone can blather whatever nonsense comes to one's mind, I see no benifits in using SSL. The only 'benefits' I see, are higher load on the servers as these will also have to deal with encryption and decryption.

Vote: NO.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

User avatar
cpoakes
Posts: 99
Joined: 2015-03-29 04:54

Re: SSL in Debian Forums

#19 Post by cpoakes »

Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent on the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.

BTW, when it comes to discussing computers, software, and protocols "never say never" is generally good policy. There are enough corner cases to prove most "never do this" scenarios wrong.

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: SSL in Debian Forums

#20 Post by tomazzi »

wizard10000 wrote:Only reason I can think of is sending passwords in plain text.
Chiefahol wrote: You know mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.
cpoakes wrote:
Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent on the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
...
Of course encryption is costly on the server side, but let's face the truth: http://forums.debian.net is not the most frequently visited web page...

On the other hand, every serious webpage is using encryption today - so I don't think that would be a problem for such a small forums...

Vote: Yes.

Regards.
Odi profanum vulgus

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: SSL in Debian Forums

#21 Post by GarryRicketson »

Well I am glad it is not SSL, Just now experiementing with a freshly installed NETBSD system, and it said I don't have the ssl certificates setup, or configured, if it was "https" I would not be able to connect.
Making it https could make it difficult for some people to connect, expecially for those with problems in a newly installed system and they might not have some of those things configured yet.
I can see where https is needed on some sites, especially like banking sites, or sites where the information being exchanged must be kept confidentual , but I don't think it is needed here and it could very well be a hinderance.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: SSL in Debian Forums

#22 Post by kedaha »

levlaz wrote:Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
I've just obtained a free certificate for one of my domains for a raspberry pi server running raspbian-jessie based on Debian Jessie, using letsencrypt and it was a breeze & works just fine.
DebianStable

Code: Select all

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

User avatar
squeeze
Posts: 299
Joined: 2010-06-14 23:16
Location: thimbleweedpark

Re: SSL in Debian Forums

#23 Post by squeeze »

wizard10000 wrote:forums.debian.net isn't an official Debian resource.
Whois says otherwise:
Registrant Organization: Software in the Public Interest, Inc. - Debian Project
“Have you tried turning it off and on again?”

User avatar
4D696B65
Site admin
Site admin
Posts: 2696
Joined: 2009-06-28 06:09
Been thanked: 85 times

Re: SSL in Debian Forums

#24 Post by 4D696B65 »

The only reason I see in support of SSL on this forum is protection of passwords.
I as a forum admin have no power or tools to implement SSL.
If you feel strongly about this, you should pm the server admins, Mez and Ganneff.

User avatar
squeeze
Posts: 299
Joined: 2010-06-14 23:16
Location: thimbleweedpark

Re: SSL in Debian Forums

#25 Post by squeeze »

4D696B65 wrote:If you feel strongly about this, you should pm the server admins, Mez and Ganneff.
Thanks for the reply. I pm'd the admins.
“Have you tried turning it off and on again?”

alderaan
Posts: 90
Joined: 2013-07-25 20:20

Re: SSL in Debian Forums

#26 Post by alderaan »

squeeze wrote:
wizard10000 wrote:forums.debian.net isn't an official Debian resource.
Whois says otherwise:
Registrant Organization: Software in the Public Interest, Inc. - Debian Project
I can't find an official statement for this but debian.net is for projects that are not official (such as this site). When a project becomes official it is moved to debian.org.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: SSL in Debian Forums

#27 Post by GarryRicketson »

I don't know what it matters if it is "official" or not, it exists for users to get help and support,and functions, and so it is real.
Debian.org lists the forum as source for support.
https://www.debian.org/support#web
Web sites
Forums

debianHELP and Debian User Forums are web portals on which you can discuss Debian-related topics, submit questions about Debian, and have them answered by other users.

jesus92gz
Posts: 121
Joined: 2015-02-06 18:07

Re: SSL in Debian Forums

#28 Post by jesus92gz »

I understand that in order to use SSL, the server should need extra-power, as more CPU and memory would be required. I think it's worth, though.

Anyways, Let's encrypt is now issuing free/gratis SSL certificates, and I would consider this option: https://letsencrypt.org/

eg: FreeBSD forums are encrypted (though it's the official one). https://forums.freebsd.org/

lukas
Posts: 87
Joined: 2011-07-30 15:43

Re: SSL in Debian Forums

#29 Post by lukas »

jesus92gz wrote:I understand that in order to use SSL, the server should need extra-power, as more CPU and memory would be required. I think it's worth, though.

Anyways, Let's encrypt is now issuing free/gratis SSL certificates, and I would consider this option: https://letsencrypt.org/

eg: FreeBSD forums are encrypted (though it's the official one). https://forums.freebsd.org/
All that is fine. Truth to be told: The forum is pretty abandoned, when it comes to administration.
It is pointless to ask here for enhancements.
You can try your luck here:
http://forums.debian.net/viewtopic.php?f=11&t=47049

johnw
Posts: 6
Joined: 2014-06-05 05:05

Re: SSL in Debian Forums

#30 Post by johnw »

Yes, support https please ...
At least for login / password, thank.

Or no admin/root here?

compute34ymk
Posts: 6
Joined: 2016-05-19 07:55

Re: SSL in Debian Forums

#31 Post by compute34ymk »

I upvote using SSL on the forums.
IT MAKES SENSE
Any website which you enter informaiton such as passwords should be secure.

More and more websites are using it. Even yahoo.
The most recent website that could have any relevance here being linux mint.

They were hacked recently, their .iso images and forums. At this time 0% of their website used https.
Now the linux mint forums and site uses https. The blog is the only part that doesn't.

Changes to password policies
http://blog.linuxmint.com/?p=3007
All forums users should change their passwords.
Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

Post Reply