SSL in Debian Forums

Posted: 2015-05-28 09:28
by jesus92gz
Hello.

Website: forum
Severity: wishlist

I have noticed that while other websites in Debian are SSL secured, the forum is not.

Is there any possibility to secure the forum with SSL?

Re: SSL in Forums

Posted: 2015-05-28 13:32
by levlaz
I didn't even realize that this was the case.

+1 for SSL

Re: SSL in Debian Forums

Posted: 2015-05-29 19:37
by Sarge-in-charge
jesus92gz wrote:Is there any possibility to secure the forum with SSL?
I vote NO if it's going to be with a self-signed certificate or with a certificate chained up to a CA not by default in Firefox.

Otherwise, I vote YES.

Re: SSL in Debian Forums

Posted: 2015-05-29 19:50
by Head_on_a_Stick
Why does this matter?

Re: SSL in Debian Forums

Posted: 2015-05-29 22:02
by Head_on_a_Stick
Sorry, I meant: why does it matter if the forums use SSL?

Re: SSL in Debian Forums

Posted: 2015-05-30 06:18
by roseway
Anyone who uses the same password on a public forum as they use for something confidential is asking for trouble anyway. SSL is pointless on a forum like this.

Re: SSL in Debian Forums

Posted: 2015-05-30 11:32
by Sarge-in-charge
roseway wrote:SSL is pointless on a forum like this.
This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.

Re: SSL in Debian Forums

Posted: 2015-06-01 16:05
by levlaz
Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/

Re: SSL in Debian Forums

Posted: 2015-06-03 15:39
by levlaz
Honestly, after thinking about this some more, I think there is no excuse to not have a valid SSL certificate. I will buy (and if needed configure) the SSL cert for this site. Does anyone know who we need to talk to in order to make this happen?

Re: SSL in Debian Forums

Posted: 2015-06-08 13:15
by jesus92gz
Head_on_a_Stick wrote:Why does this matter?
Apart from the previous users' replies, I can see the Debian site is using SSL everywhere.
For example:
Official Site: https://debian.org/
Wiki: https://wiki.debian.org/
...

Why should the forum not use SSL as well?

Re: SSL in Debian Forums

Posted: 2015-06-08 15:23
by jesus92gz
wizard10000 wrote:forums.debian.net isn't an official Debian resource.
Really? I thought it was.
Anyway, I think supporting SSL could improve the security of the forums for the end users. Just in case.

Re: SSL in Debian Forums

Posted: 2015-06-09 03:46
by kolker
It's not an end-of-the-world thing, but IMO it should be a default on all sites. This is not because something sensitive is happening per se or anything; it's just a good policy for all communications.

Re: SSL in Debian Forums

Posted: 2015-08-03 11:41
by dotlj

Re: SSL in Debian Forums

Posted: 2015-08-14 00:33
by millpond
Personally, I would love to have the NSA listen to what I have to say about systemd.

Re: SSL in Debian Forums

Posted: 2016-02-22 03:07
by Chiefahol
+1

You know Mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.

What's the delay about? :mrgreen:

Re: SSL in Debian Forums

Posted: 2016-02-22 16:29
by alderaan
+1

levlaz wrote:Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
It has been in beta since 2015-12-03:
https://letsencrypt.org/2015/12/03/ente ... -beta.html

The Debian package migrated to testing just a few days ago:
https://tracker.debian.org/pkg/python-letsencrypt

Re: SSL in Debian Forums

Posted: 2016-02-29 01:13
by Crewp
I vote yes for SSL for this forum.

Re: SSL in Debian Forums

Posted: 2016-02-29 23:43
by edbarx
Since this is a public forum where everyone can blather whatever nonsense comes to one's mind, I see no benefits in using SSL. The only 'benefits' I see are higher load on the servers, as these will also have to deal with encryption and decryption.

Vote: NO.

Re: SSL in Debian Forums

Posted: 2016-03-02 01:09
by cpoakes
Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.

BTW, when it comes to discussing computers, software, and protocols "never say never" is generally good policy. There are enough corner cases to prove most "never do this" scenarios wrong.

Re: SSL in Debian Forums

Posted: 2016-03-21 22:22
by tomazzi
wizard10000 wrote:Only reason I can think of is sending passwords in plain text.
Chiefahol wrote: You know Mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.
cpoakes wrote:
Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
...
Of course encryption is costly on the server side, but let's face the truth: http://forums.debian.net is not the most frequently visited web page...

On the other hand, every serious webpage is using encryption today - so I don't think that would be a problem for such a small forum...

Vote: Yes.

Regards.