Page 1 of 2

Re: SSL in Debian Forums

Posted: 2016-02-22 16:29
by alderaan
+1

levlaz wrote:Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
It is in beta since 2015-12-03:
https://letsencrypt.org/2015/12/03/ente ... -beta.html

The Debian package migrated to testing just a few days ago:
https://tracker.debian.org/pkg/python-letsencrypt

Re: SSL in Debian Forums

Posted: 2016-02-29 01:13
by Crewp
i vote yes, for SSL for this forum.

Re: SSL in Debian Forums

Posted: 2016-02-29 23:43
by edbarx
Since this is a public forum where everyone can blather whatever nonsense comes to one's mind, I see no benifits in using SSL. The only 'benefits' I see, are higher load on the servers as these will also have to deal with encryption and decryption.

Vote: NO.

Re: SSL in Debian Forums

Posted: 2016-03-02 01:09
by cpoakes
Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent on the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.

BTW, when it comes to discussing computers, software, and protocols "never say never" is generally good policy. There are enough corner cases to prove most "never do this" scenarios wrong.

Re: SSL in Debian Forums

Posted: 2016-03-21 22:22
by tomazzi
wizard10000 wrote:Only reason I can think of is sending passwords in plain text.
Chiefahol wrote: You know mint just got their website completely owned. :shock:

It's probably time to use HTTPS on the main website and forums.
cpoakes wrote:
Sarge-in-charge wrote:...This is so wrong on many levels.

No HTTP traffic should be sent on the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).

HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
...
Of course encryption is costly on the server side, but let's face the truth: http://forums.debian.net is not the most frequently visited web page...

On the other hand, every serious webpage is using encryption today - so I don't think that would be a problem for such a small forums...

Vote: Yes.

Regards.

Re: SSL in Debian Forums

Posted: 2016-03-25 20:47
by GarryRicketson
Well I am glad it is not SSL, Just now experiementing with a freshly installed NETBSD system, and it said I don't have the ssl certificates setup, or configured, if it was "https" I would not be able to connect.
Making it https could make it difficult for some people to connect, expecially for those with problems in a newly installed system and they might not have some of those things configured yet.
I can see where https is needed on some sites, especially like banking sites, or sites where the information being exchanged must be kept confidentual , but I don't think it is needed here and it could very well be a hinderance.

Re: SSL in Debian Forums

Posted: 2016-03-26 10:20
by kedaha
levlaz wrote:Once this is live we should just use it. It costs nothing and works in any browser.

https://letsencrypt.org/
I've just obtained a free certificate for one of my domains for a raspberry pi server running raspbian-jessie based on Debian Jessie, using letsencrypt and it was a breeze & works just fine.

Re: SSL in Debian Forums

Posted: 2016-04-08 14:46
by squeeze
wizard10000 wrote:forums.debian.net isn't an official Debian resource.
Whois says otherwise:
Registrant Organization: Software in the Public Interest, Inc. - Debian Project

Re: SSL in Debian Forums

Posted: 2016-04-08 17:29
by 4D696B65
The only reason I see in support of SSL on this forum is protection of passwords.
I as a forum admin have no power or tools to implement SSL.
If you feel strongly about this, you should pm the server admins, Mez and Ganneff.

Re: SSL in Debian Forums

Posted: 2016-04-08 17:33
by squeeze
4D696B65 wrote:If you feel strongly about this, you should pm the server admins, Mez and Ganneff.
Thanks for the reply. I pm'd the admins.

Re: SSL in Debian Forums

Posted: 2016-04-09 18:50
by alderaan
squeeze wrote:
wizard10000 wrote:forums.debian.net isn't an official Debian resource.
Whois says otherwise:
Registrant Organization: Software in the Public Interest, Inc. - Debian Project
I can't find an official statement for this but debian.net is for projects that are not official (such as this site). When a project becomes official it is moved to debian.org.

Re: SSL in Debian Forums

Posted: 2016-04-10 00:07
by GarryRicketson
I don't know what it matters if it is "official" or not, it exists for users to get help and support,and functions, and so it is real.
Debian.org lists the forum as source for support.
https://www.debian.org/support#web
Web sites
Forums

debianHELP and Debian User Forums are web portals on which you can discuss Debian-related topics, submit questions about Debian, and have them answered by other users.

Re: SSL in Debian Forums

Posted: 2016-04-24 14:47
by jesus92gz
I understand that in order to use SSL, the server should need extra-power, as more CPU and memory would be required. I think it's worth, though.

Anyways, Let's encrypt is now issuing free/gratis SSL certificates, and I would consider this option: https://letsencrypt.org/

eg: FreeBSD forums are encrypted (though it's the official one). https://forums.freebsd.org/

Re: SSL in Debian Forums

Posted: 2016-04-24 18:24
by lukas
jesus92gz wrote:I understand that in order to use SSL, the server should need extra-power, as more CPU and memory would be required. I think it's worth, though.

Anyways, Let's encrypt is now issuing free/gratis SSL certificates, and I would consider this option: https://letsencrypt.org/

eg: FreeBSD forums are encrypted (though it's the official one). https://forums.freebsd.org/
All that is fine. Truth to be told: The forum is pretty abandoned, when it comes to administration.
It is pointless to ask here for enhancements.
You can try your luck here:
http://forums.debian.net/viewtopic.php?f=11&t=47049

Re: SSL in Debian Forums

Posted: 2016-05-20 03:03
by johnw
Yes, support https please ...
At least for login / password, thank.

Or no admin/root here?

Re: SSL in Debian Forums

Posted: 2016-05-20 04:03
by compute34ymk
I upvote using SSL on the forums.
IT MAKES SENSE
Any website which you enter informaiton such as passwords should be secure.

More and more websites are using it. Even yahoo.
The most recent website that could have any relevance here being linux mint.

They were hacked recently, their .iso images and forums. At this time 0% of their website used https.
Now the linux mint forums and site uses https. The blog is the only part that doesn't.

Changes to password policies
http://blog.linuxmint.com/?p=3007
All forums users should change their passwords.
Beware of hacked ISOs if you downloaded Linux Mint on February 20th!