
Debian Forum security issue ?

Posted: 2017-01-25 10:56
by ticojohn
I recently updated my Firefox browser to version 51.0 and am now seeing a security warning indicating that forums.debian.net is not secure. I assume that is because it is not https. Is that a correct assumption and should users be concerned? For myself, I think I can come to this site with confidence but just wonder how that warning might affect potential future users.

Re: Debian Forum security issue ?

Posted: 2017-01-25 18:41
by horgh
Is it happening just when visiting the forum? Or is it just on the login page/when logging in? I think there is a warning in that version now for password fields on non-HTTPS sites.

Making the site HTTPS would definitely be a good idea. Maybe that Firefox behaviour will help make it happen.
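As an added illustration of the condition horgh describes (not part of the original post, and not Firefox's actual logic), this sketch flags password fields that are served from, or submit to, a non-HTTPS URL. The host `forum.example` and the sample markup are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup: a minimal login form with a relative action.
SAMPLE_LOGIN_HTML = (
    '<form action="./ucp.php?mode=login" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password"></form>'
)


class _PasswordFieldScanner(HTMLParser):
    """Records the enclosing form's action for every password input seen."""

    def __init__(self):
        super().__init__()
        self._action = None  # action of the <form> currently open, if any
        self.actions = []    # one entry per password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # A password field outside any form is attributed to the page itself.
            self.actions.append(self._action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def insecure_password_findings(page_url, html):
    """Return (reason, submit_url) for each password field exposed over HTTP."""
    scanner = _PasswordFieldScanner()
    scanner.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for action in scanner.actions:
        target = urljoin(page_url, action)  # resolve relative form actions
        if not page_is_https:
            # The page can be altered in transit, so the field is exposed
            # regardless of where the form claims to submit.
            findings.append(("page-not-https", target))
        elif urlparse(target).scheme != "https":
            findings.append(("form-posts-to-http", target))
    return findings


if __name__ == "__main__":
    print(insecure_password_findings("http://forum.example/ucp.php", SAMPLE_LOGIN_HTML))
```

An HTTPS page whose form posts to an `http://` action is reported separately, since the credentials still cross the network in cleartext.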

Re: Debian Forum security issue ?

Posted: 2017-01-25 21:30
by GarryRicketson
This already had been brought up here:
http://forums.debian.net/viewtopic.php?f=12&t=118960

http://forums.debian.net/viewtopic.php? ... 15#p629939



Just because a site is "https", and has a ssl certificate, does not
in any way mean it is a safe or secure site,..
http://www.spamtitan.com/web-filtering/ ... fe-to-use/

However in their effort to make people believe they must be using
and purchasing ssl certificates, even Google has started "not listing" sites
that do not have https,...Apparently now the newest versions of Firefox as well.
So yes, if one is concerned about "Google ratings", it would be important
to use https, and the certificates, but it is really just a gimmick, and
has nothing to do with if the site really is safe and secure,..If one
is really concerned about a website's or forum's security, just assuming
it is secure just because it is https, is plain foolish.
A search will show results that can help you determine the security and safety of a website,..

Re: Debian Forum security issue ?

Posted: 2017-01-25 22:07
by ticojohn
GarryRicketson wrote: Just because a site is "https", and has a ssl certificate, does not in any way mean it is a safe or secure site,..
I understand that. I think my question was more about why it is showing as not secure, and I think that is clear in your answer. Just another gimmick, or maybe a tactic to try to get more sites to pay for ssl certificates. Which, as you state, doesn't by itself make a site safe; just more expensive to operate.

Re: Debian Forum security issue ?

Posted: 2017-01-25 22:18
by kedaha
ticojohn wrote: Just another gimmick, or maybe a tactic to try to get more sites to pay for ssl certificates. Which, as you state, doesn't by itself make a site safe; just more expensive to operate.
Except that it's easy to install a free certificate from letsencrypt.org to enable HTTPS (SSL/TLS) without incurring any cost at all. debian.org itself now uses this.

Re: Debian Forum security issue ?

Posted: 2017-01-25 22:36
by horgh
Safety/security is a spectrum. There is no absolute security. No one is saying having HTTPS will magically make the forum totally secure.

Enabling HTTPS on the forum would increase security. It is definitely less secure without it.

Consider the case where you connect to a coffee shop wireless network. A malicious network operator could harvest your forum username and password and spy on what you are doing currently. They could also serve up a fake version of the forum and have users run malicious commands.

Yes it is not the end of the world having your forum password exposed, but given certificates are free these days, there's no reason not to do this.

Re: Debian Forum security issue ?

Posted: 2017-01-25 22:51
by GarryRicketson
I was going to edit my post, but now it is too late, ...
anyway, I shouldn't say "just a gimmick", the ssl certificates do have
a useful purpose, especially for commercial sites where on-line sales
are made, and also they could be applied even for sites that just
have a donation option,... the main thing they are good for is to help
prevent scammers setting up duplicate sites, or re-routing, and the victims think they are on the legit site, make a purchase, the money goes to the "fake site" operator, and nothing gets delivered.
In other words, the certificate does help assure you are really connected
to the site you think you are.
by ticojohn » I think my question was more about why it is showing as not secure,
I am not sure on that, it seems like the Firefox people should make an effort to make it where the "site not secure" message is more clear, and
includes why,...
I do agree, this could have a negative effect on new users, or visitors,
that do not know better,
Why does Firefox say a site is not secure
There are many results, here is one :
https://support.mozilla.org/en-US/kb/wh ... ecure-mean

The only times I have gotten those kind of messages with Firefox were
on sites that have https, and either the certificate really was expired,
or in one case, it was because my clock/date on my computer was set
wrong, I was in the wrong year !,... so it actually had absolutely nothing
to do with the actual website being insecure,....
You really have not provided enough details to determine why it says
that, and is it just FDN, or do you get these messages on other sites as well ?

Re: Debian Forum security issue ?

Posted: 2017-01-25 23:09
by ticojohn
GarryRicketson wrote: You really have not provided enough details to determine why it says
that, and is it just FDN, or do you get these messages on other sites as well ?
I see a little information icon to the left of the URL. When I click on the icon it gives a message that the connection is not secure. I see this icon for all sites that do not have https in the URL. Don't see it on those that do. I'm not going to let it bother me. I don't do a lot of exploring of unknown sites.

Thanks for the feedback.