Use HTTPS

Re: Use HTTPS

Postby dotlj » 2018-01-22 06:35

I think https is way overdue on Debian forums.
Let's Encrypt provides free certificates to encourage http websites to move to https websites. https://letsencrypt.org/
Most people don't like to log into a forum with a password sent in plain text, but would prefer to use TLS 1.2 encryption.
https://letsencrypt.org/stats/ reports the percentage of web pages loaded by Firefox using https during the past twelve months has climbed from below 50% to over 50%.
The trend over a longer time frame shows a clear movement to https websites.
The EFF, through Let's Encrypt, is pushing for 100% encryption, and they have support from many Linux users.
dotlj
 
Posts: 591
Joined: 2009-12-25 17:21

Re: Use HTTPS

Postby debiman » 2018-01-22 06:43

By using Let's Encrypt, one enters into a contract with some entity (not sure whether an association, foundation, company, etc.) in the USA, under US law.
So unless Debian forums is based in the US anyway, it is something to consider.
debiman
 
Posts: 2216
Joined: 2013-03-12 07:18

Re: Use HTTPS

Postby dotlj » 2018-01-23 06:29

https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

https://en.wikipedia.org/wiki/Internet_Security_Research_Group
The Internet Security Research Group (ISRG) is a California public-benefit corporation which focuses on Internet security.

Let's Encrypt—its first major initiative—aims to make Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates available for free in an automated fashion.

Josh Aas serves as the group's executive director and board chair. The board also contains individuals from Akamai, Cisco, University of Michigan, Mozilla, ACLU, CoreOS, and the Electronic Frontier Foundation.


The current system of Certificate Authorities, where nation states and anyone who wants to pay for it can have their own CA and issue certificates that are accepted by browsers, allowing MITM attacks, is broken.
Until something better is available we have to choose what to use.
1. HTTP with passwords in plain text
2. HTTPS with passwords and other data encrypted.
https://letsencrypt.org/2017/12/07/look ... -2018.html
Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

While we’re proud of what we accomplished in 2017, we are spending most of the final quarter of the year looking forward rather than back. As we wrap up our own planning process for 2018, I’d like to share some of our plans with you, including both the things we’re excited about and the challenges we’ll face. We’ll cover service growth, new features, infrastructure, and finances.


Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
dotlj
 
Posts: 591
Joined: 2009-12-25 17:21

Re: Use HTTPS

Postby debiman » 2018-01-23 07:23

dotlj wrote: Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?

I should have clarified:
my comment was from the point of view of the server owner who decides to employ Let's Encrypt.
I was on the verge of doing it once and, apart from a deep mistrust of handing control of my complete system over to some unknown Python script, I remember 100% that I read that I am effectively entering into some sort of contract with said entity, under US law.
I think you will understand that I, a citizen of an entirely different continent, both online and IRL, do not want to do that.

This has no impact on the person who browses the site, I'll agree to that.

BTW, cacert.org is based in Australia.
I used them for a while, but unfortunately their certificates are not "browser trusted" :(
I think it takes serious money to buy that trust (sic). Another interesting thought: what's Let's Encrypt's motivation for spending that and then giving the certificates away for free?
debiman
 
Posts: 2216
Joined: 2013-03-12 07:18
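As an added example (not code from this thread, nor from Let's Encrypt or CAcert), the shell script below shows the mechanics behind two points made above: dotlj's observation that any CA accepted by browsers can issue a certificate for any name, and debiman's experience that CAcert certificates are not "browser trusted". It builds three throwaway CAs with the openssl command-line tool, puts two of them into a file that plays the role of the browser's trust store, has each CA sign a certificate for the same hostname, and runs "openssl verify" against the store. The hostname forums.example.net and the CA names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any CA.
# Three private CAs built with openssl stand in for real ones:
#   trusted-ca, other-trusted-ca -> placed in the "browser" trust store
#   homemade-ca                  -> kept out of the store (the CAcert situation)
# Each signs a leaf certificate for the same made-up hostname, and
# "openssl verify" against the store plays the browser's chain check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=forums.example.net        # assumed hostname, not the real forum

# make_ca NAME: self-signed CA key and certificate under $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# issue_leaf NAME CA: leaf certificate for $HOST signed by the named CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_leaf NAME STORE: prints OK when the chain ends at a root present
# in STORE, FAIL otherwise. That is all "browser trusted" means.
verify_leaf() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca trusted-ca
make_ca other-trusted-ca
make_ca homemade-ca
# The trust store: every CA listed here can vouch for any hostname.
cat "$WORK/trusted-ca.crt" "$WORK/other-trusted-ca.crt" > "$WORK/store.crt"

issue_leaf site     trusted-ca        # the legitimate certificate
issue_leaf impostor other-trusted-ca  # same name, another CA in the store
issue_leaf homemade homemade-ca       # same name, CA outside the store

printf '%-40s %s\n' "site signed by trusted-ca:"           "$(verify_leaf site store)"
printf '%-40s %s\n' "impostor signed by other-trusted-ca:"  "$(verify_leaf impostor store)"
printf '%-40s %s\n' "homemade signed by homemade-ca:"       "$(verify_leaf homemade store)"
printf '%-40s %s\n' "homemade checked against homemade-ca:" "$(verify_leaf homemade homemade-ca)"
```

Run it with sh; it needs only the openssl binary and writes to a temporary directory that is removed on exit. The first two checks both pass: the store does not know which CA is "supposed" to vouch for the name, so any CA inside it can mint an accepted certificate for the forum, which is the MITM exposure dotlj describes. The third check fails even though the fourth shows the certificate is perfectly valid under its own CA; the only thing missing is the root's presence in the store, which is exactly what debiman ran into with CAcert.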

Re: Use HTTPS

Postby GarryRicketson » 2018-01-23 17:49

dotlj wrote: The trend over a longer time frame shows a clear movement to https websites.

Absolutely, by all means, it is "the trend", and we need to keep the forum "trendy". Https is the trendy thing to do, and if letsencrypt is the trend, it should be promoted instead of others, like "openssl".
I suppose openssl is not trendy enough? Or perhaps we shouldn't have so many choices, and it should all be MS, INTEL, and "letsencrypt"? Also, no more http should be allowed on the internet.
:mrgreen: (in a sarcastic mood today)
GarryRicketson
 
Posts: 4797
Joined: 2015-01-20 22:16
Location: Durango, Mexico
