Use HTTPS

Have something to say about forums.debian.net itself?

Re: Use HTTPS

Postby Gerowen » 2019-10-14 21:52

Head_on_a_Stick wrote:So you're using the same password everywhere? That's not wise.


No, I'm not, and that's not the point, you're deflecting. By that logic, you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form. You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.
Gerowen
 
Posts: 146
Joined: 2011-04-11 05:12

Re: Use HTTPS

Postby kopper » 2019-10-15 05:51

Head_on_a_Stick wrote:And what information would that be then? This is a public forum, all of the posts are visible even to non-members.

Head_on_a_Stick wrote:So you're using the same password everywhere? That's not wise.


So you (deliberately?) miss the point to share assumptions on other users' behavior you have no knowledge about? Really builds your case.

I do agree, it's a public forum. I don't think that's conflicting with anything I said in my post.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 136
Joined: 2016-09-30 14:30

Re: Use HTTPS

Postby Head_on_a_Stick » 2019-10-15 18:11

Gerowen wrote:you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.

Yes.

Gerowen wrote:You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.

Correct.

My $DAY_JOB is sufficiently dangerous that body armour is considered a legitimate tax-deductible expense so perhaps my perception of risk is skewed but I am very happy with the provisions of these boards.

The electrons aren't free and this site isn't under the aegis of debian.org so the orange folks have my gratitude for this playground :)
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12194
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

Postby Gerowen » 2019-10-15 22:13

Head_on_a_Stick wrote:
Gerowen wrote:you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.

Yes.

Gerowen wrote:You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.

Correct.

My $DAY_JOB is sufficiently dangerous that body armour is considered a legitimate tax-deductible expense so perhaps my perception of risk is skewed but I am very happy with the provisions of these boards.

The electrons aren't free and this site isn't under the aegis of debian.org so the orange folks have my gratitude for this playground :)


What does your job have to do with the discussion at hand? You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq because it doesn't have jack to do with what we're talking about here. Nice, not-so-low key humble brag though I guess.

On your other statement though about the electrons not being free, nobody is asking the forum admins to spend extra money; you can generate self-signed certs, or if you don't want people to have to click past the message about an unknown cert, you can get a Let's Encrypt cert free of charge.
Gerowen
 
Posts: 146
Joined: 2011-04-11 05:12

Re: Use HTTPS

Postby cuckooflew » 2019-10-16 00:01

Yea but to do that, it takes someone with full administrative privileges, full access to the server, and no one that is active here has those kinds of privileges.

By that logic, you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.

I sure can't see anyone's passwords, but it sounds interesting; maybe you could explain how that is possible, and show some passwords you have seen? You probably can't, because you cannot see other people's passwords. If you can, prove it.

Oh, and then this is hilarious:
You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq because it doesn't have jack to do with what we're talking about here. Nice, not-so-low key humble brag though I guess.
But you just had to brag about that, and now we all do see it.
cuckooflew
 
Posts: 434
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

Postby andre@home » 2019-10-16 04:59

On the quoted weblink the discussion stopped in 2017.
viewtopic.php?f=12&t=118960

What I see on the internet is that there are 2 groups: some are "pro" https and the others are "against" https.
Apparently it seems virtually impossible for the one to convince the other, so it seems to become more and more long semantic discussions....

So currently the choice is for the user: accept what it is now and stay, or leave.
As users we do not have the influence to change this.

I'm putting my energy into other things....
andre@home
 
Posts: 386
Joined: 2011-10-02 08:00

Re: Use HTTPS

Postby Head_on_a_Stick » 2019-10-16 17:02

Gerowen wrote:Nice, not-so-low key humble brag though I guess.

Thanks, I've been waiting ages for an opportunity to shoehorn that into a post :mrgreen:

Gerowen wrote:You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq

Holy shit d00d that's pretty extreme, why are you worrying about something as trivial as https?

Gerowen wrote:nobody is asking the forum admins to spend extra money; you can generate self signed certs, or if you don't want people to have to click past the message about an unknown cert, you can get a lets encrypt cert free of charge.

The admins have donated the server space that runs these forums, it is not covered by Debian donations (AFAIK) and so constitutes a gift to the community. With that in mind demands for "better service" seem a bit, well, rude. IMO.
Head_on_a_Stick
 
Posts: 12194
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

Postby sickpig » 2019-10-21 12:22

welcome to the club Gerowen, I have been d00ded by hoas too! cryptic bloke it is, but quite helpful
sickpig
 
Posts: 378
Joined: 2019-01-23 10:34

Re: Use HTTPS

Postby efdevse » 2020-06-25 23:51

debian.org is using an LE cert. Since LE can do wildcards, it's a bit odd that this forum hasn't got it yet.
efdevse
 
Posts: 23
Joined: 2020-06-19 21:07

Re: Use HTTPS

Postby cuckooflew » 2020-06-26 01:35

Considering that this forum is .net (debian.forums.net), and debian.org is an entirely different website, nothing odd about it. It does strike me as odd that someone would still want to beat this dead horse, after all that has been said in various older topics.
Please Read What we expect you have already Done
Google knows a lot,
God, our Father knows all, maybe ask Him ,
…one flew east, one flew west,
One flew over the cuckoo’s nest.

I am not the right colour, so my life does not matter ?
to God it does :)
cuckooflew
 
Posts: 434
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

Postby efdevse » 2020-06-26 01:53

cuckooflew wrote: Considering that this forum is .net (debian.forums.net), and debian.org is an entirely different website, nothing odd about it. It does strike me as odd that someone would still want to beat this dead horse, after all that has been said in various older topics.

Missed that part. Still, it's not a hard thing to do.

// The dead horse… I assume the horse is http.
efdevse
 
Posts: 23
Joined: 2020-06-19 21:07

Re: Use HTTPS

Postby cuckooflew » 2020-06-26 02:18

No, the dead horse is the endless discussion on using https. It is clear that, for some reason, the administrator of the forum has chosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either. I will say this much: I agree, there is no real reason to use it on this forum/site, although many persons in the endless discussion on this have pointed out the many reasons they imagine we need it.
I will add, I don't use it myself on any of my websites and forums that I administer... no need to spam the forum with a list though...
Years ago, I did honestly have a problem with my system clock, and setting it... I needed help with that; every other forum I tried to connect to was https, and I was not able to connect. Finally I stumbled on to this one; it was listed in the search results, but way down toward the bottom, and finally, I found a forum that was http, and I was able to connect just fine, and got the help I needed. SOOOO, go figure: is https really such a good thing for an OS support forum, where many of the users are trying to connect with a perhaps crippled system? Supposedly there is an optional choice, where one can select to use http instead,
and I suppose as long as the http option is available, then it would not matter, but in any event, that goes back to the same point that I mentioned to start with...
Me: it is clear that, for some reason, the administrator of the forum has chosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either.

So you see, it is just an endless loop, and if you actually read all of the posts in the 5 or 6 various topics, but on the same subject, you will see what I mean. I could post links to all the topics, but it is a "dead horse", and I really don't feel like beating it any more. It won't do any good; no one will ever convince those that do not want https that we should use it, and likewise no one that wants http will ever convince the people that promote https that http is ok. In other words, the ones that like and want https will always argue that it is necessary, the ones that don't want it will always argue that it isn't. So it is a dead horse, an old and pointless, endless discussion. :mrgreen:
cuckooflew
 
Posts: 434
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

Postby efdevse » 2020-06-26 04:14

Yes, I can imagine there's been a few posts about this. I just replied to this one, since it was fairly recent. No, there's no reason to repeat, but since you took the time to write a good reply, I'll respond to some of it.

cuckooflew wrote: I will say this much: I agree, there is no real reason to use it on this forum/site, although many persons in the endless discussion on this have pointed out the many reasons they imagine we need it.
I will add, I don't use it myself on any of my websites and forums that I administer... no need to spam the forum with a list though, // ... //

Years ago, I did honestly have a problem with my system clock, and setting it... I needed help with that; every other forum I tried to connect to was https, and I was not able to connect.

Yes, that can be tough… There are similar cases with Raspberry Pis (no hwclock), but it usually helps to use ntpd or chrony to get the clock running as it should.

If your clock was an hour or a day off or so… and it was because of an expired certificate - then you had really bad luck. But, if you had several sites that didn't let you in… Perhaps their HTTPS settings were too “modern” for your browser? That's always a delicate balance – how far back you should support old browsers. (Example: ssl-config.mozilla.org. Look at the different browser support between old, intermediate and modern.) I usually go with intermediate if it's a larger site or someone else's site, and modern on my own sites.


cuckooflew wrote: Is https really such a good thing for an OS support forum, where many of the users are trying to connect with a perhaps crippled system?

If it's not good here, then it's not good on the Wiki either. That'd be one of the first places I look for answers if my system is crippled.


cuckooflew wrote: Supposedly there is an optional choice, where one can select to use http instead, and I suppose as long as the http option is available, then it would not matter, // ... //

Unless you (force) redirect all traffic to 443, on the server level, there's always the option for the visitor to use http instead. For a place like this (OS support forum), that would maybe be considered, for those reasons you mentioned earlier. So, even if you add HTTPS to a site and make that default - you can always have HTTP available. It's just how you configure it. Then no one will get hurt.


cuckooflew wrote: It won't do any good; no one will ever convince those that do not want https that we should use it, and likewise no one that wants http will ever convince the people that promote https that http is ok. In other words, the ones that like and want https will always argue that it is necessary, the ones that don't want it will always argue that it isn't. So it is a dead horse, an old and pointless, endless discussion. :mrgreen:

I think we all can agree that HTTPS is a better choice, but the “why's” and reasons to use it may differ. For example, I don't see any reason not to - where you have a few.

One good reason though… Since browsers are punishing non-HTTPS sites now in different ways (blocking, lower page rank, display page as unsecure, etc.). I think it's soon hard to avoid it.

Old and pointless… naah. :–)
Endless… Well, that is actually “fixable”:
cuckooflew wrote: it is clear that, for some reason, the administrator of the forum has chosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either.


It would be great if they decided to speak up, and explain their reasons why, or when …or why not. Until then it will always seem a bit odd to me, since they have it on all the other pages. But, since they are the ones to decide… If they'd speak up, then there's no reason to speculate anymore. And the endless becomes end… :–)

/2¢
efdevse
 
Posts: 23
Joined: 2020-06-19 21:07
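
The clock problem discussed in the post above, as an added example that is not part of any post in this thread: it checks a certificate's validity period against the local clock and, when the two disagree, uses an HTTP `Date` header as a rough second opinion to tell a wrong local clock from a genuinely out-of-date certificate. The function and sample names are hypothetical, the sample values are constructed, and a `Date` header received over plain HTTP is unauthenticated, so it is only a hint.

```python
import calendar
import ssl
from email.utils import parsedate_to_datetime

def utc(year, month, day):
    """Midnight UTC of the given date, as seconds since the epoch."""
    return calendar.timegm((year, month, day, 0, 0, 0))

def diagnose_cert_time(cert, local_epoch, http_date=None, tolerance=300):
    """Classify a certificate validity-period check as this client sees it.

    cert        -- dict shaped like ssl.SSLSocket.getpeercert() output
    local_epoch -- the client's own clock, seconds since the epoch
    http_date   -- optional Date header from any HTTP response (a hint only)
    tolerance   -- skew in seconds that is still treated as "clock is fine"
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    def in_window(t):
        return not_before <= t <= not_after

    if in_window(local_epoch):
        verdict = "valid"
    elif local_epoch < not_before:
        verdict = "not-yet-valid"
    else:
        verdict = "expired"

    skew = None
    blame = "none" if verdict == "valid" else "unknown"
    if http_date is not None:
        reference = parsedate_to_datetime(http_date).timestamp()
        skew = local_epoch - reference
        if verdict != "valid":
            # Certificate is fine at the reference time but not at ours:
            # the local clock is the thing to fix, not the server.
            if abs(skew) > tolerance and in_window(reference):
                blame = "local-clock"
            else:
                blame = "certificate"
    return {"verdict": verdict, "skew_seconds": skew, "blame": blame}

# Constructed sample data, not taken from any real site.
SAMPLE_CERT = {"notBefore": "May  1 00:00:00 2020 GMT",
               "notAfter": "Jul 30 00:00:00 2020 GMT"}
SAMPLE_DATE = "Fri, 26 Jun 2020 02:18:00 GMT"

if __name__ == "__main__":
    # A machine whose clock fell back to 2010 sees the certificate as not yet valid.
    print(diagnose_cert_time(SAMPLE_CERT, utc(2010, 1, 1), SAMPLE_DATE))
```
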

Re: Use HTTPS

Postby cuckooflew » 2020-06-26 05:29

by efdevse » 2020-06-26 04:14
Yes, I can imagine there's been a few posts about this.

A few posts? That's funny, more like "A lot of posts, and several topics"... too many to count.

efdevse »It would be great if they decided to speak up, and explain their reasons why, or when …or why not. Until then it will always seem a bit odd to me, since they have it on all the other pages.


Ahh, ok, I guess I forgot to mention, or was not clear,
You mean they, as in the Debian.org website admins? The Debian.org website is administered by different persons; they have nothing to do with the administration of the forums.debian.net site. Originally the forum was set up and started by an individual, using hardware they had for the server. They do have some other projects, websites, etc. on that server, but Debian.org is not one of them.
This forum is mentioned on the Debian.org website, but it is only a mention, and is called a "web portal" providing the link and some details. There used to be some other forums mentioned as well, but they are not there any more.
https://www.debian.org/support
Forums

Debian User Forums is a web portal on which you can discuss Debian-related topics, submit questions about Debian, and have them answered by other users.
Last edited by cuckooflew on 2020-07-02 02:44, edited 1 time in total.
cuckooflew
 
Posts: 434
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

Postby cuckooflew » 2020-06-26 05:47

Here is one other topic/thread, there are even more though:
http://forums.debian.net/viewtopic.php?f=12&t=135350
=========================
and yet another: http://forums.debian.net/viewtopic.php?f=12&t=122422
To be continued --------forever :mrgreen:
cuckooflew
 
Posts: 434
Joined: 2018-05-10 19:34
Location: Some where out west
