Debian User Forums

[NewHere]

Hi,
I know that I am new in this forum but IMO it is very important to use HTTPS to prevent leaking data (also over the new KRACK WiFi bug) such as Email adress or password (many people still use the same password for many websites so this also matters for a forum).

Best,
Me ;D

[GarryRicketson]

This has been brought up on serveral occasions, we all know abot HTTPS and the
certbot, and there is also openssl, maybe some other as well.
http://forums.debian.net/viewtopic.php?f=12&t=122422
==========================================================
http://forums.debian.net/viewtopic.php?f=12&t=118960
===========================================================
http://forums.debian.net/viewtopic.php?f=12&t=118960&p=642117#p642117

===================================
http://forums.debian.net/viewtopic.php?f=12&t=131345
---------------------------------------------------
Sure would be nice if people would read and use the existing topics , instead of all ways just starting a new
one on the same old subject.

As far as the

by NewHere it is very important to use HTTPS to prevent leaking data (also over the new KRACK WiFi bug)

You really need to learn to do some research.

From:https://www.krackattacks.com/
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.

And

From: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy for the risk.

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," the researchers explained. "For example, HTTPS was previously bypassed in ---- snip-----

What useing ssl does accomplish is it gives people a false sense of security, imagineing they are safe and secure, and the doing nothing to protect their selfs.
For example:

NewHere » (many people still use the same password for many websites so this also matters for a forum).

Combined with the fact that https does nothing to prevent some one from getting the password, once some one gets it, they have the 1 password and it works every where, maybe it is even the same one used for their banking site, Common sense would say to use complex paswords and differnt ones,...and change them randomly , but often. This forum and site is secure, but of course if you don't trust it, then it is just plain silly to use a forum or site you don't trust.
Nothing is 100% secure, that is the sad reality.

[NewHere]

I have a different view on this false sense of security:
(1) Most users here have enough experience to know what SSL does for them and what not.
(2) New users have, as you said correctly this false sense of security so they also think that every website using HTTP (they only really notice this big green shield) is safe AND trustworthy. So why not giving them the feel to be on a trustworthy site because this is indeed much more trustworthy than 70% of any other websites out there. Also this might help them to use Linux so they'll be safer in the future (you know malware and this stuff on Windows).

I know of this double posting but thought that most won't read it.

[debiman]

welcome to fdn.
you are preaching to the choir!

nevertheless:

You can get a SSL certificate by following the instructions (guide from a non-profit organisation) on: https://certbot.eff.org/

i wonder why you put it like this?
are you deliberately obfuscating the fact that letsencrypt is not the EFF, but rather a "public benefit" frontend for various for-profit organisations?

[NewHere]

i wonder why you put it like this?
are you deliberately obfuscating the fact that letsencrypt is not the EFF, but rather a "public benefit" frontend for various for-profit organisations?

I don't want to obfuscate anything. Just wanted to mention that this not a guide like to get SSL you need to subscribe to our premium service. And IMO letsencrypt is anyway better than most other certificate servers.

[GarryRicketson]

by NewHere »And IMO letsencrypt is anyway better than most other certificate servers.

Oh, In your opinion,
Can you back your opinion up with facts, that show why it is any better then the others ?
If you want to start a promotion thread/topic to promote your "letsencrypt", you should do so in the
"off topic" forum.
Also re: IMO, I had to do a search to figure out what that means, because when I tried to translate to Spanish, :

Y IMO letsencrypt es de todos modos mejor que la mayoría de los otros servidores de certificados.

English:

And IMO letsencrypt is anyway better than most other certificate servers.

PLEASE READ THIS, (you should have before your first post)
Forum guidelines. Please read before first post!

The language on this board is primarily English but we do not exclude people with little or no English. When replying to posts in other languages please include an English translation. It's a good idea to help non-English speakers find resources in their language.
A forum is a means of written communication so make sure your posts are as readable as possible. That means: Use capital letters and punctuation, and use the formatting features of the forum wisely in order to make your post attractive. Try to avoid 'l33t speak', 'chatspeak,' and 'SMS language'.
There is no need to apologize for poor English skills. We have users from all over the world and trying your best is more than adequate.

Please use full words, IMO is not a word , and does not translate well.
Thank you.

[NewHere]

I know that this not a real argument but mozilla is one of the sponsors of letsencrypt.
"IMO" is VERY popular (I haven't seen any forum where nobody uses this).
So then my question: What means

fdn

?

[GarryRicketson]

forums.debian.net

[NewHere]

Okay xD

[GarryRicketson]

It is not that big of a deal, and yes the same could apply to saying FDN instead of Forums Debian Net.
These acronyms , chat speak, etc, all make it much harder for those that do not speak / write English, and when they put the text into a translator, it does not translate well.
Back to the https issue, and this is something I said before in the other topics. To start with the only person that can add https, or ssl to the forum / website is the owner/admin of the server, the suggestion or request has been made several times, but for what ever reason they choose not to do that.
One reason I think, and valid, if you give it some thought:
We get many people coming here with "crippled" systems, or in the middle of installing, configuring, etc.
If it was https, they might have a lot of trouble accessing the forum and being able to post details, ask the question. For example, if your clock, time and date is not yet set properly, it can lead to not being able to access a site using https.
Another example, not to long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why ? It said the "certificate is expired",... So great, the site uses https, but nobody could access because the certificate is expired.
It would not be appropriate, nor is it necessary to be using https here. This is not a "banking" site and
it needs to be easily accessed, for those that need to get help immediately.

[NewHere]

You don't have to enforce https, you can set https as an option.

[debiman]

"better" - that's vague at best.
please elaborate.
why is letsencrypt "better" than e.g. http://www.cacert.org/ ?
why should anyone living in a country with sane laws, voluntarily make a contract with an organization in the USA, under US law?
essentially, for increased security, lol?

but even taking all that into account, i'm not a fan of letsencrypt.
it just seems like one of the many cases where "you get security for free, as long as we own you".
sound familiar?

if i had a strong need for browser-accepted ssl certificates (i don't), i don't see why paying for it would be "worse".

[NewHere]

As far as I know letsencrypt is free because of the many sponsors.

[kopper]

I've seen this being discussed previously. While I understand that it may be inconvenient to arrange, I wonder why it hasn't been implemented.

Sure would be nice if people would read and use the existing topics , instead of all ways just starting a new
one on the same old subject.

Fresh table for fresh ideas.

Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.

Funny to discredit websites using HTTPS by saying that non-browser applications have had problems with it.

From: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy for the risk.

It would not be appropriate, nor is it necessary to be using https here. This is not a "banking" site and
it needs to be easily accessed, for those that need to get help immediately.

Nothing is automatically a remedy to everything. But this isn't any kind of excuse to not provide SSL as option. It's standard security. So basic that many modern browsers give a red flag for not having it.

What useing ssl does accomplish is it gives people a false sense of security, imagineing they are safe and secure, and the doing nothing to protect their selfs.

I really don't think that's how it works. People don't drop gloves any more than they do when using non-HTTPS sites.

One reason I think, and valid, if you give it some thought:
We get many people coming here with "crippled" systems, or in the middle of installing, configuring, etc.

True, that's why there should be non-SSL option.

Another example, not to long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why ? It said the "certificate is expired",... So great, the site uses https, but nobody could access because the certificate is expired.

To be honest, that is just lazy management. I'd assume there are other things amiss if that's the problem. Again, can be bypassed by providing non-SSL option as well.

EDIT: Two typos.

[debiman]

^ oh, someone still bothers to actually read garryricketson's essays!

but that last quote caught me:

Another example, not to long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why ? It said the "certificate is expired",... So great, the site uses https, but nobody could access because the certificate is expired.

a web browser should warn you about an expired or "invalid"(*) certificate, but never make it impossible to still access that website. i know that mozilla products don't do that, so i suspect a google product here (or ineptitude).

btw, is this thread still about the forums not using https?

(*) this actually means that the certificate hasn't been bought for money and is thus not "browser-trusted"