
Use HTTPS

Posted: 2017-10-22 09:39
by NewHere
Hi,
I know that I am new in this forum but IMO it is very important to use HTTPS to prevent leaking data (also over the new KRACK WiFi bug) such as email address or password (many people still use the same password for many websites so this also matters for a forum).

Best,
Me ;D

Re: Use HTTPS

Posted: 2017-10-22 23:56
by GarryRicketson
This has been brought up on several occasions, we all know about HTTPS and the certbot, and there is also openssl, maybe some other as well.
http://forums.debian.net/viewtopic.php?f=12&t=122422
http://forums.debian.net/viewtopic.php?f=12&t=118960
http://forums.debian.net/viewtopic.php? ... 17#p642117
http://forums.debian.net/viewtopic.php?f=12&t=131345
Sure would be nice if people would read and use the existing topics, instead of always just starting a new one on the same old subject.

As far as the
NewHere wrote: it is very important to use HTTPS to prevent leaking data (also over the new KRACK WiFi bug)
You really need to learn to do some research.
From: https://www.krackattacks.com/
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
And
From: https://arstechnica.com/information-tec ... sdropping/ The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy for the risk.

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," the researchers explained. "For example, HTTPS was previously bypassed in ---- snip-----
What using SSL does accomplish is it gives people a false sense of security, imagining they are safe and secure, and then doing nothing to protect themselves.
For example:
NewHere » (many people still use the same password for many websites so this also matters for a forum).
Combined with the fact that https does nothing to prevent someone from getting the password, once someone gets it, they have the 1 password and it works everywhere, maybe it is even the same one used for their banking site. Common sense would say to use complex passwords and different ones, ...and change them randomly, but often. This forum and site is secure, but of course if you don't trust it, then it is just plain silly to use a forum or site you don't trust.
Nothing is 100% secure, that is the sad reality.

Re: Use HTTPS

Posted: 2017-10-23 19:50
by NewHere
I have a different view on this false sense of security:
(1) Most users here have enough experience to know what SSL does for them and what not.
(2) New users have, as you said correctly, this false sense of security so they also think that every website using HTTP (they only really notice this big green shield) is safe AND trustworthy. So why not give them the feel to be on a trustworthy site, because this is indeed much more trustworthy than 70% of any other websites out there. Also this might help them to use Linux so they'll be safer in the future (you know, malware and this stuff on Windows).

I know of this double posting but thought that most won't read it.

Re: Use HTTPS

Posted: 2017-10-24 15:10
by debiman
welcome to fdn.
you are preaching to the choir!

nevertheless:
NewHere wrote: You can get a SSL certificate by following the instructions (guide from a non-profit organisation) on: https://certbot.eff.org/
i wonder why you put it like this?
are you deliberately obfuscating the fact that letsencrypt is not the EFF, but rather a "public benefit" frontend for various for-profit organisations?

Re: Use HTTPS

Posted: 2017-10-24 15:43
by NewHere
debiman wrote: i wonder why you put it like this?
are you deliberately obfuscating the fact that letsencrypt is not the EFF, but rather a "public benefit" frontend for various for-profit organisations?
I don't want to obfuscate anything. Just wanted to mention that this not a guide like to get SSL you need to subscribe to our premium service. And IMO letsencrypt is anyway better than most other certificate servers.

Re: Use HTTPS

Posted: 2017-10-24 16:08
by GarryRicketson
NewHere wrote: And IMO letsencrypt is anyway better than most other certificate servers.
Oh, in your opinion.
Can you back your opinion up with facts, that show why it is any better than the others?
If you want to start a promotion thread/topic to promote your "letsencrypt", you should do so in the "off topic" forum.
Also re: IMO, I had to do a search to figure out what that means, because when I tried to translate to Spanish:
Y IMO letsencrypt es de todos modos mejor que la mayoría de los otros servidores de certificados.
English:
And IMO letsencrypt is anyway better than most other certificate servers.
PLEASE READ THIS, (you should have before your first post)
Forum guidelines. Please read before first post!
The language on this board is primarily English but we do not exclude people with little or no English. When replying to posts in other languages please include an English translation. It's a good idea to help non-English speakers find resources in their language.
A forum is a means of written communication so make sure your posts are as readable as possible. That means: Use capital letters and punctuation, and use the formatting features of the forum wisely in order to make your post attractive. Try to avoid 'l33t speak', 'chatspeak,' and 'SMS language'.
There is no need to apologize for poor English skills. We have users from all over the world and trying your best is more than adequate.
Please use full words; IMO is not a word, and does not translate well.
Thank you.

Re: Use HTTPS

Posted: 2017-10-24 16:23
by NewHere
I know that this not a real argument but mozilla is one of the sponsors of letsencrypt.
"IMO" is VERY popular (I haven't seen any forum where nobody uses this).
So then my question: What does "fdn" mean?

Re: Use HTTPS

Posted: 2017-10-24 16:28
by GarryRicketson
forums.debian.net

Re: Use HTTPS

Posted: 2017-10-24 16:29
by NewHere
Okay xD

Re: Use HTTPS

Posted: 2017-10-24 16:58
by GarryRicketson
It is not that big of a deal, and yes the same could apply to saying FDN instead of Forums Debian Net.
These acronyms, chat speak, etc., all make it much harder for those that do not speak / write English, and when they put the text into a translator, it does not translate well.
Back to the https issue, and this is something I said before in the other topics. To start with, the only person that can add https, or ssl, to the forum / website is the owner/admin of the server; the suggestion or request has been made several times, but for whatever reason they choose not to do that.
One reason I think, and valid, if you give it some thought:
We get many people coming here with "crippled" systems, or in the middle of installing, configuring, etc.
If it was https, they might have a lot of trouble accessing the forum and being able to post details, ask the question. For example, if your clock, time and date is not yet set properly, it can lead to not being able to access a site using https.
Another example: not too long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why? It said the "certificate is expired"... So great, the site uses https, but nobody could access because the certificate is expired.
It would not be appropriate, nor is it necessary to be using https here. This is not a "banking" site and
it needs to be easily accessed, for those that need to get help immediately.
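The two failure modes described above, a certificate that has actually expired and a correct certificate that is rejected because the client's clock is wrong, reproduced offline as an added example; this is not code from the thread or from the forum, and it assumes only the openssl command-line tool plus a constructed self-signed certificate for the hypothetical host forum.example. The expires_within preflight is the check a site operator runs so an expired certificate never reaches visitors.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two HTTPS failure modes
# GarryRicketson describes, a certificate that has actually expired and a
# valid certificate that looks invalid because the client's clock is wrong.
# Assumes only the openssl command-line tool; runs offline in a temp directory.
# The host name "forum.example" and the 2-day lifetime are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test certificate that is valid for two days from now.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=forum.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Return 0 if the certificate verifies at the given Unix time, 1 otherwise.
# -attime substitutes the clock used for the validity check, which is exactly
# what a machine with an unset or wrong clock does to every TLS handshake.
valid_at() {
    openssl verify -CAfile "$WORK/cert.pem" -attime "$1" "$WORK/cert.pem" >/dev/null 2>&1
}

# Return 0 if the certificate will expire within N seconds: the renewal
# preflight that would have caught the expired certificate from the story
# (openssl -checkend exits 0 only when the certificate will NOT expire).
expires_within() {
    if openssl x509 -checkend "$1" -noout -in "$WORK/cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone walkthrough of the three situations.
main() {
    make_cert
    now=$(date +%s)
    if valid_at "$now"; then echo "correct clock: certificate OK"; fi
    if ! valid_at "$((now + 3 * 86400))"; then echo "3 days later: certificate expired"; fi
    if ! valid_at "$((now - 365 * 86400))"; then echo "clock a year behind: not yet valid"; fi
    if expires_within "$((7 * 86400))"; then echo "renew now: expires within 7 days"; fi
}
main
```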

Re: Use HTTPS

Posted: 2017-10-24 17:11
by NewHere
You don't have to enforce https, you can set https as an option.

Re: Use HTTPS

Posted: 2017-10-25 04:58
by debiman
"better" - that's vague at best.
please elaborate.
why is letsencrypt "better" than e.g. http://www.cacert.org/ ?
why should anyone living in a country with sane laws, voluntarily make a contract with an organization in the USA, under US law?
essentially, for increased security, lol?

but even taking all that into account, i'm not a fan of letsencrypt.
it just seems like one of the many cases where "you get security for free, as long as we own you".
sound familiar?

if i had a strong need for browser-accepted ssl certificates (i don't), i don't see why paying for it would be "worse".

Re: Use HTTPS

Posted: 2017-10-25 10:48
by NewHere
As far as I know letsencrypt is free because of the many sponsors.

Re: Use HTTPS

Posted: 2017-11-01 15:32
by kopper
I've seen this being discussed previously. While I understand that it may be inconvenient to arrange, I wonder why it hasn't been implemented.
GarryRicketson wrote: Sure would be nice if people would read and use the existing topics, instead of always just starting a new one on the same old subject.
Fresh table for fresh ideas. :)
GarryRicketson wrote: Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
Funny to discredit websites using HTTPS by saying that non-browser applications have had problems with it.
GarryRicketson wrote: From: https://arstechnica.com/information-tec ... sdropping/ The site went on to warn that visiting only HTTPS-protected Web pages wasn't automatically a remedy for the risk.
GarryRicketson wrote: It would not be appropriate, nor is it necessary to be using https here. This is not a "banking" site and it needs to be easily accessed, for those that need to get help immediately.
Nothing is automatically a remedy to everything. But this isn't any kind of excuse to not provide SSL as option. It's standard security. So basic that many modern browsers give a red flag for not having it.
GarryRicketson wrote: What using SSL does accomplish is it gives people a false sense of security, imagining they are safe and secure, and then doing nothing to protect themselves.
I really don't think that's how it works. People don't drop gloves any more than they do when using non-HTTPS sites.
GarryRicketson wrote: One reason I think, and valid, if you give it some thought: We get many people coming here with "crippled" systems, or in the middle of installing, configuring, etc.
True, that's why there should be a non-SSL option.
GarryRicketson wrote: Another example: not too long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why? It said the "certificate is expired"... So great, the site uses https, but nobody could access because the certificate is expired.
To be honest, that is just lazy management. I'd assume there are other things amiss if that's the problem. Again, this can be bypassed by providing a non-SSL option as well.

EDIT: Two typos.

Re: Use HTTPS

Posted: 2017-11-02 05:22
by debiman
^ oh, someone still bothers to actually read garryricketson's essays!

but that last quote caught me:
GarryRicketson wrote: Another example: not too long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why? It said the "certificate is expired"... So great, the site uses https, but nobody could access because the certificate is expired.
a web browser should warn you about an expired or "invalid"(*) certificate, but never make it impossible to still access that website. i know that mozilla products don't do that, so i suspect a google product here (or ineptitude).

btw, is this thread still about the forums not using https?

(*) this actually means that the certificate hasn't been bought for money and is thus not "browser-trusted"

Re: Use HTTPS

Posted: 2018-01-22 06:35
by dotlj
I think https is way overdue on Debian forums.
Let's Encrypt provides free certificates to encourage http websites to move to https websites. https://letsencrypt.org/
Most people don't like to log into a forum with a password sent in plain text, but would prefer to use TLS 1.2 encryption.
https://letsencrypt.org/stats/ reports the percentage of web pages loaded by Firefox using https during the past twelve months has climbed from below 50% to over 50%.
The trend over a longer time frame shows a clear movement to https websites.
EFF through Let's Encrypt is pushing for 100% encryption and they have support from many Linux users.

Re: Use HTTPS

Posted: 2018-01-22 06:43
by debiman
by using letsencrypt, one enters a contract with some entity (not sure association, foundation, or company etc.) in the US of A, under US law.
so unless debian forums is based in the US anyway, it is something to consider.

Re: Use HTTPS

Posted: 2018-01-23 06:29
by dotlj
https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

https://en.wikipedia.org/wiki/Internet_ ... arch_Group
The Internet Security Research Group (ISRG) is a California public-benefit corporation which focuses on Internet security. [2][3]

Let's Encrypt—its first major initiative—aims to make Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates available for free in an automated fashion.

Josh Aas serves as the group's executive director and board chair.[4][1] The board also contains individuals from Akamai, Cisco, University of Michigan, Mozilla, ACLU, CoreOS, and the Electronic Frontier Foundation.[1]
The current system of Certificate Authorities, where nation states and anyone who wants to pay for it can have their own CA and issue certificates that are accepted by browsers, allowing MiTM attacks, is broken.
Until something better is available we have to choose what to use.
1. HTTP with passwords in plain text
2. HTTPS with passwords and other data encrypted.
https://letsencrypt.org/2017/12/07/loo ... -2018.html
Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

While we’re proud of what we accomplished in 2017, we are spending most of the final quarter of the year looking forward rather than back. As we wrap up our own planning process for 2018, I’d like to share some of our plans with you, including both the things we’re excited about and the challenges we’ll face. We’ll cover service growth, new features, infrastructure, and finances.
Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?

Re: Use HTTPS

Posted: 2018-01-23 07:23
by debiman
dotlj wrote:Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
i should have clarified:
my comment was from the point of view of the server owner who decides to employ letsencrypt.
i was on the verge of doing it once and, apart from a deep mistrust in handing control to my complete system over to some unknown python script, i remember 100% that i read that i am effectively entering into some sort of contract with said entity, under US law.
i think you will understand that i, a citizen of an entirely different continent, both online and IRL, do not want to do that.

this has no impact on the person who browses the site, i'll agree to that.

btw, cacert.org is based in australia.
i used them for a while, but unfortunately their certificates are not "browser trusted" :(
i think it takes serious money to buy that trust (sic) - another interesting thought, what's letsencrypt's motivation of spending that and then giving the certificates away for free?

Re: Use HTTPS

Posted: 2018-01-23 17:49
by GarryRicketson
The trend over a longer time frame shows a clear movement to https websites.
Absolutely, by all means, it is "the trend", and we need to keep the forum "trendy". Https is the trendy thing to do, and if letsencrypt is the trend, it should be promoted, instead of others, like "openssl".
I suppose openssl is not trendy enough? Or perhaps we shouldn't have so many choices, and it should all be MS, INTEL, and "letsencrypt"? Also, no more http should be allowed on the internet.
:mrgreen: (in a sarcastic mood today)