Debian User Forums

[dotlj]

I think https is way overdue on Debian forums.
Let's Encrypt provides free certificates to encourage http websites to move to https websites. https://letsencrypt.org/
Most people don't like to log into a forum with a password sent in plain text, but would prefer to use TLS 1.2 encryption.
https://letsencrypt.org/stats/ reports the percentage of web pages loaded by Firefox using https during the past twelve months has climbed from below 50% to over 50%.
The trend over a longer time frame shows a clear movement to https websites.
EFF through Let's Encrypt is pushing for 100% encryption and they have support from many Linux users.

[debiman]

by using letsencrypt, one enters a contract with some entity (not sure association, foundation, or company etc.) in the US of A, under US law.
so unless debian forums is based in the US anyway, it is something to consider.

[dotlj]

https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

https://en.wikipedia.org/wiki/Internet_Security_Research_Group

The Internet Security Research Group (ISRG) is a California public-benefit corporation which focuses on Internet security. [2][3]

Let's Encrypt—its first major initiative—aims to make Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates available for free in an automated fashion.

Josh Aas serves as the group's executive director and board chair.[4][1] The board also contains individuals from Akamai, Cisco, University of Michigan, Mozilla, ACLU, CoreOS, and the Electronic Frontier Foundation.[1]

The current system of Certificate Authorities where nation states and anyone who wants to pay for it, can have their own CA and issue certificates that are accepted by browsers, allowing MiTM attacks is broken.
Until something better is available we have to choose what to use.
1. HTTP with passwords in plain text
2. HTTPS with passwords and other data encrypted.
[url]
https://letsencrypt.org/2017/12/07/look ... -2018.html[/url]

Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

While we’re proud of what we accomplished in 2017, we are spending most of the final quarter of the year looking forward rather than back. As we wrap up our own planning process for 2018, I’d like to share some of our plans with you, including both the things we’re excited about and the challenges we’ll face. We’ll cover service growth, new features, infrastructure, and finances.

Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?

[debiman]

Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?

i should have clarified:
my comment was from the point of view of the server owner who decides to employ letsencrypt.
i was on the verge of doing it once and, apart from a deep mistrust in handing control to my complete system over to some unknown python script, i remember 100% that i read that i am effectively entering into some sort of contract with said entity, under US law.
i think you will understand that i, a citizen of an entirely different continent, both online and IRL, do not want to do that.

this has no impact on the person who browses the site, i'll agree to that.

btw, cacert.org is based in australia.
i used them for a while, but unfortunately their certificates are not "browser trusted"
i think it takes serious money to buy that trust (sic) - another interesting thought, what's letsencrypt's motivation of spending that and then giving the certificates away for free?

[GarryRicketson]

The trend over a longer time frame shows a clear movement to https websites.

Absolutely, by all means, it is "the trend", and we need to keep the forum "trendy". Https is the trendy thing to do, and if letsencrypt is the trend, it should be promoted, instead of of others, like "openssl" .
I suppose openssl is not trendy enough, ? Or perhaps we shouldn't have so many choices, and it should all be MS, INTEL, and "letsencrypt",? Also, no more http should be allowed on the internet.
(in a sarcastic mood today)

[slim shady 45]

everybody here has already assumed that the whole world uses wifi.....
nobody uses cable ethernet broadband/that can be easily tapped via packet capturing.
so easy to get passwords............
unrelated KRACK stories.
Mint, Ubuntu ... ...... .............. mostly have https.............
ssl is not needed

[arzgi]

everybody here has already assumed that the whole world uses wifi.....
nobody uses cable ethernet broadband

Nobody has told me, that I should not use etheret. So I've plugged every box that has ethernet connector to my router. Some I use don't have one, so I enabled also wifi.

And surely you know, if you are using wifi, net trafic very soon goes to cable, Wif's range is short.

[debiman]

everybody here has already assumed that the whole world uses wifi.....

no, nobody assumed that in this thread. it is simply not true. why are you saying it?

nobody uses cable ethernet broadband...

again, this is not true.

...that can be easily tapped via packet capturing.

what? why should that be easy? how? and compared to what?

so easy to get passwords............

no, it is not easy to get passwords........

unrelated KRACK stories.

your post is unrelated indeed.

Mint, Ubuntu ... ...... .............. mostly have https.............
ssl is not needed

yes, ALL linux distros "have" https ... just like windows, iOS etc.
however, saying SSL is not needed without mentioning TLS betrays deep ignorance. that goes for the post before that one, too.

[slim shady 45]

sorry i meant that the people thinking ssl is not needed. my fault///
i meant certificates are not needed. without it also will be fine.


and my local cable operator LAN is not very secure..... people always reported about net theft// i.e using software like net cut - MAC copy and paste.
that is why https is always preferred.
login passwords have been stolen in the past.
we are using linux over windows as a privacy issue.
if a linux user refuses to acknowledge this... then there is nothing more that i can say.

[debiman]

sorry i meant that the people thinking ssl is not needed. my fault///
i meant certificates are not needed. without it also will be fine.


and my local cable operator LAN is not very secure..... people always reported about net theft// i.e using software like net cut - MAC copy and paste.
that is why https is always preferred.
login passwords have been stolen in the past.
we are using linux over windows as a privacy issue.
if a linux user refuses to acknowledge this... then there is nothing more that i can say.

your post doesn't make any more sense than the previous one.
you are really confusing things, using wrong terms, mushing them together...

whatever, we're still glad you're using linux and not windows.

[slim shady 45]

its just that you like the old way only

[slim shady 45]

and this is not my post either

[debiman]

and this is not my post either