Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Use HTTPS
Re: Use HTTPS
I think https is way overdue on Debian forums.
Let's Encrypt provides free certificates to encourage http websites to move to https websites. https://letsencrypt.org/
Most people don't like to log into a forum with a password sent in plain text, but would prefer to use TLS 1.2 encryption.
https://letsencrypt.org/stats/ reports the percentage of web pages loaded by Firefox using https during the past twelve months has climbed from below 50% to over 50%.
The trend over a longer time frame shows a clear movement to https websites.
EFF through Let's Encrypt is pushing for 100% encryption and they have support from many Linux users.
Let's Encrypt provides free certificates to encourage http websites to move to https websites. https://letsencrypt.org/
Most people don't like to log into a forum with a password sent in plain text, but would prefer to use TLS 1.2 encryption.
https://letsencrypt.org/stats/ reports the percentage of web pages loaded by Firefox using https during the past twelve months has climbed from below 50% to over 50%.
The trend over a longer time frame shows a clear movement to https websites.
EFF through Let's Encrypt is pushing for 100% encryption and they have support from many Linux users.
Re: Use HTTPS
by using letsencrypt, one enters a contract with some entity (not sure association, foundation, or company etc.) in the US of A, under US law.
so unless debian forums is based in the US anyway, it is something to consider.
so unless debian forums is based in the US anyway, it is something to consider.
Re: Use HTTPS
https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
https://en.wikipedia.org/wiki/Internet_ ... arch_Group
Until something better is available we have to choose what to use.
1. HTTP with passwords in plain text
2. HTTPS with passwords and other data encrypted.
https://letsencrypt.org/2017/12/07/loo ... -2018.html
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
https://en.wikipedia.org/wiki/Internet_ ... arch_Group
The current system of Certificate Authorities where nation states and anyone who wants to pay for it, can have their own CA and issue certificates that are accepted by browsers, allowing MiTM attacks is broken.The Internet Security Research Group (ISRG) is a California public-benefit corporation which focuses on Internet security. [2][3]
Let's Encrypt—its first major initiative—aims to make Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates available for free in an automated fashion.
Josh Aas serves as the group's executive director and board chair.[4][1] The board also contains individuals from Akamai, Cisco, University of Michigan, Mozilla, ACLU, CoreOS, and the Electronic Frontier Foundation.[1]
Until something better is available we have to choose what to use.
1. HTTP with passwords in plain text
2. HTTPS with passwords and other data encrypted.
https://letsencrypt.org/2017/12/07/loo ... -2018.html
Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.
While we’re proud of what we accomplished in 2017, we are spending most of the final quarter of the year looking forward rather than back. As we wrap up our own planning process for 2018, I’d like to share some of our plans with you, including both the things we’re excited about and the challenges we’ll face. We’ll cover service growth, new features, infrastructure, and finances.
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
Re: Use HTTPS
i should have clarified:dotlj wrote:Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
my comment was from the point of view of the server owner who decides to employ letsencrypt.
i was on the verge of doing it once and, apart from a deep mistrust in handing control to my complete system over to some unknown python script, i remember 100% that i read that i am effectively entering into some sort of contract with said entity, under US law.
i think you will understand that i, a citizen of an entirely different continent, both online and IRL, do not want to do that.
this has no impact on the person who browses the site, i'll agree to that.
btw, cacert.org is based in australia.
i used them for a while, but unfortunately their certificates are not "browser trusted"
i think it takes serious money to buy that trust (sic) - another interesting thought, what's letsencrypt's motivation of spending that and then giving the certificates away for free?
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Use HTTPS
Absolutely, by all means, it is "the trend", and we need to keep the forum "trendy". Https is the trendy thing to do, and if letsencrypt is the trend, it should be promoted, instead of of others, like "openssl" .The trend over a longer time frame shows a clear movement to https websites.
I suppose openssl is not trendy enough, ? Or perhaps we shouldn't have so many choices, and it should all be MS, INTEL, and "letsencrypt",? Also, no more http should be allowed on the internet.
(in a sarcastic mood today)
-
- Posts: 8
- Joined: 2018-08-02 14:40
Re: Use HTTPS
everybody here has already assumed that the whole world uses wifi.....
nobody uses cable ethernet broadband/that can be easily tapped via packet capturing.
so easy to get passwords............
unrelated KRACK stories.
Mint, Ubuntu ... ...... .............. mostly have https.............
ssl is not needed
nobody uses cable ethernet broadband/that can be easily tapped via packet capturing.
so easy to get passwords............
unrelated KRACK stories.
Mint, Ubuntu ... ...... .............. mostly have https.............
ssl is not needed
Re: Use HTTPS
Nobody has told me, that I should not use etheret. So I've plugged every box that has ethernet connector to my router. Some I use don't have one, so I enabled also wifi.slim shady 45 wrote:everybody here has already assumed that the whole world uses wifi.....
nobody uses cable ethernet broadband
And surely you know, if you are using wifi, net trafic very soon goes to cable, Wif's range is short.
Re: Use HTTPS
no, nobody assumed that in this thread. it is simply not true. why are you saying it?slim shady 45 wrote:everybody here has already assumed that the whole world uses wifi.....
again, this is not true.nobody uses cable ethernet broadband...
what? why should that be easy? how? and compared to what?...that can be easily tapped via packet capturing.
no, it is not easy to get passwords........so easy to get passwords............
your post is unrelated indeed.unrelated KRACK stories.
yes, ALL linux distros "have" https ... just like windows, iOS etc.Mint, Ubuntu ... ...... .............. mostly have https.............
ssl is not needed
however, saying SSL is not needed without mentioning TLS betrays deep ignorance. that goes for the post before that one, too.
-
- Posts: 8
- Joined: 2018-08-02 14:40
Re: Use HTTPS
sorry i meant that the people thinking ssl is not needed. my fault///
i meant certificates are not needed. without it also will be fine.
and my local cable operator LAN is not very secure..... people always reported about net theft// i.e using software like net cut - MAC copy and paste.
that is why https is always preferred.
login passwords have been stolen in the past.
we are using linux over windows as a privacy issue.
if a linux user refuses to acknowledge this... then there is nothing more that i can say.
i meant certificates are not needed. without it also will be fine.
and my local cable operator LAN is not very secure..... people always reported about net theft// i.e using software like net cut - MAC copy and paste.
that is why https is always preferred.
login passwords have been stolen in the past.
we are using linux over windows as a privacy issue.
if a linux user refuses to acknowledge this... then there is nothing more that i can say.
Re: Use HTTPS
your post doesn't make any more sense than the previous one.slim shady 45 wrote:sorry i meant that the people thinking ssl is not needed. my fault///
i meant certificates are not needed. without it also will be fine.
and my local cable operator LAN is not very secure..... people always reported about net theft// i.e using software like net cut - MAC copy and paste.
that is why https is always preferred.
login passwords have been stolen in the past.
we are using linux over windows as a privacy issue.
if a linux user refuses to acknowledge this... then there is nothing more that i can say.
you are really confusing things, using wrong terms, mushing them together...
whatever, we're still glad you're using linux and not windows.
-
- Posts: 8
- Joined: 2018-08-02 14:40
-
- Posts: 8
- Joined: 2018-10-17 08:47
Re: Use HTTPS
What's the mailing list for contacting those in charge of the server?GarryRicketson wrote: Back to the https issue, and this is something I said before in the other topics. To start with the only person that can add https, or ssl to the forum / website is the owner/admin of the server, the suggestion or request has been made several times, but for what ever reason they choose not to do that.
-
- Emeritus
- Posts: 2435
- Joined: 2010-12-07 19:55
- Has thanked: 14 times
- Been thanked: 54 times
Re: Use HTTPS
http://forums.debian.net/memberlist.php ... le&u=22484What's the mailing list for contacting those in charge of the server?
Re: Use HTTPS
It is unbelievable that this needs to be discussed in 2018...
The reasons given for not implementing HTTPS are ridiculous. The logic is completely flawed. Just because HTTPS does not provide 100% security and can be bypassed by exploiting security vulnerabilities in apps implementing or using it, does not at all mean that it doesn't add security at all.
"Only a Sith deals in absolutes."
Admin here = Sith?
The reasons given for not implementing HTTPS are ridiculous. The logic is completely flawed. Just because HTTPS does not provide 100% security and can be bypassed by exploiting security vulnerabilities in apps implementing or using it, does not at all mean that it doesn't add security at all.
"Only a Sith deals in absolutes."
Admin here = Sith?
-
- Posts: 2
- Joined: 2018-11-24 09:21
Re: Use HTTPS
I don't suppose you would care at all, but I use an old computer and an old browser. Adding https to this site would lock me out of using it (as my browser will not recognize the certificate). The same has happened with numerous other sites already. I can no longer use those sites. I cannot update my browser (because mozilla says my OS is "deprecated"). I cannot update my OS (because microsoft and linux both say my computer is "deprecated"). I cannot buy a new computer because I have no money (I guess I'm "deprecated").needsch wrote:It is unbelievable that this needs to be discussed in 2018...
The reasons given for not implementing HTTPS are ridiculous. The logic is completely flawed. Just because HTTPS does not provide 100% security and can be bypassed by exploiting security vulnerabilities in apps implementing or using it, does not at all mean that it doesn't add security at all.
Not everyone in the world is rich enough to buy whatever they're told to whenever large corporations decide to boost their profits by "deprecating" all the stuff that would otherwise still work just fine.
I'm just pointing it out, that's all.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Use HTTPS
Have you tried OpenBSD? They support much older machines than Linux and the resource usage is significantly lower as well.sallybrown wrote:I cannot update my OS (because microsoft and linux both say my computer is "deprecated").
In respect of https:
http://n-gate.com/software/2017/07/12/0/
^ I'm with that guy
deadbang
-
- Posts: 2
- Joined: 2018-11-24 09:21
Re: Use HTTPS
It took me a while to work out if that page (and therefore you) were for or against https, mostly because I have no idea what a "block quote" is and because, laughably, when I go to the site that it links to (https://doesmysiteneedhttps.com/), I get "An error occurred during a connection to doesmysiteneedhttps.com. Cannot communicate securely with peer: no common encryption algorithm(s)." Perhaps that only seems laughable to me though.Head_on_a_Stick wrote:In respect of https:
http://n-gate.com/software/2017/07/12/0/
^ I'm with that guy
I tried that once and didn't like it. It reminds me of the terminals we had to use when I made the mistake of doing a university degree. Perhaps I should add to "I cannot update my OS", that "I don't want to update my OS". I'm perfectly happy with XP and I don't really care how safe/unsafe anyone else thinks it is. I've never had a virus in 20 years of using it, and I've never run an antivirus either. I have a firewall and a HIPS system. The only time either have ever flagged anything was when I purposefully ran that sample virus whatnot (the one that all antivirus programs recognize as a virus, and that's used to test if your antivirus is working).Head_on_a_Stick wrote:Have you tried OpenBSD? They support much older machines than Linux and the resource usage is significantly lower as well.sallybrown wrote:I cannot update my OS (because microsoft and linux both say my computer is "deprecated").
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Use HTTPS
No, that is funnysallybrown wrote:when I go to the site that it links to (https://doesmysiteneedhttps.com/), I get "An error occurred during a connection to doesmysiteneedhttps.com. Cannot communicate securely with peer: no common encryption algorithm(s)." Perhaps that only seems laughable to me though.
n-gate.com is utterly brilliant but the author is rather scathing (which I find entertaining).
Fair play to you, I loved Win XP, it was ace.sallybrown wrote:I'm perfectly happy with XP
deadbang