Logging on to this forum

Have something to say about forums.debian.net itself?

Logging on to this forum

Postby Ahtiga Saraz » 2011-02-21 19:58

Shouldn't username and password be sent through TLS/SSL encrypted tunnel?

I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: Logging on to this forum

Postby llivv » 2011-02-21 20:04

Ahtiga Saraz wrote:Shouldn't username and password be sent through TLS/SSL encrypted tunnel?

I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.

Yes it should..
And mods should not fud with your post[s]
in the kitchen with Julia
The Past, Christmas Present and Future
Get on the Dbus to Bcan
llivv
 
Posts: 5634
Joined: 2007-02-14 18:10
Location: cold storage

Re: Logging on to this forum

Postby smallchange » 2011-02-21 20:14

There is really no reason to add the overhead of encrypted passwords for something that contains only public information, like this forum.
smallchange
 
Posts: 1740
Joined: 2009-05-04 15:56

Re: Logging on to this forum

Postby Ahtiga Saraz » 2011-02-21 20:33

llivv, thanks for supporting my proposal. What do you mean by saying "moderators should not FUD with my posts"?

smallchange, the reason is that username and password of forum users can be snagged in transit. And possibly session cookies could be hijacked. That certainly would not be good, even though I do not reuse passwords.

Forgive me please for not being able to check what actually happens since I have limited system access right now.... I am going by memory of what I found using Wireshark while logging on here some time ago.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19
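The post above talks about credentials and session cookies being "snagged in transit" from a Wireshark capture. The script below is an added example, not code from the thread or from forums.debian.net, showing concretely what an on-path observer recovers from a cleartext phpBB-style login, plus the caveat a practitioner would raise against encrypting only the login request: a session cookie set without the Secure attribute is sent again on every later http:// request, so the session is still exposed. The HTTP messages, host name, form field names and cookie names are constructed for illustration and are assumptions, not a real capture.

```python
"""Added example (not from the forum thread): what a sniffer sees on a cleartext
login, and whether the resulting session cookie would still leak over http://.

All HTTP messages, host names, form fields and cookie names below are constructed
for illustration; they are not captured from forums.debian.net.
"""
from urllib.parse import parse_qs


def parse_http_message(raw: str):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body).

    Headers are kept as a list, not a dict, because a response may carry several
    Set-Cookie headers and each one matters for the Secure check.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name: str):
    """All values of a header (case-insensitive), in the order they appeared."""
    return [v for n, v in headers if n == name.lower()]


def extract_form_fields(raw_request: str) -> dict:
    """Recover the fields of a cleartext form POST, e.g. username and password.

    Only application/x-www-form-urlencoded bodies are handled, which is what a
    plain <form method="post"> login sends. Returns {field: first value}.
    """
    _, headers, body = parse_http_message(raw_request)
    ctype = header_values(headers, "Content-Type")
    if not ctype or not ctype[0].startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def extract_cookies(raw_request: str) -> dict:
    """Cookies a client sent in the clear on a later request: hijack material."""
    _, headers, _ = parse_http_message(raw_request)
    cookies = {}
    for value in header_values(headers, "Cookie"):
        for pair in value.split(";"):
            name, _, val = pair.strip().partition("=")
            if name:
                cookies[name] = val
    return cookies


def cookies_without_secure(raw_response: str) -> list:
    """Names of cookies the server set without the Secure attribute.

    Such a cookie is sent on every matching request, http:// included, so even if
    the login POST itself went over TLS, the session is exposed afterwards.
    """
    _, headers, _ = parse_http_message(raw_response)
    insecure = []
    for value in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            insecure.append(name)
    return insecure


# Constructed cleartext login, as tcpdump/Wireshark would show it (assumed layout).
LOGIN_POST = (
    "POST /ucp.php?mode=login HTTP/1.1\r\n"
    "Host: forums.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 58\r\n"
    "\r\n"
    "username=alice&password=s3cret%21&autologin=on&login=Login"
)

# Constructed server reply: session cookies set without the Secure attribute.
LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: phpbb3_sid=abc123def456; path=/; HttpOnly\r\n"
    "Set-Cookie: phpbb3_u=42; path=/; HttpOnly\r\n"
    "Location: http://forums.example.net/index.php\r\n"
    "\r\n"
)

# The same reply hardened: cookies marked Secure never travel over http://.
HARDENED_RESPONSE = LOGIN_RESPONSE.replace("; HttpOnly", "; Secure; HttpOnly")

# A later plain-HTTP page view by the same client, replaying the session cookie.
LATER_GET = (
    "GET /viewtopic.php?t=1 HTTP/1.1\r\n"
    "Host: forums.example.net\r\n"
    "Cookie: phpbb3_sid=abc123def456; phpbb3_u=42\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("credentials in the clear:", extract_form_fields(LOGIN_POST))
    print("session cookies replayed over http://:", extract_cookies(LATER_GET))
    print("cookies set without Secure:", cookies_without_secure(LOGIN_RESPONSE))
    print("after hardening:", cookies_without_secure(HARDENED_RESPONSE))
```

Run against a real capture, the same three functions apply to any HTTP request or response text pasted out of Wireshark's "Follow TCP Stream"; the point of the Secure check is that moving only the login form to TLS, as the post asks, protects the password but not the session unless the cookies are also marked Secure.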

Followup

Postby Ahtiga Saraz » 2011-02-21 20:48

Smallchange, it might help if you (a forum admin?) gave us some idea of a yearly dollar amount or a percentage increase in the estimated cost to run the server if username/password were sent via an SSL tunnel.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: Logging on to this forum

Postby oOarthurOo » 2011-02-21 20:54

Ahtiga Saraz wrote:What do you mean by saying "moderators should not FUD with my posts"?

FUD is Fear, Uncertainty and Doubt. Usually it means spreading false or misleading information to discredit something / someone. I'm not sure what llivv means by it either, but it is certainly a threadjack of your post and should probably be raised in a thread of its own rather than diluting the focus of your suggestion.
oOarthurOo
 
Posts: 545
Joined: 2008-10-25 12:00
Location: Canada

Re: Logging on to this forum

Postby llivv » 2011-02-21 21:01

oOarthurOo wrote: I'm not sure what llivv means by it either, but it is certainly a threadjack
:oops:
Not sure how to read that....
Maybe, if Elmer read it I'd be able to understand it.... no guarantees though...
Last edited by llivv on 2011-02-21 21:32, edited 1 time in total.
in the kitchen with Julia
The Past, Christmas Present and Future
Get on the Dbus to Bcan
llivv
 
Posts: 5634
Joined: 2007-02-14 18:10
Location: cold storage

Re: Logging on to this forum

Postby Ahtiga Saraz » 2011-02-21 21:04

OK, I don't come here very often so I don't really know what is going on with this forum, but the other day I did see some threads indicating there are some current conflicts.... which I want to stay out of.

Back to the issue of whether the time has come to bear the cost of point-to-point encrypting at least username and password during transmission.

I'd be willing to pay my share to Debian... but there's a problem for me there too, my country (don't ask) makes it very difficult to send money to Germany and other countries where Debian has a presence.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: Logging on to this forum

Postby Telemachus » 2011-02-21 21:50

There was some talk a few months ago among moderators about adding SSL. People supported the idea, and as far as I know, it was going to happen. It hasn't yet, but I believe it's only a question of moderators' time, nothing to do with expense.

I can't be sure but I think smallchange meant only "effort" when he spoke of "adding overhead", not money. (Also, I don't believe he's an admin. I mention this only since Ahtiga half asked.)
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
Telemachus
 
Posts: 4677
Joined: 2006-12-25 15:53

Re: Logging on to this forum

Postby smallchange » 2011-02-21 22:05

I was speaking in terms of computer resource usage and admin time. That should give you an idea of how much value I would place on having this forum SSL protected. I am not an admin on this forum.
smallchange
 
Posts: 1740
Joined: 2009-05-04 15:56

Oh fearless leaders

Postby Ahtiga Saraz » 2011-02-22 06:20

I think that it would be a very good idea to encrypt via SSL/TLS the username and password combination. THOSE are sensitive, even for users who do not reuse passwords. I do take your point that the posts themselves are public information anyway, but even here you may not have thought hard enough about the consequences of a GET or POST in the clear for those who live in repressive countries.

Anyway, I hope the moderators can find the time to secure encryption of logon sessions. Clearly in future all forums will have to do so, and I like to see Debian leading, not lagging.

Eventually, it might be a good idea to offer encryption of the full session to users in certain countries during times of turmoil, financial cost permitting.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: Logging on to this forum

Postby eric1959 » 2011-02-22 08:23

FUD is Fear Uncertainty and Doubt.

I didn't know the meaning of FUD, so I had to Google it.....
Debian Bits And Snips
Squeeze, Gnome, amd64, Intel Core i3-530, Geforce GT330
eric1959
 
Posts: 1299
Joined: 2008-12-15 13:17
Location: Amsterdam

Re: Logging on to this forum

Postby Globetrotter » 2011-02-22 09:49

eric1959 wrote:
FUD is Fear Uncertainty and Doubt.

I didn't know the meaning of FUD, so I had to Google it.....


There's even a forum for it: http://fudforum.org/
Globetrotter
 
Posts: 119
Joined: 2011-02-09 06:26

SSL Now!

Postby Ahtiga Saraz » 2011-03-05 23:22

@moderators: any progress on implementing encrypted communication of password to the forum server?

Please note: a Javascript "solution" won't work, at least not for those who have disabled Javascript for security reasons.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Bump

Postby Ahtiga Saraz » 2011-04-24 18:20

Moderators, any progress or firm decision or timeline on encrypting logon (at least)?

Regarding the issue of additional costs, I have seen some claims that Google and Amazon say that transitioning their websites to https pages only increased costs by about 1%. I think I take the point that this might not hold true for a bulletin board type website, but I still insist that logon should be protected by SSL.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19
