Logging on to this forum
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Logging on to this forum
Shouldn't username and password be sent through TLS/SSL encrypted tunnel?
I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Re: Logging on to this forum
Ahtiga Saraz wrote:
> Shouldn't username and password be sent through TLS/SSL encrypted tunnel?
> I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.

Yes it should.
And mods should not fud with your post
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.
-
- Posts: 1740
- Joined: 2009-05-04 15:56
- Been thanked: 1 time
Re: Logging on to this forum
There is really no reason to add the overhead of encrypted passwords for something that contains only public information, like this forum.
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Re: Logging on to this forum
lliv, thanks for supporting my proposal. What do you mean by saying "moderators should not FUD with my posts"?
smallchange, the reason is that username and password of forum users can be snagged in transit. And possibly session cookies could be hijacked. That certainly would not be good, even though I do not reuse passwords.
Forgive me please for not being able to check what actually happens since I have limited system access right now.... I am going by memory of what I found using Wireshark while logging on here some time ago.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
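As an added illustration of the point made in the post above, here is a small script that reads a captured plaintext login exchange the way a sniffer on the path would and pulls out the credentials and session cookie, then applies the two checks a forum should pass once logon is moved to HTTPS (the password form must submit to an https:// URL, and the session cookie must carry Secure and HttpOnly). This is example code written for this page, not code from the thread, from Debian or from any forum software; the host name, paths, cookie name and credentials in the embedded capture are constructed.

```python
"""Added example (not from the forum or Debian): what an observer on the wire
recovers from a login sent over plain HTTP, and two checks for the HTTPS fix.
Hosts, paths, cookie names and credentials below are constructed."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed capture of a login POST and its reply, as a sniffer would record them.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n\r\n"
    b"username=ahtiga&password=s3cret%21"
)
CAPTURED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: forum_sid=3f9a1c7e; path=/\r\n"
    b"Location: http://forum.example.org/index.php\r\n\r\n"
)
# The same reply as it should look once logon is served over HTTPS: the session
# cookie is marked Secure (never sent over http://) and HttpOnly.
HARDENED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: forum_sid=3f9a1c7e; path=/; Secure; HttpOnly\r\n"
    b"Location: https://forum.example.org/index.php\r\n\r\n"
)
# Constructed login-page fragments: one posting to http://, one to https://.
FORM_HTTP = ('<form method="post" action="/login"><input type="text" name="username">'
             '<input type="password" name="password"></form>')
FORM_HTTPS = FORM_HTTP.replace('action="/login"', 'action="https://forum.example.org/login"')


def split_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("iso-8859-1")


def credentials_from_request(raw: bytes) -> dict:
    """Credentials recovered from a form login POSTed in the clear: the body is
    ordinary URL-encoded text, so nothing has to be cracked."""
    start, headers, body = split_message(raw)
    ctype = headers.get("content-type", [""])[0]
    if not start.startswith("POST ") or "x-www-form-urlencoded" not in ctype:
        return {}
    return {k: v[0] for k, v in parse_qs(body).items() if k in ("username", "password")}


def session_cookies_from_response(raw: bytes) -> dict:
    """Session cookies set by the reply, with the flags that decide whether the
    cookie will leak in a later plaintext request (Secure) or be readable by
    page scripts (HttpOnly)."""
    _, headers, _ = split_message(raw)
    found = {}
    for header in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            found[name] = {"value": morsel.value,
                           "secure": bool(morsel["secure"]),
                           "httponly": bool(morsel["httponly"])}
    return found


class _FormFinder(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current and a.get("type", "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_targets(html: str, page_url: str) -> list:
    """Absolute submit URL of every password form on the page and whether it is
    https://. A form served over http:// can be rewritten in transit, but a form
    that posts to http:// leaks the password outright."""
    finder = _FormFinder()
    finder.feed(html)
    return [{"action": urljoin(page_url, action),
             "encrypted": urlsplit(urljoin(page_url, action)).scheme == "https"}
            for action, has_password in finder.forms if has_password]
```

Feeding the script the bytes from Wireshark's "Follow TCP Stream" on a real plaintext login gives the same result as the constructed capture: `credentials_from_request` returns the username and password verbatim, and `session_cookies_from_response` shows whether the cookie that replaces them for the rest of the session is itself protected. The form check is the one to run after the fix, since a login page that still posts to an http:// action undoes the whole exercise.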
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Followup
Smallchange, it might help if you (a forum admin?) gave us some idea of a yearly dollar amount or a percentage increase in the estimated cost to run the server if username/password were sent via an SSL tunnel.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
-
- Posts: 544
- Joined: 2008-10-25 12:00
- Location: Canada
Re: Logging on to this forum
Ahtiga Saraz wrote:
> What do you mean by saying "moderators should not FUD with my posts"?

FUD is Fear, Uncertainty and Doubt. Usually it means spreading false or misleading information to discredit something / someone. I'm not sure what llivv means by it either, but it is certainly a threadjack of your post and should probably be raised in a thread of its own rather than diluting the focus of your suggestion.
Re: Logging on to this forum
oOarthurOo wrote: I'm not sure how what lliv means by it either, but it is certainly a threadjack
Not sure how to read that....
Maybe, if Elmer read it I'd be able to understand it.... no guarantees though...
Last edited by llivv on 2011-02-21 21:32, edited 1 time in total.
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Re: Logging on to this forum
OK, I don't come here very often so I don't really know what is going on with this forum, but the other day I did see some threads indicating there are some current conflicts.... which I want to stay out of.
Back to the issue of whether the time has come to bear the cost of point-to-point encrypting at least username and password during transmission.
I'd be willing to pay my share to Debian... but there's a problem for me there too, my country (don't ask) makes it very difficult to send money to Germany and other countries where Debian has a presence.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
- Telemachus
- Posts: 4574
- Joined: 2006-12-25 15:53
- Been thanked: 2 times
Re: Logging on to this forum
There was some talk a few months ago among moderators about adding SSL. People supported the idea, and as far as I know, it was going to happen. It hasn't yet, but I believe it's only a question of moderators' time, nothing to do with expense.
I can't be sure but I think smallchange meant only "effort" when he spoke of "adding overhead", not money. (Also, I don't believe he's an admin. I mention this only since Ahtiga half asked.)
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
-
- Posts: 1740
- Joined: 2009-05-04 15:56
- Been thanked: 1 time
Re: Logging on to this forum
I was speaking in terms of computer resource usage and admin time. That should give you an idea of how much value I would place on having this forum SSL protected. I am not an admin on this forum.
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Oh fearless leaders
I think that it would be a very good idea to encrypt via SSL/TLS the username and password combination. THOSE are sensitive, even for users who do not reuse passwords. I do take your point that the posts themselves are public information anyway, but even here you may not have thought hard enough about the consequences of a GET or POST in the clear for those who live in repressive countries.
Anyway, I hope the moderators can find the time to secure encryption of logon sessions. Clearly in future all forums will have to do so, and I like to see Debian leading, not lagging.
Eventually, it might be a good idea to offer encryption of the full session to users in certain countries during times of turmoil, financial cost permitting.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
Re: Logging on to this forum
oOarthurOo wrote:
> FUD is Fear Uncertainty and Doubt.

I didn't know the meaning of FUD, so I had to Google it.....
Debian Bits And Snips
Squeeze, Gnome, amd64, Intel Core i3-530, Geforce GT330
-
- Posts: 119
- Joined: 2011-02-09 06:26
Re: Logging on to this forum
eric1959 wrote:
> I didn't know the meaning of FUD, so I had to Google it.....FUD is Fear Uncertainty and Doubt.

There's even a forum for it: http://fudforum.org/
-
- Posts: 1014
- Joined: 2009-06-15 01:19
SSL Now!
@moderators: any progress on implementing encrypted communication of password to the forum server?
Please note: a Javascript "solution" won't work, at least not for those who have disabled Javascript for security reasons.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
-
- Posts: 1014
- Joined: 2009-06-15 01:19
Bump
Moderators, any progress or firm decision or timeline on encrypting logon (at least)?
Regarding the issue of additional costs, I have seen some claims that Google and Amazon say that transitioning their websites to https pages only increased costs by about 1%. I think I take the point that this might not hold true for a bulletin board type website, but I still insist that logon should be protected by SSL.
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
- roseway
- Posts: 1528
- Joined: 2007-12-31 22:50
- Location: Kent, UK
- Has thanked: 3 times
- Been thanked: 4 times
Re: Logging on to this forum
Ahtiga Saraz wrote:
> I still insist that logon should be protected by SSL.

You can insist all you like, but I don't see many people agreeing with you. And it's pretty pointless addressing your demand to moderators, because they don't have the power to change it anyway.
Eric
Re: Logging on to this forum
Well, is the forum account so valuable that we need to insist on it?
Because let’s face it, the unfortunate aspect of software development is that it involves humans. Mewling, disorganized, miserably analog humans. Sometimes they smell bad.
-
- Posts: 1014
- Joined: 2009-06-15 01:19
https now!
There are many good reasons for the recent trend towards "https everywhere". If you are interested in learning what some of them are, try these links:
- HTTPS is more secure, so why isn't the Web using it?, Scott Gilbertson, Wired, 20 March 2011
- HTTPS is great: here's why everyone needs to use it (so we can too), Clint Ecker and Kurt Mackey, Ars Technica, 22 March 2011
- HTTPS Now Campaign Urges Users to Take an Active Role in Protecting Internet Security, Eva Galperin, EFF, 20 April 2011
If you are persuaded to give it a try, see How to Deploy HTTPS Correctly, Chris Palmer, EFF, 15 November 2010.
As for Debian User Forums, does anyone know who I should petition?
[ EDIT 5 May 2011: a not-so-obvious reason why https is a good idea: far from discouraging us from assuming DUF is powerless against state actors, Comodogate (an incident which some feel reflects attempted retaliation by the government of Iran against its own citizens) and an even more recent incident disclosed by the EFF (which appears to suggest attempted retaliation by the government of Syria against its own citizens) seem to suggest that even state actors may find it difficult to misuse fraudulent certs without leaving traces which can be discovered and publicized by organizations like the EFF. ]
Ahtiga Saraz
Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!
-
- Posts: 6
- Joined: 2011-05-28 17:25
- Location: Georgetown, TX, USA
Re: Logging on to this forum
@ Ahtiga Saraz
I wholeheartedly agree with your position on encrypting the username and password. Actually, I am quite surprised, both at the general attitude against your position here, and also that Firefox hasn't warned me about this (I thought that I had it set to warn me whenever I send unencrypted information).
Also, I am so glad to see that someone else chooses to disable javascript for security reasons. I was really beginning to think that I was the only one who was even aware of javascript any more. So, @ forum maintainers, please I beg you to avoid a javascript solution (assuming that you may decide to implement a solution at all).
Re: Logging on to this forum
Some of the concern may be from people who are using their real, "meatspace", name as a username, perhaps they would have some "reputation" issues if their account was compromised.
From my point of view, if someone took over the username Thorny, it would not affect the size of my pension check nor my ability to eat, drink and breathe. I'd even be able to get another username, possibly even convince a moderator that I should have the old one back (but maybe not, that should be hard to do).
So, at the end of the day, I could survive the disaster. I'd also expect anyone stealing a username would have a specific reason for doing so and very likely would attract moderation and loss of account fairly soon. I rarely use the same username on different forums and my usernames (and passphrases) don't correspond to any email account I use for my mission-critical stuff. I don't even always tell the truth about personal stuff in cyberspace.