Logging on to this forum

Code of conduct, suggestions, and information on forums.debian.net.
Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Logging on to this forum

#1 Post by Ahtiga Saraz »

Shouldn't username and password be sent through TLS/SSL encrypted tunnel?

I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Logging on to this forum

#2 Post by llivv »

Ahtiga Saraz wrote: Shouldn't username and password be sent through TLS/SSL encrypted tunnel?

I know that SSL key exchange places some computational burden on the server. I am not asking that the entire session be encrypted point-to-point, but it seems that username and password should be.
Yes, it should.
And mods should not FUD with your post.
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

smallchange
Posts: 1740
Joined: 2009-05-04 15:56
Been thanked: 1 time

Re: Logging on to this forum

#3 Post by smallchange »

There is really no reason to add the overhead of encrypted passwords for something that contains only public information, like this forum.

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Re: Logging on to this forum

#4 Post by Ahtiga Saraz »

llivv, thanks for supporting my proposal. What do you mean by saying "moderators should not FUD with my posts"?

smallchange, the reason is that username and password of forum users can be snagged in transit. And possibly session cookies could be hijacked. That certainly would not be good, even though I do not reuse passwords.

Forgive me please for not being able to check what actually happens since I have limited system access right now.... I am going by memory of what I found using Wireshark while logging on here some time ago.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Followup

#5 Post by Ahtiga Saraz »

Smallchange, it might help if you (a forum admin?) gave us some idea of a yearly dollar amount or a percentage increase in the estimated cost to run the server if username/password were sent via an SSL tunnel.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

oOarthurOo
Posts: 544
Joined: 2008-10-25 12:00
Location: Canada

Re: Logging on to this forum

#6 Post by oOarthurOo »

Ahtiga Saraz wrote: What do you mean by saying "moderators should not FUD with my posts"?
FUD is Fear, Uncertainty and Doubt. Usually it means spreading false or misleading information to discredit something / someone. I'm not sure what llivv means by it either, but it is certainly a threadjack of your post and should probably be raised in a thread of its own rather than diluting the focus of your suggestion.

llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Logging on to this forum

#7 Post by llivv »

oOarthurOo wrote: I'm not sure what llivv means by it either, but it is certainly a threadjack
:oops:
Not sure how to read that....
Maybe, if Elmer read it I'd be able to understand it.... no guarantees though...
Last edited by llivv on 2011-02-21 21:32, edited 1 time in total.
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Re: Logging on to this forum

#8 Post by Ahtiga Saraz »

OK, I don't come here very often so I don't really know what is going on with this forum, but the other day I did see some threads indicating there are some current conflicts.... which I want to stay out of.

Back to the issue of whether the time has come to bear the cost of point-to-point encrypting at least username and password during transmission.

I'd be willing to pay my share to Debian... but there's a problem for me there too, my country (don't ask) makes it very difficult to send money to Germany and other countries where Debian has a presence.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

Telemachus
Posts: 4574
Joined: 2006-12-25 15:53
Been thanked: 2 times

Re: Logging on to this forum

#9 Post by Telemachus »

There was some talk a few months ago among moderators about adding SSL. People supported the idea, and as far as I know, it was going to happen. It hasn't yet, but I believe it's only a question of moderators' time, nothing to do with expense.

I can't be sure but I think smallchange meant only "effort" when he spoke of "adding overhead", not money. (Also, I don't believe he's an admin. I mention this only since Ahtiga half asked.)
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System

smallchange
Posts: 1740
Joined: 2009-05-04 15:56
Been thanked: 1 time

Re: Logging on to this forum

#10 Post by smallchange »

I was speaking in terms of computer resource usage and admin time. That should give you an idea of how much value I would place on having this forum SSL protected. I am not an admin on this forum.

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Oh fearless leaders

#11 Post by Ahtiga Saraz »

I think that it would be a very good idea to encrypt via SSL/TLS the username and password combination. THOSE are sensitive, even for users who do not reuse passwords. I do take your point that the posts themselves are public information anyway, but even here you may not have thought hard enough about the consequences of a GET or POST in the clear for those who live in repressive countries.

Anyway, I hope the moderators can find the time to secure encryption of logon sessions. Clearly in future all forums will have to do so, and I like to see Debian leading, not lagging.

Eventually, it might be a good idea to offer encryption of the full session to users in certain countries during times of turmoil, financial cost permitting.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

eric1959
Posts: 1298
Joined: 2008-12-15 13:17
Location: Amsterdam

Re: Logging on to this forum

#12 Post by eric1959 »

FUD is Fear Uncertainty and Doubt.
I didn't know the meaning of FUD, so I had to Google it.....
Debian Bits And Snips
Squeeze, Gnome, amd64, Intel Core i3-530, Geforce GT330

Globetrotter
Posts: 119
Joined: 2011-02-09 06:26

Re: Logging on to this forum

#13 Post by Globetrotter »

eric1959 wrote:
FUD is Fear Uncertainty and Doubt.
I didn't know the meaning of FUD, so I had to Google it.....
There's even a forum for it: http://fudforum.org/

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

SSL Now!

#14 Post by Ahtiga Saraz »

@moderators: any progress on implementing encrypted communication of password to the forum server?

Please note: a JavaScript "solution" won't work, at least not for those who have disabled JavaScript for security reasons.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Bump

#15 Post by Ahtiga Saraz »

Moderators, any progress or firm decision or timeline on encrypting logon (at least)?

Regarding the issue of additional costs, I have seen some claims that Google and Amazon say that transiting their websites to https pages only increased costs by about 1%. I think I take the point that this might not hold true for a bulletin board type website, but I still insist that logon should be protected by SSL.
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

roseway
Posts: 1528
Joined: 2007-12-31 22:50
Location: Kent, UK
Has thanked: 3 times
Been thanked: 4 times

Re: Logging on to this forum

#16 Post by roseway »

I still insist that logon should be protected by SSL.
You can insist all you like, but I don't see many people agreeing with you. And it's pretty pointless addressing your demand to moderators, because they don't have the power to change it anyway.
Eric

Tadeas
Posts: 1013
Joined: 2008-09-22 09:11
Location: Prague

Re: Logging on to this forum

#17 Post by Tadeas »

Well, is the forum account so valuable that we need to insist on it?
Because let’s face it, the unfortunate aspect of software development is that it involves humans. Mewling, disorganized, miserably analog humans. Sometimes they smell bad.

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

https now!

#18 Post by Ahtiga Saraz »

There are many good reasons for the recent trend towards "https everywhere". If you are interested in learning what some of them are, try these links: As the Comodogate breach demonstrated, https does not by itself provide guaranteed authenticity, security, or privacy, but it can and should play an important role in mitigating many of the most common problems.

[ EDIT 5 May 2011: a not-so-obvious reason why https is a good idea: far from discouraging us from assuming DUF is powerless against state actors, Comodogate (an incident which some feel reflects attempted retaliation by the government of Iran against its own citizens) and an even more recent incident disclosed by the EFF (which appears to suggest attempted retaliation by the government of Syria against its own citizens) seem to suggest that even state actors may find it difficult to misuse fraudulent certs without leaving traces which can be discovered and publicized by organizations like the EFF. ]


If you are persuaded to give it a try, see How to Deploy HTTPS Correctly, Chris Palmer, EFF, 15 November 2010,

As for Debian User Forums, does anyone know who I should petition?
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!
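A defender-side check for the exposure raised in posts #4 and #18 (username, password and session cookie crossing the wire in the clear), added here as an example and not code from this thread or from forums.debian.net: it parses a saved login page offline, resolves the form action against the page URL, and flags any password form that would post over plain http and any cookie set without the Secure attribute. The URL, HTML and Set-Cookie header are constructed samples.

```python
# Added example, not code from the thread or from forums.debian.net.
# The URL, HTML and Set-Cookie header below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormFinder(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html, set_cookie_headers):
    """Return findings; empty means password forms post to https and cookies are Secure."""
    findings = []
    parser = _FormFinder()
    parser.feed(html)
    for form in parser.forms:
        if form["has_password"]:
            # A relative action inherits the page's scheme, so resolve it first.
            target = urljoin(page_url, form["action"])
            if urlsplit(target).scheme != "https":
                findings.append(f"password form posts in the clear to {target}")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in header.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure, so it also travels over http")
    return findings

# Constructed sample: a phpBB-style login form served over plain http.
SAMPLE_URL = "http://forum.example.invalid/ucp.php?mode=login"
SAMPLE_HTML = ('<form action="./ucp.php?mode=login" method="post"><input type="text" name="username">'
               '<input type="password" name="password"><input type="submit" value="Login"></form>')
SAMPLE_COOKIES = ["phpbb3_sid=abc123; path=/; HttpOnly"]
```

Feed it a login page you saved from your own site together with the response's Set-Cookie headers; an empty list from audit_login_page is the pass condition.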

michaelburns
Posts: 6
Joined: 2011-05-28 17:25
Location: Georgetown, TX, USA

Re: Logging on to this forum

#19 Post by michaelburns »

@ Ahtiga Saraz

I wholeheartedly agree with your position on encrypting the username and password. Actually, I am quite surprised, both at the general attitude against your position here, and also that Firefox hasn't warned me about this (I thought that I had it set to warn me whenever I send unencrypted information).

Also, I am so glad to see that someone else chooses to disable JavaScript for security reasons. I was really beginning to think that I was the only one who was even aware of JavaScript any more. So, @ forum maintainers, please I beg you to avoid a JavaScript solution (assuming that you may decide to implement a solution at all).

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: Logging on to this forum

#20 Post by Thorny »

Some of the concern may be from people who are using their real, "meatspace", name as a username, perhaps they would have some "reputation" issues if their account was compromised.

From my point of view, if someone took over the username Thorny, it would not affect the size of my pension check nor my ability to eat, drink and breathe. I'd even be able to get another username, possibly even convince a moderator that I should have the old one back (but maybe not, that should be hard to do).

So, at the end of the day, I could survive the disaster. I'd also expect anyone stealing a username would have a specific reason for doing so and very likely would attract moderation and loss of account fairly soon. I rarely use the same username on different forums and my usernames (and passphrases) don't correspond to any email account I use for my mission-critical stuff. I don't even always tell the truth about personal stuff in cyberspace.
