Debian User Forums

[roseway]

I still insist that logon should be protected by SSL.

You can insist all you like, but I don't see many people agreeing with you. And it's pretty pointless addressing your demand to moderators, because they don't have the power to change it anyway.

[Tadeas]

Well, is the forum account so valuable that it we need to insist on it?

[Ahtiga Saraz]

There are many good reasons for the recent trend towards "https everywhere". If you are interested in learning what some of them are, try these links:

• HTTPS is more secure, so why isn't the Web using it?, Scott Gilbertson, Wired, 20 March 2011
• HTTPS is great: here's why everyone needs to use it (so we can too), Clint Ecker and Kurt Mackey, Ars Technica, 22 March 2011
• HTTPS Now Campaign Urges Users to Take an Active Role in Protecting Internet Security, Eva Galperin, EFF, 20 April 2011

As the Comodogate breach demonstrated, https does not by itself provide guaranteed authenticity, security, or privacy, but it can and should play an important role in mitigating many of the most common problems.

[ EDIT 5 May 2011: a not-so-obvious reason why https is a good idea: far from discouraging us from assuming DUF is powerless against state actors, Comodogate (an incident which some feel reflects attempted retaliation by the government of Iran against its own citizens) and an even more recent incident disclosed by the EFF which appears to suggest attempted retaliation by the government of Syria against its own citizens), these incidents seem to suggest that even state actors may find it difficult to misuse fraudulent certs without leaving traces which can be discovered and publicized by organizations like the EFF. ]


If you are persuaded to give it a try, see How to Deploy HTTPS Correctly, Chris Palmer, EFF, 15 November 2010,

As for Debian User Forums, does anyone know who I should petition?

[michaelburns]

@ Ahtiga Saraz

I wholeheartedly agree with your position on encrypting the username and password. Actually, I am quite surprised, both at the general attitude against your position here, and also that Firefox hasn't warned me about this (I thought that I had it set to warn me whenever I send unencrypted information).

Also, I am so glad to see that someone else chooses to disable javascript for security reasons. I was really beginning to think that I was the only one who was even aware of javascript any more. So, @ forum maintainers, please I beg you to avoid a javascript solution (assuming that you may decide to implement a solution at all).

[Thorny]

Some of the concern may be from people who are using their real, "meatspace", name as a username, perhaps they would have some "reputation" issues if their account was compromised.

From my point of view, if someone took over the username Thorny, it would not affect the size of my pension check nor my ability to eat, drink and breathe. I'd even be able to get another username, possibly even convince a moderator that I should have the old one back (but maybe not, that should be hard to do).

So, at the end of the day, I could survive the disaster. I'd also expect anyone stealing a username would have a specific reason for doing so and very likely would attract moderation and loss of account fairly soon. I rarely use the same username on different forums and my usernames (and passphrases) don't correspond to any email account I use for my mission-critical stuff. I don't even always tell the truth about personal stuff in cyberspace.

[Telemachus]

As for Debian User Forums, does anyone know who I should petition?

I believe that only Mez can make this change. PM him directly, I suppose.