SSL in Debian Forums
Hello.
Website: forum
Severity: wishlist
I have noticed that while other websites in Debian are SSL secured, the forum is not.
Is there any possibility to secure the forum with SSL?
Last edited by jesus92gz on 2015-05-29 07:28, edited 1 time in total.
- Sarge-in-charge
- Posts: 113
- Joined: 2012-07-21 08:41
Re: SSL in Debian Forums
jesus92gz wrote: Is there any possibility to secure the forum with SSL?

I vote NO if it's going to be with a self-signed certificate or with a certificate chained up to a CA not by default in Firefox.
Otherwise, I vote YES.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
- roseway
- Posts: 1528
- Joined: 2007-12-31 22:50
- Location: Kent, UK
- Has thanked: 3 times
- Been thanked: 4 times
Re: SSL in Debian Forums
Anyone who uses the same password on a public forum as they use for something confidential is asking for trouble anyway. SSL is pointless on a forum like this.
Eric
- Sarge-in-charge
- Posts: 113
- Joined: 2012-07-21 08:41
Re: SSL in Debian Forums
roseway wrote: SSL is pointless on a forum like this.

This is so wrong on many levels.
No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Re: SSL in Debian Forums
Once this is live we should just use it. It costs nothing and works in any browser.
https://letsencrypt.org/
Re: SSL in Debian Forums
Honestly, after thinking about this some more, I think there is no excuse to not have a valid SSL certificate. I will buy (and if needed configure) the SSL cert for this site. Does anyone know who we need to talk to in order to make this happen?
Re: SSL in Debian Forums
Head_on_a_Stick wrote: Why does this matter?

Apart from the previous users' replies, I can see the Debian site is using SSL everywhere.
For example:
Official Site: https://debian.org/
Wiki: https://wiki.debian.org/
...
Why should the forum not use SSL as well?
Re: SSL in Debian Forums
wizard10000 wrote: forums.debian.net isn't an official Debian resource.

Really? I thought it was.
Anyways, I think supporting SSL could improve the security of the forums to the end users. Just in case.
Re: SSL in Debian Forums
It's not an end-of-the-world thing, but IMO it should be a default on all sites. This is not because something sensitive is happening per se or anything; it's just a good policy for all communications.
Re: SSL in Debian Forums
Personally, I would love to have the NSA listen to what I have to say about systemd.
Re: SSL in Debian Forums
+1
You know Mint just got their website completely owned.
It's probably time to use HTTPS on the main website and forums.
What's the delay about?
Re: SSL in Debian Forums
+1
levlaz wrote: Once this is live we should just use it. It costs nothing and works in any browser.
https://letsencrypt.org/

It has been in beta since 2015-12-03:
https://letsencrypt.org/2015/12/03/ente ... -beta.html
The Debian package migrated to testing just a few days ago:
https://tracker.debian.org/pkg/python-letsencrypt
Re: SSL in Debian Forums
Since this is a public forum where everyone can blather whatever nonsense comes to one's mind, I see no benefits in using SSL. The only 'benefits' I see are higher load on the servers, as these will also have to deal with encryption and decryption.
Vote: NO.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
Re: SSL in Debian Forums
Sarge-in-charge wrote: ...This is so wrong on many levels.
No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.

Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).
HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
BTW, when it comes to discussing computers, software, and protocols "never say never" is generally good policy. There are enough corner cases to prove most "never do this" scenarios wrong.
Re: SSL in Debian Forums
wizard10000 wrote:Only reason I can think of is sending passwords in plain text.
Chiefahol wrote: You know Mint just got their website completely owned.
It's probably time to use HTTPS on the main website and forums.
cpoakes wrote:
Sarge-in-charge wrote: ...This is so wrong on many levels.
No HTTP traffic should be sent in the clear. Period. That's just the way it is in the post-Snowden era.
Really? Show me the contents of your apt sources.list. NOTHING coming from the package archives is run through https because of the huge encryption overhead; security is managed by other means. ISOs downloaded from most sources are not encrypted for the same reason. And that video or audio stream arriving at your browser is also generally not encrypted (even if you started it from an HTTPS secured web page).
HTTPS is NOT free. Every frakin' byte that arrives and departs has to be individually encrypted. While generally imposing little noticeable overhead on the client-side ("browser"), there is an added burden on the server side that can require server upgrades to meet volume demands.
...

Of course encryption is costly on the server side, but let's face the truth: http://forums.debian.net is not the most frequently visited web page...
On the other hand, every serious webpage is using encryption today - so I don't think that would be a problem for such a small forum...
Vote: Yes.
Regards.
Odi profanum vulgus