Debian Forum security issue ?

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Debian Forum security issue ?

#1 Post by ticojohn »

I recently updated my Firefox browser to version 51.0 and am now seeing a security warning indicating that forums.debian.net is not secure. I assume that is because it is not https. Is that a correct assumption and should users be concerned? For myself, I think I can come to this site with confidence but just wonder how that warning might affect potential future users.
I am not irrational, I'm just quantum probabilistic.

horgh
Posts: 58
Joined: 2008-12-13 10:28

Re: Debian Forum security issue ?

#2 Post by horgh »

Is it happening just when visiting the forum? Or is it just on the login page/when logging in? I think there is a warning in that version now for password fields on non-HTTPS sites.

Making the site HTTPS would definitely be a good idea. Maybe that Firefox behaviour will help make it happen.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Debian Forum security issue ?

#3 Post by GarryRicketson »

This already had been brought up here:
http://forums.debian.net/viewtopic.php?f=12&t=118960

http://forums.debian.net/viewtopic.php? ... 15#p629939



Just because a site is "https", and has an SSL certificate, does not
in any way mean it is a safe or secure site.
http://www.spamtitan.com/web-filtering/ ... fe-to-use/

However, in their effort to make people believe they must be using
and purchasing SSL certificates, even Google has started "not listing" sites
that do not have https. Apparently now the newest versions of Firefox as well.
So yes, if one is concerned about "Google ratings", it would be important
to use https, and the certificates, but it is really just a gimmick, and
has nothing to do with if the site really is safe and secure. If one
is really concerned about a website or forum's security, just assuming
it is secure just because it is https is plain foolish.
A search will show results that can help you determine the security and safety of a website.

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Debian Forum security issue ?

#4 Post by ticojohn »

GarryRicketson wrote: Just because a site is "https", and has an SSL certificate, does not in any way mean it is a safe or secure site.
I understand that. I think my question was more about why it is showing as not secure, and I think that is clear in your answer. Just another gimmick, or maybe a tactic to try to get more sites to pay for SSL certificates. Which, as you state, doesn't by itself make a site safe; just more expensive to operate.
I am not irrational, I'm just quantum probabilistic.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Debian Forum security issue ?

#5 Post by kedaha »

ticojohn wrote: Just another gimmick, or maybe a tactic to try to get more sites to pay for SSL certificates. Which, as you state, doesn't by itself make a site safe; just more expensive to operate.
Except that it's easy to install a free certificate from letsencrypt.org to enable HTTPS (SSL/TLS) without incurring any cost at all. debian.org itself now uses this.
DebianStable

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

horgh
Posts: 58
Joined: 2008-12-13 10:28

Re: Debian Forum security issue ?

#6 Post by horgh »

Safety/security is a spectrum. There is no absolute security. No one is saying having HTTPS will magically make the forum totally secure.

Enabling HTTPS on the forum would increase security. It is definitely less secure without it.

Consider the case where you connect to a coffee shop wireless network. A malicious network operator could harvest your forum username and password and spy on what you are doing currently. They could also serve up a fake version of the forum and have users run malicious commands.

Yes, it is not the end of the world having your forum password exposed, but given certificates are free these days, there's no reason not to do this.
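An added example, not part of any post in this thread: a small Python audit a site operator could run against a login page to find the condition horgh describes in posts #2 and #6, a password field that is served or submitted over plain HTTP, where the network operator can read it. The host `forum.example` and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login form with a relative action, as many forums use.
SAMPLE_HTML = """
<form action="./ucp.php?mode=login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""


class LoginFormAudit(HTMLParser):
    """Collect each password input with the URL its form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None  # resolved action of the enclosing <form>
        self.findings = []          # (field name, submit target)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.findings.append((attrs.get("name"), self.current_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def audit_login_page(page_url, html):
    """Return (field name, issue) pairs for password fields exposed to plain HTTP."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    issues = []
    for name, target in parser.findings:
        if not page_secure:
            issues.append((name, "password field on a page served over HTTP"))
        if urlparse(target).scheme != "https":
            issues.append((name, "form submits to " + target))
    return issues


if __name__ == "__main__":
    for issue in audit_login_page("http://forum.example/index.php", SAMPLE_HTML):
        print(issue)
```

A page that is itself HTTPS but whose form action is an absolute `http://` URL is still reported, since the password would leave the browser unencrypted.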

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Debian Forum security issue ?

#7 Post by GarryRicketson »

I was going to edit my post, but now it is too late...
Anyway, I shouldn't say "just a gimmick", the SSL certificates do have
a useful purpose, especially for commercial sites where on-line sales
are made, and also they could be applied even for sites that just
have a donation option. The main thing they are good for is to help
prevent scammers setting up duplicate sites, or re-routing, and the victims think they are on the legit site, make a purchase, the money goes to the "fake site" operator, and nothing gets delivered.
In other words, the certificate does help assure you are really connected
to the site you think you are.
by ticojohn » I think my question was more about why it is showing as not secure,
I am not sure on that, it seems like the Firefox people should make an effort to make it where the "site not secure" message is more clear, and
includes why.
I do agree, this could have a negative effect on new users, or visitors,
that do not know better.
Why does Firefox say a site is not secure
There are many results, here is one:
https://support.mozilla.org/en-US/kb/wh ... ecure-mean

The only times I have gotten those kinds of messages with Firefox were
on sites that have https, and either the certificate really was expired,
or in one case, it was because my clock/date on my computer was set
wrong, I was in the wrong year! So it actually had absolutely nothing
to do with the actual website being insecure.
You really have not provided enough details to determine why it says
that, and is it just FDN, or do you get these messages on other sites as well?

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Debian Forum security issue ?

#8 Post by ticojohn »

GarryRicketson wrote: You really have not provided enough details to determine why it says
that, and is it just FDN, or do you get these messages on other sites as well ?
I see a little information icon to the left of the URL. When I click on the icon it gives a message that the connection is not secure. I see this icon for all sites that do not have https in the URL. Don't see it on those that do. I'm not going to let it bother me. I don't do a lot of exploring of unknown sites.

Thanks for the feedback.
I am not irrational, I'm just quantum probabilistic.
