Use HTTPS

Code of conduct, suggestions, and information on forums.debian.net.
needsch
Posts: 2
Joined: 2012-06-07 12:07

Re: Use HTTPS

#31 Post by needsch »

It is unbelievable that this needs to be discussed in 2018...

The reasons given for not implementing HTTPS are ridiculous. The logic is completely flawed. Just because HTTPS does not provide 100% security and can be bypassed by exploiting security vulnerabilities in apps implementing or using it, does not at all mean that it doesn't add security at all.

"Only a Sith deals in absolutes."
Admin here = Sith? :lol:

sallybrown
Posts: 2
Joined: 2018-11-24 09:21

Re: Use HTTPS

#32 Post by sallybrown »

needsch wrote:It is unbelievable that this needs to be discussed in 2018...

The reasons given for not implementing HTTPS are ridiculous. The logic is completely flawed. Just because HTTPS does not provide 100% security and can be bypassed by exploiting security vulnerabilities in apps implementing or using it, does not at all mean that it doesn't add security at all.
I don't suppose you would care at all, but I use an old computer and an old browser. Adding https to this site would lock me out of using it (as my browser will not recognize the certificate). The same has happened with numerous other sites already. I can no longer use those sites. I cannot update my browser (because mozilla says my OS is "deprecated"). I cannot update my OS (because microsoft and linux both say my computer is "deprecated"). I cannot buy a new computer because I have no money (I guess I'm "deprecated").

Not everyone in the world is rich enough to buy whatever they're told to whenever large corporations decide to boost their profits by "deprecating" all the stuff that would otherwise still work just fine.

I'm just pointing it out, that's all.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

#33 Post by Head_on_a_Stick »

sallybrown wrote:I cannot update my OS (because microsoft and linux both say my computer is "deprecated").
Have you tried OpenBSD? They support much older machines than Linux and the resource usage is significantly lower as well.

In respect of https:

http://n-gate.com/software/2017/07/12/0/

^ I'm with that guy :D
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

sallybrown
Posts: 2
Joined: 2018-11-24 09:21

Re: Use HTTPS

#34 Post by sallybrown »

Head_on_a_Stick wrote:In respect of https:

http://n-gate.com/software/2017/07/12/0/

^ I'm with that guy :D
It took me a while to work out if that page (and therefore you) were for or against https, mostly because I have no idea what a "block quote" is and because, laughably, when I go to the site that it links to (https://doesmysiteneedhttps.com/), I get "An error occurred during a connection to doesmysiteneedhttps.com. Cannot communicate securely with peer: no common encryption algorithm(s)." Perhaps that only seems laughable to me though.
Head_on_a_Stick wrote:
sallybrown wrote:I cannot update my OS (because microsoft and linux both say my computer is "deprecated").
Have you tried OpenBSD? They support much older machines than Linux and the resource usage is significantly lower as well.
I tried that once and didn't like it. It reminds me of the terminals we had to use when I made the mistake of doing a university degree. Perhaps I should add to "I cannot update my OS", that "I don't want to update my OS". I'm perfectly happy with XP and I don't really care how safe/unsafe anyone else thinks it is. I've never had a virus in 20 years of using it, and I've never run an antivirus either. I have a firewall and a HIPS system. The only time either have ever flagged anything was when I purposefully ran that sample virus whatnot (the one that all antivirus programs recognize as a virus, and that's used to test if your antivirus is working).

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

#35 Post by Head_on_a_Stick »

sallybrown wrote:when I go to the site that it links to (https://doesmysiteneedhttps.com/), I get "An error occurred during a connection to doesmysiteneedhttps.com. Cannot communicate securely with peer: no common encryption algorithm(s)." Perhaps that only seems laughable to me though.
No, that is funny :D

n-gate.com is utterly brilliant but the author is rather scathing (which I find entertaining).
sallybrown wrote:I'm perfectly happy with XP
Fair play to you, I loved Win XP, it was ace.

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Use HTTPS

#36 Post by pcalvert »

It's a good idea for websites that people need to log into to use, or ones that have web forms for entering personal information. But I don't understand the push to make every website use SSL.

Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

None1975
Posts: 1019
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Use HTTPS

#37 Post by None1975 »

pcalvert wrote:But I don't understand the push to make every website use SSL. Phil
Maybe it is more secure? HTTP protocol is built on top of TCP. TCP guarantees that the data will be delivered, or it is impossible to deliver (target not reachable, etc.). You open a TCP connection and send HTTP messages through it. But TCP does not guarantee any level of security. Therefore an intermediate layer named SSL is put between TCP and HTTP and you get the so called HTTPS. This way of working is called tunneling – you dump data into one end of (SSL) tunnel and collect it at the other one. SSL gets HTTP messages, encrypts them, sends them over TCP and decrypts them again at the other end. Encryption protects you from eavesdropping and transparent MITM attack (altering the messages). But SSL does not only provide encryption, it also provides authentication. Server must have a certificate signed by a well known certification authority (CA) that proves its identity. Without authentication, encryption is useless as MITM attack is still possible. The attacker could trick you into thinking that he is the server you want to connect to. Private chat with the devil is not what you want, you want to verify that the server you are connecting to really is the one you want to connect to. Authentication protects you from MITM.

More readings here.
OS: Debian 10.3 Buster / WM: xmonad
Debian Wiki | DontBreakDebian, My config files on github
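
The layering and the authentication step described in the post above, as an added example that is not part of the thread or any poster's code: the client side of a handshake is run in memory with Python's standard ssl module, showing that the first bytes handed to TCP are a TLS handshake record rather than an HTTP message, and comparing the default context (certificate and hostname verified) with one that only encrypts. The hostname forum.example and all function names are constructed for illustration.

```python
import ssl

# TLS record-layer content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def first_flight(hostname, ctx=None):
    """Run the client side of a handshake in memory; return the bytes
    that would be handed to TCP before any HTTP message is sent."""
    ctx = ctx or ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello written; the client now waits for the server
    return outgoing.read()


def describe_record(data):
    """Decode the 5-byte TLS record header and the handshake type."""
    return {
        "content_type": CONTENT_TYPES.get(data[0], "unknown"),
        "record_length": int.from_bytes(data[3:5], "big"),
        "handshake_type": data[5],  # 1 = ClientHello
    }


def authentication_settings(ctx):
    """Report whether a client context authenticates the server."""
    return {
        "certificate_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


def unauthenticated_context():
    """Encryption only: any certificate is accepted, so a MITM can pose as the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    hello = first_flight("forum.example")   # constructed hostname
    print(describe_record(hello))
    print(authentication_settings(ssl.create_default_context()))
    print(authentication_settings(unauthenticated_context()))
```

Both contexts produce the same kind of first record; the difference is only in whether the client will reject a server that cannot prove its identity.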

Rildebai
Posts: 87
Joined: 2016-04-30 09:27
Location: Ireland

Re: Use HTTPS

#38 Post by Rildebai »

Is there any plan to implement https for DUF in the future? :?:
Write programs that do one thing and do it well. ~ Doug McIlroy on the UNIX Philosophy

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Use HTTPS

#39 Post by GarryRicketson »

Not that I know of.

llivv
Posts: 5484
Joined: 2007-02-14 18:10
Location: cold storage

Re: Use HTTPS

#40 Post by llivv »

@ NewHere
very insightful thought regarding wifi - in my opinion anyways.
With every new iteration of hardware there appears to be a SERIOUS lack of
attention to personal security. ie:
How many ways does your hardware connect?
If you haven't already thought about this issue, maybe it's time you looked into
the ways you connect.
Obviously ----
blah blah blah ->
If you are worried now, the future offers no hope for a better solution, so why
care anyway and keep those blinders firmly in place.

as of January 3, 2019
Rutaba Rais
has this to say concerning secure browsing.
https://www.beencrypted.com/5-best-secure-browsers/
may it help some to feel they still have some control over how much of their personal data is kept private from others (private, corporate or just plain old crack addicts) that might use it for personal or professional gains.

ps: llivv bows gracefully to h_o_s_a's slow clapping of hands
and hopes he enjoyed the show performed especially for him.
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

D2b2426R5d
Posts: 8
Joined: 2015-12-23 10:48

Re: Use HTTPS

#41 Post by D2b2426R5d »

2019 and still no HTTPS? What is wrong with this forum, people? :shock:

sunrat
Global Moderator
Posts: 3655
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 3 times
Been thanked: 4 times

Re: Use HTTPS

#42 Post by sunrat »

D2b2426R5d wrote:2019 and still no HTTPS? What is wrong with this forum, people? :shock:
The forum admins belong to a group of shamen who live in a remote mountain region unknown to mere mortals. They visit civilisation every few years to gauge the progress of humankind, always returning home shortly afterwards in exasperation and despair.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#43 Post by cuckooflew »

It's all just a toy anyway, why do you think the versions are "toy story" characters?
And, P.S.
They visit civilisation every few years to gauge the progress of humankind,
What civilization? Humans are not civilized, nor are considered an intelligent life form where I live.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#44 Post by cuckooflew »

If you really want to be enlightened, try this:

Code:

curl -s -I forums.debian.net 

sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Use HTTPS

#45 Post by sickpig »

debiman wrote:
dotlj wrote:Many other CAs are also U.S. based. Does that bother you when you connect to Amazon, Apple, Google, or any other of the most commonly used websites?
I can't see how being U.S. based means the Let's Encrypt certificates are less trustworthy than any other CA. Why pay any of the big companies when Let's Encrypt is doing so much to promote and support a safer Internet?
i should have clarified:
my comment was from the point of view of the server owner who decides to employ letsencrypt.
i was on the verge of doing it once and, apart from a deep mistrust in handing control to my complete system over to some unknown python script, i remember 100% that i read that i am effectively entering into some sort of contract with said entity, under US law.
i think you will understand that i, a citizen of an entirely different continent, both online and IRL, do not want to do that.

this has no impact on the person who browses the site, i'll agree to that.

btw, cacert.org is based in australia.
i used them for a while, but unfortunately their certificates are not "browser trusted" :(
i think it takes serious money to buy that trust (sic) - another interesting thought, what's letsencrypt's motivation of spending that and then giving the certificates away for free?
Please edit your post to capitalize Australia. i dont care about the rest of your spellings, grammar or sentence construction but when it comes to nations kindly bear some respect. Thanks.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

#46 Post by Head_on_a_Stick »

sickpig wrote:Please edit your post
debiman doesn't post here any more, he can't stand to be on the same boards as me :mrgreen:

He's active over at linuxquestions.org if you want to go and bother him there. Tell him HoaS says [redacted].

theblueplll
Posts: 154
Joined: 2019-04-29 01:17

Re: Use HTTPS

#47 Post by theblueplll »

sickpig wrote:
Please edit your post to capitalize Australia. i dont care about the rest of your spellings, grammar or sentence construction but when it comes to nations kindly bear some respect. Thanks.

It actually has nothing to do with respect.
It's proper english to capitalize the first letter to the name of a country.

D2b2426R5d
Posts: 8
Joined: 2015-12-23 10:48

Re: Use HTTPS

#48 Post by D2b2426R5d »

Can some admin seriously answer the question, what the f*ck is wrong with this forum? no TLS in 2019? Is someone stuck in 90's or something?

4D696B65
Site admin
Posts: 2621
Joined: 2009-06-28 06:09
Been thanked: 5 times

Re: Use HTTPS

#49 Post by 4D696B65 »

ask the orange guys

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#50 Post by cuckooflew »

Good luck at getting a reply, but if https is important to you, there are several groups on Facebook, they are all https:
https://web.facebook.com/debian/
Or this one:
https://web.facebook.com/groups/lifewithdebian/
Personally I trust this site with http, more than I do any site with https, the only thing https does is help trick the visitors into thinking they are more secure, when they aren't.
