Use HTTPS

Code of conduct, suggestions, and information on forums.debian.net.
Message
Author
Gerowen
Posts: 146
Joined: 2011-04-11 05:12

Re: Use HTTPS

#61 Post by Gerowen »

Head_on_a_Stick wrote:So you're using the same password everywhere? That's not wise.
No, I'm not, and that's not the point, you're deflecting. By that logic, you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form. You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.

kopper
Posts: 136
Joined: 2016-09-30 14:30

Re: Use HTTPS

#62 Post by kopper »

Head_on_a_Stick wrote:And what information would that be then? This is a public forum, all of the posts are visible even to non-members.
Head_on_a_Stick wrote:So you're using the same password everywhere? That's not wise.
So you (deliberately?) miss the point to share assumptions on other users' behavior you have no knowledge about? Really builds your case.

I do agree, it's a public forum. I don't think that's conflicting with anything I said in my post.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

User avatar
Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

#63 Post by Head_on_a_Stick »

Gerowen wrote:you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.
Yes.
Gerowen wrote:You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.
Correct.

My $DAY_JOB is sufficiently dangerous that body armour is considered a legitimate tax-deductible expense so perhaps my perception of risk is skewed but I am very happy with the provisions of these boards.

The electrons aren't free and this site isn't under the aegis of debian.org so the orange folks have my gratitude for this playground :)
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

Gerowen
Posts: 146
Joined: 2011-04-11 05:12

Re: Use HTTPS

#64 Post by Gerowen »

Head_on_a_Stick wrote:
Gerowen wrote:you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.
Yes.
Gerowen wrote:You're basically admitting that this website has weak security, but it's acceptable because we shouldn't be reusing passwords anyway.
Correct.

My $DAY_JOB is sufficiently dangerous that body armour is considered a legitimate tax-deductible expense so perhaps my perception of risk is skewed but I am very happy with the provisions of these boards.

The electrons aren't free and this site isn't under the aegis of debian.org so the orange folks have my gratitude for this playground :)
What does your job have to do with the discussion at hand? You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq because it doesn't have jack to do with what we're talking about here. Nice, not-so-low key humble brag though I guess.

On your other statement though about the electrons not being free, nobody is asking the forum admins to spend extra money; you can generate self signed certs, or if you don't want people to have to click past the message about an unknown cert, you can get a lets encrypt cert free of charge.

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#65 Post by cuckooflew »

Yea but to do that, it takes someone with full administrative privileges, full access to the server, and no one that is active here has those kind of privileges.
By that logic, you're basically saying it's perfectly ok for people to be allowed to see usernames and passwords being sent to this website in an unencrypted form.
I sure can't see any ones passwords,but sounds interesting, maybe you could explain how that is possible, and show some passwords you have seen, ? You probably can't. because you can not see other peoples passwords, if you can , prove it.

Oh, and then this is hilarious :
You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq because it doesn't have jack to do with what we're talking about here. Nice, not-so-low key humble brag though I guess.
But you just had to brag about that, and now we all do see it.

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Use HTTPS

#66 Post by andre@home »

On the quoted weblink the discussion stopped in 2017.
http://forums.debian.net/viewtopic.php?f=12&t=118960

What I see on the internet there are 2 groups: the ones are "pro" htpps and the others are "against" https.
Apparently is seems virtually impossible for the one to convince the other, so it seems to be become more and more long semantic discussions....

So currently the choice is for the user, accept what it i now and stay or leave.
As users we do not have the influence to change this.

I'm putting my energy into other things....

User avatar
Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Use HTTPS

#67 Post by Head_on_a_Stick »

Gerowen wrote:Nice, not-so-low key humble brag though I guess.
Thanks, I've been waiting ages for an opportunity to shoehorn that into a post :mrgreen:
Gerowen wrote:You don't see me talking about getting free (to me anyway) body armor and ammo in Iraq
Holy shit d00d that's pretty extreme, why are you worrying about something as trivial as https?
Gerowen wrote:nobody is asking the forum admins to spend extra money; you can generate self signed certs, or if you don't want people to have to click past the message about an unknown cert, you can get a lets encrypt cert free of charge.
The admins have donated the server space that runs these forums, it is not covered by Debian donations (AFAIK) and so constitutes a gift to the community. With that in mind demands for "better service" seem a bit, well, rude. IMO.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

User avatar
sickpig
Posts: 589
Joined: 2019-01-23 10:34

Re: Use HTTPS

#68 Post by sickpig »

welcome to the club Gerowen, I have been d00ded by hoas too! cryptic bloke it is, but quite helpful

User avatar
efdevse
Posts: 23
Joined: 2020-06-19 21:07

Re: Use HTTPS

#69 Post by efdevse »

debian.org is using an LE cert. Since LE can do wildcards, it's a bit odd why this forum haven't got it yet.

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#70 Post by cuckooflew »

Considering that this forum is .net ,(debian.forums.net), and debian.org is a entirely different website, nothing odd about it. It does strike me as odd that some one would still want to beat this dead horse, after all that has been said in various older topics.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

User avatar
efdevse
Posts: 23
Joined: 2020-06-19 21:07

Re: Use HTTPS

#71 Post by efdevse »

cuckooflew wrote:Considering that this forum is .net ,(debian.forums.net), and debian.org is a entirely different website, nothing odd about it. It does strike me as odd that some one would still want to beat this dead horse, after all that has been said in various older topics.
Missed that part. Still, it's not a hard thing to do.

// The dead horse… I assume the horse is http.

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#72 Post by cuckooflew »

No , the dead horse is the endless discussion on using https, it is clear for some reason, the administrator of the forum has choosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either. I will say this much, I agree, there is no real reason to use it on this forum/site, all though many persons in the endless discussion on this, have pointed the many reasons they imagine we need it.
I will add, I don't use it my self on any of my webistes and forums that I administer....no need to spam the forum with a list though,...
Years ago, I did honestly have a problem with my system clock, and setting it,...I needed help with that, every other forum I tried to connect to was https, and I was not able to connect. Finally I stumbled on to this one, it was listed in the search results, but way down toward the bottom, any finally , I found a forum that was http, and I was able to connect just fine, and got the help I needed. SOOOO, go figure, Is https really such a good thing , for a OS support forum, where many of the users are trying to connect with a perhaps crippled system ? Supposedly there is optional choice, where one can select to use http instead,
and I suppose as long as the http option is available , then it would not matter, but in anyevent , that goes back to the same point that I mentioned to start with,...
Me: it is clear for some reason, the administrator of the forum has choosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either.
So you see , it is just a endless loop, and if you actually read all of the posts in the 5 or 6 various topics, but on the same subject, you will see what I mean. I could post links to all the topics, but it is a "dead horse", and I really don't feel like beating it any more. It won't do any good, no one will ever convince those that do not want https that we should use it. and like wise no one that wants http will ever convince the people that promote https that http is ok. In other words, the ones that like and want https, will always argue that it is necessary, the ones that don't want it will all ways argue that it isn't. So it is a deadhorse, a old and pointless , endless discussion. :mrgreen:
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

User avatar
efdevse
Posts: 23
Joined: 2020-06-19 21:07

Re: Use HTTPS

#73 Post by efdevse »

Yes, I can imagine there's been a few posts about this. I just replied to this one, since it was fairly rescent. No, there's no reason to repeat, but since you took the time to write a good reply, I'll response to some of it.
cuckooflew wrote: I will say this much, I agree, there is no real reason to use it on this forum/site, all though many persons in the endless discussion on this, have pointed the many reasons they imagine we need it.
I will add, I don't use it my self on any of my webistes and forums that I administer....no need to spam the forum with a list though, // ... //

Years ago, I did honestly have a problem with my system clock, and setting it,...I needed help with that, every other forum I tried to connect to was https, and I was not able to connect.
Yes, that can be tough… There are simular cases with Rasbery Pi's (no hwclock), but it usually helps to use ntpd or crony to get the clock running as it should.

If your clock was an hour or a day off or so… and it was because of an expired certificate - then you had really bad luck. But, if you had serveral site that didn't let you in… Perhaps their HTTPS settings were too “modern” for your browser? That's always a delicate balance – how far back you shuold support old browsers. (Example: ssl-config.mozilla.org. Look at the different browser support between old, intermediate and modern.) I usually go with intermediate if it's a larger site or someone else site, and modern on my own sites.

cuckooflew wrote:Is https really such a good thing , for a OS support forum, where many of the users are trying to connect with a perhaps crippled system ?
If it's not good here, then it's not good on the Wiki either. That'd be one of the first places I look for answers if my system is crippled.

cuckooflew wrote:Supposedly there is optional choice, where one can select to use http instead, and I suppose as long as the http option is available , then it would not matter, // ... //
Unless you (force) redirect all traffic to 443, on the server level, there's always the option for the visitor to use http instead. For a place like this (OS support forum), that would maybe be considered, for those reasons you mentioned earlier. So, even if you add HTTPS to a site and make that default - you can always have HTTP available. It's just how you configure it. Then no one will get hurt.

cuckooflew wrote:It won't do any good, no one will ever convince those that do not want https that we should use it. and like wise no one that wants http will ever convince the people that promote https that http is ok. In other words, the ones that like and want https, will always argue that it is necessary, the ones that don't want it will all ways argue that it isn't. So it is a deadhorse, a old and pointless , endless discussion. :mrgreen:
I think we all can agree on that HTTPS is a better choice, but the “why's” and reasons to use it may differ. For example, I don't see any reason not to - where you have a few ones.

One good reason though… Since browsers are punishing non-HTTPS sites now in different ways (blocking, lower page rank, display page as unsecure, etc.). I think it's soon hard to avoid it.

Old and pointless… naah. :–)
Endless… Well, that is actullay “fixable”:
cuckooflew wrote:it is clear for some reason, the administrator of the forum has choosen not to use https, but they have never posted a response explaining their reasons. There is no reason to expect they will either.
It would be great if they decided to speak up, and explain their reasons why, or when …or why not. Until then it will always seem a bit odd to me, since they have it on all the other pages. But, since they are the ones to decide… If they'd speak up, then there's no reason speculate anymore. And the endless becomes end… :–)

/2¢

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#74 Post by cuckooflew »

by efdevse » 2020-06-26 04:14
Yes, I can imagine there's been a few posts about this.
A few posts ? that's funny, more like "A lot of posts, and several topics",...to many to count.
efdevse »It would be great if they decided to speak up, and explain their reasons why, or when …or why not. Until then it will always seem a bit odd to me, since they have it on all the other pages.
Ahh, ok, I guess I forgot to mention, or was not clear,
You mean they , as in the Debian.org website admins ? The Debian.org website is administered by differnt persons, they have nothing to do with the administration of the forums.debian.net site. Originally the forum was setup and started by a individual, using hardware they had for the server, they do have some other projects, websites , etc on that server, but Debian.org is not one of them.
This forum is mentioned on the Debian.org website, but it is only a mention,and is called a "web portal" providing the link and some details. There used to be some other forums mentioned as well, but they are not there any more.
https://www.debian.org/support
Forums

Debian User Forums is a web portal on which you can discuss Debian-related topics, submit questions about Debian, and have them answered by other users.
Last edited by cuckooflew on 2020-07-02 02:44, edited 1 time in total.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

cuckooflew
Posts: 681
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Use HTTPS

#75 Post by cuckooflew »

Here is one other topic/thread, there are even more though:
http://forums.debian.net/viewtopic.php?f=12&t=135350
=========================
and yet another: http://forums.debian.net/viewtopic.php?f=12&t=122422
To be continued --------forever :mrgreen:
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

manuelmagic
Posts: 5
Joined: 2020-12-09 20:46
Location: Italy

Re: Use HTTPS

#76 Post by manuelmagic »

GarryRicketson wrote:It is not that big of a deal, and yes the same could apply to saying FDN instead of Forums Debian Net.
These acronyms , chat speak, etc, all make it much harder for those that do not speak / write English, and when they put the text into a translator, it does not translate well.
Back to the https issue, and this is something I said before in the other topics. To start with the only person that can add https, or ssl to the forum / website is the owner/admin of the server, the suggestion or request has been made several times, but for what ever reason they choose not to do that.
One reason I think, and valid, if you give it some thought:
We get many people coming here with "crippled" systems, or in the middle of installing, configuring, etc.
If it was https, they might have a lot of trouble accessing the forum and being able to post details, ask the question. For example, if your clock, time and date is not yet set properly, it can lead to not being able to access a site using https.
Another example, not to long ago someone asked about a problem, apparently the solution was available but at another site, so someone posted a link to that site, and the thread with the solution. I was going to look at it, but couldn't. Why ? It said the "certificate is expired",... So great, the site uses https, but nobody could access because the certificate is expired.
It would not be appropriate, nor is it necessary to be using https here. This is not a "banking" site and
it needs to be easily accessed, for those that need to get help immediately.
I came across this thread out of curiosity regarding the question "why forums.debian.net does not run on HTTPS?" and, in my opinion, this response is solid (even if probably it is not the actual reason behind the choice by the forum admin).
It happened to me in the past to log on a computer with the wrong date (run out motherboard battery) and it took me a while to realize why I couldn't surf the web.

User avatar
ComputerBob
Posts: 1199
Joined: 2007-11-30 04:49
Location: The Beautiful Sunshine State

Re: Use HTTPS

#77 Post by ComputerBob »

Isn't https a choice?

Isn't it possible to easily do both -- serve https to users whose equipment can process it, but fall back to http for those whose equipment can't process https?
Last edited by ComputerBob on 2020-12-14 13:20, edited 1 time in total.
ComputerBob - Making Geek-Speak Chic (TM)
ComputerBob.com - Nearly 6,000 Posts and 22 Million Views
My Ministry
My Massive Stroke
_________________
Your Life Matters

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Use HTTPS

#78 Post by sgosnell »

it is possible, the the site owner doesn't seem to want to do that. We get what we get, and accept it or go elsewhere.
Take my advice, I'm not using it.

User avatar
ComputerBob
Posts: 1199
Joined: 2007-11-30 04:49
Location: The Beautiful Sunshine State

Re: Use HTTPS

#79 Post by ComputerBob »

Thanks for the confirmation.
ComputerBob - Making Geek-Speak Chic (TM)
ComputerBob.com - Nearly 6,000 Posts and 22 Million Views
My Ministry
My Massive Stroke
_________________
Your Life Matters

marco__mg
Posts: 3
Joined: 2013-10-20 09:40

Re: Use HTTPS

#80 Post by marco__mg »

Welcome to 2021 with no ssl and the old phpbb 3.0.11
http://forums.debian.net/docs/CHANGELOG.html

Post Reply