mersenneforum.org  

Old 2018-03-10, 09:10   #56
Nick
 
 
Dec 2012
The Netherlands

2×23×37 Posts

Quote:
Originally Posted by yoyo View Post
It sounds to me as if you would leave the door to your flat open because any lock can be broken.
No, but changing to a new lock and expecting everyone to pay for new keys without a good reason would be a bad idea too.

Of course there is an element of devil's advocate in my response.
But we have enough security experts on this forum, at both academic and technical levels, to reach a considered view together.
Old 2018-03-10, 09:18   #57
heliosh
 
Oct 2017
++41

53 Posts

TLS would also allow the use of HTTP/2 and maybe future standards yet to come.

It's weird to have a discussion in 2018 about whether to use https or not, while https is the de facto standard and browsers even give a warning when visiting http-only websites.



Using letsencrypt it only takes 5-10 minutes of your time to enable https. I can lend you a hand if you need assistance.
Old 2018-03-10, 09:18   #58
yoyo
 
 
Oct 2006
Berlin, Germany

10011010012 Posts

On my servers I enabled https without any additional costs. I didn't even have to ask the provider.
As stated before, if you have root access to the host you can enable https very easily.

I don't know on which model this forum is running, if it is a root server or a managed host without root access?
Old 2018-03-10, 09:40   #59
xilman
Bamboozled!
 
 
"𒉺𒌌𒇷𒆷𒀭"
May 2003
Down not across

10,753 Posts

Quote:
Originally Posted by Nick View Post
I think Mike's opening post summarizes the situation succinctly.

No, most forum members have not expressed an opinion on this.
OK, time to stand up and be counted.

I whole-heartedly recommend moving to https.

Added in edit: If it costs more I will also put my money where my mouth is.

Last fiddled with by xilman on 2018-03-10 at 09:41
Old 2018-03-10, 10:37   #60
LaurV
Romulan Interpreter
 
 
Jun 2011
Thailand

22·33·89 Posts

Quote:
Originally Posted by Nick View Post
No, most forum members have not expressed an opinion on this.
That is because we (royal we) have no freaking idea why one would be better/worse than the other, and we (royal we again) really don't care on which protocol we argue against everybody else here...
Old 2018-03-10, 12:28   #61
VictordeHolland
 
 
"Victor de Hollander"
Aug 2011
the Netherlands

23·3·72 Posts

If money is the issue stopping the forum from going HTTPS, I'd gladly make a donation (preferably via the Paypal "send to friends/family" option, so you don't incur extra costs).

BTW: where is the donation page/link anyway?
Old 2018-03-10, 14:18   #62
M344587487
 
 
"Composite as Heck"
Oct 2017

11001011102 Posts

Put it this way: I'd prefer https as a matter of course, but if it was up to me to implement I might not bother.
Old 2018-03-10, 17:19   #63
Dubslow
Basketry That Evening!
 
 
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88

3×29×83 Posts

The donation page is hidden when not necessary.

I think it's safe to say that the internet security community has generally agreed that https is better than http. Various web browser providers, including not only Google but also Mozilla, will within a year or two mark http as insecure.

As far as "worst security problems this forum has ever faced", although we certainly can state that DDoS attacks have happened, there's no way to be certain that there aren't larger problems we aren't currently aware of. http leaves open a wide variety of MitM attacks and various other snooping and authentication problems. https is also, now, easy to install. There is no valid reason to not use it (not even cost, given that multiple people have volunteered to help in that respect).

I believe the best course of action to proceed would be to nominate various sysadmin users who are able to help Mike, then create a private forum (or PM group) where those nominated can discuss the specifics of https installation for the particular server-OS software combination this forum uses. (I believe the OS is FreeBSD?) As a starter for the list of people able to help, I nominate yoyo/ChristianB and chalsall. I have no personal experience with https but am willing to observe the discussion if thought necessary or useful. Are there any others who have sysadmin experience who would like to nominate themselves?


Some links to support my assertion:

https://www.eff.org/encrypt-the-web
https://blog.mozilla.org/security/20...n-secure-http/
https://blog.mozilla.org/security/20...n-secure-http/

(To be clear, https is not a be-all-end-all solution, and like any security protocol, has vulnerabilities and problems [most notably, in my recollection, the significant centralization of the certificate chain/network], but it is indisputably a major upgrade in security from https. No lock is perfectly secure, but a basically-functional lock is ten times or a hundred times better than no lock at all.)

Last fiddled with by Dubslow on 2018-03-10 at 17:27
Old 2018-03-10, 23:47   #64
chalsall
If I May
 
 
"Chris Halsall"
Sep 2002
Barbados

37·263 Posts

Quote:
Originally Posted by Dubslow View Post
I think it's safe to say that the internet security community has generally agreed that https is better than http.
Horror vacui.
Old 2018-03-11, 21:23   #65
ewmayer
2ω=0
 
 
Sep 2002
República de California

103·113 Posts

Quote:
Originally Posted by henryzz View Post
Thanks - got it! Seems to be running OK so far under macos 10.6.8, though on initial startup it only gave me the option of importing my settings from Safari (which I only use rarely on the Mac), not from FF.

Last fiddled with by ewmayer on 2018-03-12 at 05:14
Old 2018-03-11, 21:36   #66
chalsall
If I May
 
 
"Chris Halsall"
Sep 2002
Barbados

37·263 Posts

Quote:
Originally Posted by ewmayer View Post
Thanks - got it! Seems to be running OK so far under macos 10..8, though on initial startup it only gave me the option of importing my settings from Safari (which I only use rarely on the Mac), not from FF.
Cool. The boy has a client which can deal with HTTPS.

All times are UTC.

This forum has received and complied with 0 (zero) government requests for information.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.