Why no https???

[beavers]

Why no encryption on this site?

[sacerdos_daemonis]

Is it necessary to encrypt the contents of a public forum with information to help people solve computer problems?

[Beastie]

Quote:

Originally Posted by sacerdos_daemonis

Is it necessary to encrypt the contents of a public forum with information to help people solve computer problems?

Probably not, but it would still be preferable to encrypt the log in process/cookie data.

[rons]

Quote:

Originally Posted by Beastie

Probably not, but it would still be preferable to encrypt the log in process/cookie data.

With an unencrypted connection it's easier for an interloper to do an MITM exploit - and transmit malware, etc. Really, it's not even an exploit of any consequence when the stream is http - pretty easy. It doesn't seem to me that it'd be much more of a maintenance issue to add the secure https server to the site.

I come here occasionally because NetBSD doesn't really have a forum of its own. But I always think to myself when I visit, "Oops, I'm going to be http again."

[Beastie]

Quote:

Originally Posted by rons

and transmit malware, etc.

Most attacks rely on some kind of scripting on the client's side. Disable JavaScript on all websites that don't require it to function and you'll avoid most attacks.

Encryption of any kind is resource-intensive, which is why I suggested only the log in process and cookie data be encrypted.

Most of the content is text-only and I doubt anyone will bother MITM'ing our threads. The only code you'll find around here is in source code, not binary, form.

In any case, Daemon Forums is a free service that we - its users - don't own, so we shouldn't normally get any say in the final decision. </My humble opinion, naturally.>

[Funkygoby]

It seems to me that https involves two distinct mechanisms. Please correct me:

1- The stream is (asymetrically) encrypted so no 3rd party can read or inject content.
2- You are garanteed to be visiting the right website through the use of "trusted" certificates. Each domain has his own certificate delivered by organizations.

With those 2 features combined, you should end up with a secure connexion to the legitimate website.

The problem is, we (internet users) are trusting a handful of organizations to be competent in doing the right things: provide certificates to the right people. So far symantec and trustico have comfirmed that, again, this is prone to failure.

The stream is encrypted but maybe not secure if the certificate is compromised.

To conclude, I am all for encrypted stream where it is needed. Regarding this forum, I am not sure. Is the login/password encrypted or plain text? My password is disposable after all. Steal it all you want I don't care and will just generate a new one.
Certificate OTOH is a false sense of secutiy IMO.
I like @tedu approach with his website: https with his own untrusted certificate that you have to accept once.

[beavers]

Quote:

Originally Posted by Beastie

Probably not, but it would still be preferable to encrypt the log in process/cookie data.

This, at the very least. We're not talking about vast quantities of data here, it wouldn't be that much more resource intensive to just encrypt everything. Yes, proc and network usage will go up -- slightly. On reasonably modern hardware, that doesn't particularly strike me as a reason not to do it.

[beavers]

Quote:

Originally Posted by Beastie

In any case, Daemon Forums is a free service that we - its users - don't own, so we shouldn't normally get any say in the final decision. </My humble opinion, naturally.>

The owners put up a "Feedback and Suggestions" section on the forum for this very purpose. No demands here, just . . . some feedback, and a suggestion.

[Carpetsmoker]

The simple reason is that when I started this site in 2008, I didn't have a lot of money, and paying for the domain and hosting was already comparatively expensive at the time, so a SSL cert was a bit too much.

From memory, I think I set up some CACert stuff back in the day. Or maybe I did eventually get a mainstream certificate. I don't recall.

I handed stuff over a few years ago, and haven't been very active since. I'm not even sure who manages things now.

I'm not sure if it's really worth setting up, given the low level of activity these days.

[Trihex]

I got a free Let's Encrypt SSL Certificate for my site to keep Google happy though I don't even use cookies. If you don't use HTTPS Google is going to start negatively factoring that into your search engine ranking.

[graudeejs]

Yes, I was like "What the Beast?" as well

[raindog308]

Quote:

Originally Posted by Carpetsmoker

I'm not sure if it's really worth setting up, given the low level of activity these days.

I'm an occasional participant and I guess a contributor to "low level of activity". Today when I logged in I was surprised it was http-only. That's how unusual it's become.

Let's Encrypt is very simple to setup, and free, so cost is no longer a consideration. And as already noted, you're paying a Google penalty for not being https.

There's really no good reason not to use https these days...http is deprecated, and BSD users are generally more technically savvy users.

Just my opinion :-)