DaemonForums  

Go Back   DaemonForums > DaemonForums.org > Feedback and Suggestions

Feedback and Suggestions We want to hear your thoughts and ideas!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th August 2018
beavers beavers is offline
Shell Scout
 
Join Date: Nov 2017
Posts: 85
Default Why no https???

Why no encryption on this site?
Reply With Quote
  #2   (View Single Post)  
Old 30th August 2018
sacerdos_daemonis's Avatar
sacerdos_daemonis sacerdos_daemonis is offline
Real Name: Will forever be a secret.
Spam Deminer
 
Join Date: Sep 2014
Posts: 283
Default

Is it necessary to encrypt the contents of a public forum with information to help people solve computer problems?
Reply With Quote
  #3   (View Single Post)  
Old 31st August 2018
Beastie Beastie is offline
Daemonology student
 
Join Date: Jan 2009
Location: /dev/earth0
Posts: 335
Default

Quote:
Originally Posted by sacerdos_daemonis View Post
Is it necessary to encrypt the contents of a public forum with information to help people solve computer problems?
Probably not, but it would still be preferable to encrypt the log in process/cookie data.
__________________
May the source be with you!
Reply With Quote
  #4   (View Single Post)  
Old 31st August 2018
rons's Avatar
rons rons is offline
Snoozing
 
Join Date: Oct 2015
Posts: 69
Default

Quote:
Originally Posted by Beastie View Post
Probably not, but it would still be preferable to encrypt the log in process/cookie data.
With an unencrypted connection it's easier for an interloper to do an MITM exploit - and transmit malware, etc. Really, it's not even an exploit of any consequence when the stream is http - pretty easy. It doesn't seem to me that it'd be much more of a maintenance issue to add the secure https server to the site.

I come here occasionally because NetBSD doesn't really have a forum of its own. But I always think to myself when I visit, "Oops, I'm going to be http again."
Reply With Quote
  #5   (View Single Post)  
Old 1st September 2018
Beastie Beastie is offline
Daemonology student
 
Join Date: Jan 2009
Location: /dev/earth0
Posts: 335
Default

Quote:
Originally Posted by rons View Post
and transmit malware, etc.
Most attacks rely on some kind of scripting on the client's side. Disable JavaScript on all websites that don't require it to function and you'll avoid most attacks.

Encryption of any kind is resource-intensive, which is why I suggested only the log in process and cookie data be encrypted.

Most of the content is text-only and I doubt anyone will bother MITM'ing our threads. The only code you'll find around here is in source code, not binary, form.

In any case, Daemon Forums is a free service that we - its users - don't own, so we shouldn't normally get any say in the final decision. </My humble opinion, naturally.>
__________________
May the source be with you!
Reply With Quote
  #6   (View Single Post)  
Old 9th September 2018
Funkygoby Funkygoby is offline
Fdisk Soldier
 
Join Date: Aug 2015
Posts: 57
Default

It seems to me that https involves two distinct mechanisms. Please correct me:

1- The stream is (asymetrically) encrypted so no 3rd party can read or inject content.
2- You are garanteed to be visiting the right website through the use of "trusted" certificates. Each domain has his own certificate delivered by organizations.

With those 2 features combined, you should end up with a secure connexion to the legitimate website.

The problem is, we (internet users) are trusting a handful of organizations to be competent in doing the right things: provide certificates to the right people. So far symantec and trustico have comfirmed that, again, this is prone to failure.

The stream is encrypted but maybe not secure if the certificate is compromised.

To conclude, I am all for encrypted stream where it is needed. Regarding this forum, I am not sure. Is the login/password encrypted or plain text? My password is disposable after all. Steal it all you want I don't care and will just generate a new one.
Certificate OTOH is a false sense of secutiy IMO.
I like @tedu approach with his website: https with his own untrusted certificate that you have to accept once.
Reply With Quote
  #7   (View Single Post)  
Old 12th September 2018
beavers beavers is offline
Shell Scout
 
Join Date: Nov 2017
Posts: 85
Default

Quote:
Originally Posted by Beastie View Post
Probably not, but it would still be preferable to encrypt the log in process/cookie data.
This, at the very least. We're not talking about vast quantities of data here, it wouldn't be that much more resource intensive to just encrypt everything. Yes, proc and network usage will go up -- slightly. On reasonably modern hardware, that doesn't particularly strike me as a reason not to do it.
Reply With Quote
  #8   (View Single Post)  
Old 12th September 2018
beavers beavers is offline
Shell Scout
 
Join Date: Nov 2017
Posts: 85
Default

Quote:
Originally Posted by Beastie View Post
In any case, Daemon Forums is a free service that we - its users - don't own, so we shouldn't normally get any say in the final decision. </My humble opinion, naturally.>
The owners put up a "Feedback and Suggestions" section on the forum for this very purpose. No demands here, just . . . some feedback, and a suggestion.
Reply With Quote
  #9   (View Single Post)  
Old 26th September 2018
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
Default

The simple reason is that when I started this site in 2008, I didn't have a lot of money, and paying for the domain and hosting was already comparatively expensive at the time, so a SSL cert was a bit too much.

From memory, I think I set up some CACert stuff back in the day. Or maybe I did eventually get a mainstream certificate. I don't recall.

I handed stuff over a few years ago, and haven't been very active since. I'm not even sure who manages things now.

I'm not sure if it's really worth setting up, given the low level of activity these days.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
Old 28th November 2018
Trihex's Avatar
Trihex Trihex is offline
Real Name: Trihexagonal
Shell Scout
 
Join Date: Jul 2017
Location: Land of the Dead
Posts: 87
Default

I got a free Let's Encrypt SSL Certificate for my site to keep Google happy though I don't even use cookies. If you don't use HTTPS Google is going to start negatively factoring that into your search engine ranking.
Reply With Quote
Old 4th January 2019
graudeejs's Avatar
graudeejs graudeejs is offline
Real Name: Aldis Berjoza
ISO Quartermaster
 
Join Date: Jul 2008
Location: Riga, Latvia
Posts: 589
Default

Yes, I was like "What the Beast?" as well
Reply With Quote
Old 19th July 2019
raindog308 raindog308 is offline
Fdisk Soldier
 
Join Date: Sep 2011
Posts: 67
Default

Quote:
Originally Posted by Carpetsmoker View Post
I'm not sure if it's really worth setting up, given the low level of activity these days.
I'm an occasional participant and I guess a contributor to "low level of activity". Today when I logged in I was surprised it was http-only. That's how unusual it's become.

Let's Encrypt is very simple to setup, and free, so cost is no longer a consideration. And as already noted, you're paying a Google penalty for not being https.

There's really no good reason not to use https these days...http is deprecated, and BSD users are generally more technically savvy users.

Just my opinion :-)
Reply With Quote
Old 24th February 2021
Omphalotus_japonicus Omphalotus_japonicus is offline
New User
 
Join Date: Jan 2021
Posts: 9
Default

I use the Tor Browser to preserve my privacy and I access this forum through it. Without HTTPS a malicious exit node could sniff my login information and compromise my account.
Reply With Quote
Old 28th February 2021
ohmpr ohmpr is offline
Port Guard
 
Join Date: Feb 2021
Posts: 20
Default wowsers!

i didn't even notice it wasn't using https, b/c i just expect that these days. If someone doesn't want to use https for their static html site and doesn't care about SEO, then fine (i still probably won't visit their site), but any site that has login should be using tls, IMHO, because otherwise it is compromising users' email addresses and whatever else they want to collect that was intended for this site's servers only. I just don't like feeding the dataminers as a matter of principle and every data point helps them.

Please consider adding a letsencrypt certificate. It can be automated so that it's not a maintenance burden, though i just use the dns method for some apps, b/c i had some breakage with my automation on those, and decided it's just easier on my nerves. If there are hosting burdens maybe we can help.

Thanks
Reply With Quote
Old 5th April 2021
grahamperrin grahamperrin is offline
Real Name: Graham Perrin
New User
 
Join Date: Mar 2021
Location: UK
Posts: 4
Lightbulb Compatibility with HTTPZ

After receiving registration details for the site, I did nothing for around two weeks because I assumed that the site was down.

Eventually, after receiving a registration reminder, I realised that DaemonForums is a very rare example of a site that doesn't work with the HTTPZ extension for Firefox:

I see the 2017 topic, DaemonForums and https?

I'm here now
Reply With Quote
Old 7th August 2022
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

I can now only read the forum using HTTPS . Is this a real change, or have I been hacked?
Reply With Quote
Old 7th August 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Yes, it is a real change.

But it is through a dirty hack. I put a HTTPS proxy/relay in front of the original site .........
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 7th August 2022
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

Thanks, and congratulations on the change!
Reply With Quote
Old 9th August 2022
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

J65nko
The issue of some portion of your site not being designated https even though most is, and Firefox issuing a warning that some portions of the site is un-secure is the same issue i had with all my sites when converting. I just located a couple of links or other issues with site map etc that i had not changed from http to https.
Good work, it will help your rating, and peoples perception and of course visiting and interacting with the site itself.
Reply With Quote
Old 9th August 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

I had to change some of the custom BBcode like [oman=1]fdisk[/oman] because they still used 'http' instead of 'https'. Together with the changes in the footer page (Daemon image copyright) etc. it has become better.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
DaemonForums and https? hitest Off-Topic 11 24th August 2017 04:34 AM
Relayd as a HTTPS client e1-531g OpenBSD Security 4 11th January 2016 07:11 PM
snownews to support https daemonfowl OpenBSD Packages and Ports 9 26th October 2013 06:13 PM
https ports on PF mug23 OpenBSD Security 5 4th March 2011 10:11 PM


All times are GMT. The time now is 09:02 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick