HTTPS


34 replies to this topic

#26 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 29 June 2019 - 01:06 AM

You know what? My request was simple. It was respectful and was meant to help out. Instead I am slammed because people are so angry at the move over to HTTPS that they want to take it out on others. The harsh reality is that modern day browsers are going to mark this site as "Not Secure" and scare people away from visiting. I just moved at least 10 of my sites over to HTTPS using Let's Encrypt certificates. I automated everything and it was simple. Now my sites are secure and no longer have that marking. You can rebel against the way things are moving but that does not change anything. The end result is that you just look foolish. So why don't we just work to move this site over to secure certificates and call it a day. I could help with the move as well. Again..... This was an innocent request meant to help out the site, not to garner anger and resentment. Thank You.



#27 Steptoe

Steptoe

    Newbie

  • Members
  • 11 posts
  • Interests: Restoring Classic cars, Gardening, breeding endangered parrots for conservation, the Grand Children.
  •  
    New Zealand

Posted 29 June 2019 - 01:44 AM

You know what? My request was simple. It was respectful and was meant to help out. Instead I am slammed because people are so angry at the move over to HTTPS that they want to take it out on others. The harsh reality is that modern day browsers are going to mark this site as "Not Secure" and scare people away from visiting. I just moved at least 10 of my sites over to HTTPS using Let's Encrypt certificates. I automated everything and it was simple. Now my sites are secure and no longer have that marking. You can rebel against the way things are moving but that does not change anything. The end result is that you just look foolish. So why don't we just work to move this site over to secure certificates and call it a day. I could help with the move as well. Again..... This was an innocent request meant to help out the site, not to garner anger and resentment. Thank You.

 

Yep was a simple request...totally agree.

I gave my thoughts as it pertained to MY sites..

A couple good informative posts after that, both sides of the coin.

Shame so much of social media is full of over the top stuff..

And why after 25/30yrs I have not gone down the route of Twitter FB etc.

Thanks for the constructive posts.

The bar is flat tomorrow, take the boat out for a mid winter fish.



#28 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 29 June 2019 - 02:34 AM

OMG that is so funny.. I saw mid winter fish and thought, wait it is summer! Then I saw your location! Sounds fun!! Enjoy!!!



#29 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 June 2019 - 08:33 AM

Only for the record, this was just an (evidently failed :() attempt at humour:

In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS or better through a dedicated app (in dual version, iOS and Android).

 
 
@pgeremia DELETED ACCOUNT PeteG5000
Of course I have nothing against HTTPS (though I still believe[1] in the specific case of a public forum it is not in any way *needed* in the sense that it doesn't actually solve any *real* problem), but the moment I have been called "ridiculous" (most probably in a very respectful tone that I somehow missed) only because I didn't agree:
1) on this assumed "need"
2) on the reason for HTTPS not being implemented being due to the ignorance on the matter by the Owner and Administrators of the board
the discussion is over.
 
@assarbad
You didn't make the request, you just "endorsed" it, the request came from Pete and was later "pushed" by GabF, and seemingly I wasn't too off when saying "people who never took any interest in the community if not for proposing this particular request":
 
 
 

I wasted way too much time on this that was just an attempt to contribute to a forum I have very little interest in:

 
 
 
As a side note - your "preventive" Snowden's quote was - IMHO - gratuitous and condescending.
 
You do have however a point on erwan.l's tools being a huge potential risk for the community, like - say - 99.9999% of files you can download from the internet, he should really do something about that, though IMHO before adding hashes (and encryption and password protection) he might want to start adding version to the name of files :innocent:  ;) .
 
:duff:
Wonko
 
[1] personally, and in my own ignorance on the matter, ignorance that is declared and my own, and that does not extend to the competences of Nuno, erwan.l and the other peeps that manage the site/board.

#30 assarbad

assarbad

    Member

  • Members
  • 39 posts
  •  
    Germany

Posted 29 June 2019 - 09:01 AM

AFAIC, debating about https is fine.
But being called an ignorant because i am only debating is not fine :)

 

Who did, though? Maybe you should have quoted whomever you meant, so not everyone of us who assumed the unpopular position in this thread would have to think they're meant?

 

Wonko alleged that some of the participants in this discussion were doing it (i.e. calling you and your peers ignoramuses), but that's about the worst possible interpretation one could use of what was written (and responses indicate that wasn't even the intent). Besides, in written conversation it makes sense to presume good faith, because a lot of the typical cues available in a face-to-face conversation are lost in this mode of communication.

 

Wonko also mentioned his own personal ignorance and indeed GabF had a point when he posited that we are all ignorant in most subject matters, because you can only master so many at once.

 

And surely not encouraging me to spend time on this matter.

 

Absolutely understandable. Been there, done that. Why? Because I have hosted a forum about a particular FLOSS remote control software since 2004 and many times have had comparable requests. HTTPS, though, no one needed to request that. I even had that going before LetsEncrypt was born.

 

I am dealing with such requests in my job everyday (being a network admin) : being called names or being yelled at will surely not happen here when i consider this place a hobby for fun.

 

Well, as a network admin you should be no stranger to risk analysis. And since you dodged the main subject in your last response and instead concentrated on the less preferable aspect of the discussion, do you object to my risk analysis in any way? After all we were told we'd have to make a case for HTTPS (or transport encryption) for it to happen.



#31 misty

misty

    Gold Member

  • Developer
  • 1069 posts
  •  
    United Kingdom

Posted 29 June 2019 - 09:28 AM

Please be advised that some of the long standing members of this forum are grumpy old b@st@rds - myself definitely included.

Please do consider that the board has been subjected to a lot of spam recently and from my own perspective when someone with a limited post count starts a discussion then thoughts of spam quickly appear in my head.

In my opinion warnings from browsers that a site is not secure just because it's http is not a reason for switching to https. Personally I have never experienced such a warning and frankly wouldn't care less if I did. I am responsible for my own security when accessing the net and am still susceptible to security issues whether a site is http or https.

I am definitely an ignoramus about the whole issue of security and the pros and cons of https v's http. I will read more, but at the moment I'm not convinced of the need to switch based on the arguments presented here.
 

You know what? My request was simple. It was respectful and was meant to help out.

It was a simple request. And it was not disrespectful. However it was a very brief post from a forum member that is not particularly well known, requesting a seemingly (to me) big change without initially going into a detailed explanation of why this is so necessary.
 

You do have however a point on erwan.l's tools being a huge potential risk for the community, like - say - 99.9999% of files you can download from the internet, he should really do something about that, though IMHO before adding hashes (and encryption and password protection) he might want to start adding version to the name of files :innocent: ;) .

Erwan's tools are usually bloody dangerous. Nothing to do with his skills or the inconsistency in his versioning numbers, just the nature of the tools and what they are designed for.

:cheers:

Misty

#32 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 29 June 2019 - 01:15 PM

Who would have thought that such a simple topic would turn into such a hot discussion :)

 

Firstly, I will repeat that this has nothing to do with technical capabilities.

Setting up HTTP+SSL is simple enough when it comes to tunnelling, i.e. much less complex than building a site to site or client to site l2tp/ipsec/ssl tunnel.

So once for all lets stop this simplistic argument which consists in "you dont want to do it because you dont know how to do it" : it just takes the discussion on a sterile path.

 

Secondly, like in any situation, one requestor may accept that his request will not forcibly be accepted at once.

No need to be harsh because the request is "put on hold" or even "rejected" : you may ask and the other party may say "no", provided anyone even said "no" in this case.

 

Also, lets make a clear distinction between network capabilities and security : a confusion which is often made and which matters to me (experiencing this everyday).

It is not because you can that you should.

A network admin cannot be the judge and the advocate.

In simpler terms, a decision needs to be made and it did not happen yet : not yet does not mean never.

 

As far as I am concerned, if you read my original post here, when it comes to forums, blogs, etc, i believe it is acceptable to not use https but i did offer to eventually take care of that matter.

I concluded that post with ...

 

 

My 2 cents...Dont start firing at me because I have an opinion  :)

 

... but obviously this was not heard.

 

On a good side, it is good to see reboot.pro users having strong opinions about this forum and bringing in ideas.

Lets turn that passion into energy and that energy into something concrete.

 

On a side note, I won't even comment on the low kicks from my grumpy bastards colleagues about versioning my "dangerous" proggies ;)



#33 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 02 July 2019 - 08:52 PM

So where are we at? Have you had a look at it? You determined not to go through?

It seems that the people against it have not yet gotten the point that it's a most likely trivial and very quick thing to do; until you realize that you'll be missing an extremely important aspect of the question.

Let's have a look at it.
The server is nginx on... linux, right? If so, Certbot is the best option (it's the most widespread, it's constantly developed, and was the first implementation of the protocol used by Let's Encrypt).

Have a look here:

after opening TCP 443 (if you're using firewalls) it's just a couple of commands.

For example, on Ubuntu 18.04:
  • Add Certbot's package repository:
    • sudo apt-get update
    • sudo apt-get install software-properties-common
    • sudo add-apt-repository universe
    • sudo add-apt-repository ppa:certbot/certbot
    • sudo apt-get update
  • Install Certbot:
    • sudo apt-get install certbot python-certbot-nginx
  • Do all the certificate and configuration stuff (yes, with just one command)
    • sudo certbot certonly --nginx
  • Verify that renewal works
    • sudo certbot renew --dry-run
  • See if it worked
That's all. Most posts written about this had more characters than the sum of these commands. That's why we were so frustrated.

 

erwan.l, as assarbad already asked, can you clarify who you felt called you ignorant or other names? I ask you just so to further clarify myself, in case it included me.

 
 

I concluded that post with ...

My 2 cents...Dont start firing at me because I have an opinion :)

... but obviously this was not heard.


It looks like there's some deep misunderstanding, to me at least the last posts seemed very civil and polite and I saw no one attacking you.

 
 

Setting up HTTP+SSL is simple enough when it comes to tunnelling, i.e. much less complex than building a site to site or client to site l2tp/ipsec/ssl tunnel.


The sentence is not very clear, but you should have seen now that SSL for public sites is a lot easier than any kind of tunnel. No need to deal with certificates, keys, configs or strange commands.
It is though a different thing, and you do appear to have never done it (and not have deep security and cryptography knowledge); my reason for pointing it out was that the moment you have a look at it you realize that it's a lot simpler than you ever thought, that it's kinda stupid to waste so much time in debating it and that there's nothing wrong in not being familiar with the subject. Yes, I forgot about network admins. Let's say that in the whole IT spectrum, the wide majority of people who'd better know about security have no clue. That's just the state of affairs, at least apparently. And yes, that's while IoT, 5G, IA, ICS, electronic voting... Dire times indeed. But it's for historical reasons and you shouldn't be ashamed if you fall in the category to some degree. Just, possibly, it would be better to gradually get more familiar with it if you are involved with it in your job, for everyone's sake (see the list of acronyms I just mentioned).

 

I might have something more to say but I'll leave it for later.

Just have a look at the steps above and evaluate whether it makes more sense to ruminate more on it or just give it a try.

 

P.S. I noticed that in my previous post the link in "This might be an ok place to start from" did not come through. Apologies, it was meant to be to https://letsencrypt....etting-started/ .

Edited by GabF, 02 July 2019 - 08:57 PM.
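
An added example, not part of GabF's post: one way to do the "See if it worked" step and to confirm later that renewal keeps working, by reading the expiry date of the certificate the site actually serves. It assumes GNU `date` and the `openssl` command line tool; the function names and the 30-day threshold are choices made for this example, and the host name is whatever you pass on the command line.

```sh
#!/bin/sh
# Added example: check the certificate a site serves after the Certbot steps.
# Assumes GNU date and the openssl CLI; the host name is supplied by the caller.

RENEW_WINDOW_DAYS=30   # assumption: Certbot's usual renew-before-expiry window

# served_not_after HOST -> notAfter date of the certificate served on port 443
served_not_after() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# seconds_left "NOTAFTER" [NOW_EPOCH] -> seconds until expiry (negative if past)
seconds_left() {
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( end - now ))
}

# days_left "NOTAFTER" [NOW_EPOCH] -> whole days until expiry
days_left() {
    secs=$(seconds_left "$@") || return 2
    echo $(( secs / 86400 ))
}

# cert_state "NOTAFTER" [NOW_EPOCH] -> ok | renewal-overdue | expired
cert_state() {
    secs=$(seconds_left "$@") || return 2
    if [ "$secs" -le 0 ]; then
        echo expired
    elif [ "$secs" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo renewal-overdue      # a working renew job should have replaced it
    else
        echo ok
    fi
}

# Run the live check only when a host name is given on the command line.
if [ -n "${1:-}" ]; then
    not_after=$(served_not_after "$1")
    [ -n "$not_after" ] || { echo "no certificate served by $1" >&2; exit 1; }
    echo "$1: expires $not_after ($(days_left "$not_after") days) -> $(cert_state "$not_after")"
fi
```

A `renewal-overdue` result on a site that passed `certbot renew --dry-run` usually means the scheduled renew job is not running or the web server was not reloaded after renewal.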


#34 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 02 July 2019 - 11:03 PM

Hi Gabf,

Obviously i wont get heard nor understood.
It is not about how to do it.
It is a decision matter and it is not my decision.

Thanks for your nice lecture thus.
My humble advice : dont be so quick to judge on people, who they are, what they know (or not), etc as otherwise you may inadvertently sound pedantic.

Discussion over for me here and will unsubscribe from this thread in an attempt to calm things down.

I came here initially to offer assistance and eventually bring peace (my first post) but miserably failed :)

The joy of internet !

Cheers,
Erwan



#35 assarbad

assarbad

    Member

  • Members
  • 39 posts
  •  
    Germany

Posted 04 July 2019 - 07:20 AM

Discussion over for me here and will unsubscribe from this thread in an attempt to calm things down.

 

Excellent idea.





