Hello,
Could you change the site over to use HTTPS?
Let's Encrypt offers free certs if cost is an issue.
Thank You,
Pete
Posted 23 June 2019 - 05:21 PM
Hello,
Could you change the site over to use HTTPS?
Let's Encrypt offers free certs if cost is an issue.
Thank You,
Pete
Posted 23 June 2019 - 05:27 PM
Hello,
Could you change the site over to use HTTPS?
Let's Encrypt offers free certs if cost is an issue.
Thank You,
Pete
Why?
Are you afraid of MITM attacks?
Do you believe that your posts could be stolen?
Other reasons?
Wonko
Posted 23 June 2019 - 08:30 PM
Basically the same answer I have for my web sites and servers.
Even though you have to log in, there is no private information held.
It seems very much that this cert thing is a rort... like the Y2K bug, lead in fuel...
A must have and in so many cases the security is not needed.
Posted 23 June 2019 - 09:44 PM
Posted 24 June 2019 - 12:27 PM
Well, the email address used to register would qualify as personally identifiable data (aka PID, as per the GDPR) for one. Pretty much the same for me as for pgeremia (unique password and email address), but I concur, it feels a bit out-of-place to find a website that requires credentials but doesn't even provide a minimum of transport encryption. But I only ever registered because, although back when I registered having transport encryption was already considered a best practice, it also cost money and there were bureaucratic hurdles. Nowadays you can get certificates for free from LetsEncrypt, provided you can prove to have control over the domain (lowest validation level for this kind of certificate). The setup can be scripted, which is needed but once, and many hosters (I see for reboot.pro it's Hetzner) provide LetsEncrypt integration for those packages where no shell access is provided. If shell access is possible, I will be happy to lend a hand.
Alleged speed issues with TLS, both on the server and the client side (as well as connection-wise) have long been debunked, so I suppose there's no need to justify that aspect again?
Why?
Are you afraid of MITM attacks?
Do you believe that your posts could be stolen?
Other reasons?
Impersonation is an example of abuse, especially when looking at what's called "Messenger" here but called private messages in many other forum systems. That the forum admin could glance at them is one thing. That everyone on the way from my computer to the server can glance at them isn't quite so cool, though.
It's similar to the analogy that sending plain text email is akin to sending a postcard which many people (strangely enough) are surprised about when they hear it. Yet most people I know would likely not wish their payslip or bank statements be sent without envelope.
Oh and I'll better not get into ways a plain text connection could literally be exploited other than for MITM scenarios.
Basically the same answer I have for my web sites and servers.
Even though you have to log in, there is no private information held.
It seems very much that this cert thing is a rort... like the Y2K bug, lead in fuel...
A must have and in so many cases the security is not needed.
Seriously? Leaving aside that as a non-native speaker of English I had to look up rort presumably the next argument will be that you got nothing to hide and so there's no need for transport encryption?! But your desire for privacy/security may differ from everyone else's. Transport encryption is considered a best practice and has been for a fairly long time. It's just that it became more prevalent after the Snowden leaks and when LetsEncrypt made them "cheap" (as in free of charge) and easy.
Edward Snowden had this to say about the "nothing to hide" argument (emphasis mine):
And when I sort of follow this [the meaning of “privacy”], and I think about this in my own terms – particularly when we're confronted with the arguments of, sort of, apologists for the national security state, and the argument that was first proposed by the Nazis against privacy, which was “if you have nothing to hide, you have nothing to fear” – I would say that arguing that you don't care about privacy because you have nothing to hide is like saying that you don't care about free speech because you have nothing to say. Rights exist and have value for more than just the individual in the current moment. Rights are both individual and collective. And when you think about the value of a free press, we're not all journalists, but we still derive value from them. Moreover, rights are not really intended, rights are not really designed for use by the elites, for people who are leading our debates, because these are the people who are least threatened with the abrogation of their rights. The system exists to serve and protect these people. Rights are almost always needed on a regular, continual basis by those who are vulnerable, by those who are not protected by the system, by those who are not protected by their communities, by the people who are different, by the people who are ahead of everyone else because of a new idea, or people who are simply minorities, who don't have access to the same resources, don't have access to the same ability to compete. And to say fundamentally that you don't care about a right – even if it is truly of no value to you, because you're not using it in this current moment and you don't expect to use it in the future – is probably the most antisocial thing I can imagine.
If the server admin has the desire to implement this and it's possible to run custom scripts on the server, preferably through cron or some other scheduler, I'll be happy to lend a hand (of course free of charge).
Posted 24 June 2019 - 01:00 PM
Thank you for your thoughtful response. I have my Lets Encrypt cert renew fully scripted and automated. Now all of my sites are HTTPS and users will not see those browser warnings. I hope that the admin will consider doing that.
Thanks!!
-Pete
Posted 26 June 2019 - 06:30 PM
+1
Additionally, these days an http-only site looks very suspicious.
At the very least it gives a sense of having been abandoned.
Yes, maybe you haven't noticed, but they are that rare by now. I use an extension that blocks any plain-http request and I run into the need to disable it only once every couple weeks.
It took me a while to find the courage to login again (especially given that I first had to reset my long-lost password). I actually still feel dirty
It is true that ssl is a thing that can give a false sense of security, in that in all likelihood a lot of the https sites implement it wrongly and are actually hackable in multiple ways, but... it's a layer; if it's missing you're sure there's no transport security, if it's there it's at least very likely that the data exchanged has not been tampered with and it's at least a lot harder for third parties to see what you do with the site.
Edited by GabF, 26 June 2019 - 06:33 PM.
Posted 26 June 2019 - 06:59 PM
It took me a while to find the courage to login again (especially given that I first had to reset my long-lost password). I actually still feel dirty
Oww, come off it.
JFYI :
http://www.marriedto...06/gracious.jpg
Wonko
Posted 27 June 2019 - 04:56 PM
Yeah I would've never thought I could be associated with such a picture, but sadly Internet (or maybe just what we know about it) changed a lot since that picture was made
Posted 27 June 2019 - 04:58 PM
Anyway, can we assume that the site administrators are aware of this thread? Or maybe we should PM someone?
Posted 27 June 2019 - 05:05 PM
Oh, I ran into a much older related thread: http://reboot.pro/to...httpsrebootpro/
Posted 27 June 2019 - 05:19 PM
Look, people, reading the various messages it's almost obvious that the real reason you don't want to support https is that you don't know how to do it and don't have much knowledge about cryptography and security.
I can relate to that.
First, if it's indeed so I advise you to read something about it, security is something every developer or site administrator ought to be familiar with; don't take this personally, you're far from alone, unfortunately poor security knowledge seems to be extremely common in the developers community.
Second, these days it's fortunately very easy to add support to it, and there's no need to pay anything. I might be able to provide some help.
Edited by GabF, 27 June 2019 - 05:20 PM.
Posted 28 June 2019 - 09:32 AM
Look, people, reading the various messages it's almost obvious that the real reason you don't want to support https is that you don't know how to do it and don't have much knowledge about cryptography and security.
I can relate to that.
First, if it's indeed so I advise you to read something about it, security is something every developer or site administrator ought to be familiar with; don't take this personally, you're far from alone, unfortunately poor security knowledge seems to be extremely common in the developers community.
Second, these days it's fortunately very easy to add support to it, and there's no need to pay anything. I might be able to provide some help.
Essentially you are saying that the Admin/Owner of reboot.pro (and his helpers) are a bunch of ignorants (on the relevant techniques).
Interesting approach, particularly when coming from someone whose only contributions to the board are revolving around this specific matter, directly or indirectly:
http://reboot.pro/to...-damit-umgehen/
Although I doubt that Nuno misses the technical capabilities to implement HTTPS, I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:
1) prevent any spammer from joining the forum
2) prevent such spammers from sending private messages to other members[1]
In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS or better through a dedicated app (in dual version, iOS and Android).
Wonko
[1] and - if the member has chosen to be notified of personal messages via e-mail - prevent the board from sending such a notifying e-mail
Posted 28 June 2019 - 10:54 AM
Wow you guys get all bent out of shape over a simple request. And it is simple. Why don't we just ask the site admins to make the change. I am sure they know how to do it.
-Pete
Posted 28 June 2019 - 12:04 PM
Wow you guys get all bent out of shape over a simple request. And it is simple. Why don't we just ask the site admins to make the change. I am sure they know how to do it.
-Pete
Well, not exactly.
The "simple" request comes from people who never took any interest in the community if not for proposing this particular request.
And the "evangelist" approach doesn't particularly help, at least to me it sounds a lot like what I call "otiose" proposals.
Of course the final decision is up to Nuno, but essentially if someone requires someone else to do additional work (for free BTW) it would be nice if there were some easy to understand, and valid reasons backing the request.
Some examples of non-valid (IMHO) reasons:
1) experts say ...
2) it is recognized (by whom) best practice ...
3) it gives the sense of being abandoned ...
4) it doesn't look like modern ...
5) modern browsers ...
Wonko
Posted 28 June 2019 - 12:20 PM
You know what? You are ridiculous. People have offered plenty of GOOD reasons and even offered to HELP! You hard liners have nothing better to do than to go against BEST PRACTICES because you want to live in the PAST.
GO FOR IT.
I joined this site as one of the 1st people to purchase the ISOSTICK. But clearly this site has no purpose any longer other than to go against ANYTHING that does not suit your agenda.
SO BE IT.
I am done. This is my last post and then I will delete my account.
GOOD BYE CHILDREN!
Posted 28 June 2019 - 12:29 PM
You know what? You are ridiculous.
You see?
Usually evangelists tend to resort to call other people names when their will (for whatever reason) is not instantly put in practice.
I am done. This is my last post and then I will delete my account.
GOOD BYE CHILDREN!
Hmmm, no you can't delete your account , you can only ask here[1]:
http://reboot.pro/to...ete-my-account/
for it to be deleted.
Good bye , have a nice (and secure) online activity wherever you go.
Wonko
[1] and yes, this is most probably ALSO against "best practices".
Posted 28 June 2019 - 05:37 PM
Me coming late to that discussion...
If this really brings peace over here, I can have a look on my spare time and implement SSL
But I too think: what is the risk here?
We are no banking site here and posted data is public. I.e even non authenticated users can read posts.
So apart from someone sniffing your private messages, not sure what is the added value.
Now for sure, modern browsers may scare a few users off, but there are much worse things to be scared of, like giving away your personal life to Facebook...
My 2 cents... Don't start firing at me because I have an opinion.
Posted 28 June 2019 - 05:54 PM
If this really brings peace over here, I can have a look on my spare time and implement SSL
And you actually think that that would bring peace?
You would have at least one more enemy.
Now, a good? new question, should you delete the account "pgeremia" that has been just renamed to "DELETED ACCOUNT" by the user (who could not delete it, as expected), even if the user did not ask for deletion of the account?
Wonko
Posted 28 June 2019 - 06:23 PM
And you actually think that that would bring peace?
You would have at least one more enemy.
Now, a good? new question, should you delete the account "pgeremia" that has been just renamed to "DELETED ACCOUNT" by the user (who could not delete it, as expected), even if the user did not ask for deletion of the account?
Wonko
Nah, it takes two to enter an enemy relationship, and even with my occasionally bad temper and bitchy attitude (so I am told), I never consider anyone as such.
Worst case scenario, some individuals get on my ignore list.
About "pgeremia" renaming itself to "DELETED ACCOUNT", this is an interesting one
The things ppl would do when they get upset...
I'll be stubborn and will wait for the user to kindly request to delete his account like other polite users do.
"deleted account" is only a display name after all and the login is still registered as pgeremia in the database.
Posted 28 June 2019 - 08:56 PM
Essentially you are saying that the Admin/Owner of reboot.pro (and his helpers) are a bunch of ignorants (on the relevant techniques).
Interesting approach, particularly when coming from someone whose only contributions to the board are revolving around this specific matter, directly or indirectly:
http://reboot.pro/to...-damit-umgehen/
Although I doubt that Nuno misses the technical capabilities to implement HTTPS
I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:
1) prevent any spammer from joining the forum
2) prevent such spammers from sending private messages to other members[1]
In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS
Edited by GabF, 28 June 2019 - 08:57 PM.
Posted 28 June 2019 - 09:46 PM
About "pgeremia" renaming itself to "DELETED ACCOUNT", this is an interesting one
The things ppl would do when they get upset...
I'll be stubborn and will wait for the user to kindly request to delete his account like other polite users do.
"deleted account" is only a display name after all and the login is still registered as pgeremia in the database.
I have to say. You people that LIVE on these forums think you are something special. I don't get it. Yes I know I have to request account deletion. But it is fun to watch y'all freak out about the fact that I changed the display name.
For those of you who replied to my original post in a thoughtful way THANK YOU. I definitely appreciate it. How about we kill this thread since I really have no desire to participate in this any longer.
Posted 28 June 2019 - 09:49 PM
Although I doubt that Nuno misses the technical capabilities to implement HTTPS, I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:
1) prevent any spammer from joining the forum
2) prevent such spammers from sending private messages to other members[1]
In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS or better through a dedicated app (in dual version, iOS and Android).
Not exactly sure what one has to do with the other. Besides 2FA is only relevant when signing in, all the subsequent exchanges with the web server will typically rely on a cookie or some such. So since you are seriously suggesting that there is any point in doing all that without transport encryption, I guess we can cut this short. I won't resort to the same kind of ad hominem attack, though, which you decided to level on GabF.
Also, none of this will prevent spammers and unless I missed something obvious no one even suggested it does. Or are you somehow insinuating the fact that GabF merely contributed to that one topic there has to be some connection of sorts?
The "simple" request comes from people who never took any interest in the community if not for proposing this particular request.
Why thank you. Given I contributed to other topics, joined in with this request and even offered to help with the implementation if need be, I am charmed to hear that.
And the "evangelist" approach doesn't particularly help, at least to me it sounds a lot like what I call "otiose" proposals.
Hmm, let me point out to you how your proposal to implement 2FA without transport encryption is equally "otiose" as you put it.
And no, HTTPS isn't 90s. Well, minor aspects of it are and certainly some badly implemented web sites still fall into that category for spurious reasons. However, if you followed any recent technical advances I doubt that TLS 1.2 and TLS 1.3 have completely escaped your attention. If they have, you may want to read up and perhaps reconsider your statements.
Of course the final decision is up to Nuno, but essentially if someone requires someone else to do additional work (for free BTW) it would be nice if there were some easy to understand, and valid reasons backing the request.
Some examples of non-valid (IMHO) reasons:
1) experts say ...
2) it is recognized (by whom) best practice ...
3) it gives the sense of being abandoned ...
4) it doesn't look like modern ...
5) modern browsers ...
Hard to avoid slipping into ad hominem here myself, but you did read my responses, did you? Did you also understand them, or is there anything that is unclear and that you want me to break down for you further? Mind you, I won't necessarily explain everything to the last detail, but I can provide explanations in layman's terms and point you to relevant literature.
Usually evangelists tend to resort to call other people names when their will (for whatever reason) is not instantly put in practice.
You know, aside from the religious connotation of the word, I find nothing wrong being an evangelist of best practices. But I can't help but think that you are using it in a derogatory fashion here ...
If this really brings peace over here, I can have a look on my spare time and implement SSL
Great. My offer stands. You can establish initial contact via email and we can sort out a more convenient mode of communication.
But I too think: what is the risk here?
We are no banking site here and posted data is public. I.e even non authenticated users can read posts.
So apart from someone sniffing your private messages, not sure what is the added value.
Hmm, well. Aside from GDPR violations because you are processing PID (see previous responses) without transport encryption, I also had a hard time making a point. However, I glanced at your forum signature ...
Anyway, before we get to that, let me explain again what transport encryption is meant to provide. It's meant to provide confidentiality for the communication between client and server (i.e. no eavesdropping possible unless current crypto gets broken; even then, perfect forward secrecy will make things harder). It also ensures - that's after all what that certificate signed by a trusted CA (certification authority) is meant to do - that you are the one in control of the domain. Mind you, this is the lowest validation level. Further levels exist, providing additional levels of assurance. But it can be debated if some of that is snake oil. So to summarize: content I get from here, I know it's coming from your server and it's on me to decide whether to trust you and your server.
The scenario that Wonko so gallantly shoved aside is a very real one: man in the middle (MITM). Someone injecting their content in place of yours on the way between me (or any other user) and your server.
Which brings me back to your nice signature.
Let's consider just one of your little contributions. Say MkisofsGui. Can you see what's coming?
Well, you aren't code signing your executables, but that ZIP file I downloaded contains an executable program (.exe). So how am I to be sure that no one tampered with it on the way from you (personally) via your server to me? I can't. In fact I can't even be sure about this at all, not even with HTTPS. However, provided your server security holds, and you'd provide a cryptographic hash (e.g. SHA256) of the ZIP archive, I could be reasonably sure that it - after verifying the hash matches - came from you. The only way to be even more sure would be for you to code-sign your executables (which is the software analogue of web server certificates).
Anyway, without transport encryption all bets are off. I can't be sure that the data I am receiving came from you. I can't be sure it hasn't been tampered with either ...
So this is not purely about confidentiality of some boring (not so) private message. This is literally you abetting cyber crime by neglect. Sorry to say. And sorry to have to use such strong words ...
I hope this is nevertheless an understandable argument. If not, feel free to ask away. I will try to answer, spare time permitting.
You would have at least one more enemy.
... hmm and who would that be? The incorrigible user who holds still - after hearing all the facts - that transport encryption is so 90s and really unnecessary?
[...] and even with my occasionally bad temper and bitchy attitude (so I am told), I never consider anyone as such.
Hey, we could make a good match
btw: that WYSIWYG-editor was acting up a lot. For some reason the first quote doesn't appear correctly attributed to "Wonko the Sane".
Edited by assarbad, 28 June 2019 - 09:53 PM.
Posted 28 June 2019 - 09:58 PM
@erwan.l let me add that aside from the obvious "switching out the file under both our noses" there are also very real risks involved due to the fact that harmful, that is malicious, content gets injected on the way. People will most likely attribute any harm to you, even though you may be completely innocent and even oblivious to what happened.
And yes, anything that gets parsed with code, including seemingly harmless ZIP files, but more so executables, has the potential of wreaking havoc when tampered with. That tampering is one of the scenarios transport encryption aims to prevent.
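The hash check proposed two posts up (publish a SHA256 of the ZIP, verify it after download) and the tampering scenario just described, as an added example that is not part of this thread or of any reboot.pro tool. The archive bytes, the tampered copy and the URLs are constructed here; the one check the thread only implies is made explicit: a digest fetched over plain HTTP can be swapped together with the archive, so it is only accepted when it came over HTTPS.

```python
import hashlib
import hmac
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the downloaded bytes, as a site would publish it."""
    return hashlib.sha256(data).hexdigest()


def verify_download(archive: bytes, published_sha256: str, hash_source_url: str) -> bool:
    """Accept the archive only if its digest matches AND the digest itself
    was fetched over a tamper-resistant channel.

    Without transport encryption a man in the middle can rewrite both the
    archive and the page carrying the digest, so the check would be void."""
    scheme = urlparse(hash_source_url).scheme.lower()
    if scheme != "https":
        return False
    expected = published_sha256.strip().lower()
    # Reject anything that is not a well-formed 64-char hex SHA256 digest.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sha256_hex(archive), expected)


# Constructed sample data: a stand-in for a downloaded ZIP (magic bytes only)
# and a copy that was altered in transit by flipping part of the payload.
ORIGINAL_ARCHIVE = b"PK\x03\x04 constructed stand-in for a downloaded ZIP"
TAMPERED_ARCHIVE = ORIGINAL_ARCHIVE.replace(b"stand-in", b"stand-on")
PUBLISHED_DIGEST = sha256_hex(ORIGINAL_ARCHIVE)

# Hypothetical locations of the published digest; the host is a placeholder.
DIGEST_OVER_TLS = "https://example.invalid/downloads/sha256.txt"
DIGEST_OVER_PLAIN_HTTP = "http://example.invalid/downloads/sha256.txt"


def run_cases() -> dict:
    """Return the outcome of each scenario discussed in the thread."""
    return {
        "intact, digest over https": verify_download(ORIGINAL_ARCHIVE, PUBLISHED_DIGEST, DIGEST_OVER_TLS),
        "tampered, digest over https": verify_download(TAMPERED_ARCHIVE, PUBLISHED_DIGEST, DIGEST_OVER_TLS),
        "intact, digest over http": verify_download(ORIGINAL_ARCHIVE, PUBLISHED_DIGEST, DIGEST_OVER_PLAIN_HTTP),
    }


if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label}: {'accepted' if ok else 'REJECTED'}")
```

Only the first case is accepted; the tampered archive fails the digest comparison, and the intact archive is still refused when its digest was obtained over plain HTTP, because that digest gives no assurance at all.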
Posted 29 June 2019 - 12:00 AM