
HTTPS


34 replies to this topic

#1 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 4 weeks ago

Hello,

 

Could you change the site over to use HTTPS?

 

Let's Encrypt are free certs if cost is an issue.

 

Thank You,

 

Pete


  • GabF likes this

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 4 weeks ago

Hello,

 

Could you change the site over to use HTTPS?

 

Let's Encrypt are free certs if cost is an issue.

 

Thank You,

 

Pete

Why?

Are you afraid of MITM attacks?

Do you believe that your posts could be stolen?

Other reasons?

 

 

:duff:

Wonko



#3 Steptoe

Steptoe

    Newbie

  • Members
  • 11 posts
  • Interests: Restoring Classic cars, Gardening, breeding endangered parrots for conservation, the Grand Children.
  •  
    New Zealand

Posted 4 weeks ago

Basically the same answer I have for my web sites and servers.

Even though you have to log in, there is no private information held.

Seems very much this cert thing is very much a rort...like the yr 2k bug, lead in fuel..

 A must have and in so many cases the security is not needed.



#4 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 4 weeks ago

I use a unique password so I don’t really care. Although I would not want someone to steal my account and post as me. I think the bigger reason is that modern browsers are now warning and making it difficult to go to non https sites. This is a great resource for learning and you wouldn’t want to scare anyone away.

#5 assarbad

assarbad

    Member

  • Members
  • 37 posts
  •  
    Germany

Posted 3 weeks ago

Well, the email address used to register would qualify as personally identifiable data (aka PID, as per the GDPR) for one. Pretty much the same for me as for pgeremia (unique password and email address), but I concur, it feels a bit out-of-place to find a website that requires credentials but doesn't even provide a minimum of transport encryption. But I only ever registered because, although back when I registered having transport encryption was already considered a best practice, it also cost money and there were bureaucratic hurdles. Nowadays you can get certificates for free from Let's Encrypt, provided you can prove to have control over the domain (lowest validation level for this kind of certificate). The setup can be scripted, which is needed but once, and many hosters (I see for reboot.pro it's Hetzner) provide Let's Encrypt integration for those packages where no shell access is provided. If shell access is possible, I will be happy to lend a hand.

 

Alleged speed issues with TLS, both on the server and the client side (as well as connection-wise) have long been debunked, so I suppose there's no need to justify that aspect again?

 

Why?

Are you afraid of MITM attacks?

Do you believe that your posts could be stolen?

Other reasons?

Impersonation is an example of abuse, especially when looking at what's called "Messenger" here but called private messages in many other forum systems. That the forum admin could glance at them is one thing. That everyone on the way from my computer to the server can glance at them isn't quite so cool, though.

 

It's similar to the analogy that sending plain text email is akin to sending a postcard which many people (strangely enough) are surprised about when they hear it. Yet most people I know would likely not wish their payslip or bank statements be sent without envelope.

 

Oh and I'll better not get into ways a plain text connection could literally be exploited other than for MITM scenarios.

 

Basically the same answer I have for my web sites and servers.

Even though you have to log in, there is no private information held.

Seems very much this cert thing is very much a rort...like the yr 2k bug, lead in fuel..

 A must have and in so many cases the security is not needed.

Seriously? Leaving aside that as a non-native speaker of English I had to look up "rort", presumably the next argument will be that you got nothing to hide and so there's no need for transport encryption?! But your desire for privacy/security may differ from everyone else's. Transport encryption is considered a best practice and has been for a fairly long time. It's just that it became more prevalent after the Snowden leaks and when Let's Encrypt made them "cheap" (as in free of charge) and easy.

 

Edward Snowden had this to say about the "nothing to hide" argument (emphasis mine):

 

And when I sort of follow this [the meaning of “privacy”], and I think about this in my own terms – particularly when we're confronted with the arguments of, sort of, apologists for the national security state, and the argument that was first proposed by the Nazis against privacy, which was “if you have nothing to hide, you have nothing to fear” – I would say that arguing that you don't care about privacy because you have nothing to hide is like saying that you don't care about free speech because you have nothing to say. Rights exist and have value for more than just the individual in the current moment. Rights are both individual and collective. And when you think about the value of a free press, we're not all journalists, but we still derive value from them. Moreover, rights are not really intended, rights are not really designed for use by the elites, for people who are leading our debates, because these are the people who are least threatened with the abrogation of their rights. The system exists to serve and protect these people. Rights are almost always needed on a regular, continual basis by those who are vulnerable, by those who are not protected by the system, by those who are not protected by their communities, by the people who are different, by the people who are ahead of everyone else because of a new idea, or people who are simply minorities, who don't have access to the same resources, don't have access to the same ability to compete. And to say fundamentally that you don't care about a right – even if it is truly of no value to you, because you're not using it in this current moment and you don't expect to use it in the future – is probably the most antisocial thing I can imagine.

 

 

If the server admin has the desire to implement this and it's possible to run custom scripts on the server, preferably through cron or some other scheduler, I'll be happy to lend a hand (of course free of charge).


  • GabF likes this

#6 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 3 weeks ago

Thank you for your thoughtful response.  I have my Let's Encrypt cert renewal fully scripted and automated.  Now all of my sites are HTTPS and users will not see those browser warnings.  I hope that the admin will consider doing that.

 

Thanks!!

 

-Pete



#7 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

+1

Additionally, these days an http-only site looks very suspicious.
At the very least it gives a sense of having been abandoned.
Yes, maybe you haven't noticed, but they are that rare by now. I use an extension that blocks any plain-http request and I run into the need to disable it only once every couple weeks.

It took me a while to find the courage to login again (especially given that I first had to reset my long-lost password). I actually still feel dirty :)


It is true that ssl is a thing that can give a false sense of security, in that in all likelihood a lot of the https sites implement it wrongly and are actually hackable in multiple ways, but... it's a layer, if it's missing you're sure there's no transport security, if it's there it's at least very likely that the data exchanged has not been mangled with and it's at least a lot harder for third parties to see what you do with the site.


Edited by GabF, 3 weeks ago.


#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 3 weeks ago

It took me a while to find the courage to login again (especially given that I first had to reset my long-lost password). I actually still feel dirty  :)

 

Oww, come off it.

 

JFYI ;) :

http://www.marriedto...06/gracious.jpg

 

:duff:

Wonko



#9 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

 

Yeah I would've never thought I could be associated with such a picture, but sadly Internet (or maybe just what we know about it) changed a lot since that picture was made



#10 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

Anyway, can we assume that the site administrators are aware of this thread? Or maybe we should PM someone?



#11 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

Oh, I ran into a much older related thread: http://reboot.pro/to...httpsrebootpro/



#12 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

Look people, reading the various messages it's almost obvious that the real reason you don't want to support https is that you don't know how to do it and don't have much knowledge about cryptography and security.

I can relate to that.
First, if it's indeed so I advise you to read something about it, security is something every developer or site administrator ought to be familiar with; don't take this personally, you're far from alone, unfortunately poor security knowledge seems to be extremely common in the developers community.

Second, these days it's fortunately very easy to add support to it, and there's no need to pay anything. I might be able to provide some help.
 


Edited by GabF, 3 weeks ago.


#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 3 weeks ago

Look people, reading the various messages it's almost obvious that the real reason you don't want to support https is that you don't know how to do it and don't have much knowledge about cryptography and security.

I can relate to that.
First, if it's indeed so I advise you to read something about it, security is something every developer or site administrator ought to be familiar with; don't take this personally, you're far from alone, unfortunately poor security knowledge seems to be extremely common in the developers community.

Second, these days it's fortunately very easy to add support to it, and there's no need to pay anything. I might be able to provide some help.
 

Essentially you are saying that the Admin/Owner of reboot.pro (and his helpers) are a bunch of ignorants (on the relevant techniques).

 

Interesting approach, particularly when coming from someone whose only contributions to the board are revolving around this specific matter, directly or indirectly:

http://reboot.pro/to...-damit-umgehen/

 

Although I doubt that Nuno misses the technical capabilities to implement HTTPS, I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:

1) prevent any spammer from joining the forum

2) prevent such spammers from sending private messages to other members[1]

 

In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS or better through a dedicated app (in dual version, iOS and Android).

 

 

:duff:

Wonko 

 

[1] and - if the member has chosen to be notified of personal messages via e-mail, prevent the board to send such notifying e-mail



#14 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 3 weeks ago

Wow you guys get all bent out of shape over a simple request.  And it is simple. Why don't we just ask the site admins to make the change.  I am sure they know how to do it.

 

-Pete



#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 3 weeks ago

Wow you guys get all bent out of shape over a simple request.  And it is simple. Why don't we just ask the site admins to make the change.  I am sure they know how to do it.

 

-Pete

Well, not exactly.

 

The "simple" request comes from people who never took any interest in the community if not for proposing this particular request.

 

And the "evangelist" approach doesn't particularly help, at least to me it sounds a lot like what I call "otiose" proposals.

 

Of course the final decision is up to Nuno, but essentially if someone requires someone else to do additional work (for free BTW) it would be nice if there were some  easy to understand, and valid reasons backing the request.

 

Some examples of non-valid (IMHO) reasons:

1) experts say ...

2) it is recognized (by whom) best practice ...

3) it gives the sense of being abandoned ...

4) it doesn't look like modern ...

5) modern browsers ...

 

 

 

:duff:

Wonko



#16 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 3 weeks ago

You know what?   You are ridiculous.  People have offered plenty of GOOD reasons and even offered to HELP!  You hard liners have nothing better to do than to go against BEST PRACTICES because you want to live in the PAST.

 

GO FOR IT.

 

I joined this site as one of the 1st people to purchase the ISOSTICK.  But clearly this site has no purpose any longer other than to go against ANYTHING that does not suit your agenda.

 

SO BE IT.

 

I am done.  This is my last post and then I will delete my account.

 

GOOD BYE CHILDREN!



#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 3 weeks ago

You know what?   You are ridiculous. 

You see?

Usually evangelists tend to resort to call other people names when their will (for whatever reason)  is not instantly put in practice.

 

 

I am done.  This is my last post and then I will delete my account.

 

GOOD BYE CHILDREN!

 

Hmmm, no you can't delete your account :w00t:, you can only ask here[1]:

http://reboot.pro/to...ete-my-account/

for it to be deleted.

 

Good bye :bye: , have a nice (and secure) online activity wherever you go.

 

:duff:

Wonko

 

[1] and yes, this is most probably ALSO against "best practices".



#18 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 3 weeks ago

Me coming late to that discussion...

 

If this really brings peace over here, I can have a look on my spare time and implement SSL :)

 

But I too think: what is the risk here?

We are no banking site here and posted data is public. I.e even non authenticated users can read posts.

So apart from someone sniffing your private messages, not sure what is the added value.

 

Now for sure, modern browsers may scare a few users off but there are much worse things to be scared of, like giving away your personal life to facebook...

 

My 2 cents... Don't start firing at me because I have an opinion :)


  • assarbad likes this

#19 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14830 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 3 weeks ago

If this really brings peace over here, I can have a look on my spare time and implement SSL  :)

 

And you actually think that that would bring peace? :dubbio:

 

You would have at least one more enemy. :w00t:

 

Now, a good? :unsure: new question, should you delete the account "pgeremia" that has been just renamed to "DELETED ACCOUNT" by the user (who could not delete it, as expected), even if the user did not ask for deletion of the account?

 

:duff:

Wonko



#20 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 3 weeks ago

And you actually think that that would bring peace? :dubbio:

 

You would have at least one more enemy. :w00t:

 

Now, a good? :unsure: new question, should you delete the account "pgeremia" that has been just renamed to "DELETED ACCOUNT" by the user (who could not delete it, as expected), even if the user did not ask for deletion of the account?

 

:duff:

Wonko

 

Nah, it takes two to enter an enemy relationship, and even with my occasionally bad temper and bitchy attitude (so I am told), I never consider anyone as such.

Worse case scenario, some individuals get on my ignore list.

 

About "pgeremia" renaming itself to "DELETED ACCOUNT", this is an interesting one :)

The things ppl would do when they get upset...

I'll be stubborn and will wait for the user to kindly request to delete his account like other polite users do.

"deleted account" is only a display name after all and the login is still registered as pgeremia in the database.


  • assarbad likes this

#21 GabF

GabF

    Newbie

  • Members
  • 13 posts

Posted 3 weeks ago

In all likelihood most posts written about this have taken more time to be made than enabling https would have taken someone familiar with it. And even if you don't know anything about it, in most situations it takes at most a few hours from the first google search to working connection. And there's no downside. That's why it's a no-brainer, these days, and only someone who doesn't have familiarity with it would hesitate to support it.

 

Essentially you are saying that the Admin/Owner of reboot.pro (and his helpers) are a bunch of ignorants (on the relevant techniques).


I haven't called anyone ignorant, but if not knowing something "essentially" means to be "a bunch of ignorant (on the relevant something)", so be it. I for one am part of a bunch of ignorants on quantum physics, neuroscience, dialectical materialism and a whole lot of other things. If on the other hand you know everything (most of all, that you do know everything), I envy you. But that's when my flame ends, I wasted way too much time on this that was just an attempt to contribute to a forum I have very little interest in: luckily others replied before me and said and done most of the things (deleting the account) that I was preparing to do. I imagine you mean well, but I'll dare suggest you a little more humility. Yes, I know you'll say ditto.
I repeat, a whole lot of time was wasted for nothing, and what's worse, in all likelihood all people involved meant well.


erwan.l, I understand your hesitation because I was in the same place, ssl seems a big, complex and scary topic, and it kinda is if you delve in the details, but these days it is fortunately extremely easy to implement even without knowing anything about it. Many server control panels let you do it with a simple toggle, and if yours doesn't or you're managing the server at a lower level, the various Let's Encrypt clients (Certbot, win-acme...) do almost everything automatically in a few minutes; in most cases you'll at most have to open some doors.
There are some additional things to do if you want better security or SEO (so, yes, you'll probably get more nagging requests in the future ;) ), but this alone is already a huge jump forward and you can be content with it.
This might be an ok place to start from, but you can also find dozens of step-by-step tutorials on google (be sure to follow something recent, things have changed dramatically in the last few years, with Let's Encrypt).


 

Interesting approach, particularly when coming from someone whose only contributions to the board are revolving around this specific matter, directly or indirectly:
http://reboot.pro/to...-damit-umgehen/


That thread is in no way related to this one

 

Although I doubt that Nuno misses the technical capabilities to implement HTTPS


presumption
It's obvious that you know little of the subject, you can't know if it's an obvious "technical capability" or not (it's not).
And by the way there would be nothing wrong in knowing little of the subject.



I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:
1) prevent any spammer from joining the forum
2) prevent such spammers from sending private messages to other members[1]


Your own personal ignorance has not prevented you from associating this post to the other. I came back to the forum for the reasons cited in that thread, and then the first thing I noticed is no HTTPS (which does stand out a lot) and decided to give my contribution to fix the thing, which even if you don't care about the people who would like for your site to support it is in all likelihood hurting your community more than you realize.


 

In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS


You know nothing, Jon B)
HTTPS for login pages only is indeed so '90s. It is appropriate for a whole bunch of other reasons, that I think were well explained before. To erwan's point: posted data is indeed public, but not every interaction with the site needs to be, and even the traffic manipulation that SSL (to the largest extent) prevents is unfortunately a very real problem (eg). Yes, VPN, Tor, whatnot. But if your site supports HTTPS, it's a lot easier for people.
Wonko, I would be quite pissed to see a site that goes to the length of supporting 2FA but then sends the cookies in plain text. Ok, in your threat model no one will ever target you, you'll never use wi-fi without a vpn or no hacker will ever care about your data. But that's your own peculiar threat model, it doesn't reflect the expectations of most people.
And please Google 2FA SMS (yes I saw the howtogeek article, but still... let's at least stop recommending it, please).
In any case, we could probably have enabled HTTPS for hundreds of sites in the time spent discussing about it.



I have to leave hastily and won't be able to further reply for a couple of days. Please believe me that I did not mean to antagonize anyone (but I am a little pissed with Wonko).

Edited by GabF, 3 weeks ago.

  • PeteG5000 and assarbad like this

#22 PeteG5000

PeteG5000
  • Members
  • 9 posts
  •  
    United States

Posted 3 weeks ago

 

About "pgeremia" renaming itself to "DELETED ACCOUNT", this is an interesting one :)

The things ppl would do when they get upset...

I'll be stubborn and will wait for the user to kindly request to delete his account like other polite users do.

"deleted account" is only a display name after all and the login is still registered as pgeremia in the database.

 

I have to say.  You people that LIVE on these forums think you are something special.  I don't get it.  Yes I know I have to request account deletion.  But it is fun to watch y'all freak out about the fact that I changed the display name.

 

For those of you who replied to my original post in a thoughtful way THANK YOU.  I definitely appreciate it.  How about we kill this thread since I really have no desire to participate in this any longer.



#23 assarbad

assarbad

    Member

  • Members
  • 37 posts
  •  
    Germany

Posted 3 weeks ago

Although I doubt that Nuno misses the technical capabilities to implement HTTPS, I would - given my own, personal, ignorance - want to have explained (in layman's terms) in which way HTTPS would:

1) prevent any spammer from joining the forum

2) prevent such spammers from sending private messages to other members[1]

 

In any case, HTTPS is so '90, I would rather have 2FA authentication, via SMS or better through a dedicated app (in dual version, iOS and Android).

 

Not exactly sure what one has to do with the other. Besides 2FA is only relevant when signing in, all the subsequent exchanges with the web server will typically rely on a cookie or some such. So since you are seriously suggesting that there is any point in doing all that without transport encryption, I guess we can cut this short. I won't resort to the same kind of ad hominem attack, though, which you decided to level on GabF.

 

Also, none of this will prevent spammers and unless I missed something obvious no one even suggested it does. Or are you somehow insinuating the fact that GabF merely contributed to that one topic there has to be some connection of sorts?

 

The "simple" request comes from people who never took any interest in the community if not for proposing this particular request.

 

Why thank you. Given I contributed to other topics, joined in with this request and even offered to help with the implementation if need be, I am charmed to hear that.

 

And the "evangelist" approach doesn't particularly help, at least to me it sounds a lot like what I call "otiose" proposals.

 

Hmm, let me point out to you how your proposal to implement 2FA without transport encryption is equally "otiose" as you put it.

 

And no, HTTPS isn't 90s. Well, minor aspects of it are and certainly some badly implemented web sites fall still into that category for spurious reasons. However, if you followed any recent technical advances I doubt that TLS 1.2 and TLS 1.3 have completely escaped your attention. If they have, you may want to read up and perhaps reconsider your statements.

 

Of course the final decision is up to Nuno, but essentially if someone requires someone else to do additional work (for free BTW) it would be nice if there were some  easy to understand, and valid reasons backing the request.

 

Some examples of non-valid (IMHO) reasons:

1) experts say ...

2) it is recognized (by whom) best practice ...

3) it gives the sense of being abandoned ...

4) it doesn't look like modern ...

5) modern browsers ...

 

Hard to avoid slipping into ad hominem here myself, but you did read my responses, did you? Did you also understand them, or is there anything that is unclear and that you want me to break down for you further? Mind you, I won't necessarily explain everything to the last detail, but I can provide explanations in layman's terms and point you to relevant literature.

 

Usually evangelists tend to resort to call other people names when their will (for whatever reason)  is not instantly put in practice.

 

You know, aside from the religious connotation of the word, I find nothing wrong being an evangelist of best practices. But I can't help but think that you are using it in a derogatory fashion here ...

 

If this really brings peace over here, I can have a look on my spare time and implement SSL :)

 

Great. My offer stands. You can establish initial contact via email and we can sort out a more convenient mode of communication.

 

 

But I too think: what is the risk here?

We are no banking site here and posted data is public. I.e even non authenticated users can read posts.

So apart from someone sniffing your private messages, not sure what is the added value.

 

Hmm, well. Aside from GDPR violations because you are processing PID (see previous responses) without transport encryption, I also had a hard time making a point. However, I glanced at your forum signature ...

 

Anyway, before we get to that, let me explain again what transport encryption is meant to provide. It's meant to provide confidentiality for the communication between client and server (i.e. no eavesdropping possible unless current crypto gets broken, even then the perfect forward secrecy will make things harder). It also ensures - that's after all what that certificate signed by a trusted CA (certification authority) is meant to do - that you are the one in control of the domain. Mind you, this is the lowest validation level. Further levels exist, providing additional levels of assurance. But it can be debated if some of that is snake oil. So to summarize: content I get from here, I know it's coming from your server and it's on me to decide whether to trust you and your server.

 

The scenario that Wonko so gallantly shoved aside is a very real one: man in the middle (MITM). Someone injecting their content in place of yours on the way between me (or any other user) and your server.

 

Which brings me back to your nice signature.

 

Let's consider just one of your little contributions. Say MkisofsGui. Can you see what's coming?

 

Well, you aren't code signing your executables, but that ZIP file I downloaded contains an executable program (.exe). So how am I to be sure that no one tampered with it on the way from you (personally) via your server to me? I can't. In fact I can't even be sure about this at all, not even with HTTPS. However, provided your server security holds, and you'd provide a cryptographic hash (e.g. SHA256) of the ZIP archive, I could be reasonably sure that - after verifying the hash matches - it came from you. The only way to be even more sure would be for you to code-sign your executables (which is the software analogue of web server certificates).

 

Anyway, without transport encryption all bets are off. I can't be sure that the data I am receiving came from you. I can't be sure it hasn't been tampered with either ...

 

So this is not purely about confidentiality of some boring (not so) private message. This is literally you abetting cyber crime by neglect. Sorry to say. And sorry to have to use so strong words ...

 

I hope this is nevertheless an understandable argument. If not, feel free to ask away. I will try to answer, spare time permitting.

 

You would have at least one more enemy. :w00t:

 

... hmm and who would that be? The incorrigible user who holds still - after hearing all the facts - that transport encryption is so 90s and really unnecessary?

 

[...] and even with my occasionally bad temper and bitchy attitude (so I am told), I never consider anyone as such.

 

Hey, we could make a good match  :D

 

btw: that WYSIWYG-editor was acting up a lot. For some reason the first quote doesn't appear correctly attributed to "Wonko the Sane".


Edited by assarbad, 3 weeks ago.

  • PeteG5000 likes this
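The point made in this post and in #21, that a 2FA login buys little when the session cookie then travels in clear text, can be checked from a site's response headers. The following is an added example, not part of the thread or of the forum's software; the header values and cookie names are constructed, and `session_cookies` is a hypothetical parameter naming which cookies carry the login session.

```python
# Added illustration: audit response headers for the attributes that keep a
# login cookie off plain HTTP. All header values below are constructed.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "member_id=42; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if the header is absent or unparsable."""
    for hname, hval in headers:
        if hname.lower() != "strict-transport-security":
            continue
        for directive in hval.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age":
                val = val.strip().strip('"')
                return int(val) if val.isdigit() else 0
    return 0


def audit(headers, session_cookies):
    """Return (severity, cookie, reason) findings for one HTTP response."""
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        is_session = name in session_cookies
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests
            # too, so anyone on the path can read it, 2FA or not.
            findings.append(("HIGH" if is_session else "low", name,
                             "no Secure attribute: also sent over plain http://"))
        if is_session and "httponly" not in attrs:
            findings.append(("medium", name,
                             "no HttpOnly attribute: readable by page scripts"))
    if hsts_max_age(headers) == 0:
        findings.append(("medium", "-",
                         "no HSTS: browser may still try http:// for this host"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, {"session_id", "member_id"}):
        print(*finding, sep=" | ")
```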

#24 assarbad

assarbad

    Member

  • Members
  • 37 posts
  •  
    Germany

Posted 3 weeks ago

@erwan.l let me add that aside from the obvious "switching out the file under both our noses" there are also very real risks involved due to the fact that harmful, that is malicious, content gets injected on the way. People will most likely attribute any harm to you, even though you may be completely innocent and even oblivious to what happened.

 

And yes, anything that gets parsed with code, including seemingly harmless ZIP files, but more so executables, has the potential of wreaking havoc when tampered with. That tampering is one of the scenarios transport encryption aims to prevent.


  • PeteG5000 likes this
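The check described in posts #23 and #24, comparing a downloaded archive against a SHA256 digest published by the author, as an added example that is not part of the thread or of any tool mentioned in it. The file name, the archive bytes and the digest list are constructed stand-ins; the list uses the `sha256sum` line format.

```python
# Added illustration: verify a downloaded archive against a published SHA-256
# list. The list itself must be fetched over an authenticated channel (HTTPS
# or a signed file); if it arrives over plain HTTP, whoever can swap the
# archive can swap the digest as well.
import hashlib
import hmac
import io
import re

# "<64 hex digits>  <name>" (text mode) or "<64 hex digits> *<name>" (binary mode)
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text):
    """Parse sha256sum-style lines into {file name: lower-case hex digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        match = _SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"not a sha256sum line: {line!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def sha256_stream(fileobj, chunk_size=65536):
    """Hash a binary file object in chunks so large downloads fit in memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def verify(fileobj, name, sums_text):
    """Return 'ok', 'MISMATCH', or 'unlisted' for one downloaded file."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return "unlisted"  # a file with no published digest was never vouched for
    actual = sha256_stream(fileobj)
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"


# --- constructed sample data ---------------------------------------------
NAME = "example-tool.zip"  # placeholder file name
ORIGINAL = b"PK\x03\x04 constructed stand-in for a release archive"
TAMPERED = ORIGINAL[:-1] + b"!"  # one byte changed in transit
# What the author would publish next to the download:
PUBLISHED_SUMS = f"# SHA256SUMS\n{hashlib.sha256(ORIGINAL).hexdigest()}  {NAME}\n"


def demo():
    """Run the check on the untouched, the altered, and an unlisted download."""
    return (
        verify(io.BytesIO(ORIGINAL), NAME, PUBLISHED_SUMS),
        verify(io.BytesIO(TAMPERED), NAME, PUBLISHED_SUMS),
        verify(io.BytesIO(ORIGINAL), "other.zip", PUBLISHED_SUMS),
    )


if __name__ == "__main__":
    print(demo())
```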

#25 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 3 weeks ago

AFAIC, debating about https is fine.
But being called an ignorant because I am only debating is not fine :)
And surely not encouraging me to spend time on this matter.

I am dealing with such requests in my job every day (being a network admin): being called names or being yelled at will surely not happen here when I consider this place a hobby for fun.



