Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
All times are UTC - 4
HTTPS everywhere except this forum
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Thu 15 Mar 2018, 15:32    Post subject: HTTPS everywhere except this forum

One line of defense is using HTTPS. Electronic Frontier Foundation (EFF) is offering one of the best plugins out there, on par with NoScript: HTTPS Everywhere.

I have been using this plugin for years, and for some time now I have used it with the setting Block All Unencrypted Request.

Unfortunately, I have to uncheck it to access Murga-Linux forum; I cannot think of another web site I need to do that for now.

With Let's Encrypt easing the way toward HTTPS, I wonder why Murga-Linux forum is still on old, soon-to-be deprecated, HTTP.

Have an idea?

Further reading:
https://www.itzgeek.com/how-tos/linux/how-to-install-lets-encrypt-on-centos-debian-ubuntu-running-apache-web-server.html

Last edited by labbe5 on Fri 16 Mar 2018, 20:40; edited 1 time in total
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13343
Location: Arizona USA

Posted: Thu 15 Mar 2018, 16:38

Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.
matchpoint

Joined: 26 Jan 2018
Posts: 169

Posted: Thu 15 Mar 2018, 17:30

That we post publicly, what are you hoping it will protect you from?
belham2

Joined: 15 Aug 2016
Posts: 1676

Posted: Thu 15 Mar 2018, 18:30

Flash wrote:
Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.


Flash,

You cannot possibly be serious, are you? Please tell me you are not. Https has little to do with "protecting" passwords. That is a side corollary, a little thing. There is another, a much bigger thing, one which encapsulates the whole https movement and its reason for being (and the push it is receiving).

Ask yourself: how many small scripts, pics and such do you think murga has on its account at the servers it contracts this forum out to (the web server company)? You think thousands? Hundreds of thousands? More??? (it'd be wise to guess the last one).

Ask yourself each and every time one of those things is downloaded, how unbelievably easy it is to: a) impersonate this site, and b) for the end user to have no inkling it happened. Https fights on these two fronts. If you think about the ease of compromising http-only websites, you get an idea of what https would do for this site and its users.

I just wish people would stop putting out there what they think they know about https, and stop using lame, inapplicable excuses. Simply put, there is no way on this green Earth murga-linux.com can confidently tell any browser (who lands on its site today) that it is: a) actually the murga site, and; b) that any and/all scripts/programs that you download will be done securely & thanks to https will not be subject to easy MITM actions.

I've done https on the few sites I run. It is not hard. It is not expensive. It just takes time, not $$$$ or brainpower. It is just plain goddamn laziness (please excuse the language but it has gotten to the point this needs to be said)...it is just plain damn laziness that this site has not been converted to https.

So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you? All of the users who uploaded and contributed stuff, do you value it? Or no??

If the web server provider you currently use will not help you move murga to https (which I cannot think of one on the planet that does not now offer this), then have the foresight to move.

Stop making excuses. This has gone beyond ridiculous, especially for a site like murga & the content it holds.
Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1565

Posted: Thu 15 Mar 2018, 21:29

I like living in the past. All those new ad-filled social-media-connected javascript-filled CPU-tanking sites can go to hell
rufwoof


Joined: 24 Feb 2014
Posts: 3539

Posted: Sat 17 Mar 2018, 17:00

belham2 wrote:
Flash wrote:
Other than encrypting your password, which is now sent in the clear, I don't see the point of HTTPS for this forum. Everything in it is available to anyone who wants to become a member and log in.

You cannot possibly be serious, are you? Please tell me you are not. Https has little to do with "protecting" passwords. That is a side corollary, a little thing. There is another, a much bigger thing, one which encapsulates the whole https movement and its reason for being (and the push it is receiving).

https often isn't implemented properly and as such offers little in the way of protection over not having bothered.

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh

Last edited by rufwoof on Thu 10 Oct 2019, 20:20; edited 1 time in total
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13343
Location: Arizona USA

Posted: Sat 17 Mar 2018, 19:45

rufwoof wrote:
...hardly a pleasant/helpful community/board for new visitors either.

How so? Please explain.
matchpoint

Joined: 26 Jan 2018
Posts: 169

Posted: Sun 18 Mar 2018, 08:16

For our daily 30,000 plus, key comments from a respected Windows MVP administrator and a realistic viewpoint on the topic.
Quote:
No, the use of SSL does not protect this website, its software or server. Someone asked me something similar offline from this, whether forcing SSL would prevent hackers from attacking. No, it won't. SSL is not a protective barrier keeping anyone out. Everyone can access the site using SSL if it is enabled - good guys and bad guys. And hack attempts, things like SQL injection, or other known exploitable holes in either the [blank] application or the underlying webserver software, are in no way prevented by implementing SSL.

Quote:
I will add that MITM attacks are just as easy against a site with a CA provided cert as a self-signed one. If a CA grants an open ended cert to some big company or govt agency, which everyone knows has been done, and they then put that between us and this forum, our browsers wouldn't object to that regardless of whether the cert here is self-signed or provided by a CA. It's the trust on the MITM cert that's important at that point, not the target site's certificate.

And no, I'm not interested in a debate.

Ref? You've got plenty to work with.


Peace.
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Tue 07 Aug 2018, 17:31    Post subject: Let's Encrypt
Subject description: Now Officially Trusted by All Major Root Programs
 

https://www.bleepingcomputer.com/news/security/lets-encrypt-is-now-officially-trusted-by-all-major-root-programs/

Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems.

While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well.
hatemonday

Joined: 10 Oct 2019
Posts: 5

Posted: Thu 10 Oct 2019, 09:33

Most sites have https nowadays, it's strange this murga forum doesn't have https enabled.
Last edited by hatemonday on Fri 11 Oct 2019, 23:23; edited 1 time in total
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13343
Location: Arizona USA

Posted: Thu 10 Oct 2019, 10:47

No, your password is not encrypted. However, if you are using an encrypted wifi connection, the traffic between your computer and the wifi base station is encrypted, meaning that an eavesdropper can't understand anything that's sent or received over the wireless connection. I don't know about public wifi. Usually it requires a password, so I assume it's an encrypted connection, but the traffic between the wifi base station and the wired Ethernet is definitely not encrypted. This is where someone could read your password, but they'd have to be eavesdropping on the wired Ethernet to do it. That's much more difficult to do than eavesdropping on a wireless connection. It requires physical access to the Ethernet cable.

The reason this forum doesn't use https is that the forum was established in 2005, before https was common. I don't know how much trouble it would be to add https capability. Probably that would require updating the forum software. That would be up to John Murga.

Yes, the forum logs users' IP addresses. Each post has the poster's IP address attached to it. I don't know if everyone can see it but moderators and administrators can. I can't see your password, so don't ask me what it is if you forget it.
mikeslr


Joined: 16 Jun 2008
Posts: 3405
Location: 500 seconds from Sol

Posted: Thu 10 Oct 2019, 11:20

Although a "Let's encrypt" account can be obtained without cost* (https://gethttpsforfree.com/), it's not just a question of whether this Forum's software could use it. [I suspect major problems in updating 14 year old software and the likelihood of losing some (many) of its over 1 Million posts.] There's also the question of whether the Web-host on which this Forum resides can both accommodate Let's encrypt in general and with respect to this Forum's software in particular.

* I think it has to be renewed every 90 days.
01101001b


Joined: 08 Mar 2017
Posts: 89
Location: Buenos Aires, Argentina

Posted: Thu 10 Oct 2019, 19:08

rufwoof wrote:
Puppy is so [...] Insecure ...etc.

Insecure?? Clearly you don't have the slightest idea of what you're talking about. No surprise, though. But I don't give a damn.

Have a good day
01101001b


Joined: 08 Mar 2017
Posts: 89
Location: Buenos Aires, Argentina

Posted: Thu 10 Oct 2019, 19:23

belham2 wrote:

it is just plain damn laziness that this site has not been converted to https.

So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you?

No disrespect here but you are talking plain paranoia and spreading hysteria. HTTPS has a purpose, secrecy, and here nothing is secret. Security is a must when needed. No need here. HTTPS to protect what? Old scripts? Posts? MITM here?? Please.

Have a good day
s243a

Joined: 02 Sep 2014
Posts: 2122

Posted: Thu 10 Oct 2019, 20:23

01101001b wrote:
belham2 wrote:

it is just plain damn laziness that this site has not been converted to https.

So plz stop spreading mistruths (that https would do nothing for this site) and misconceptions about https overall. And, John, if you are reading this, get off of the eternal laziness pillow and get this done. It is inexcusable at this point in time, especially given the amount of material people have provided your site for decades now, that you've let this linger. Start acting like you want everything protected here. Do you?

No disrespect here but you are talking plain paranoia and spreading hysteria. HTTPS has a purpose, secrecy, and here nothing is secret. Security is a must when needed. No need here. HTTPS to protect what? Old scripts? Posts? MITM here?? Please.

Have a good day


Passwords and session cookies should be secret. Also https serves as a type of content verification. Without such content verification you can't tell if someone is doing a man in the middle attack on you!

_________________
Find me on minds and on pearltrees.
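
The point about passwords and session cookies in the post above, as an added example that is not part of the thread: a small Python audit of a captured response that flags a password form served or submitted over plain HTTP and cookies set without the Secure attribute. The URL, cookie name and HTML below are constructed sample values, and `audit` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormScan(HTMLParser):
    """Collect the action URL of every <form> that holds a password field."""

    def __init__(self):
        super().__init__()
        self.action = None          # action of the form currently open
        self.password_forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.action is not None and self.action not in self.password_forms:
                self.password_forms.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit(page_url, set_cookie_headers, html):
    """Return findings for cleartext credentials and cookies."""
    findings = []
    scan = PasswordFormScan()
    scan.feed(html)
    if scan.password_forms and urlsplit(page_url).scheme != "https":
        # Without TLS the form itself can be altered before the user sees it.
        findings.append(f"login form served over plain HTTP: {page_url}")
    for action in scan.password_forms:
        target = urljoin(page_url, action)   # an empty action posts to the page
        if urlsplit(target).scheme != "https":
            findings.append(f"password submitted in cleartext to {target}")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        flags = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure, so it also travels over HTTP")
    return findings


# Constructed sample: a forum login page fetched over HTTP.
SAMPLE_URL = "http://forum.example/login.php"
SAMPLE_COOKIES = ["forum_sid=abc123; path=/; HttpOnly"]
SAMPLE_HTML = '<form action="login.php" method="post"><input type="password" name="password"></form>'
```

Calling `audit(SAMPLE_URL, SAMPLE_COOKIES, SAMPLE_HTML)` returns three findings; the same page served over HTTPS with a `Secure` cookie returns none.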