HTTPS for the forum?

Posted: Mon Jun 06, 2016 5:11 pm
by Chris
I've noticed that, since the Snowden leaks, a lot more sites have been going HTTPS by default. Even news sites and corporate home pages. But this site is still using HTTP, even the login page /-:

Now I'm well aware that one of the goals of the forum is to have a low upkeep cost. Hey, I like the default phpBB theme! But offering HTTPS isn't a cosmetic change; sending passwords via plaintext is generally a Bad Idea. General browsing and commenting on the forums might be a problem too, for some people who have their internet activity monitored at the office.

The EFF is now offering SSL certificates for free, and has software to automate the installation process. It should only take a couple of minutes to get it done.

Anyone else care about this?

Re: HTTPS for the forum?

Posted: Mon Jun 06, 2016 6:39 pm
by BRUTE
+1

Re: HTTPS for the forum?

Posted: Mon Jun 06, 2016 7:24 pm
by chicago81
I'd prefer it, especially since I'm sending a password... but at the same time I think my account to this site is of no value to any potential hacker, so meh :) For all I know, the password could be stored in a database in plaintext anyway. I don't use the same password here as I do for other "more important" sites like banks/brokerages, etc... so ....

Re: HTTPS for the forum?

Posted: Mon Jun 06, 2016 11:38 pm
by bryan
+1

Re: HTTPS for the forum?

Posted: Tue Jun 07, 2016 3:39 am
by vexed87
If it's easy and doesn't take much effort, I'll +1

As chicago says, it's imperative you don't duplicate your passwords anywhere; there's no excuse when you can get password managing software where your passwords are stored encrypted, either on your own PC or in the cloud, which is useful if you log in on many devices. I understand why others would be nervous about this, but it's encrypted with a 25 character and easy to remember password (see diceware). I remember one password and all my logins are randomly generated 12 character phrases.

Oh, btw, HTTPS won't stop employers snooping on your browser habits unfortunately. They can still see the pages you visit etc, even if they can't see the text you send to the server, anyone with half a brain could work out which user on the forum you are!

Re: HTTPS for the forum?

Posted: Thu Jun 23, 2016 1:55 pm
by SilverElephant
vexed87 wrote: Oh, btw, HTTPS won't stop employers snooping on your browser habits unfortunately. They can still see the pages you visit etc, even if they can't see the text you send to the server, anyone with half a brain could work out which user on the forum you are!
With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting. Obviously these two are sufficient to make a claim à la "you're on that ERE forum all the time you're at work", but in general, these days, a properly configured server will hide the exact pages you are visiting on a site. All an eavesdropper will see is that you are exchanging data with a specific IP after resolving a domain name to that IP, but not the actual pages.

Re: HTTPS for the forum?

Posted: Thu Jun 23, 2016 5:12 pm
by JamesR
It'd probably require more than a few hours of work to make that change I bet. Likely have to buy an SSL certificate and spend the time setting it up, adding the appropriate apache rewrite rules, etc.

Re: HTTPS for the forum?

Posted: Thu Jun 23, 2016 5:32 pm
by Scott 2
SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.

Re: HTTPS for the forum?

Posted: Thu Jun 23, 2016 5:46 pm
by jacob
FWIW, it's not gonna happen insofar that _I_ have to make the change.

However, I'm willing to pay an impressive mid-high two-figures per month in case anyone desires to take over site maintenance so I don't have to worry about the forums+blog_wiki breaking again.

Most of the time, you'd just be cashing monthly checks w/o doing anything whatsoever. However, if history is any indication, about once a year, shit's on fire and you better be able to fix it within a couple of hours.

Potential applicants, if any, please note that I tend to trust people proportional to how many posts they've made on the forum---500+ would be acceptable---and obviously regulars would be much preferred so that you might catch problems before I do/I don't have to hunt you down.

Obviously some skill operating SQL, phpBB, wordpress, and mediawiki would be required.

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 2:44 pm
by SilverElephant
Scott 2 wrote:
SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.
Well, yes, agreed, if the device is under the employer's control... perhaps I'm just spoiled by my having been presented with a laptop and the words "go nuts", so my device is 100% controlled by me. Obviously this is not the case for everyone.
jacob wrote: FWIW, it's not gonna happen insofar that _I_ have to make the change.
JamesR wrote: It'd probably require more than a few hours of work to make that change I bet. Likely have to buy an SSL certificate and spend the time setting it up, adding the appropriate apache rewrite rules, etc.
Depending on your degree of control over your server, setting up an SSL certificate from Letsencrypt is a 30 minute thing, tops. 10 if you've got a server with root access and Apache running. Plus it's free, and perpetually self-renewing (as long as Letsencrypt in its present form exists).
jacob wrote:Obviously some skill operating SQL, phpBB, wordpress, and mediawiki would be required.
Wordpress... more like "remote PHP shell". :|
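For readers wondering what "the appropriate apache rewrite rules" plus a Let's Encrypt certificate actually look like, here is an added example of the Apache virtual host pair such a setup needs. It is not configuration from this forum, from phpBB, or from the Let's Encrypt project; the domain forum.example.com, the DocumentRoot, and the webroot path used for ACME challenges are assumptions, and the certificate paths are the ones certbot creates by default.

```apache
# Added example, not the forum's own configuration.
# Assumed: domain forum.example.com, phpBB installed in /var/www/phpbb,
# certificate obtained with certbot's webroot plugin, e.g.
#   certbot certonly --webroot -w /var/www/letsencrypt -d forum.example.com
# Requires mod_ssl, mod_rewrite, mod_headers and mod_alias to be enabled.

<VirtualHost *:80>
    ServerName forum.example.com

    # Keep the ACME challenge path reachable over plain HTTP so that
    # certbot's automatic renewals keep working after the redirect is in place.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Require all granted
    </Directory>

    # Send every other request to the HTTPS site with a permanent redirect,
    # so that a login form is never served (or submitted) over HTTP.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.com
    DocumentRoot /var/www/phpbb

    SSLEngine on
    # Symlinks under /etc/letsencrypt/live/ always point at the current
    # certificate, so renewals need no edits here, only an Apache reload.
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.com/privkey.pem

    # Disable the legacy protocol versions; let clients negotiate TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # HSTS: browsers that have seen this header refuse to load the host over
    # HTTP for a year. Add it only once the HTTPS site is confirmed working.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Two phpBB-side settings belong with this: in the ACP under Server settings, set the server protocol to https:// so generated links and the board URL use it, and under Cookie settings enable the secure cookie option so the session cookie carries the Secure flag and is never sent over plain HTTP. Without that second step the redirect protects the login form but a browser could still leak the session cookie on an http:// request, which is exactly the cookie theft bryan mentions below.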

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 3:31 pm
by bryan
SilverElephant wrote:
Scott 2 wrote:
SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.
Well, yes, agreed, if the device is under the employer's control... perhaps I'm just spoiled by my having been presented with a laptop and the words "go nuts", so my device is 100% controlled by me. Obviously this is not the case for everyone.
"Presented" in that you got it direct from a shop, unopened? Otherwise you don't know if the IT has done something outside of the system software (OS) level. Can you go into BIOS and play around 100%? Wipe the hard drive? Even all of this may not be enough these days (it's not for certain smartphones, I know PCs have been heading in that direction with Intel SGX, AMD PSP).

Sorry.. this is a tangent and not on topic of getting HTTPS set up so anyone sniffing on the network can steal my ERE cookie or password or otherwise spy on me.

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 3:43 pm
by jacob
SilverElephant wrote: Depending on your degree of control over your server, setting up an SSL certificate from Letsencrypt is a 30 minute thing, tops. 10 if you've got a server with root access and Apache running.
Or in my case: 10 minutes to do it + 5000 minutes to learn how to do it + 20000 minutes to gain the experiential knowledge to know how to fix the random problems whenever things turn out not to work as expected, lest I get hammered with mails and IM's telling me to "please fix the forum now" after it's been down for a couple of hours.

I've noticed that for every two dozen people who tell me that X is easy, only one person is actually willing to do it even if I offer to pay them :)

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 5:53 pm
by BRUTE
maybe jacob needs to pay more

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 6:11 pm
by jacob
@brute - Yeah ...

Random internet guy: Based on your alexa rankings you could monetize your blog and make $100,000 per year.
Me: Great! Make it happen and I'll pay you 50% of the profits per year.
Random internet guy: Sorry, I'm suddenly too busy.

Obviously, it's not worth it to make these changes after all unless someone else is doing all the work.

Re: HTTPS for the forum?

Posted: Fri Jun 24, 2016 8:58 pm
by Chris
Really, no takers?

Ok, I'm willing to take care of enabling HTTPS.