HTTPS for the forum?

Questions and comments
Post Reply
User avatar
Chris
Posts: 504
Joined: Thu Jul 22, 2010 2:44 pm

HTTPS for the forum?

Post by Chris » Mon Jun 06, 2016 5:11 pm

I've noticed that, since the Snowden leaks, a lot more sites have been going HTTPS by default. Even news sites and corporate home pages. But this site is still using HTTP, even the login page /-:

Now I'm well aware that one of the goals of the forum is to have a low upkeep cost. Hey, I like the default phpBB theme! But offering HTTPS isn't a cosmetic change; sending passwords via plaintext is generally a Bad Idea. General browsing and commenting on the forums might be a problem too, for some people who have their internet activity monitored at the office.

The EFF is now offering SSL certificates for free, and has software to automate the installation process. It should only take a couple of minutes to get it done.

Anyone else care about this?

User avatar
BRUTE
Posts: 2513
Joined: Sat Dec 26, 2015 5:20 pm

Re: HTTPS for the forum?

Post by BRUTE » Mon Jun 06, 2016 6:39 pm

+1

chicago81
Posts: 255
Joined: Sat Feb 04, 2012 3:24 pm
Location: Chicago, IL

Re: HTTPS for the forum?

Post by chicago81 » Mon Jun 06, 2016 7:24 pm

I'd prefer it, especially since I'm sending a password.... but at the same time I think my account to this site is of no value to any potential hacker, so meh :) For all I know, the password could be stored in a database in plaintext anyway. I don't use the same password here as I do for other "more important" sites like banks/brokersages, etc... so ....

User avatar
bryan
Posts: 711
Joined: Sat Nov 29, 2014 2:01 am
Location: mostly Bay Area

Re: HTTPS for the forum?

Post by bryan » Mon Jun 06, 2016 11:38 pm

+1

User avatar
vexed87
Posts: 1187
Joined: Fri Feb 20, 2015 8:02 am
Location: Yorkshire, UK

Re: HTTPS for the forum?

Post by vexed87 » Tue Jun 07, 2016 3:39 am

If it's easy and doesn't take much effort, I'll +1

As chicago says, its imperative you don't duplicate your passwords anywhere, there's no excuse when you can get password managing software where you passwords are stored encrypted, either on your own PC or in the cloud - which is useful if you login on many devices, I understand why others would be nervous about this, but it's encrypted with a 25 character and easy to remember password (see diceware). I remember one password and all my logins are randomly generated 12 character phrases.

Oh, btw, HTTPS won't stop employers snooping on your browser habits unfortunately. They can still see the pages you visit etc, even if they can't see the text you send to the server, anyone with half a brain could work out which user on the forum you are!

SilverElephant
Posts: 126
Joined: Mon Jul 22, 2013 12:40 pm

Re: HTTPS for the forum?

Post by SilverElephant » Thu Jun 23, 2016 1:55 pm

vexed87 wrote:Oh, btw, HTTPS won't stop employers snooping on your browser habits unfortunately. They can still see the pages you visit etc, even if they can't see the text you send to the server, anyone with half a brain could work out which user on the forum you are!
With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting. Obviously these two are sufficient to make a claim à la "you're on that ERE forum all the time you're at work", but in general, these days, a properly configured server will hide the exact pages you are visiting on a site. All an eavesdropped will see is that you are exchanging data with a specific IP after resolving a domain name to that IP, but not the actual pages.

JamesR
Posts: 821
Joined: Sun Apr 21, 2013 9:08 pm

Re: HTTPS for the forum?

Post by JamesR » Thu Jun 23, 2016 5:12 pm

It'd probably require more than a few hours of work to make that change I bet. Likely have to buy an SSL certificate and spend the time setting it up, adding the appropriate apache rewrite rules, etc.

Scott 2
Posts: 811
Joined: Sun Feb 12, 2012 10:34 pm

Re: HTTPS for the forum?

Post by Scott 2 » Thu Jun 23, 2016 5:32 pm

SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.

jacob
Site Admin
Posts: 9033
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: HTTPS for the forum?

Post by jacob » Thu Jun 23, 2016 5:46 pm

FWIW, it's not gonna happen insofar that _I_ have to make the change.

However, I'm willing to pay an impressive mid-high two-figures per month in case anyone desires to take over site maintenance so I don't have to worry about the forums+blog_wiki breaking again.

Most of the time, you'd just be cashing monthly checks w/o doing anything whatsoever. However, if history is any indication, about once a year, shit's on fire and you better be able to fix it within a couple of hours.

Potential applicants, if any, please note that I tend to trust people proportional to how many posts they've made on the forum---500+ would be acceptable---and obviously regulars would be much preferred so that you might catch problems before I do/I don't have to hunt you down.

Obviously some skill operating SQL, phpBB, wordpress, and mediawiki would be required.

SilverElephant
Posts: 126
Joined: Mon Jul 22, 2013 12:40 pm

Re: HTTPS for the forum?

Post by SilverElephant » Fri Jun 24, 2016 2:44 pm

Scott 2 wrote:
SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.
Well, yes, agreed, if the device is under the employer's control... perhaps I'm just spoiled by my having been presented with a laptop and the words "go nuts", so my device is 100% controlled by me. Obviously this is not the case for everyone.
jacob wrote:FWIW, it's not gonna happen insofar that _I_ have to make the change.
JamesR wrote:It'd probably require more than a few hours of work to make that change I bet. Likely have to buy an SSL certificate and spend the time setting it up, adding the appropriate apache rewrite rules, etc.
Depending on your degree of control over your server, setting up an SSL certificate from Letsencrypt is a 30 minute thing, tops. 10 if you've got a server with root access and Apache running. Plus it's free, and perpetually self-renewing (as long as Letsencrypt in its present form exists).
jacob wrote:Obviously some skill operating SQL, phpBB, wordpress, and mediawiki would be required.
Wordpress... more like "remote PHP shell". :|

User avatar
bryan
Posts: 711
Joined: Sat Nov 29, 2014 2:01 am
Location: mostly Bay Area

Re: HTTPS for the forum?

Post by bryan » Fri Jun 24, 2016 3:31 pm

SilverElephant wrote:
Scott 2 wrote:
SilverElephant wrote: With modern TLS/SSL connections, all the employer can see is the DNS query and the IP address of the server you end up contacting.
If the employer controls the device, this is not true. They can potentially see everything, including all SSL traffic.
Well, yes, agreed, if the device is under the employer's control... perhaps I'm just spoiled by my having been presented with a laptop and the words "go nuts", so my device is 100% controlled by me. Obviously this is not the case for everyone.
"Presented" in that you got it direct from a shop, unopened? Otherwise you don't know if the IT has done something outside of the system software (OS) level. Can you go into BIOS and play around 100%? Wipe the hard drive? Even all of this may not be enough these days (it's not for certain smartphones, I know PCs have been heading in that direction with Intel SGX, AMD PSP).

Sorry.. this is a tangent and not on topic of getting HTTPS set up so anyone sniffing on the network can steal my ERE cookie or password or otherwise spy on me.

jacob
Site Admin
Posts: 9033
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: HTTPS for the forum?

Post by jacob » Fri Jun 24, 2016 3:43 pm

SilverElephant wrote: Depending on your degree of control over your server, setting up an SSL certificate from Letsencrypt is a 30 minute thing, tops. 10 if you've got a server with root access and Apache running.
Or in my case: 10 minutes to do it + 5000 minutes to learn how to do it + 20000 minutes to gain the experiental knowledge to know how to fix the random problems whenever things turn out not to work as expected, lest I get hammered with mails and IM's telling me to "please fix the forum now" after it's been down for a couple of hours.

I've noticed that for every two dozen people who tell me that X is easy, only one person is actually willing to do it even if I offer to pay them :)

User avatar
BRUTE
Posts: 2513
Joined: Sat Dec 26, 2015 5:20 pm

Re: HTTPS for the forum?

Post by BRUTE » Fri Jun 24, 2016 5:53 pm

maybe jacob needs to pay more

jacob
Site Admin
Posts: 9033
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: HTTPS for the forum?

Post by jacob » Fri Jun 24, 2016 6:11 pm

@brute - Yeah ...

Random internet guy: Based on your alexa rankings you could monetize your blog and make $100,000 per year.
Me: Great! Make it happen and I'll pay you 50% of the profits per year.
Random internet guy: Sorry, I'm suddenly too busy.

Obviously, it's not worth it to make these changes after all unless someone else is doing all the work.

User avatar
Chris
Posts: 504
Joined: Thu Jul 22, 2010 2:44 pm

Re: HTTPS for the forum?

Post by Chris » Fri Jun 24, 2016 8:58 pm

Really, no takers?

Ok, I'm willing to take care of enabling HTTPS.

Post Reply