I was just reading the news, Let's Encrypt has issued 10 million certificates:
https://twitter.com/letsencrypt/status/ ... 2255932416
Can we encrypt this site? It's important because, as it is right now, passwords are sent in clear-text over the internet. That means that a) any malicious person could see your forum password (hopefully you don't use it for anything else) and b) any malicious person can impersonate somebody on the forum (even a developer) and/or modify posts, so for example they could change download links. Also, some people use the site at work and they don't want a 3rd party to snoop on their traffic.
Disadvantages: I think that old http links won't work anymore, although they could probably be redirected to https.
Can we encrypt the forum already?
Re: Can we encrypt the forum already?
My 2 cents:
1. To be a tad serious: who will hack a Linux forum?
2. To what end? To gain what? Just to impersonate a forum admin and write strange posts?
3. General knowledge among hackers is that Linux servers are harder to hack than other systems and they have better means to track back an intruder (and better admins).
I'm a bit curious how many distros implemented secured passwords but I could be wrong. Take it only as a personal opinion.
Re: Can we encrypt the forum already?
^ Guess you missed the news this year about the Linux Mint and Ubuntu forums being hacked resulting in usernames and passwords stolen. I'm sure that many users use the same username and password for everything so that they don't have to remember a bunch of them for different sites. This information could be valuable in the right hands. If you are one of those people using the same credentials for everything then I strongly recommend you start to use something such as Keepass2, KeepassX or Gorilla.
Last edited by v3g4n on Sat Sep 10, 2016 1:35 pm, edited 1 time in total.
Re: Can we encrypt the forum already?
Quote: Who will hack a Linux forum?
http://blog.linuxmint.com/?p=2994
Quote: General knowledge among hackers is that Linux servers are harder to hack than other systems
That's irrelevant if you pass the passwords in clear; they don't need to "hack" the forum, somebody simply needs to use a password that has bounced around in clear over the nodes on the internet.
Re: Can we encrypt the forum already?
Back many years ago, when I was doing web admin, signed certificates were expensive, so I would self-sign certificates on intranets, which meant people would get a scary error/warning the first time they came to the https version and would have to add an exception to avoid getting the message in the future.
The Let's Encrypt site says that starting with Firefox version 50 (to be released later this year), the Firefox browser will accept Let's Encrypt certificates by default. Until then, and (I presume) with other browsers, the scary warning/error message will still be shown unless we pay for a signed certificate. I think the scary error/warning message is going to do more harm than the good done by using https encryption. Using encryption is a good idea but I think we should investigate purchasing a signed certificate.
"The first principle is that you must not fool yourself -- and you are the easiest person to fool."
-- Richard Feynman
Re: Can we encrypt the forum already?
Quote: unless we pay for a signed certificate
How much is it, can't be a big problem for a community, I can donate something for that...
Re: Can we encrypt the forum already?
There is the problem of the webmaster's availability, which has been severely limited for some time.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin
Re: Can we encrypt the forum already?
Jerry3904 wrote: There is the problem of the webmaster's availability, which has been severely limited for some time.
True, we need somebody to implement it. In my search "enable SSL on Apache" (assuming this server runs Apache) or "enable HTTPS" it seems like it's just a couple of commands that need to be run. For example: https://help.ubuntu.com/lts/serverguide ... figuration
Re: Can we encrypt the forum already?
Adrian wrote: How much is it, can't be a big problem for a community, I can donate something for that...
I'm sure my information is completely outdated. Google tells me Comodo offers certs for $5/year but I don't know if there are any catches. It used to be hundreds of dollars per year.
Reconfiguring Apache to use ssl is trivial but redirecting links and so forth may be slightly less so. I don't recall. We might want to switch to the mxlinux.org domain before buying a certificate because the certificate is linked to the name. That will take some work. I suggest we do some research and then wait until we have web admin bandwidth before going forward. This might take some time so I think it is good to start now and not rush.
We might also want to look into making our public signing keys more available. I liked m_pav's suggestion of including them in our iso files even though including a signing key inside what is signed is mostly pointless. The keys will be useful for the following release and those that come after. I'm sorry if this seems like a change in subject, I see them as both steps in beefing up our security. I think we need to but we don't have to rush, although it is much better to stay ahead of the security curve and not lag behind. I'm sure there are other things we need to address as well. I'm not volunteering.
"The first principle is that you must not fool yourself -- and you are the easiest person to fool."
-- Richard Feynman
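As an added illustration of what the two posts above describe (enabling SSL on Apache and redirecting the old http links), not configuration taken from this forum's server: a minimal pair of virtual hosts, assuming Apache 2.4 and using the placeholder host name forum.example.org and placeholder paths.

```apache
# Added example; forum.example.org and all paths are placeholders.
# Needs mod_ssl and mod_headers (on Debian/Ubuntu: a2enmod ssl headers).

# Port 80: no content is served here. Every old http:// link is redirected
# to the same path on https://, so existing bookmarks and links keep working.
<VirtualHost *:80>
    ServerName forum.example.org
    Redirect permanent / https://forum.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.org
    DocumentRoot /var/www/forum

    SSLEngine on
    # Certificate chain and private key. These are the locations certbot
    # uses for Let's Encrypt certificates; a purchased certificate is
    # configured with the same two directives.
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem

    # HSTS: a browser that has visited once goes straight to https, so the
    # login form is not requested over plain http again.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The certificate has to name the host given in ServerName, which is why a domain switch would come before issuing it. The HSTS header is best enabled only after the https site is confirmed working, since browsers remember it for the full max-age.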
- Gordon Cooper
Re: Can we encrypt the forum already?
Backup: Dell9010, MX-19_B2, Win7, 120 SSD, WD 232GIB HD, 4GB RAM
Primary :Homebrew64 bit Intel duo core 2 GB RAM, 120 GB Kingston SSD, Seagate1TB.
MX-18.2 64bit. Also MX17, Kubuntu14.04 & Puppy 6.3.