Can we encrypt the forum already?

Adrian
Developer
Posts: 8266
Joined: Wed Jul 12, 2006 1:42 am

Can we encrypt the forum already?

#1 Post by Adrian »

I was just reading the news, Let's Encrypt has issued 10 million certificates:
https://twitter.com/letsencrypt/status/ ... 2255932416

Can we encrypt this site? It's important because as it is right now passwords are sent in clear-text over the internet, which means that a) any malicious person could see your forum password (hopefully you don't use it for anything else) and b) any malicious person can impersonate somebody on the forum (even a developer) and/or modify posts, so for example they could change download links. Also, some people use the site at work and they don't want a 3rd party to snoop their traffic.

Disadvantages: I think that old http links won't work anymore, although they could probably be redirected to https.

sanlav
Posts: 16
Joined: Sun Feb 03, 2008 10:03 pm

Re: Can we encrypt the forum already?

#2 Post by sanlav »

My 2 cents:

1. To be a tad serious: Who will hack a Linux forum?
2. To what end? To gain what? Just to impersonate a forum admin and write strange posts?
3. General knowledge among hackers is that Linux servers are harder to hack than other systems and they have better means to track back an intruder (and better admins).

I'm a bit curious how many distros implemented secured passwords but I could be wrong. Take it only as a personal opinion.

v3g4n
Posts: 654
Joined: Sat Jan 16, 2016 8:20 pm

Re: Can we encrypt the forum already?

#3 Post by v3g4n »

^ Guess you missed the news this year about the Linux Mint and Ubuntu forums being hacked, resulting in usernames and passwords being stolen. I'm sure that many users use the same username and password for everything so that they don't have to remember a bunch of them for different sites. This information could be valuable in the right hands. If you are one of those people using the same credentials for everything then I strongly recommend you start to use something such as KeePass2, KeePassX or Gorilla.
Last edited by v3g4n on Sat Sep 10, 2016 1:35 pm, edited 1 time in total.

Adrian
Developer
Posts: 8266
Joined: Wed Jul 12, 2006 1:42 am

Re: Can we encrypt the forum already?

#4 Post by Adrian »

"Who will hack a Linux forum?"
http://blog.linuxmint.com/?p=2994
"General knowledge among hackers is that Linux servers are harder to hack than other systems"
That's irrelevant if you pass the passwords in clear; they don't need to "hack" the forum, somebody simply needs to use a password that has bounced around in clear over the nodes on the internet.

BitJam
Developer
Posts: 2283
Joined: Sat Aug 22, 2009 11:36 pm

Re: Can we encrypt the forum already?

#5 Post by BitJam »

Back many years ago, when I was doing web admin, signed certificates were expensive, so I would self-sign certificates on intranets, which meant people would get a scary error/warning the first time they came to the https version and would have to add an exception to avoid getting the message in the future.

The Let's Encrypt site says that starting with Firefox version 50 (to be released later this year), the Firefox browser will accept Let's Encrypt certificates by default. Until then, and (I presume) with other browsers, the scary warning/error message will still be shown unless we pay for a signed certificate. I think the scary error/warning message is going to do more harm than the good done by using https encryption. Using encryption is a good idea but I think we should investigate purchasing a signed certificate.
"The first principle is that you must not fool yourself -- and you are the easiest person to fool."

-- Richard Feynman

Adrian
Developer
Posts: 8266
Joined: Wed Jul 12, 2006 1:42 am

Re: Can we encrypt the forum already?

#6 Post by Adrian »

"unless we pay for a signed certificate"
How much is it? It can't be a big problem for a community; I can donate something for that...

Jerry3904
Administrator
Posts: 21935
Joined: Wed Jul 19, 2006 6:13 am

Re: Can we encrypt the forum already?

#7 Post by Jerry3904 »

There is the problem of the webmaster's availability, which has been severely limited for some time.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

Adrian
Developer
Posts: 8266
Joined: Wed Jul 12, 2006 1:42 am

Re: Can we encrypt the forum already?

#8 Post by Adrian »

Jerry3904 wrote: There is the problem of the webmaster's availability, which has been severely limited for some time.
True, we need somebody to implement it. In my search for "enable SSL on Apache" (assuming this server runs Apache) or "enable HTTPS", it seems like it's just a couple of commands that need to be run. For example: https://help.ubuntu.com/lts/serverguide ... figuration

BitJam
Developer
Posts: 2283
Joined: Sat Aug 22, 2009 11:36 pm

Re: Can we encrypt the forum already?

#9 Post by BitJam »

Adrian wrote: How much is it, can't be a big problem for a community, I can donate something for that...
I'm sure my information is completely outdated. Google tells me Comodo offers certs for $5/year but I don't know if there are any catches. It used to be hundreds of dollars per year.

Reconfiguring Apache to use SSL is trivial but redirecting links and so forth may be slightly less so. I don't recall. We might want to switch to the mxlinux.org domain before buying a certificate because the certificate is linked to the name. That will take some work. I suggest we do some research and then wait until we have web admin bandwidth before going forward. This might take some time so I think it is good to start now and not rush.

We might also want to look into making our public signing keys more available. I liked m_pav's suggestion of including them in our ISO files even though including a signing key inside what is signed is mostly pointless. The keys will be useful for the following release and those that come after. I'm sorry if this seems like a change in subject; I see them both as steps in beefing up our security. I think we need to but we don't have to rush, although it is much better to stay ahead of the security curve and not lag behind. I'm sure there are other things we need to address as well. I'm not volunteering.
"The first principle is that you must not fool yourself -- and you are the easiest person to fool."

-- Richard Feynman

Gordon Cooper
Posts: 965
Joined: Mon Nov 21, 2011 5:50 pm

Re: Can we encrypt the forum already?

#10 Post by Gordon Cooper »

Comparison of costs: http://www.whichssl.com/compare-ssl-certificates.html

Unsure of related date.
Backup: Dell9010, MX-19_B2, Win7, 120 SSD, WD 232GIB HD, 4GB RAM
Primary :Homebrew64 bit Intel duo core 2 GB RAM, 120 GB Kingston SSD, Seagate1TB.
MX-18.2 64bit. Also MX17, Kubuntu14.04 & Puppy 6.3.
