TLS for OSDev Website?

Questions, comments, and suggestions about this site should go here.
SenorContento
Posts: 2
Joined: Thu Oct 06, 2016 10:08 am
Libera.chat IRC: SenorContento

TLS for OSDev Website?

Post by SenorContento »

Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum. I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet. A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea. Thanks!
glauxosdever
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Libera.chat IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,

SenorContento wrote:Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum.
I don't understand how the different things expressed in the above quote relate together. Maybe try to rephrase it?
SenorContento wrote:I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet
I agree this site needs encryption.
SenorContento wrote:A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea.
Cloudflare has faced enough controversies; not sure why you specifically suggest using it. Maybe try to elaborate a bit more?


Regards,
glauxosdever
Kazinsal
Member
Posts: 559
Joined: Wed Jul 13, 2011 7:38 pm
Libera.chat IRC: Kazinsal
Location: Vancouver

Re: TLS for OSDev Website?

Post by Kazinsal »

The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
glauxosdever
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Libera.chat IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,

Kazinsal wrote:In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever
Roman
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia

Re: TLS for OSDev Website?

Post by Roman »

glauxosdever wrote:Hi,

Kazinsal wrote:In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever
What? He has suggested not to transfer any private data to OSDev.org.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
glauxosdever
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Libera.chat IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,

Roman wrote:What? He has suggested not to transfer any private data to OSDev.org.
Seems it was a misunderstanding on my part.

Sorry Kazinsal.


Regards,
glauxosdever
Kazinsal
Member
Posts: 559
Joined: Wed Jul 13, 2011 7:38 pm
Libera.chat IRC: Kazinsal
Location: Vancouver

Re: TLS for OSDev Website?

Post by Kazinsal »

My point is that if someone is so deeply concerned about the privacy of their data on a public forum that they need end to end encryption between the forum and their web browser, they probably shouldn't be posting it on a public forum.

Encryption for encryption's sake is one of the things I just don't "get" about people who think they're security experts. Throwing TLS on everything doesn't solve any problems that didn't already exist.
Roman
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia

Re: TLS for OSDev Website?

Post by Roman »

Cryptography is not only about privacy, it's also about authentication. But it's a small forum, though. Why would someone hijack our accounts here?
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
Peterbjornx
Member
Posts: 116
Joined: Thu May 06, 2010 4:34 am
Libera.chat IRC: peterbjornx
Location: Leiden, The Netherlands

Re: TLS for OSDev Website?

Post by Peterbjornx »

Because sending passwords and email addresses as plaintext is never a smart idea. Although I agree OSDev isn't much of a target, there are still plenty of people who use their passwords on multiple sites, and they are vulnerable through the lack of encryption.
Kazinsal
Member
Posts: 559
Joined: Wed Jul 13, 2011 7:38 pm
Libera.chat IRC: Kazinsal
Location: Vancouver

Re: TLS for OSDev Website?

Post by Kazinsal »

Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.

HMAC/AES a short-lived session token with the hash of the password using the agreed-upon algorithm, send that back. Use something strong for password hashing to make brute forces a pain.

Unfortunately we can't implement that in the forums' ancient phpBB software.
onlyonemac
Member
Posts: 1146
Joined: Sat Mar 01, 2014 2:59 pm

Re: TLS for OSDev Website?

Post by onlyonemac »

Kazinsal wrote:Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
Kazinsal wrote:Unfortunately we can't implement that in the forums' ancient phpBB software.
Which is why we should just throw TLS on it and call it a day (even though it's "just lazy"). phpBB has no problem running over an HTTPS connection; as far as the PHP side of things goes, it doesn't see anything different.
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing
matt11235
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: TLS for OSDev Website?

Post by matt11235 »

Kazinsal wrote:The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
stdcall
Member
Posts: 78
Joined: Thu Mar 14, 2013 1:30 am

Re: TLS for OSDev Website?

Post by stdcall »

Google will start ranking web sites low on search results if they don't support HTTPS in the near future.

This could also be a good reason to do so.

Google announcement:
https://webmasters.googleblog.com/2014/ ... ignal.html
“Meaningless! Meaningless!”
says the Teacher.
“Utterly meaningless!
Everything is meaningless.” - Ecclesiastes 1, 2

Educational Purpose Operating System - EPOS
Boris
Member
Posts: 145
Joined: Sat Nov 07, 2015 3:12 pm

Re: TLS for OSDev Website?

Post by Boris »

Isn't a forum a Threads Local Storage by definition?

.. I'm out already :D
onlyonemac
Member
Posts: 1146
Joined: Sat Mar 01, 2014 2:59 pm

Re: TLS for OSDev Website?

Post by onlyonemac »

zenzizenzicube wrote:Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
Yes, you would. That's why Kazinsal clearly doesn't know what he's talking about. PHP doesn't know (read: see) the difference between HTTP and HTTPS beyond the URL scheme, and thus phpBB doesn't care whether you're running it over an HTTP or an HTTPS connection. Such is the beauty of the OSI model...
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing