TLS for OSDev Website?
-
- Posts: 2
- Joined: Thu Oct 06, 2016 10:08 am
- Libera.chat IRC: SenorContento
- Contact:
TLS for OSDev Website?
Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum. I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet. A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea. Thanks!
-
- Member
- Posts: 501
- Joined: Wed Jun 17, 2015 9:40 am
- Libera.chat IRC: glauxosdever
- Location: Athens, Greece
Re: TLS for OSDev Website?
Hi,
SenorContento wrote:
    Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum.
I don't understand how the different things expressed in the above quote relate together. Maybe try to rephrase it?
SenorContento wrote:
    I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet
I agree this site needs encryption.
SenorContento wrote:
    A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea.
Cloudflare has faced enough controversies; not sure why you specifically suggest using it. Maybe try to elaborate a bit more?
Regards,
glauxosdever
- Kazinsal
- Member
- Posts: 559
- Joined: Wed Jul 13, 2011 7:38 pm
- Libera.chat IRC: Kazinsal
- Location: Vancouver
- Contact:
Re: TLS for OSDev Website?
The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.
Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
-
- Member
- Posts: 501
- Joined: Wed Jun 17, 2015 9:40 am
- Libera.chat IRC: glauxosdever
- Location: Athens, Greece
Re: TLS for OSDev Website?
Hi,
Kazinsal wrote:
    In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?
Regards,
glauxosdever
Re: TLS for OSDev Website?
glauxosdever wrote:
    Hi,
    Kazinsal wrote:
        In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
    So you now blame him for the site not being encrypted?
    Regards,
    glauxosdever
What? He has suggested not to transfer any private data to OSDev.org.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
-
- Member
- Posts: 501
- Joined: Wed Jun 17, 2015 9:40 am
- Libera.chat IRC: glauxosdever
- Location: Athens, Greece
Re: TLS for OSDev Website?
Hi,
Roman wrote:
    What? He has suggested not to transfer any private data to OSDev.org.
Seems it was a misunderstanding on my part.
Sorry Kazinsal.
Regards,
glauxosdever
- Kazinsal
- Member
- Posts: 559
- Joined: Wed Jul 13, 2011 7:38 pm
- Libera.chat IRC: Kazinsal
- Location: Vancouver
- Contact:
Re: TLS for OSDev Website?
My point is that if someone is so deeply concerned about the privacy of their data on a public forum that they need end-to-end encryption between the forum and their web browser, they probably shouldn't be posting it on a public forum.
Encryption for encryption's sake is one of the things I just don't "get" about people who think they're security experts. Throwing TLS on everything doesn't solve any problems that didn't already exist.
Re: TLS for OSDev Website?
Cryptography is not only about privacy, it's also about authentication. But it's a small forum, though. Why would someone hijack our accounts here?
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
-
- Member
- Posts: 116
- Joined: Thu May 06, 2010 4:34 am
- Libera.chat IRC: peterbjornx
- Location: Leiden, The Netherlands
- Contact:
Re: TLS for OSDev Website?
Because sending passwords and email addresses as plaintext is never a smart idea. Although I agree OSDev isn't much of a target, there's still plenty of people who use their passwords on multiple sites, and they are vulnerable through the lack of encryption.
- Kazinsal
- Member
- Posts: 559
- Joined: Wed Jul 13, 2011 7:38 pm
- Libera.chat IRC: Kazinsal
- Location: Vancouver
- Contact:
Re: TLS for OSDev Website?
Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
HMAC/AES a short-lived session token with the hash of the password using the agreed-upon algorithm, send that back. Use something strong for password hashing to make brute forces a pain.
Unfortunately we can't implement that in the forums' ancient phpBB software.
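The challenge-response login described in the post above, as an added example that is not part of the original thread or of phpBB: the server issues a short-lived single-use challenge and the client answers with an HMAC keyed by a slow password hash. The names (`Server`, `respond`, `password_key`), the scrypt parameters and the 60-second lifetime are assumptions, and the post's optional AES step is left out.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


def password_key(password, salt):
    """Slow, salted password hash; both sides must agree on these parameters."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def respond(password, salt, challenge):
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password_key(password, salt), challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server side of the exchange (not phpBB code)."""

    def __init__(self):
        self.users = {}    # username -> (salt, scrypt output)
        self.pending = {}  # username -> (challenge, expiry time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, password_key(password, salt))

    def begin(self, user, now=None):
        """Issue a fresh challenge; returns (salt, challenge) for the client."""
        now = time.time() if now is None else now
        salt = self.users[user][0]  # unknown users raise KeyError in this sketch
        challenge = secrets.token_bytes(32)
        self.pending[user] = (challenge, now + CHALLENGE_TTL)
        return salt, challenge

    def finish(self, user, response, now=None):
        """Check the client's HMAC; each challenge is accepted at most once."""
        now = time.time() if now is None else now
        challenge, expiry = self.pending.pop(user, (None, 0.0))  # pop blocks replay
        if challenge is None or now > expiry:
            return False
        expected = hmac.new(self.users[user][1], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare
```

In this design the stored scrypt output is itself the login secret, so it needs the same protection as a password. The exchange authenticates only the client, not the server or the page content.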
-
- Member
- Posts: 1146
- Joined: Sat Mar 01, 2014 2:59 pm
Re: TLS for OSDev Website?
Kazinsal wrote:
    Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
Kazinsal wrote:
    Unfortunately we can't implement that in the forums' ancient phpBB software.
Which is why we should just throw TLS on it and call it a day (even though it's "just lazy"). phpBB has no problem running over an HTTPS connection; as far as the PHP side of things goes, it doesn't see anything different.
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.
Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing
Re: TLS for OSDev Website?
Kazinsal wrote:
    The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.
    Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
Re: TLS for OSDev Website?
Google will start ranking web sites low on search results if they don't support HTTPS in the near future.
This could also be a good reason to do so.
Google announcement:
https://webmasters.googleblog.com/2014/ ... ignal.html
“Meaningless! Meaningless!”
says the Teacher.
“Utterly meaningless!
Everything is meaningless.” - Ecclesiastes 1, 2
Educational Purpose Operating System - EPOS
Re: TLS for OSDev Website?
Isn't a forum a Threads Local Storage by definition?
.. I'm out already
-
- Member
- Posts: 1146
- Joined: Sat Mar 01, 2014 2:59 pm
Re: TLS for OSDev Website?
zenzizenzicube wrote:
    Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
Yes, you would. That's why Kazinsal clearly doesn't know what he's talking about. PHP doesn't know (read: see) the difference between HTTP and HTTPS beyond the URL scheme, and thus phpBB doesn't care whether you're running it over an HTTP or an HTTPS connection. Such is the beauty of the OSI model...
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.
Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing