Why isn't the wiki/forum using HTTPS ?

Questions, comments, and suggestions about this site should go here.
dozniak
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

MichaelFarthing wrote:We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?
For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Learn to read.
MichaelFarthing
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

dozniak wrote:
MichaelFarthing wrote:We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?
For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.
dozniak
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

MichaelFarthing wrote:Both of these things frighten me as much as losing a coin in the street
You maybe, but there are other people on the internets as well.
Learn to read.
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: Why isn't the wiki/forum using HTTPS ?

Post by Schol-R-LEA »

MichaelFarthing wrote:Why on Earth does it matter except that some large corporations are trying to bully everyone?
Because those large organizations can make the sites that don't use HTTPS inaccessible using most browsers. How many browsers do you know of that don't use one of the major engines? How many of those would you find usable with the majority of (usually lousy and bug-ridden, but that's another story) websites you have reason to go to?

Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could write a simple HTTP server and serve your own site are long over, for better or for worse.

Mind you, I am surprised it's taken this long, because honestly, the fact that it wasn't secured from the outset has been the source of endless problems. Sir Tim had no idea his baby would go as far as it did - he just thought it was a neat way to share pre-publication papers with people who weren't physically at CERN. Yea do many things come to pass fnord.

And at this point, the topic is moot; the forum has in fact switched over, as said already.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
MichaelFarthing
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.
iansjack
Member
Posts: 4662
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Why isn't the wiki/forum using HTTPS ?

Post by iansjack »

You wouldn't want people posting stuff you couldn't trust on an internet forum, would you. :wink:
Solar
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

MichaelFarthing wrote:
dozniak wrote:For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.
That utter failure to actually think about, "what is the worst that can happen".

Just two variations on the identity theft part:

1) Someone posting insults and threats in your name. Believe it or not, those are actionable offenses in the real world, and all the evidence points to you as the offender. At the very least, your reputation will take a sharp dip.

2) Someone hijacking a moderator account and using it to corrupt or outright destroy content.

Perhaps "frighten" is not the right word, but it's certainly enough to be a bloody nuisance. How often, do you think, would chase be willing to restore vandalized content from backups or fight off lawsuits for stuff that's been injected here by malicious attackers before he says, "forget it, I am closing down the site"?
Every good solution is obvious once you've found it.
MichaelFarthing
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

Well it's managed upwards of 10 years I think?
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: Why isn't the wiki/forum using HTTPS ?

Post by Schol-R-LEA »

MichaelFarthing wrote:What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.
Conversations in pubs don't linger decades after you are dead (OK, so that's shifting the topic a bit, as HTTP/HTTPS connections are potentially just as ephemeral as personal conversations, but whatever.) And I'll bet that if you thought your brother-in-law was in earshot, you'd be more guarded in your words than if it was just you and some friends whom you trusted, even if you didn't have any secrets to hide from your wife.

More importantly, just because you are being pressured to do something that is itself a good idea doesn't mean it isn't a good idea.

An oft-repeated (and equally often misconstrued) truism of the RISKS list goes, if you are only encrypting what you want to hide, all it does is wave a flag saying, "here's the secret stuff!". Even if privacy isn't a concern right now, it is a concern at other times, and going from not hiding things to hiding them is by itself crucial signals intel should anyone have a reason to listen in (they rarely do, at least on individuals; most of the really important data is in tracking demographic trends, not the activities of specific individuals - that is, they don't care what Joe Blow had for dinner last night, but they do care that 10,000 in his hometown had Burger King compared to 12,000 who had McDonald's).

(Though to be fair, it has been years since I've read RISKS on a regular basis. I also want to point to the tangentially related topic of spread-spectrum transmission and frequency hopping, but that's going too far afield so I'll just give those links for others to follow up on; suffice it to say, it's important enough that even your Bluetooth headphones both encrypt your data and frequency hop, regardless of whether the data itself is important or not.)

As I said, this is something which would have been an intrinsic part of the Web from the outset, had anyone thought about it. It is appalling that cleartext HTTP transmissions were ever a thing in the first place - though admittedly, it is unlikely that it would have exploded the way it did if the bar for implementing a webserver had been higher early on, it would have put a much higher computation cost on things which would have been onerous for the hardware of the time, and there would have been political pushback on it (given the way governments were about encryption at the time - much worse than they are today, and that's saying a lot), so it's not a clear-cut matter in some ways.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
Solar
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

MichaelFarthing wrote:Well it's managed upwards of 10 years I think?
You really want to field "it worked so far" as a genuine argument in a discussion? :shock:
Every good solution is obvious once you've found it.
nullplan
Member
Posts: 1733
Joined: Wed Aug 30, 2017 8:24 am

Re: Why isn't the wiki/forum using HTTPS ?

Post by nullplan »

Schol-R-LEA wrote:Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could write a simple HTTP server and serve your own site are long over, for better or for worse.
Yeah, and it appears that these people have absolutely no clue what they are doing with that. The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
Carpe diem!
Solar
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

nullplan wrote:The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
Curious. I usually get a message along the lines of "this WiFi network requires authentication" automatically as the WiFi connection is established -- i.e. before I even open a browser. At which point I am taken to a webpage where I can accept or decline the terms of service, and acknowledge the login.

In fact the only times I've seen HTTP intercept the way you described was with, let's say, "homegrown" installations.

So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:
Every good solution is obvious once you've found it.
Korona
Member
Posts: 999
Joined: Thu May 17, 2007 1:27 pm

Re: Why isn't the wiki/forum using HTTPS ?

Post by Korona »

Solar wrote:So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:
I don't think that's the case. In my experience, it works the way that nullplan explained. However, modern OSes know that it works that way and do an HTTP request to trigger the portal. For example, Android checks http://connectivitycheck.gstatic.com/generate_204 (and shows the "this WiFi network requires a login" message if the request does not return the expected 204).
managarm: Microkernel-based OS capable of running a Wayland desktop (Discord: https://discord.gg/7WB6Ur3). My OS-dev projects: [mlibc: Portable C library for managarm, qword, Linux, Sigma, ...] [LAI: AML interpreter] [xbstrap: Build system for OS distributions].
chase
Site Admin
Posts: 709
Joined: Wed Oct 20, 2004 10:46 pm
Libera.chat IRC: chase_osdev
Location: Texas
Discord: chase/matt.heimer

Re: Why isn't the wiki/forum using HTTPS ?

Post by chase »

nullplan wrote:The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
I use http://neverssl.com/ for that.

Edit: Little bit more about what Korona mentioned, what they do is try to load a known http:// URL when connecting to a wifi network and if they get back a response other than expected then the network probably requires a login. Here is a list of the URLs that various OSes/Devices use - https://enterprisenetworkingatlarge.wor ... p-vendors/