TLS for OSDev Website?

Posted: Thu Oct 06, 2016 10:16 am
by SenorContento
Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project, and I would like to request TLS for this site and its forum. I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet. A suggestion I have, if it helps, is using Cloudflare to host the connections if you can't have it yourself, but to have full end-to-end encryption yourself would be a much better idea. Thanks!

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 12:06 pm
by glauxosdever
Hi,

SenorContento wrote:Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project, and I would like to request TLS for this site and its forum.
I don't understand how the different things expressed in the above quote relate together. Maybe try to rephrase it?
SenorContento wrote:I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet.
I agree this site needs encryption.
SenorContento wrote:A suggestion I have, if it helps, is using Cloudflare to host the connections if you can't have it yourself, but to have full end-to-end encryption yourself would be a much better idea.
Cloudflare has faced enough controversies; not sure why you specifically suggest using it. Maybe try to elaborate a bit more?


Regards,
glauxosdever

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 12:24 pm
by Kazinsal
The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 12:27 pm
by glauxosdever
Hi,

Kazinsal wrote:In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 2:37 pm
by Roman
glauxosdever wrote:Hi,

Kazinsal wrote:In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever
What? He has suggested not to transfer any private data to OSDev.org.

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 2:48 pm
by glauxosdever
Hi,

Roman wrote:What? He has suggested not to transfer any private data to OSDev.org.
Seems it was a misunderstanding on my part.

Sorry Kazinsal.


Regards,
glauxosdever

Re: TLS for OSDev Website?

Posted: Thu Oct 06, 2016 4:16 pm
by Kazinsal
My point is that someone so deeply concerned about the privacy of their data on a public forum that they need end-to-end encryption between the forum and their web browser probably shouldn't be posting it on a public forum.

Encryption for encryption's sake is one of the things I just don't "get" about people who think they're security experts. Throwing TLS on everything doesn't solve any problems that didn't already exist.

Re: TLS for OSDev Website?

Posted: Fri Oct 07, 2016 2:23 am
by Roman
Cryptography is not only about privacy, it's also about authentication. But it's a small forum, though. Why would someone hijack our accounts here?

Re: TLS for OSDev Website?

Posted: Fri Oct 07, 2016 12:24 pm
by Peterbjornx
Because sending passwords and email addresses as plaintext is never a smart idea. Although I agree OSDev isn't much of a target, there are still plenty of people who use their passwords on multiple sites, and they are vulnerable through the lack of encryption.

Re: TLS for OSDev Website?

Posted: Fri Oct 07, 2016 2:09 pm
by Kazinsal
Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.

HMAC/AES a short-lived session token with the hash of the password using the agreed-upon algorithm, and send that back. Use something strong for password hashing to make brute forcing a pain.

Unfortunately we can't implement that in the forums' ancient phpBB software.
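The challenge-response login sketched in the post above, written out as an added example (not code from the thread or from phpBB): the server issues a random short-lived token, the client answers with HMAC(slow-hash(password), token), and the server checks it in constant time and refuses replays. The choice of scrypt, the cost parameters, the 60-second TTL and the caller-supplied clock are assumptions made here for the illustration; the thread names no concrete algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (the thread names no algorithm): scrypt stands in for
# "something strong" for password hashing, the TTL for "short-lived".
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOKEN_TTL_SECONDS = 60.0


def password_verifier(password: str, salt: bytes) -> bytes:
    """Slow password hash derived by both sides; the server stores only this."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class Server:
    def __init__(self) -> None:
        self.users = {}       # username -> (salt, verifier)
        self.challenges = {}  # username -> (token, issued_at)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, password_verifier(password, salt))

    # `now` is the caller's clock (time.monotonic() in practice); a parameter
    # keeps the expiry check deterministic for the illustration.
    def issue_challenge(self, username: str, now: float = 0.0):
        """Hand the client its salt plus a fresh random token to HMAC."""
        salt, _ = self.users[username]
        token = secrets.token_bytes(32)
        self.challenges[username] = (token, now)
        return salt, token

    def verify(self, username: str, token: bytes, response: bytes,
               now: float = 0.0) -> bool:
        issued = self.challenges.pop(username, None)  # single use: no replay
        if issued is None:
            return False
        saved_token, issued_at = issued
        if saved_token != token or now - issued_at > TOKEN_TTL_SECONDS:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, token, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(password: str, salt: bytes, token: bytes) -> bytes:
    """Client side: the password itself never leaves the browser."""
    verifier = password_verifier(password, salt)
    return hmac.new(verifier, token, hashlib.sha256).digest()
```

Note that this keeps the password off the wire but nothing else: the session cookie and every post still travel in the clear, and a captured token/response pair can still be attacked offline against the slow hash, which is why the scheme complements transport encryption rather than replacing it.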

Re: TLS for OSDev Website?

Posted: Sat Oct 08, 2016 11:21 am
by onlyonemac
Kazinsal wrote:Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
Kazinsal wrote:Unfortunately we can't implement that in the forums' ancient phpBB software.
Which is why we should just throw TLS on it and call it a day (even though it's "just lazy"). phpBB has no problem running over an HTTPS connection; as far as the PHP side of things goes, it doesn't see anything different.

Re: TLS for OSDev Website?

Posted: Mon Oct 10, 2016 3:01 pm
by matt11235
Kazinsal wrote:The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?

Re: TLS for OSDev Website?

Posted: Wed Oct 12, 2016 6:45 am
by stdcall
Google will start ranking web sites low on search results if they don't support HTTPS in the near future.

This could also be a good reason to do so.

Google announcement:
https://webmasters.googleblog.com/2014/ ... ignal.html

Re: TLS for OSDev Website?

Posted: Wed Oct 12, 2016 10:04 am
by Boris
Isn't a forum a Thread Local Storage by definition?

.. I'm out already :D

Re: TLS for OSDev Website?

Posted: Sun Oct 16, 2016 2:48 am
by onlyonemac
zenzizenzicube wrote:Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
Yes, you would. That's why Kazinsal clearly doesn't know what he's talking about. PHP doesn't know (read: see) the difference between HTTP and HTTPS beyond the URL scheme, and thus phpBB doesn't care whether you're running it over an HTTP or an HTTPS connection. Such is the beauty of the OSI model...