Why isn't the wiki/forum using HTTPS ?

Questions, comments, and suggestions about this site should go here.
orion40
Posts: 11
Joined: Tue Jun 13, 2017 12:37 pm

Why isn't the wiki/forum using HTTPS ?

Post by orion40 »

Hi, I've noticed that the forum doesn't use any kind of protection. Why not add HTTPS, via Let's encrypt for example ?
User avatar
matt11235
Member
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: Why isn't the wiki/forum using HTTPS ?

Post by matt11235 »

orion40 wrote:Hi, I've noticed that the forum doesn't use any kind of protection. Why not add HTTPS, via Let's encrypt for example ?
http://forum.osdev.org/viewtopic.php?f=6&t=30881
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
User avatar
Kazinsal
Member
Member
Posts: 559
Joined: Wed Jul 13, 2011 7:38 pm
Libera.chat IRC: Kazinsal
Location: Vancouver
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by Kazinsal »

No one's gotten around to it.

That's really about it.
User avatar
BrightLight
Member
Member
Posts: 901
Joined: Sat Dec 27, 2014 9:11 am
Location: Maadi, Cairo, Egypt
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by BrightLight »

orion40 wrote:Why not add HTTPS, via Let's encrypt for example ?
Because my OS and most other OSes with networking here have HTTP but don't have HTTPS support. ;)
You know your OS is advanced when you stop using the Intel programming guide as a reference.
orion40
Posts: 11
Joined: Tue Jun 13, 2017 12:37 pm

Re: Why isn't the wiki/forum using HTTPS ?

Post by orion40 »

matt11235 wrote:http://forum.osdev.org/viewtopic.php?f=6&t=30881
Thanks for the link, I did a quick search, but didn't found anything. So basically, until the admin pops out of nowhere, this is not going to change ?
omarrx024 wrote:Because my OS and most other OSes with networking here have HTTP but don't have HTTPS support. ;)
Well I guess you're joking, but I'll add more thought anyway: no HTTPS mean passwords and authentification cookies sent in clear text. Who care about your OSdev account ? Probably no one, but your username/password is probably reused several time on other services. Like your email, which hold the key to all your other accounts.
Then there's all kind of nasty redirection, and overall disruption you can cause without HTTPS.

Hell, even donations to get a certificate, I'm sure a few people would be ready to give a dollar or two for that (me included).
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

orion40 wrote:but your username/password is probably reused several time on other services. Like your email
Corollary: do NOT reuse your password on mulitple websites. Use generated passwords.
Learn to read.
User avatar
~
Member
Member
Posts: 1225
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Why isn't the wiki/forum using HTTPS ?

Post by ~ »

I generate passwords by crazily typing randomly and then I don't even need to see the password again, only store it where nobody else would search it in my house.

I also use my cell phone frequently instead of a password.
I use a cell phone as a password for all of the websites I can.
It could be safer sometimes because nobody would have a password and would need my cell phone to log into a website that can use it to recover the account.
User avatar
matt11235
Member
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: Why isn't the wiki/forum using HTTPS ?

Post by matt11235 »

~ wrote:I generate passwords by crazily typing randomly and then I don't even need to see the password again, only store it where nobody else would search it in my house.

I also use my cell phone frequently instead of a password.
I use a cell phone as a password for all of the websites I can.
It could be safer sometimes because nobody would have a password and would need my cell phone to log into a website that can use it to recover the account.
How do you use a cell phone as a password? Do you mean you're using 2 factor auth?
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
User avatar
~
Member
Member
Posts: 1225
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Why isn't the wiki/forum using HTTPS ?

Post by ~ »

For example in Yahoo I have two factor disabled.

When I log in normally I add my cell phone as a means to recover my account.

When I log in again, I use the option to recover the account instead of logging in normally with a password, as if I would have forgotten it. Then it just sends me an SMS with a random code and I use all that as a way to log in instead of using a password.

I still write down the new password just in case I need it.
User avatar
sortie
Member
Member
Posts: 931
Joined: Wed Mar 21, 2012 3:01 pm
Libera.chat IRC: sortie

Re: Why isn't the wiki/forum using HTTPS ?

Post by sortie »

omarrx024 wrote:
orion40 wrote:Why not add HTTPS, via Let's encrypt for example ?
Because my OS and most other OSes with networking here have HTTP but don't have HTTPS support. ;)
I'm sorry to hear that. Might I suggest libressl? I ported it in 2014 before many systems and they merged the portability fixes I sent them afterwards. It basically works out of the box with no configuration of mine, and passes almost all badssl.com tests.

Viva SSL libre!
stevewoods1986
Member
Member
Posts: 80
Joined: Wed Aug 09, 2017 7:37 am

Re: Why isn't the wiki/forum using HTTPS ?

Post by stevewoods1986 »

HTTPS should be added for many reasons

= People give more trust to websites with HTTPS (or the padlock).
= Encrypted connections are important. It stops sniffing (MITM attacks) as well as giving a good level of privacy.
= Google likes it.

= There is no reason not to. All you need to do is play with Apache. I tried it once when I was into web development (way back before my journey of advanced programming). Mozilla and EFF made Lets Encrypt (and I like those organizations. you can believe what they say because they don't get money).
oscoder
Member
Member
Posts: 59
Joined: Mon Mar 27, 2006 12:00 am
Location: UK

Re: Why isn't the wiki/forum using HTTPS ?

Post by oscoder »

Looks like it's using it now! Guess someone got around to it :)
User avatar
chase
Site Admin
Posts: 710
Joined: Wed Oct 20, 2004 10:46 pm
Libera.chat IRC: chase_osdev
Location: Texas
Discord: chase/matt.heimer
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by chase »

Yep, although it is not as painless as everyone makes it out to be.
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

chase wrote:Yep, although it is not as painless as everyone makes it out to be.
Using caddyserver.com makes it as painless as ever possible. It's HTTPS and LetsEncrypt by default and you have to put effort to revert it to plain HTTP.
Learn to read.
User avatar
MichaelFarthing
Member
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

Why on Earth does it matter except that some large corporations are trying to bully everyone?

We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?
Post Reply