
Closed HTTPS by default

Status
Not open for further replies.

beatgammit

Member

Thanks: 13
Messages: 78

#1
It seems that HTTPS is available, but there's no redirect from HTTP to HTTPS by default. Is this something that could be done, or is there a reason why HTTPS is not used by default?

I mentioned this on the 2014 Forums Migration To Xenforo thread, but it didn't get much in the way of a response.
 

getopt

Well-Known Member

Thanks: 294
Messages: 494

#2
Is there a reason why this should be the case?
https protects your data while logging in, editing personal profile and using the personal message feature.
For other than this there is no privacy or protection provided when using https.
When browsing the forums the https header unveils what you are reading, while the content is encrypted. Because this is the case the content is no secret, as the header can be used to retrieve the forums content which is accessible to everyone.
 

gkbsd

Member

Thanks: 36
Messages: 76

#3
An HTTPS "ON" by default policy in my opinion is better when possible. Also, Google is planning to display a warning in the future when surfing in plain HTTP, and I think it's a good idea. I understand that in the case of a forum that may seem less useful, regarding encryption, however we should not forget the certificate also is a proof of the forum's identity. Just my opinion :) (EDIT: I'm using "HTTPS Everywhere" Chrome plugin and I'm surfing this forum always in https)

Regards,
Guillaume
 

Beastie

Daemon

Thanks: 418
Messages: 2,085

#4
Is there a reason why this should be the case?
https protects your data while logging in
And this is precisely what beatgammit is talking about. While one may trust his ISP (?), the same can't be said about public networks such as a workplace with snoopy IT and management.
The Log in or Sign up and (You must log in or sign up to reply here.) links at the top and bottom should probably be changed from http://forums.freebsd.org/login/ to https://forums.freebsd.org/login/ as it is the case for your e-banking or webmail accounts.
On the other hand, having HTTPS always enabled on a public forum is of course useless like you said.
 

getopt

Well-Known Member

Thanks: 294
Messages: 494

#5
Yes. It looks like there is a http only login possible which should not be the case.
 

usdmatt

Daemon

Thanks: 419
Messages: 1,210

#6
When browsing the forums the https header unveils what you are reading, while the content is encrypted.
Not sure exactly what you mean by "https header" here, but to be clear, the entire request is encrypted when using HTTPS, so someone in the middle can see the IP you are connected to but not see what URL you are requesting. This is why we always used to have the problem of needing a unique IP for each cert, because the entire request header needs to be encrypted, but the server didn't know what website you were after until it got the request.

Personally I'm not particularly bothered if a forum is encrypted or not (other than the login), but obviously have no objection if it's enabled by default. Working in the industry I appreciate the opposite argument that it's just extra overhead when the content being encrypted is public anyway, although I think modern hardware handles SSL/TLS fairly well.

Providing confirmation of the website identity is a good point though.
 

Zirias

Well-Known Member

Thanks: 99
Messages: 275

#7
An HTTPS "ON" by default policy in my opinion is better when possible. Also, Google is planning to display a warning in the future when surfing in plain HTTP, and I think it's a good idea.
I think it's a TERRIBLE idea.

First, HTTPS is something you'd probably want for web services / applications dealing with accounts. It's completely pointless for static content, the classical "hypertext". While the first is probably the majority of web traffic nowadays -- the latter is still the vast majority of content available. It's completely idiotic to bother all the people running some small static sites with buying a pointless, but expensive, certificate.

Second, HTTPS has a serious flaw, and that's not exactly technical. It requires you to trust some big (but, to you, unknown) organizations. There was evidence before that it's OFTEN possible to get a perfectly fine certificate from one of these for a domain that isn't yours. So just telling people HTTPS is secure and HTTP isn't ... is misleading at best. Some more knowledge is needed.

This is why we always used to have the problem of needing a unique IP for each cert, because the entire request header needs to be encrypted, but the server didn't know what website you were after until it got the request.
Hmm, I don't remember the exact details, but this problem is solved ... for example Apache with the GnuTLS module allows name-based virtual hosts for SSL.

Nevertheless: Indeed, there is no "unencrypted header" with HTTPS requests.
 

usdmatt

Daemon

Thanks: 419
Messages: 1,210

#8
Zirias Yes, SNI, which is why I said "used to". After a good few years of it being available we're now finally at a point where we can get away with actually using it (Now that Windows XP is officially unsupported).

There does seem to be a bit of a "HTTPS as default" movement at the moment. There's at least one company offering personal use certs for free and Cloudflare have started offering HTTPS (although their HTTPS service seems completely broken to me).

The Google thing is slightly worrying. It's not up to them to decide that the Internet should be fully HTTPS, and that websites not using it are 'dubious' (from the linked article). A good proportion of websites are just providing information, and I can't see why they should be forced into encrypting the same public data for every user, or face having their users scared away by security warnings. Maybe if it was something small just to highlight that if you do submit data it's not secure, but then that's what the padlock is supposed to be there for.
 

gkbsd

Member

Thanks: 36
Messages: 76

#9
Zirias there are two reasons for me to think that's a good idea: privacy and security. Even for static content, HTTP is plain text and can be snooped on by WIFI hotspots, or simply by the ISPs with Deep Packet Inspection (DPI). About security, I stumbled upon a website once to make an order, which wasn't in HTTPS at all. Needless to say I did not complete the order. Finally, about certificates not being free, EFF and Mozilla will release in 2015 https://letsencrypt.org/ which will allow anyone to have a certificate for their website, easily, and for free. Having HTTPS on all connections, if that even happens someday, will greatly hinder illegal global surveillance which relies on automated recording of clear text protocols (i.e. SMTP, HTTP). If they have to target someone to put more resources and be able to still read the communications, that's not a global surveillance anymore :)

About Let's Encrypt:
[...] This is part of a larger effort to encrypt all forms of online communications that security and privacy experts have called for following revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.’s Government Communications Headquarters. [...]
On the other side I agree it would be a hassle for Joe's website, if Joe does not know or does not care (but Letsencrypt initiative will make the process easy). I also agree Google is not an internet authority, but it should be discussed and agreed among all the major browser makers. Anyway, even if Google makes the move, Microsoft and Mozilla have the choice not to if they disagree. In the end, I'm favorable to more HTTPS, as I also prefer to have an identity proof from where I connect too, even if it's Joe's website. (EDIT: HTTPS authority trust issue is a real problem too as you mentioned it, that should be addressed indeed).

Regards,
Guillaume
 

NewGuy

Well-Known Member

Thanks: 71
Messages: 297

#10
I'd like to point out that not all of the forum is static/public content. When visiting your inbox/private messages, the connection is not automatically encrypted. This means if you are privately discussing an issue or sharing credentials or other private information it could be snooped on since the connection is plain HTTP. So for that reason, if none other, it makes sense to use HTTPS by default.
 

Zirias

Well-Known Member

Thanks: 99
Messages: 275

#11
Salut Guillaume,

please allow me to put these two quotes adjacent:

Zirias there are two reasons for me to think that's a good idea: privacy and security.
(EDIT: HTTPS authority trust issue is a real problem too as you mentioned it, that should be addressed indeed)
I'd argue here: What exactly are "privacy and security" if not just nice-sounding buzzwords when there ARE issues that aren't solvable in an easy way?

I don't think having even MORE HTTPS hosts would do any good -- in fact, do you think the already sometimes lacking quality of authorization with certificate issuers wouldn't be further impaired, when there are masses of new certificates, and authorities that provide them at (nearly?) no cost? In general, for trust, I prefer the "web of trust" idea of PGP over the authorities used with X.509. Unfortunately, this is not applicable to business. So, you say the issue should be addressed indeed ... well, but how? At least, there is no simple solution.

Then for the point you make about surveillance .... well, of course this worries me, too. Still I think there are more important problems than the web pages I'm viewing while browsing. It's still a problem, I just don't think HTTPS is THE solution. From all these stories about surveillance and secret services, the one thing you probably pick up is "trust nobody" ... and of course this doesn't benefit the certificate authorities :eek:

edit: I just became aware that this is getting a bit off-topic, because the thread originally was about this forum ... and of course, there ARE accounts involved, as well as private content, so some encryption should be in place. Only encrypting where necessary seems fine for me, but as someone pointed out the private messages not being encrypted by default, this shows how easy it is to miss something when trying this ....

Regards,
Felix
 

gkbsd

Member

Thanks: 36
Messages: 76

#12
I prefer to move in the encryption direction, even if there are issues there, instead of doing nothing (no encryption). That being said, you brought relevant points :) You can send me a private message if you want to continue the off-topic discussion ;)

Regards,
Guillaume
 

beatgammit

Member

Thanks: 13
Messages: 78

#13
It's completely idiotic to bother all the people running some small static sites with buying a pointless, but expensive, certificate.
First of all, certificates are not expensive and can cost around the same as a domain name. Here's one from comodo for $9 per year: https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

Second, FreeBSD forums already has an SSL certificate, I just want to redirect from HTTP -> HTTPS by default. This would not require any money from the site, only a simple redirection in the webserver.

Many people use the same password on multiple sites, and requiring at least account logon to go over HTTPS is a good way to reduce drive-by attacks. The only real downside to HTTPS over HTTP is marginal load increase on the server for encryption, but I doubt there's enough traffic on the forums to make any real difference.
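The "simple redirection in the webserver" beatgammit asks for, written as an added example in the form of a WSGI middleware (constructed for this thread, not the forum's or XenForo's own code). It bounces every plain-HTTP request, login page included, to the same path on https:// and, as a further step the thread does not mention, adds a Strict-Transport-Security header on HTTPS responses so returning browsers skip HTTP entirely; the host name and the stand-in forum app are assumptions.

```python
from urllib.parse import quote

def https_url(host, environ):
    """Rebuild the requested URL on the https:// scheme, keeping path and query string."""
    path = quote(environ.get("PATH_INFO", "/"))
    qs = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{qs}" if qs else "")

class ForceHttps:
    """WSGI middleware: 301 plain HTTP to HTTPS, add HSTS to HTTPS replies (constructed)."""
    def __init__(self, app, host, hsts_max_age=31536000):
        self.app, self.host = app, host
        self.hsts = f"max-age={hsts_max_age}"

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # The application never sees a plain-HTTP request, so no login form is served over HTTP.
            location = https_url(self.host, environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Browsers remember this and go straight to HTTPS on later visits.
            hdrs = headers + [("Strict-Transport-Security", self.hsts)]
            return start_response(status, hdrs, exc_info)
        return self.app(environ, start_with_hsts)

def forum_app(environ, start_response):
    """Stand-in for the forum application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forum page"]

def simulate(app, environ):
    """Drive a WSGI app with a fake request; return (status, headers dict, body)."""
    out = {}
    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body

app = ForceHttps(forum_app, "forums.freebsd.org")

# Constructed sample requests: the login page over HTTP and over HTTPS.
HTTP_LOGIN = {"wsgi.url_scheme": "http", "PATH_INFO": "/login/",
              "QUERY_STRING": "redirect=%2Fconversations%2F"}
HTTPS_LOGIN = {"wsgi.url_scheme": "https", "PATH_INFO": "/login/", "QUERY_STRING": ""}

if __name__ == "__main__":
    print(simulate(app, HTTP_LOGIN))    # 301 to https://forums.freebsd.org/login/?redirect=...
    print(simulate(app, HTTPS_LOGIN))   # 200 with Strict-Transport-Security
```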
 

beatgammit

Member

Thanks: 13
Messages: 78

#14
While one may trust his ISP (?), the same can't be said about public networks such as a workplace with snoopy IT and management.
I'm more worried about very public networks like airports and libraries where predators frequent. I don't really care about the content, but I do care about my password being sent in plain text. While losing my FreeBSD forums account really isn't a big deal, losing a password which may be used on other sites is a big deal. Granted, passwords should never be reused, but it's unrealistic to have a separate password for every site without a password manager (which isn't viable if you have to borrow computers frequently).

I'd just like to point out that freebsd.org uses HTTPS by default, and there isn't even a log-in there, so it should be obvious that the forums should also be HTTPS by default. I imagine this is more oversight in the XenForo migration than anything.
 