OSDev.org

The Place to Start for Operating System Developers
All times are UTC - 6 hours




 Post subject: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 10:16 am 

Joined: Thu Oct 06, 2016 10:08 am
Posts: 2
Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum. I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet. A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea. Thanks!


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 12:06 pm 
Member

Joined: Wed Jun 17, 2015 9:40 am
Posts: 501
Location: Athens, Greece
Hi,


SenorContento wrote:
Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum.
I don't understand how the different things expressed in the above quote relate together. Maybe try to rephrase it?

SenorContento wrote:
I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet
I agree this site needs encryption.

SenorContento wrote:
A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea.
Cloudflare has faced enough controversies; not sure why you specifically suggest using it. Maybe try to elaborate a bit more?


Regards,
glauxosdever


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 12:24 pm 
Member

Joined: Wed Jul 13, 2011 7:38 pm
Posts: 558
The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 12:27 pm 
Member

Joined: Wed Jun 17, 2015 9:40 am
Posts: 501
Location: Athens, Greece
Hi,


Kazinsal wrote:
In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 2:37 pm 
Member

Joined: Thu Mar 27, 2014 3:57 am
Posts: 568
Location: Moscow, Russia
glauxosdever wrote:
Hi,


Kazinsal wrote:
In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever

What? He has suggested not to transfer any private data to OSDev.org.

_________________
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 2:48 pm 
Member

Joined: Wed Jun 17, 2015 9:40 am
Posts: 501
Location: Athens, Greece
Hi,


Roman wrote:
What? He has suggested not to transfer any private data to OSDev.org.
Seems it was a misunderstanding on my part.

Sorry Kazinsal.


Regards,
glauxosdever


 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu Oct 06, 2016 4:16 pm 
Member

Joined: Wed Jul 13, 2011 7:38 pm
Posts: 558
My point is that if someone is so deeply concerned about the privacy of their data on a public forum that they need end to end encryption between the forum and their web browser, they probably shouldn't be posting it on a public forum.

Encryption for encryption's sake is one of the things I just don't "get" about people who think they're security experts. Throwing TLS on everything doesn't solve any problems that didn't already exist.


 Post subject: Re: TLS for OSDev Website?
PostPosted: Fri Oct 07, 2016 2:23 am 
Member

Joined: Thu Mar 27, 2014 3:57 am
Posts: 568
Location: Moscow, Russia
Cryptography is not only about privacy, it's also about authentication. But it's a small forum, though. Why would someone hijack our accounts here?

_________________
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay


 Post subject: Re: TLS for OSDev Website?
PostPosted: Fri Oct 07, 2016 12:24 pm 
Member

Joined: Thu May 06, 2010 4:34 am
Posts: 116
Location: Leiden, The Netherlands
Because sending passwords and email addresses as plaintext is never a smart idea. Although I agree OSDev isn't much of a target, there are still plenty of people who use their passwords on multiple sites, and they are vulnerable through the lack of encryption.

_________________
posnk ( a simple unix clone )
twitter profile - security research, die shots and IC reverse engineering, low level stuff


 Post subject: Re: TLS for OSDev Website?
PostPosted: Fri Oct 07, 2016 2:09 pm 
Member

Joined: Wed Jul 13, 2011 7:38 pm
Posts: 558
Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.

HMAC/AES a short-lived session token with the hash of the password using the agreed-upon algorithm, send that back. Use something strong for password hashing to make brute forces a pain.

Unfortunately we can't implement that in the forums' ancient phpBB software.
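
A sketch of the challenge-response login described in the post above, as an added example that is not part of the original thread or of phpBB: the server issues a short-lived, single-use nonce and the client returns an HMAC of it keyed with a slow hash of the password. The `Server` class, the function names, the PBKDF2 parameters and the 30-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (constructed value)

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash; PBKDF2 stands in for "something strong".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Server:
    # In this scheme the stored key is itself the login secret, so protect it.
    def __init__(self):
        self.users = {}       # username -> (salt, derived key)
        self.challenges = {}  # username -> (nonce, expiry time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)
        self.challenges[user] = (nonce, now + CHALLENGE_TTL)
        return self.users[user][0], nonce  # salt and nonce are not secret

    def verify(self, user, response, now=None):
        now = time.time() if now is None else now
        nonce, expiry = self.challenges.pop(user, (None, 0))  # single use
        if nonce is None or now > expiry:
            return False
        expected = hmac.new(self.users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def client_response(password, salt, nonce):
    # The client derives the key locally; the password never crosses the wire.
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()

def demo():
    srv = Server()
    srv.register("alice", "correct horse")  # constructed account
    salt, nonce = srv.challenge("alice", now=1000)
    good = client_response("correct horse", salt, nonce)
    ok = srv.verify("alice", good, now=1005)
    replay = srv.verify("alice", good, now=1006)  # nonce already consumed
    salt, nonce = srv.challenge("alice", now=2000)
    wrong = srv.verify("alice", client_response("guess", salt, nonce), now=2001)
    return ok, replay, wrong
```

`demo()` returns the outcome of a valid login, a replay of the same response, and a wrong-password attempt.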


 Post subject: Re: TLS for OSDev Website?
PostPosted: Sat Oct 08, 2016 11:21 am 
Member

Joined: Sat Mar 01, 2014 2:59 pm
Posts: 1146
Kazinsal wrote:
Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
Kazinsal wrote:
Unfortunately we can't implement that in the forums' ancient phpBB software.
Which is why we should just throw TLS on it and call it a day (even though it's "just lazy"). phpBB has no problem running over an HTTPS connection; as far as the PHP side of things goes, it doesn't see anything different.

_________________
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing


 Post subject: Re: TLS for OSDev Website?
PostPosted: Mon Oct 10, 2016 3:01 pm 
Member

Joined: Tue Aug 02, 2016 1:52 pm
Posts: 286
Location: East Riding of Yorkshire, UK
Kazinsal wrote:
The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.


Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?

_________________
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum


 Post subject: Re: TLS for OSDev Website?
PostPosted: Wed Oct 12, 2016 6:45 am 
Member

Joined: Thu Mar 14, 2013 1:30 am
Posts: 78
Google will start ranking web sites low on search results if they don't support HTTPS in the near future.

This could also be a good reason to do so.

Google announcement:
https://webmasters.googleblog.com/2014/ ... ignal.html

_________________
“Meaningless! Meaningless!”
says the Teacher.
“Utterly meaningless!
Everything is meaningless.” - Ecclesiastes 1, 2

Educational Purpose Operating System - EPOS


 Post subject: Re: TLS for OSDev Website?
PostPosted: Wed Oct 12, 2016 10:04 am 
Member

Joined: Sat Nov 07, 2015 3:12 pm
Posts: 145
Isn't a forum a Threads Local Storage by definition?

.. I'm out already :D


 Post subject: Re: TLS for OSDev Website?
PostPosted: Sun Oct 16, 2016 2:48 am 
Member

Joined: Sat Mar 01, 2014 2:59 pm
Posts: 1146
zenzizenzicube wrote:
Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
Yes, you would. That's why Kazinsal clearly doesn't know what he's talking about. PHP doesn't know (read: see) the difference between HTTP and HTTPS beyond the URL scheme, and thus phpBB doesn't care whether you're running it over an HTTP or an HTTPS connection. Such is the beauty of the OSI model...

_________________
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing

