OSDev.org
https://forum.osdev.org/

TLS for OSDev Website?
https://forum.osdev.org/viewtopic.php?f=6&t=30881
Page 1 of 2

Author:  SenorContento [ Thu Oct 06, 2016 10:16 am ]
Post subject:  TLS for OSDev Website?

Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum. I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet. A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea. Thanks!

Author:  glauxosdever [ Thu Oct 06, 2016 12:06 pm ]
Post subject:  Re: TLS for OSDev Website?

Hi,


SenorContento wrote:
Hello, I am Brandon Gomez and I found a page that said don't contact people directly unless you are personally part of that project and I would like to request TLS for this site and its forum.
I don't understand how the different things expressed in the above quote relate together. Maybe try to rephrase it?

SenorContento wrote:
I am into cybersecurity and I would think it would be great to have at least some form of encryption on the pages as they pass through the internet
I agree this site needs encryption.

SenorContento wrote:
A suggestion I have if it helps is using Cloudflare to host the connections if you can't have it yourself, but to have full end to end encryption yourself would be a much better idea.
Cloudflare has faced enough controversies, not sure why you specifically suggest using it. Maybe try to elaborate a bit more?


Regards,
glauxosdever

Author:  Kazinsal [ Thu Oct 06, 2016 12:24 pm ]
Post subject:  Re: TLS for OSDev Website?

The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.

Author:  glauxosdever [ Thu Oct 06, 2016 12:27 pm ]
Post subject:  Re: TLS for OSDev Website?

Hi,


Kazinsal wrote:
In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever

Author:  Roman [ Thu Oct 06, 2016 2:37 pm ]
Post subject:  Re: TLS for OSDev Website?

glauxosdever wrote:
Hi,


Kazinsal wrote:
In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.
So you now blame him for the site not being encrypted?


Regards,
glauxosdever

What? He has suggested not to transfer any private data to OSDev.org.

Author:  glauxosdever [ Thu Oct 06, 2016 2:48 pm ]
Post subject:  Re: TLS for OSDev Website?

Hi,


Roman wrote:
What? He has suggested not to transfer any private data to OSDev.org.
Seems it was a misunderstanding on my part.

Sorry Kazinsal.


Regards,
glauxosdever

Author:  Kazinsal [ Thu Oct 06, 2016 4:16 pm ]
Post subject:  Re: TLS for OSDev Website?

My point is that if someone is so deeply concerned about the privacy of their data on a public forum that they need end to end encryption between the forum and their web browser, they probably shouldn't be posting it on a public forum.

Encryption for encryption's sake is one of the things I just don't "get" about people who think they're security experts. Throwing TLS on everything doesn't solve any problems that didn't already exist.

Author:  Roman [ Fri Oct 07, 2016 2:23 am ]
Post subject:  Re: TLS for OSDev Website?

Cryptography is not only about privacy, it's also about authentication. But it's a small forum, though. Why would someone hijack our accounts here?

Author:  Peterbjornx [ Fri Oct 07, 2016 12:24 pm ]
Post subject:  Re: TLS for OSDev Website?

Because sending passwords and email addresses as plaintext is never a smart idea. Although I agree OSDev isn't much of a target, there's still plenty of people who use their passwords on multiple sites, and they are vulnerable through the lack of encryption.

Author:  Kazinsal [ Fri Oct 07, 2016 2:09 pm ]
Post subject:  Re: TLS for OSDev Website?

Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.

HMAC/AES a short-lived session token with the hash of the password using the agreed-upon algorithm, send that back. Use something strong for password hashing to make brute forces a pain.

Unfortunately we can't implement that in the forums' ancient phpBB software.
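
The challenge-response login sketched in the post above, as an added example that is not part of the original thread or of phpBB: the server issues a single-use, short-lived token and the client returns HMAC-SHA256 over it, keyed with a slow hash of the password. PBKDF2, the 30-second lifetime and every name below are assumptions made for the illustration.

```python
import hashlib, hmac, os, time

TOKEN_TTL = 30  # seconds a challenge stays valid (assumed value)

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF so each offline guess against a captured response is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

class Server:
    def __init__(self):
        self.users = {}       # username -> (salt, derived key)
        self.challenges = {}  # token -> (username, expiry time)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user, now=None):
        now = time.time() if now is None else now
        token = os.urandom(32)
        self.challenges[token] = (user, now + TOKEN_TTL)
        return self.users[user][0], token  # salt and token are sent to the client

    def verify(self, token, response, now=None):
        now = time.time() if now is None else now
        user, expiry = self.challenges.pop(token, (None, 0))  # single use
        if user is None or now > expiry:
            return False  # unknown, replayed or expired token
        expected = hmac.new(self.users[user][1], token, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def client_response(password, salt, token):
    # Client side: the password itself never crosses the wire.
    return hmac.new(derive_key(password, salt), token, hashlib.sha256).digest()

def demo():
    srv = Server()
    srv.register("alice", "correct horse")  # constructed credentials
    salt, tok = srv.challenge("alice", now=1000)
    good = client_response("correct horse", salt, tok)
    ok = srv.verify(tok, good, now=1010)
    replay = srv.verify(tok, good, now=1011)  # token was consumed above
    salt, tok2 = srv.challenge("alice", now=2000)
    wrong = srv.verify(tok2, client_response("guess", salt, tok2), now=2001)
    salt, tok3 = srv.challenge("alice", now=3000)
    late = srv.verify(tok3, client_response("correct horse", salt, tok3),
                      now=3000 + TOKEN_TTL + 1)
    return ok, replay, wrong, late
```

In this scheme the stored derived key is itself the login secret, so the user table needs the same protection a plaintext password list would. Without TLS the page that delivers the client-side code is also unauthenticated.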

Author:  onlyonemac [ Sat Oct 08, 2016 11:21 am ]
Post subject:  Re: TLS for OSDev Website?

Kazinsal wrote:
Personal computers are fast enough now to do challenge-response HMACs on the client end. IMO we shouldn't be sending cleartext passwords or hashes on an encrypted link, because that's just lazy.
Kazinsal wrote:
Unfortunately we can't implement that in the forums' ancient phpBB software.
Which is why we should just throw TLS on it and call it a day (even though it's "just lazy"). phpBB has no problem running over an HTTPS connection; as far as the PHP side of things goes, it doesn't see anything different.

Author:  matt11235 [ Mon Oct 10, 2016 3:01 pm ]
Post subject:  Re: TLS for OSDev Website?

Kazinsal wrote:
The site admin is... mysterious. He shows up when things break, and disappears into the æther shortly thereafter.

Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt. In the meantime, please continue to not use the OSDev forums and wiki for posting content that you direly need encrypted.


Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?

Author:  stdcall [ Wed Oct 12, 2016 6:45 am ]
Post subject:  Re: TLS for OSDev Website?

Google will start ranking web sites low on search results if they don't support HTTPS in the near future.

This could also be a good reason to do so.

Google announcement:
https://webmasters.googleblog.com/2014/ ... ignal.html

Author:  Boris [ Wed Oct 12, 2016 10:04 am ]
Post subject:  Re: TLS for OSDev Website?

Isn't a forum a Threads Local Storage by definition?

.. I'm out already :D

Author:  onlyonemac [ Sun Oct 16, 2016 2:48 am ]
Post subject:  Re: TLS for OSDev Website?

zenzizenzicube wrote:
Surely you'd just enable TLS on the web server and then just change the URL to the forums in the phpBB settings to use the https prefix?
Yes, you would. That's why Kazinsal clearly doesn't know what he's talking about. PHP doesn't know (read: see) the difference between HTTP and HTTPS beyond the URL scheme, and thus phpBB doesn't care whether you're running it over an HTTP or an HTTPS connection. Such is the beauty of the OSI model...

Page 1 of 2 All times are UTC - 6 hours