HTTPS for the forum.

[Nozy]

Hi All,

Is it possible to make the forum accessibel in https mode?

[vexx32]

SSL is typically only really used for things like protecting financial data in online stores and so forth... Why would the forum require it?

[Nozy]

I don’t think it’s a requirement but i thought more of it as an option.

[vexx32]

I just don't see why it really needs to be an option, really. Last I checked, SSL certificates take a bit of time (and money, too, probably) to obtain... but to answer your original question, yes, it ought to be possible.

[ttb]

SSL is typically only really used for things like protecting financial data in online stores and so forth... Why would the forum require it?

Privacy is IMHO important on the internets. HTTPS helps ensure privacy. Quite a few sites are moving to it by default. I believe the new HTTP 2 standard will require HTTPS by default if available. The only argument against HTTPS in the past is due to the extra processing requirements, however with modern hardware this is of little concern. Of course there is the cost of purchasing a SSL certificate. I for one would be stoked if this forum provided HTTPS.

My two cents.

Thanks

ttb

[vexx32]

Considering the forums are public anyway, I see little need for https, unless you wanted to put the authentication server onto a https. SSL is not without its problems, though; it's been shown to have some rather serious, though lesser-known, flaws. As always, they patch them up as they can, though.

[Majiir]

HTTPS provides more than just privacy of posted content. It prevents your ISP (which could be a commercial provider but also a school or employer) or an attacker from seeing what you're doing or modifying pages in transit. Without HTTPS, login passwords and session IDs are transmitted in the clear. It's entirely possible that someone could suffer financial loss because of an unsecured connection with the forum. Yes, everyone should use a different password for everything, but nobody does.

TLS certificates are inexpensive and easy to use. This one should be a no-brainer.

[vexx32]

Good to know, Majiir. As you can see, I clearly don't know enough about SSL/TLS. I'll ask the higher-ups, if they don't see this before I see them.

[shadone]

Any updates on this? This is kinda ridiculous that at the very least the login form is not secured by SSL. Majir has put a great description of the potential problems this can cause, starting from one using the same password on multiple web sites and it leaking from here to somebody impersonating somebody else by taking a session cookie.

Also, you already have one certificate (https://kerbalspaceprogram.com/kspstore/index.php?p=22 - BTW that one expires on Nov 23th ) - one possibility is to change it to either wildcard or multi domain cert.

[KasperVld]

This issue is on the list

[technion]

That's good stuff - I applaud any progress there.

You get Facebook and Youtube over HTTPS nowadays - there's no room to argue it's for "financial data" any more.

[Corax]

How is this progressing?

If there's still any doubt about using HTTPS for the forums,

gives a good explanation why encrypting everything really matters and how to implement it.

[KasperVld]

No progress on this, I'll bring it up again given the current projects.

[longbyte1]

I wish HTTPS was more accessible. Currently, the only way to use it is to buy a certificate from a CA, and even CAs can't be trusted. Unfortunately you don't have a choice because some websites use that CA you decided to untrust a week ago.

If it worked like PGP plus a "notary" system for extra layers of trust, there would be no excuse as to why anything wouldn't be using HTTPS.

[Corax]

This issue is on the list

It took nine months to get this on The List^TM, another eight and a half have passed since... how hard can it be?

[Fel]

It's a bloody forum.

If someone wants to hack SSL, they can hack SSL, it just requires getting access to the private key on the server, and given the server is not a financial server hence paying thousands of dollars to protect investments and check in triplicate for potential exploits, if you're stupid enough to use the same password someone could just as easily gain access to the hash table and break out the old cracking tools.

Or get a trusted man-in-the-middle to just spy on you cause security is all an illusion anyways. I'm who I says I am, sees the NSA swears it!

(Just wanted to explain that I understand the theory in that making things appear more secure brings more security, but the fact is that if using https will make you feel more comfortable using anything aside from "Password" to protect a form account, that is enough reason NOT to use https.

Injecting into the stream is something that remains a problem due to man-in-the-middle attacks which can only be solved with local copies of certificates. SSL is not magical, the handshake is a period of extreme vulnerability that leaves you defenseless against the owner of the network. (https://casecurity.org/2015/01/08/gogo-found-spoofing-google-ssl-certificates/)

Other things to note is that if you use a "cheap" SSL key. I think SSL3 requires 2048bit keys and that is because it needs to be due to massively parallel processing allowing multiple attacks against a key and hence 512bit keys being less secure than initially thought; the problem is that to the user it still appears as HTTPS whether SSL1 or SSL2/3 thus bringing the idea of security.

Security is what YOU do to protect yourself against the incompetence of others, not what you expect others to do for you.)

Edited June 25, 2015 by Fel

[Corax]

Yes, it's a bloody forum. I know my apartment door safety lock can be opened without the proper keys, heck, I've done it myself. That's no reason at all not to have a door lock in the first place. It's not about a feeling of safety as you put it, it is a viable and effective measure to raise the effort for unauthorized entry (I can do that bold thingy too you know). Same here.

And just for completeness: it wasn't I who put the door lock in place, it was the landlord. Just as I ask Squad to put some safety measures in place. It's still my responsibility to use the keys properly.