Are there any plans on adding HTTPS support?

Discussion in 'Empty Closets Help and Feedback' started by BobObob, May 4, 2016.

  1. BobObob

    Full Member

    I was curious as to whether or not there were plans to add HTTPS with TLS support. I know EC isn't a bank, doesn't hold any credit card information, and probably isn't a site that the NSA is particularly interested in monitoring. However, a secure connection is always good. Many people may be re-using passwords from other sites that can be sniffed over an insecure connection (and some may also be re-using usernames from other sites, even though they aren't supposed to). Given that security seems to be a high priority according to the people running this site, I would think that this would be something to consider.

    I don't see too many downsides with implementing TLS support other than the work to set it up. I suppose it creates a little more overhead, which would consume slightly more bandwidth.

    I found a couple of threads back in 2012 here and here in which adding HTTPS support was on the to-do list.
     
  2. Martin

    Board Member Admin Team Full Member

    Hey,

    Personally speaking, it's right at the top of my list of things I want to see implemented on the site, so it's something I will be pushing quite hard for as soon as the IPB migration is implemented.

    At an organisational level, it has been on the to-do list for a while, so it seems to be a case of 'when' rather than 'if'. We're going to have some exciting news regarding our IPB migration within the upcoming weeks, so once the time-consuming aspects of this planning and development are done then we're really going to be in a fantastic position to start looking at other things that have been caught lower down on the to-do list.

    So... watch this space. There's going to be a lot of changes over the summer, and I would personally love this to be one of them! :)

    Martin.
     
  3. Chip

    Board Member Admin Team Advisor Full Member

    I agree with Martin. Most likely it will roll out with the shift to the new platform.
     
  4. Pret Allez

    Full Member

    If cost is a concern, I happen to know that the Let's Encrypt project provides TLS certificates for free, because their goal is not to sell people green padlocks, but rather to secure the internet. (*hug*) They also support ECDSA, but be sure if you do that, use only the secp384r1 curve, otherwise Google Chrome clients will not be able to connect.

    It took me a little bit of effort to get everything right, but I have it working on my website.
     
    #4 Pret Allez, May 4, 2016
    Last edited: May 4, 2016
  5. BobObob

    Full Member

    I don't have a very good understanding of how CAs work, but how is the Let's Encrypt project funded and how can they be considered trustworthy? Do they rely off of charitable donations? I'm inclined to believe that people usually are either the customer or the product (which is why I think it's a really bad idea to use a free VPN). That being said, I would think that TLS verified by a questionable CA would probably be much better than no TLS.

    I'm not all that worried about a malicious CA or someone sniffing my packets (I'm using a paid VPN most of the time anyways), but I'm kind of curious about these issues.
     
    #5 BobObob, May 4, 2016
    Last edited: May 4, 2016
  6. Chip

    Board Member Admin Team Advisor Full Member

    I appreciate the input.

    The cost of certificates has gotten so inexpensive -- you can get a totally solid, recognized Geotrust for something like $30/3 years now -- that the cost element isn't a big issue. Quite a change from when Verisign was the only game and it was $200/year. :)
     
  7. Pret Allez

    Full Member

    You trust them already, because they are a root CA. I mean, if you want to go off on your own and specifically distrust their intermediate CA certificates. They are already in your trust store.

    All a CA is supposed to do is prove they can keep their own signing keys safe and prove that they do a good job of verifying the identities of domains and the IT staff/webmasters who maintain them.

    By all means. :) The only disadvantage I know of with Let's Encrypt is you have to renew fairly often (like every three months instead of annually). I am working on setting up an automated process for a colleague. I am happy to post a sample bash script for how you might generate keys, CSR, and automate the domain verification process.
     
    #7 Pret Allez, May 5, 2016
    Last edited: May 5, 2016
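
The key and CSR generation mentioned in posts #4 and #7, together with a renewal-window check for short-lived certificates, as an added example that is not part of the thread and is not the script offered there. It assumes the OpenSSL 1.1.1 or later command-line tool; the function names, paths and the domain `forum.example` are hypothetical, and domain validation itself is left to an ACME client.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical and
# forum.example is a constructed placeholder domain.

# Create an ECDSA private key on secp384r1 (the curve named in post #4)
# and a CSR for $1, writing <domain>.key and <domain>.csr into directory $2.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_key_and_csr() (
    domain="$1"; dir="$2"
    umask 077                       # key file readable by its owner only
    openssl ecparam -name secp384r1 -genkey -noout \
        -out "$dir/$domain.key" &&
    openssl req -new -key "$dir/$domain.key" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -out "$dir/$domain.csr"
)

# Print the named curve of an EC private key, e.g. to audit existing keys.
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ASN1 OID: //p'
}

# Succeed (exit 0) when the certificate in $1 is missing or expires within
# $2 days (default 30). With 90-day certificates, a daily cron run with a
# 30-day window leaves a month of retries before the certificate lapses.
needs_renewal() {
    local cert="$1" days="${2:-30}"
    [ -f "$cert" ] || return 0      # nothing issued yet: request one
    ! openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null
}

# Typical cron usage (validation and issuance are done by an ACME client):
#   if needs_renewal /etc/ssl/forum.example.crt 30; then
#       make_key_and_csr forum.example /etc/ssl/private
#       ... submit the CSR, install the new certificate, reload the server ...
#   fi
```

Generating a fresh key on every renewal, as the usage comment does, limits how long any one private key stays in service.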
  8. BobObob

    Full Member

    I trust the CAs my browser trusts more out of laziness than out of the fact that I know that they're worthy of that trust. How many people actually look up each CA that verifies the website they're visiting? Probably almost no one who isn't really concerned about security, or is curious about it.

    I don't know how CAs work (perhaps I'll make that my next random thing to study out of curiosity), but isn't it possible for a corrupt/malicious CA to participate in a man-in-the-middle attack by intentionally "verifying" the malicious man-in-the-middle as the intended site? I would think that reputable, for-profit CAs would lose a lot of money if they got caught doing that, and that they would probably get caught eventually if they did it a lot.
     
    #8 BobObob, May 5, 2016
    Last edited: May 5, 2016