Author Topic: HTTPS for EEVBlog Forums?  (Read 26732 times)

Offline AntiProtonBoyTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
HTTPS for EEVBlog Forums?
« on: September 12, 2016, 02:49:50 am »
I didn't know where to post this, but may I make the suggestion of making SSL/TLS connections default on the EEVBlog and the forum?

https://www.eevblog.com/forum/ only offers partially encrypted content, but the forum itself embeds HTTP URLs instead of HTTPS.

Let's Encrypt now offers free certificates. Apache can be also configured to automatically redirect HTTP URLs to HTTPS.
 
The following users thanked this post: Srbel
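
The partially encrypted state described in the post above, where a page fetched over HTTPS still embeds `http://` resources, can be audited mechanically. This is an added example, not part of the original thread; the sample page and its example.org / example.net URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that load a subresource. Active content can script or
# restyle the page; passive content is only displayed.
KINDS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("link", "href"): "active", ("img", "src"): "passive",
         ("video", "src"): "passive", ("audio", "src"): "passive",
         ("form", "action"): "form"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            kind = KINDS.get((tag, name))
            if kind is None or not value:
                continue
            if tag == "link" and "stylesheet" not in rel:
                continue  # only stylesheets count; other <link> types are skipped
            # Resolve relative and protocol-relative URLs against the page first.
            url = urljoin(self.page_url, value.strip())
            if urlparse(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """List insecure subresources of an HTTPS page; plain-HTTP pages return []."""
    if urlparse(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from the forum).
SAMPLE = """<head><link rel="stylesheet" href="http://www.example.org/theme.css">
<script src="//cdn.example.net/lib.js"></script></head>
<body><img src="http://www.example.org/avatar.png"><img src="/smiley.gif">
<a href="http://www.example.org/other">an ordinary link</a>
<form action="http://www.example.org/login" method="post"></form></body>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.org/forum/", SAMPLE):
        print(*finding)
```

Ordinary `<a href>` links, relative paths and protocol-relative URLs are not reported, because they either load nothing into the page or inherit the page's HTTPS scheme.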

Offline IanB

  • Super Contributor
  • ***
  • Posts: 11859
  • Country: us
Re: HTTPS for EEVBlog Forums?
« Reply #1 on: September 12, 2016, 02:53:40 am »
But, er, why?
 
The following users thanked this post: Galenbo

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: HTTPS for EEVBlog Forums?
« Reply #2 on: September 12, 2016, 03:00:32 am »
This is a forum, not a bank.
 
The following users thanked this post: Galenbo, TheBay, rch

Offline AntiProtonBoyTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: HTTPS for EEVBlog Forums?
« Reply #3 on: September 12, 2016, 03:02:21 am »

Apart from the obvious reasons of keeping data private while in transit, there is now a push by browsers to discourage the use of HTTP, particularly when sending credentials, such as logins and passwords. There is really no excuse not to use TLS any more now that Let's Encrypt offers certificates for free.
 
The following users thanked this post: Srbel

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: HTTPS for EEVBlog Forums?
« Reply #4 on: September 12, 2016, 03:04:42 am »
This has been discussed on here many times before and the consensus was that it's not worth the effort.
 

Offline AntiProtonBoyTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: HTTPS for EEVBlog Forums?
« Reply #5 on: September 12, 2016, 03:11:18 am »
Depends on your web host, I suppose?

I'm using a shitty shared hosting package for my forum, and I could install TLS with a single click of a button, and just add a mod_rewrite entry in .htaccess to redirect HTTP traffic to HTTPS.

Anyway. Your call obviously.  :)
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: HTTPS for EEVBlog Forums?
« Reply #6 on: September 12, 2016, 03:27:12 am »
I've brought it up once before and it was decided down. I guess as long as you're not using the same password anywhere else, it won't matter. I personally opt to use HTTPS everywhere where it's available.

Quote
This is a forum, not a bank.
To be honest, these days, that's not really a fair argument. There are several reasons why even the most trivial sites should employ HTTPS. I understand you need to weigh up the benefit vs. effort of implementing the solution. It's a bit like people not caring about their privacy during phone calls or SMS's because "they have nothing to hide", that's not the point.
« Last Edit: September 12, 2016, 03:31:09 am by Halcyon »
 

Offline AntiProtonBoyTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: HTTPS for EEVBlog Forums?
« Reply #7 on: September 12, 2016, 04:01:35 am »
Yeah, big vacuum cleaners on large internet pipes just collect everything. The harder we make data collection for them the better it is for us. Using TLS goes beyond just practical security. It's also about making a stand against unethical data collection. Again, up to Dave's discretion where he stands on this issue, but I think protecting user's data is worth considering, especially for users situated in countries with a high risk of getting persecuted for the stupidest things.

I'm also predicting that browsers in the near future will be more aggressive about flagging raw HTTP as unsafe. I believe Chrome already does this for forms containing a password field. Time to get prepared, methinks.  ;)
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: HTTPS for EEVBlog Forums?
« Reply #8 on: September 12, 2016, 05:25:55 am »
IIRC it was investigated by gnif (resident server maintainer) and it was not as trivial as you make it out to be, and most decided it wasn't important.
No other forums I'm on use https
Hardly anyone is asking for it, not a single person has quit or refused to join the forum because it doesn't have it, and quite frankly not moving to it is one less thing that can go wrong.
« Last Edit: September 12, 2016, 05:28:24 am by EEVblog »
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: HTTPS for EEVBlog Forums?
« Reply #9 on: September 12, 2016, 05:27:51 am »
Quote
IIRC it was investigated by gnif (resident server maintainer) and it was not as trivial as you make it out to be.

It's trivial except for the CloudFail, err, Flare, issue.
 

Offline AntiProtonBoyTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: HTTPS for EEVBlog Forums?
« Reply #10 on: September 12, 2016, 05:35:45 am »
Quote
IIRC it was investigated by gnif (resident server maintainer) and it was not as trivial as you make it out to be, and most decided it wasn't important.
I don't know what kind of hackery is required to get this working on your hosting service, so fair enough. That said, I wasn't kidding about click of a button thing with the hosting company I'm with (VentraIP). I just assumed other hosting services offered a similar thing. :-//
 

Online JPortici

  • Super Contributor
  • ***
  • Posts: 3461
  • Country: it
Re: HTTPS for EEVBlog Forums?
« Reply #11 on: September 12, 2016, 06:42:01 am »
Quote
I've brought it up once before and it was decided down. I guess as long as you're not using the same password anywhere else, it won't matter. I personally opt to use HTTPS everywhere where it's available.

there is a firefox extension: HTTPS anywhere, it will try to use HTTPS on any website.
too bad it crashes most of them, especially forums.

okay, this is not the best example but if you ever tried the microchip forum :palm: the software will refuse to work with https, you won't even be able to write a post because the applet won't start with https
 

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 1889
  • Country: us
    • KE5FX.COM
Re: HTTPS for EEVBlog Forums?
« Reply #12 on: September 12, 2016, 08:54:30 am »
Why do I care about "privacy" on a site where the whole idea is to post a message on a public bulletin board?

If someone sniffs my password, I guess that could be a much bigger problem.  Who knows what could happen?  They might be able to log into my accounts on Reddit, Fark, and Disqus, and... um... read some more stuff that I posted with the intention of making it public.
 

Offline nfmax

  • Super Contributor
  • ***
  • Posts: 1559
  • Country: gb
Re: HTTPS for EEVBlog Forums?
« Reply #13 on: September 12, 2016, 09:11:14 am »
The dangers are more subtle than mere password sniffing. There is the possibility that the content either of the site itself, or more probably of one of the advert syndication services or CDNs it uses is modified by a malicious actor to inject a JavaScript attack or a link to a site containing such an attack. This may be able to gain privileged access to your machine and then it's Game Over. Today, probably ransomware is the most likely payload, but they might just be after your contacts and email account, as a staging post to a credible phishing attempt on someone else. 'They' could be anyone from Russian or Ukrainian crime syndicates (other nationalities are also available) to state actors. You may well not be the target - but your machine might get trashed just to cover their tracks

I am not an expert (though I know people who are) but IMHO it is starting to become dangerous to allow JavaScript and adverts on non-encrypted connections
 

Offline imidis

  • Frequent Contributor
  • **
  • Posts: 426
  • Country: ca
Re: HTTPS for EEVBlog Forums?
« Reply #14 on: September 12, 2016, 09:34:02 am »
I don't care either way, however, I buy the godaddy $5.99 ssl cert, the non verified non-wildcard. (one domain prefix only) They give me a zip file then I install it on my server. Didn't really find it that complicated.
Gone for good
 

Offline 3db

  • Frequent Contributor
  • **
  • Posts: 331
  • Country: gb
Re: HTTPS for EEVBlog Forums?
« Reply #15 on: September 12, 2016, 09:50:40 am »
Quote
Depends on your web host, I suppose?

I'm using a shitty shared hosting package for my forum, and I could install TLS with a single click of a button, and just add a mod_rewrite entry in .htaccess to redirect HTTP traffic to HTTPS.

Anyway. Your call obviously.  :)

Have you done this ?
 

Offline 3db

  • Frequent Contributor
  • **
  • Posts: 331
  • Country: gb
Re: HTTPS for EEVBlog Forums?
« Reply #16 on: September 12, 2016, 09:59:54 am »
There is NO such thing as internet security.
Anything on the net can be hacked etc,etc :rant:.
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: HTTPS for EEVBlog Forums?
« Reply #17 on: September 12, 2016, 10:15:30 am »
Quote
IIRC it was investigated by gnif (resident server maintainer) and it was not as trivial as you make it out to be, and most decided it wasn't important.
No other forums I'm on use https
Hardly anyone is asking for it, not a single person has quit or refused to join the forum because it doesn't have it, and quite frankly not moving to it is one less thing that can go wrong.

It's clearly a feature some (including myself) would like to see implemented as it's been brought up a number of times. Saying no one has quit or joined is all well and good, but it's almost impossible to provide stats on that unless they tell you. As for another thing to go wrong, normally I'd agree with you, but it's old technology that has been tried and tested. I personally believe the benefits outweigh the off-chance something was to go wrong.

Maybe gnif can weigh in on the conversation since he knows the server and site set up intimately. I suppose it's one of those things, once implemented (even if it requires a bit of work to get there) can be left alone to do its thing for the mid-to-long term.

I'd have to say, 90% of the websites I visit use HTTPS as standard, including news sites, hell even porn sites.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: HTTPS for EEVBlog Forums?
« Reply #18 on: September 12, 2016, 11:07:29 am »
Quote
Maybe gnif can weigh in on the conversation since he knows the server and site set up intimately. I suppose it's one of those things, once implemented (even if it requires a bit of work to get there) can be left alone to do its thing for the mid-to-long term.

One thing I do know is that we (mostly gnif) have spent a long time getting this server running optimally in all sorts of ways. Things you think won't be a problem and should be easy have a nasty habit of causing no end of trouble.
 

Offline magetoo

  • Frequent Contributor
  • **
  • Posts: 284
  • Country: se
Re: HTTPS for EEVBlog Forums?
« Reply #19 on: September 12, 2016, 11:08:03 am »
Quote
Saying no one has quit or joined is all well and good, but it's almost impossible to provide stats on that unless they tell you. As for another thing to go wrong, normally I'd agree with you, but it's old technology that has been tried and tested. I personally believe the benefits outweigh the off-chance something was to go wrong.

I'd most likely quit if the forum moved to HTTPS.  (Not a great loss perhaps.)  Old browsers don't really handle currently popular encryption standards well, and the defaults in most places seem to be very particular about who's allowed to connect.  I'm already having to manually change all URLs to "http:" on the non-forum EEVblog pages.

On the other hand, if someone is involved who really knows their stuff and can test things, fine.  But I get the feeling that most web devs will do a quick check with a recent Chrome version and call it a day.
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: HTTPS for EEVBlog Forums?
« Reply #20 on: September 12, 2016, 11:25:31 am »
Quote
Saying no one has quit or joined is all well and good, but it's almost impossible to provide stats on that unless they tell you. As for another thing to go wrong, normally I'd agree with you, but it's old technology that has been tried and tested. I personally believe the benefits outweigh the off-chance something was to go wrong.

I'd most likely quit if the forum moved to HTTPS.  (Not a great loss perhaps.)  Old browsers don't really handle currently popular encryption standards well, and the defaults in most places seem to be very particular about who's allowed to connect.  I'm already having to manually change all URLs to "http:" on the non-forum EEVblog pages.

On the other hand, if someone is involved who really knows their stuff and can test things, fine.  But I get the feeling that most web devs will do a quick check with a recent Chrome version and call it a day.
Just because you don't care about your security doesn't mean others should be forced to because of your lackadaisical view.
Your toaster just set fire to an African child over TCP.
 
The following users thanked this post: nugglix

Offline ovnr

  • Frequent Contributor
  • **
  • Posts: 658
  • Country: no
  • Lurker
Re: HTTPS for EEVBlog Forums?
« Reply #21 on: September 12, 2016, 11:30:11 am »
+1 for not bothering w/ HTTPS. You shouldn't be reusing your login credentials anyway, and what you post is public anyway.

The whole "Ooh! Let's encrypt all the things!" push is pointless, and that's coming from someone intensely angry about surveillance and privacy issues (specifically, the lack of privacy).
 
The following users thanked this post: 3db

Offline forrestc

  • Supporter
  • ****
  • Posts: 653
  • Country: us
Re: HTTPS for EEVBlog Forums?
« Reply #22 on: September 12, 2016, 11:31:02 am »
Quote
One thing I do know is that we (mostly gnif) have spent a long time getting this server running optimally in all sorts of ways. Things you think won't be a problem and should be easy have a nasty habit of causing no end of trouble.

SSL connections tend to be far more resource intensive than non-encrypted ones.   It doesn't surprise me that SSL would be something which you wouldn't want to enable by default if you care about CPU load.     

And before someone mentions it: Yes, some of this can now be handled in hardware with encryption co-processors.   But even with those, just doing the SSL handshakes can be expensive.
 

Offline wilhelm

  • Contributor
  • Posts: 14
  • Country: se
Re: HTTPS for EEVBlog Forums?
« Reply #23 on: September 12, 2016, 11:32:40 am »
Quote
Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
 

Offline magetoo

  • Frequent Contributor
  • **
  • Posts: 284
  • Country: se
Re: HTTPS for EEVBlog Forums?
« Reply #24 on: September 12, 2016, 11:35:54 am »
Quote
Just because you don't care about your security doesn't mean others should be forced to because of your lackadaisical view.

I won't stop anyone from typing in "https" in the address bar.  HTTPS by default has stopped me from seeing quite a few sites, so I think you've got it backwards.

If things are done right, both HTTP and HTTPS should work.  But it often doesn't.
« Last Edit: September 12, 2016, 11:38:26 am by magetoo »
 

