You are not logged in.

#26 2010-07-16 12:25:11

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,409
Website

Re: This bbs now uses https exclusively

I just installed chromium from the repos (i686) to test and found no issue.

Offline

#27 2010-07-16 12:29:45

karol
Archivist
Registered: 2009-05-06
Posts: 25,428

Re: This bbs now uses https exclusively

https://bbs.archlinux.org/viewtopic.php … 42#p792842 showed up in the rss for new forum topics.
Is there a way to avoid it?

Offline

#28 2010-07-16 13:20:05

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331
Website

Re: This bbs now uses https exclusively

Nice work. I'd actually like to encrypt any and all connections I use... But that's not possible (yet!).
Am I being paranoid? Maybe yes, but you know what they say.

Just because you are paranoid, doesn't mean that no one is after you...


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage

Offline

#29 2010-07-16 13:20:32

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: This bbs now uses https exclusively

Just closed and open the browser and asked for the user name and password and noticed the change to https. Good work.

Offline

#30 2010-07-16 13:46:06

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: This bbs now uses https exclusively

Skripka wrote:

Maybe, but why would anyone want to steal my login credentials to a linux bulletin board?  It has to be the most worthless piece of digital info I have.    Or are you thinking of things like IP # etc?

Just because it's worthless information doesn't mean you should send it to everyone.

Has there been an active security problem we haven't been alerted to....or are we linux users just getting more paranoid?  The timing is strange, given the redesign of the website etc.  Was this on the burner for a while, or what?  I'm curious what the reason is for the sudden switch after so many years of HTTP.

It has been long overdue. I added (optional) https to all vhosts a few months back (except AUR, which I added earlier today), and we will probably switch to https-only on wiki, bbs and AUR soon.


What bugs me here is the browsers: Even if the CACert is not trusted, these warnings are stupid: No web browser warns about surfing to an unencrypted and unauthenticated site, but they all go crazy when you surf to an encrypted site that whose authentication couldn't be verified. The logic is just reversed here.
To answer another question from earlier: Yes, all traffic should be encrypted, as the internet is an untrustworthy network.

Offline

#31 2010-07-16 13:55:36

tjwoosta
Member
Registered: 2008-12-18
Posts: 453

Re: This bbs now uses https exclusively

brain0 wrote:

What bugs me here is the browsers: Even if the CACert is not trusted, these warnings are stupid: No web browser warns about surfing to an unencrypted and unauthenticated site, but they all go crazy when you surf to an encrypted site that whose authentication couldn't be verified. The logic is just reversed here.

I think the logic behind this behavior is for situations where you really need https, like financial transactions and such. You'd want to know if the secure connection can be verified before submiting anything personal.

Offline

#32 2010-07-16 14:29:22

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,537

Re: This bbs now uses https exclusively

Nice work, don't let all the naysayers bring you down.

Offline

#33 2010-07-16 14:34:37

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,071

Re: This bbs now uses https exclusively

Currently in windows at work. All browsers say the certificate is untrusted.

EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.

Last edited by Inxsible (2010-07-16 14:37:01)


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !

Offline

#34 2010-07-16 14:34:45

karol
Archivist
Registered: 2009-05-06
Posts: 25,428

Re: This bbs now uses https exclusively

> Nice work, don't let all the naysayers bring you down.
Behold - The Archers Who Say 'Nay'.

Offline

#35 2010-07-16 14:40:22

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,937
Website

Re: This bbs now uses https exclusively

Inxsible wrote:

Currently in windows at work. All browsers say the certificate is untrusted.

EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.

you can install the cacert root into this browsers. http://www.cacert.org/index.php?id=3


Give what you have. To someone, it may be better than you dare to think.
Blog

Offline

#36 2010-07-16 14:48:59

DarkVenger
Member
Registered: 2008-11-24
Posts: 34

Re: This bbs now uses https exclusively

wonder wrote:
Inxsible wrote:

Currently in windows at work. All browsers say the certificate is untrusted.

EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.

you can install the cacert root into this browsers. http://www.cacert.org/index.php?id=3

x2
I'm at work too, XP+Firefox and had to install the cacert root...not a big deal...easy and slick

Offline

#37 2010-07-16 14:51:49

Misfit138
Misfit Emeritus
From: USA
Registered: 2006-11-27
Posts: 4,170

Re: This bbs now uses https exclusively

wonder wrote:
Inxsible wrote:

Currently in windows at work. All browsers say the certificate is untrusted.

EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.

you can install the cacert root into this browsers. http://www.cacert.org/index.php?id=3

Works in Chrome on Win XP after importing root.der. Thanks.

Offline

#38 2010-07-16 14:56:55

Skyalmian
Member
Registered: 2009-06-28
Posts: 120
Website

Re: This bbs now uses https exclusively

jocheem67 wrote:

Minefield doesn't trust the certificate, exception added...

Likewise with Mozilla SeaMonkey 2.0.7pre from the latest 1.9.1 comm. (Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12pre) Gecko/20100714 SeaMonkey/2.0.7pre) It says the connection is partially encrypted.

ca-certificates and openssl packages had been installed a while ago, though.

Edit: "you can install the cacert root into this browsers" Cleared the exception, tried again; that fixed it.

Last edited by Skyalmian (2010-07-16 15:00:11)


[arch] [git]

Offline

#39 2010-07-16 15:02:59

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: This bbs now uses https exclusively

As you said yourself: you are not using a browser from our repos. In addition to this Mozilla does not use openssl or ca-certificates.

So for those who use third-party systems: install the class 1 and class 3 certs from http://www.cacert.org/index.php?id=3 (e.g. just click on both in pem-format)

Offline

#40 2010-07-16 15:28:10

ozar
Member
From: USA
Registered: 2005-02-18
Posts: 1,681

Re: This bbs now uses https exclusively

brain0 wrote:

I just switched bbs.archlinux.org to use only https.

Good move... thanks!  cool


oz

Offline

#41 2010-07-16 16:15:17

saline
Member
Registered: 2010-02-20
Posts: 86

Re: This bbs now uses https exclusively

Thank you.  This is a good move in the right direction.

Offline

#42 2010-07-16 16:15:47

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 6,834

Re: This bbs now uses https exclusively

karol wrote:

> Nice work, don't let all the naysayers bring you down.
Behold - The Archers Who Say 'Nay'.

AND the Archers who don't like using the normal quote-boxes?

Just to be consistent with my viewpoints on package signing, let me say right now... Meh...

Great work to those who did it though.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#43 2010-07-16 17:51:10

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: This bbs now uses https exclusively

I for one can only applaud this smile. Great job guys.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#44 2010-07-16 18:54:33

beroal
Member
From: Ukraine
Registered: 2009-06-07
Posts: 235
Website

Re: This bbs now uses https exclusively

Yet another step to secure web.

Skyalmian wrote:

Likewise with Mozilla SeaMonkey... It says the connection is partially encrypted.

I think this warning is caused by the image http://img143.imageshack.us/img143/2138/chromium.png . Note that the main page of BBS is o'kay. Not sure whether this is browser's or BBS's problem. If BBS will forbid including into posts images on other domain names, than BBS must have its own image store.


we are not condemned to write ugly code

Offline

#45 2010-07-16 23:24:50

bones
Member
From: Brisbane
Registered: 2006-03-24
Posts: 321
Website

Re: This bbs now uses https exclusively

Reading this and posting from Webpositive and Haiku with no problems at all.


"When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been, and there you will always long to return."

Offline

#46 2010-07-17 04:00:52

skottish
Forum Fellow
From: Here
Registered: 2006-06-16
Posts: 7,931

Re: This bbs now uses https exclusively

*** I haven't read any post in this thread. ***

Thanks devs for the https upgrade. Once again a very nice improvement. It's much appreciated.

Offline

#47 2010-07-17 07:55:48

dcc24
Member
Registered: 2009-10-31
Posts: 723

Re: This bbs now uses https exclusively

ngoonee wrote:

Just to be consistent with my viewpoints on package signing, let me say right now... Meh...

I was just about to post something about this. I'm not aware of your particular views regarding package signing, but in general here's what I think:

In all those package signing threads, most devs/moderators treated those who wanted package signing as paranoid and didn't pay much attention. When it comes to SSL on something as trivial as the Arch homepage, wiki, even forums everyone seems to be afraid of the Internet.

I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?

Last edited by dcc24 (2010-07-17 07:58:07)


It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)

My AUR packages

Offline

#48 2010-07-17 08:13:43

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,937
Website

Re: This bbs now uses https exclusively

dcc24 wrote:
ngoonee wrote:

Just to be consistent with my viewpoints on package signing, let me say right now... Meh...

I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?

mostly the complexity of the implementation and the desire of one man to DO IT. things are done if somebody work on them. so if you are interested and want this to have, CODE IT.

p.s don't ruin this thread by transforming in yet another package signing thread. PLEASE

Last edited by wonder (2010-07-17 08:14:49)


Give what you have. To someone, it may be better than you dare to think.
Blog

Offline

#49 2010-07-17 08:18:44

dcc24
Member
Registered: 2009-10-31
Posts: 723

Re: This bbs now uses https exclusively

wonder wrote:
dcc24 wrote:
ngoonee wrote:

Just to be consistent with my viewpoints on package signing, let me say right now... Meh...

I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?

mostly the complexity of the implementation and the desire of one man to DO IT. things are done if somebody work on them. so if you are interested and want this to have, CODE IT.

p.s don't ruin this thread by transforming in yet another package signing thread. PLEASE

You've managed to completely miss my point. I'm not inquiring as to WHY it hasn't been implemented, I'm simply asking why some people called package signing as paranoia and consider SSL'ing the homepage as "Internet is an untrusted network".

Last edited by dcc24 (2010-07-17 08:19:10)


It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)

My AUR packages

Offline

#50 2010-07-17 08:46:55

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 6,834

Re: This bbs now uses https exclusively

DIfferent people, I'm sure you'll find.

As you yourself have also noted, package signing is much harder. Much much harder. Now can we get off that topic? Its OT here.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

Board footer

Powered by FluxBB