I just installed chromium from the repos (i686) to test and found no issue.
Offline
https://bbs.archlinux.org/viewtopic.php … 42#p792842 showed up in the rss for new forum topics.
Is there a way to avoid it?
Offline
Nice work. I'd actually like to encrypt any and all connections I use... But that's not possible (yet!).
Am I being paranoid? Maybe yes, but you know what they say.
Just because you are paranoid, doesn't mean that no one is after you...
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
Offline
Just closed and opened the browser; it asked for the user name and password, and I noticed the change to https. Good work.
Offline
Maybe, but why would anyone want to steal my login credentials to a linux bulletin board? It has to be the most worthless piece of digital info I have. Or are you thinking of things like IP # etc?
Just because it's worthless information doesn't mean you should send it to everyone.
Has there been an active security problem we haven't been alerted to....or are we linux users just getting more paranoid? The timing is strange, given the redesign of the website etc. Was this on the burner for a while, or what? I'm curious what the reason is for the sudden switch after so many years of HTTP.
It has been long overdue. I added (optional) https to all vhosts a few months back (except AUR, which I added earlier today), and we will probably switch to https-only on wiki, bbs and AUR soon.
What bugs me here is the browsers: Even if the CACert is not trusted, these warnings are stupid: No web browser warns about surfing to an unencrypted and unauthenticated site, but they all go crazy when you surf to an encrypted site whose authentication couldn't be verified. The logic is just reversed here.
To answer another question from earlier: Yes, all traffic should be encrypted, as the internet is an untrustworthy network.
Offline
> What bugs me here is the browsers: Even if the CACert is not trusted, these warnings are stupid: No web browser warns about surfing to an unencrypted and unauthenticated site, but they all go crazy when you surf to an encrypted site whose authentication couldn't be verified. The logic is just reversed here.

I think the logic behind this behavior is for situations where you really need https, like financial transactions and such. You'd want to know if the secure connection can be verified before submitting anything personal.
Offline
Nice work, don't let all the naysayers bring you down.
Offline
Currently in windows at work. All browsers say the certificate is untrusted.
EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.
Last edited by Inxsible (2010-07-16 14:37:01)
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Offline
> Nice work, don't let all the naysayers bring you down.
Behold - The Archers Who Say 'Nay'.
Offline
> Currently in windows at work. All browsers say the certificate is untrusted.
> EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.

You can install the cacert root into these browsers. http://www.cacert.org/index.php?id=3
Give what you have. To someone, it may be better than you dare to think.
Offline
> Inxsible wrote: Currently in windows at work. All browsers say the certificate is untrusted.
> EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.
>
> You can install the cacert root into these browsers. http://www.cacert.org/index.php?id=3

x2
I'm at work too, XP+Firefox and had to install the cacert root...not a big deal...easy and slick
Offline
> Inxsible wrote: Currently in windows at work. All browsers say the certificate is untrusted.
> EDIT: Read that other OSes are not supported. Meh. Will check the Arch browsers from home later.
>
> You can install the cacert root into these browsers. http://www.cacert.org/index.php?id=3

Works in Chrome on Win XP after importing root.der. Thanks.
Offline
Minefield doesn't trust the certificate, exception added...
Likewise with Mozilla SeaMonkey 2.0.7pre from the latest 1.9.1 comm. (Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12pre) Gecko/20100714 SeaMonkey/2.0.7pre) It says the connection is partially encrypted.
ca-certificates and openssl packages had been installed a while ago, though.
Edit: "you can install the cacert root into these browsers" Cleared the exception, tried again; that fixed it.
Last edited by Skyalmian (2010-07-16 15:00:11)
Offline
As you said yourself: you are not using a browser from our repos. In addition to this Mozilla does not use openssl or ca-certificates.
So for those who use third-party systems: install the class 1 and class 3 certs from http://www.cacert.org/index.php?id=3 (e.g. just click on both in pem-format)
Offline
I just switched bbs.archlinux.org to use only https.
Good move... thanks!
oz
Offline
Thank you. This is a good move in the right direction.
Offline
> > Nice work, don't let all the naysayers bring you down.
>
> Behold - The Archers Who Say 'Nay'.

AND the Archers who don't like using the normal quote-boxes?
Just to be consistent with my viewpoints on package signing, let me say right now... Meh...
Great work to those who did it though.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
I for one can only applaud this. Great job guys.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Offline
Yet another step to secure web.
> Likewise with Mozilla SeaMonkey... It says the connection is partially encrypted.

I think this warning is caused by the image http://img143.imageshack.us/img143/2138/chromium.png . Note that the main page of BBS is okay. Not sure whether this is the browser's or the BBS's problem. If the BBS forbids including images from other domain names in posts, then the BBS must have its own image store.
we are not condemned to write ugly code
Offline
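The "partially encrypted" indicator discussed in the post above is what a browser shows when an HTTPS page pulls in subresources over plain HTTP (mixed content). The following sketch is an added example, not part of any post or of the forum software; the page URL and sample markup are constructed, with the image URL taken from the thread. It lists such subresources in a rendered page so they can be rewritten or proxied.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# Passive content (images, media) degrades the padlock; active content
# (scripts, frames, stylesheets) can rewrite the page and is the worse case.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("passive", PASSIVE), ("active", ACTIVE)):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                self._check(kind, tag, attrs[attr])
        # Stylesheets are active content; <a href> is navigation and is ignored.
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel and attrs.get("href"):
            self._check("active", tag, attrs["href"])

    def _check(self, kind, tag, raw):
        # Resolve relative and protocol-relative URLs against the page first.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: a forum page with relative, protocol-relative and http:// resources.
PAGE_URL = "https://bbs.example.org/viewtopic.php?id=1"
SAMPLE_PAGE = """
<img src="img/smilies/smile.png">
<img src="//static.example.org/avatar.png">
<img src="http://img143.imageshack.us/img143/2138/chromium.png">
<a href="http://www.cacert.org/index.php?id=3">root certs</a>
<script src="http://static.example.org/forum.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```
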
Reading this and posting from Webpositive and Haiku with no problems at all.
"When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been, and there you will always long to return."
Offline
*** I haven't read any post in this thread. ***
Thanks devs for the https upgrade. Once again a very nice improvement. It's much appreciated.
Offline
> Just to be consistent with my viewpoints on package signing, let me say right now... Meh...

I was just about to post something about this. I'm not aware of your particular views regarding package signing, but in general here's what I think:
In all those package signing threads, most devs/moderators treated those who wanted package signing as paranoid and didn't pay much attention. When it comes to SSL on something as trivial as the Arch homepage, wiki, even forums everyone seems to be afraid of the Internet.
I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?
Last edited by dcc24 (2010-07-17 07:58:07)
It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)
Offline
> ngoonee wrote: Just to be consistent with my viewpoints on package signing, let me say right now... Meh...
>
> I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?

Mostly the complexity of the implementation and the desire of one man to DO IT. Things are done if somebody works on them. So if you are interested and want to have this, CODE IT.
P.S. Don't ruin this thread by transforming it into yet another package signing thread. PLEASE
Last edited by wonder (2010-07-17 08:14:49)
Give what you have. To someone, it may be better than you dare to think.
Offline
> dcc24 wrote: ngoonee wrote: Just to be consistent with my viewpoints on package signing, let me say right now... Meh...
>
> I'm not trying to imply anything. Can someone - that was against package signing but for the SSL thing - please explain to me, why? I'm genuinely curious. Does it come down merely to "implementation difficulty" (e.g. it's easy to deploy an SSL certificate / hard to implement package signing) ? The Internet is "an untrusted network" when it comes to SSL-protecting the homepage, but "it's not a big deal" when implementing package signing?
>
> Mostly the complexity of the implementation and the desire of one man to DO IT. Things are done if somebody works on them. So if you are interested and want to have this, CODE IT.
> P.S. Don't ruin this thread by transforming it into yet another package signing thread. PLEASE

You've managed to completely miss my point. I'm not inquiring as to WHY it hasn't been implemented, I'm simply asking why some people called package signing paranoia and consider SSL'ing the homepage as "Internet is an untrusted network".
Last edited by dcc24 (2010-07-17 08:19:10)
It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)
Offline
Different people, I'm sure you'll find.
As you yourself have also noted, package signing is much harder. Much much harder. Now can we get off that topic? It's OT here.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline