Why is this site not encrypted?
#11
My two cents, the "Let's encrypt everything, no exceptions" movement is overkill and annoying as hell.

1) If you try to use the web without an HTTPS-compliant browser, you're screwed. There is no such thing, you might profess. BS. Just an example, Dillo on Mageia is not compiled with SSL support. I ran into this issue just a couple of weeks ago when I had to peg my workstation at 100% CPU and RAM for a couple of hours for work. I resorted to browsing gopher while I waited.

2) If my browser doesn't support the encryption protocol you're using, I can't use your site. This is an issue I have with my BlackBerry Passport, older Android devices, and many other EOL OS's and devices. Pretty much cutting them off from the web.

3) If you're ever in remote places of the world, with spotty hardware and spottier connections, https connections are slower.

4) There are cache issues on some browsers/implementations. See #3 as to why this is a problem.

5) General consumers think that because a website is encrypted, it's safe. Even worse, because CA's are free now, they can become a vector for phishing. 99.5% of users have no idea that the "lock" in their address bar just means that the connection is encrypted or even what that means. False security is bad security.


This might sound like I'm saying not to use SSL. That is completely wrong. My argument is against unneeded redirects. Websites should be accessible to EVERYONE. Websites should offer their content in http and https. Your browser should be responsible for redirecting you to the HTTPS page. It's not the website's responsibility. Personally, I believe redirects should be built-in browser functionality, but seeing the browsers people use these days, good luck with that ever happening.

The only pages that should force redirection are anything to do with money and logins. That's it.

The rest of these pages, this forum, etc are public information. There is no need to force everyone to be behind encryption because YOU think it's a better idea.

Finally, the argument is always injections and man in the middle attacks. My response to this is always, if you have this problem with your ISP, then your problem is your ISP, not the website. I would be more worried about the other crap they're doing besides injecting ads into your connection. Change ISPs, sue them, contact your politician, contact your public works commissioner, or just tell your browser to always use https...
#12
Encrypting all websites is extremely important even if you have nothing to hide related to this particular website. For example, HTTPS protects you from middle-man attacks where someone can hijack the JavaScript and inject malware into it. See also: https://www.eff.org/encrypt-the-web.
#13
(11-08-2020, 01:41 PM)fsflover Wrote: Encrypting all websites is extremely important even if you have nothing to hide related to this particular website. For example, HTTPS protects you from middle-man attacks where someone can hijack the JavaScript and inject malware into it. See also: https://www.eff.org/encrypt-the-web.

No one is arguing against encrypting all websites. The argument is against forcing redirects if someone chooses to not use HTTPS.

Windows, Android, and iOS devices are massive privacy and security risks. Should we force everyone who owns those devices to use different operating systems because we deem them to be security risks? That's the same idea behind forced redirects of HTTPS.

The article you linked, I completely agree. Every website should have HTTPS. Everyone should use HTTPS Everywhere. Hell, I think HTTPS Everywhere should be built into all major web browsers and enabled by default.

However, I disagree that websites should stop offering static content via http as well. It's the user's choice if they don't want to use HTTPS, and in many cases there are valid reasons why.

Even so, let's look at EFF's arguments against HTTP that you linked:

Quote: For example, it's how GCHQ and NSA took over a Belgian ISP's computers.
Well, 99.5% of active consumer devices computers in the world are using Windows, Android, or iOS, and all three already have NSA backdoors. So that's moot.

Quote: Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon".

While this might be how China DDoS'd GitHub, I'm sure they have many more tools in their arsenal. They are a multi-trillion dollar authoritarian nation state after all. In fact, I would imagine they have agents working at GitHub and/or Microsoft that could sabotage the site just as easily if they wanted to burn the asset.

Quote: Content injection is also becoming popular with ISPs.

Change ISPs, sue, pester your congress critter, sue some more, or start your own (which might require both suing and your congress critter...) But the bad actions of your ISP shouldn't dictate how I consume content. Just as I shouldn't dictate your use of Windows because it's less secure than OpenBSD.

Anyway, none of those, except maybe the DDoS, are reasons to force users to use HTTPS. Those are all reasons consumers should use HTTPS. As a provider, you should offer content however your consumers want to consume it. Some consumers have a valid reason to consume things via unsecured methods.

In the case of the DDoS, sure it mitigates that attack method by a major nation state. But to be honest, anyone can take down any server given enough resources.


Pine64 gives you the option to use http or https. If you're concerned about your privacy and security, use the latter. The former won't bother you in any way, unless the website is being targeted, and even then, there are greater security risks here, like MyBB.
#14
This thread has gone entirely off-topic.

The Main website, Forum, Wiki and Store are served over HTTPS - your opinion on whether or not that is required is beside the point.

Unless there's something I misunderstood from the OP, this thread ought to be locked to further replies.
#15
What's HTTPS and why do I need it?
#16
(11-08-2020, 02:47 PM)jed Wrote: This thread has gone entirely off-topic.

The Main website, Forum, Wiki and Store are served over HTTPS - your opinion on whether or not that is required is beside the point.

Unless there's something I misunderstood from the OP, this thread ought to be locked to further replies.

I do think you missed the point. The whole site is accessible with *either* HTTP or HTTPS. The OP wants to remove HTTP access. This would make the site inaccessible to those who don't want to, or cannot use HTTPS.

The security concerns about HTTP are valid for the average computer user.  They're moot though for someone who knows what they're doing.  Most people who use Pine64 products should be in this category.  All should, in my opinion.
#17
(11-08-2020, 06:05 PM)KC9UDX Wrote: I do think you missed the point.  The whole site is accessible with *either* HTTP or HTTPS.

Can't replicate on a modern browser.
#18
(11-09-2020, 02:09 AM)jed Wrote:
(11-08-2020, 06:05 PM)KC9UDX Wrote: I do think you missed the point.  The whole site is accessible with *either* HTTP or HTTPS.

Can't replicate on a modern browser.

I'm not sure what you mean. I am able to load it both ways at the moment.
#19
(11-09-2020, 02:09 AM)jed Wrote:
(11-08-2020, 06:05 PM)KC9UDX Wrote: I do think you missed the point.  The whole site is accessible with *either* HTTP or HTTPS.

Can't replicate on a modern browser.

Not sure which modern browser you used... I was able to easily access the forum via http and https via the current versions of Firefox and Chrome:

http: [attached image not preserved]

https: [attached image not preserved]
#20
Well this is the point, which is what I said :)

It works both ways. The OP doesn't want it to work in HTTP.

