News | Forum | People | FAQ | Links | Search | Register | Log in
Site Help
This is the forum to ask questions about this website, report things that are broken, request features, etc.

Be sure to check out the FAQ as well.
First | Previous | Next | Last
BTW. 
Sorry I SECRETLY EDITED the news post to put in the precious .zip link :P 
Quoting A Url 
http://celephais.net/board/ 
 
Let's Encrypt is public and incredibly easy get a cert with via https://gethttpsforfree.com/

Would be great if func got HTTPS. 
 
what is the point of https unless you are doing things that need to establish encrypted comms? 
 
Why would you want to let state surveillance track all our behaviour and communications online? Why should shady agencies be invited to know what you are reading?

It's none of their business. Everything should be encrypted. 
 
We need a tinfoil hat emote too. Please add one for us NSA. 
 
i'm surprised it's a free service, since normally the price you're paying for a certificate is the security that the key is stored in. 
 
I'm open to this but sleepwalkr would have to do the actual setup, since i don't have access to install this kind of stuff AFAIK.

P.S. one obvious use for https is that you send your password over the internet when you log in (and after that you send a hashed password with every page request.) Asssuming you don't use your func password for any other website it's not a huge risk but still, why not make it more secure? 
 
One reason to care about https is that Google cares when listing search results: http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html 
Necros 
It's a joint effort by Mozilla, the EFF and others to make global HTTPS an easier target to reach. The private key nevers leaves your own infrastructure in any sane procedure.

Expensive certs might have more validation, LE is "just" domain based. You show that you control "quakewiki.org" and they sign your cert for it. "Blue" certs require more proof of your identity but are not necessary unless you are transferring actually sensitive data like money.

Any CA can be breached or made accomplice in MITM.

Scampie: Did you miss the last 2 years of news? 
Necros 
It's a joint effort by Mozilla, the EFF and others to make global HTTPS an easier target to reach. The private key nevers leaves your own infrastructure in any sane procedure.

Expensive certs might have more validation, LE is "just" domain based. You show that you control "quakewiki.org" and they sign your cert for it. "Blue" certs require more proof of your identity but are not necessary unless you are transferring actually sensitive data like money.

Any CA can be breached or made accomplice in MITM.

Scampie: Did you miss the last 2 years of news? 
OMG NSA STOP REPLAYING MY PACKETZ! 
 
 
Wouldn't this have to come with a bunch of other changes as well? If you don't have to log in to see the content, what good is encrypting anything?

I admit to ignorance on this, I just don't see how it stops bots from skimming the text... 
 
Nah, that's a different thing. Func is a public forum.

Jere the encryption would make sure that your login data is transmitted safely and that no one knows what you _read_.

There is nothing sensitive at func but we should strife to make privacy the norm. 
Oh No 
the govorment stealing mah quakes 
 
getting a bit hazy on these details, but aren't public keys built into browsers? if anyone can gets certs, these will go into the browsers as well? 
Public Keys 
The public keys are, as the name suggest, public. They don't need to go into the browser because the server will transmit them to anyone who requests them.

If you request the public keys for a server, there are two questions of trust at stake.

1. How do I know that the person who sent me this public key has the private key to go with it? (Threat: an attacker could get the public key and then relay it to you.)
2. How do I know that this public key belongs to the server I want to talk to? (Threat: an attacker could send you details of a different public key which they have the private key for)

The first question is answered by a challenge-response system - you ask your counterpart to encode a random message using the private key, and check that the public key unlocks it.

The second question is answered by having a trusted party sign the key. This works a bit like our challenge-response, but the encrypted message is hard coded, and unlocks using the public key of a trusted party. In this case, the trusted party will be letsencrypt, and it's their public key which gets built into your browser or operating system. The hard-coded message should decrypt to say that "this key is valid for that server", and you don't trust it if it says anything else.

So then, you might reasonably ask, if letsencrypt will give anyone a certificate, what stops an attacker from getting their own key signed to work on somebody else's server? The reason that doesn't work so easily is that letsencrypt will give the certificate to anyone, so long as they can prove they control the server. This usually involves uploading a specific file to a location specified by letsencrypt - you only get a signature once you meet this challenge. 
"You're Privacy Is Literally Raped :^)" -Edward Snowman 
 
 
"Your" 
 
oh right, whoooops, it's the certificates that are stored on the browser, not the keys. :}

i guess the question still stands, but with different words: how will the certs be distributed or will we get those 'self signed certificate warnings'? 
 
CAs can 'cross-sign' each other's certificates. By that you get chains of trust. The Let's Encrypt CA's cert was cross-signed by some already trusted CA so now browsers trust the certs they issue.

https://quakewiki.org is already running with such a cert, should work anywhere without problems (except non-SNI systems). 
 
 
cool, thanks for the info.
i had no idea that those things were possible. i guess there really isn't any reason not to go https then, since there's no difficulty in getting a cert and having it work without users noticing. 
Yes There Is 
It's work for me and I don't see the point on this particular forum. Sorry. 
1 post not shown on this page because it was spam
First | Previous | Next | Last
You must be logged in to post in this thread.
Website copyright © 2002-2024 John Fitzgibbons. All posts are copyright their respective authors.