Page 1 of 5 (results 1 to 10 of 44)

Thread: Ubuntuforums.org SSL Security

  1. #1
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Ubuntuforums.org SSL Security

    Greets, folks. I would really like to see Ubuntuforums.org protect user login, session tracking, and search data with SSL, just as many of the related sites do. e.g. launchpad.net, wiki.ubuntu.com.

    Even help.ubuntu.com is redirected to use SSL, and it's not even used for passing sensitive data.

    I would assume others share my concern over the matter, but it really is important to me, and figured it's as good a time as any to bring it up.

    Thanks for listening.

    Gilbert

  2. #2
    Join Date
    Oct 2005
    Location
    United Kingdom
    Beans
    4,848

    Re: Ubuntuforums.org SSL Security

    I hardly know anything about this, and am not being a voice of staff in this post...

    I'm not sure if ssl is really worth it on a forum like this, and even then, whether the current infrastructure could handle the load increase?

    The reason the wikis use ssl is because they use launchpad to authenticate, which needs to be more secure because of the things on the site.
    Every time you install Jaunty, a kitten........ wait sorry what year is this again?
    Please don't PM support questions, post a thread so that everyone can benefit
    Join us in #ubuntuforums on irc.freenode.net

  3. #3
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
    Greets, folks. I would really like to see Ubuntuforums.org protect user login, session tracking, and search data with SSL, just as many of the related sites do. e.g. launchpad.net, wiki.ubuntu.com.
    The only "personal" information that is sent is the user name and password.

    Sessions end with the browser closing (unless you check otherwise).

  4. #4
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    I'm not sure if ssl is really worth it on a forum like this, and even then, whether the current infrastructure could handle the load increase?
    I'd be very surprised if the Canonical team is not making use of hardware-assisted SSL accelerators. And you don't have to encrypt all forum traffic, just the username/password exchange.


    The only "personal" information that is sent is the user name and password.

    Sessions end with the browser closing (unless you check otherwise).
    That's exactly what we should be protecting. Theft of cookies and unencrypted password exchange is trivial.

    Yes... I know it's ultimately up to people to obey best practices when logging into sites... but it's also courteous for those that know better to help a situation when it's within their means. People may often find themselves on untrusted hotspot networks, and it would be a shame for them not to feel comfortable participating in forum discussions when they don't want to log in for fear of exposing their passwords.

    This really isn't meant to cast responsibility or debate security implications, just a friendly suggestion that I'm sure Canonical and fellow Ubunteros would appreciate.

    Thanks.
    Last edited by gmendoza; June 17th, 2008 at 06:06 AM. Reason: spelling

  5. #5
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
    That's exactly what we should be protecting. Theft of cookies and unencrypted password exchange is trivial.

    Yes... I know it's ultimately up to people to obey best practices when logging into sites... but it's also courteous for those that know better to help a situation when it's within their means. People may often find themselves on untrusted hotspot networks, and it would be a shame for them not to feel comfortable participating in forum discussions when they don't want to log in for fear of exposing their passwords.
    You do realise you contradicted yourself? Only encrypt login credentials but not the rest of the site, yet the theft of cookies is trivial. If SSL were to be used, it would have to be used for the entire site. Better yet, force re-authentication every time an action is made (not sarcastic, some moderator actions require that).

    You can always use a portable browser, like Opera and Firefox. You can use them on a flash drive and use whatever password managers they have (Opera has wand, a very good manager)

  6. #6
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by LaRoza
    You do realise you contradicted yourself? Only encrypt login credentials but not the rest of the site, yet the theft of cookies is trivial. If SSL were to be used, it would have to be used for the entire site. Better yet, force re-authentication every time an action is made (not sarcastic, some moderator actions require that).
    No offense taken or anything, as I see where perhaps I didn't make myself clear enough. I was responding to the notion of increased load and what one strategy would be to remedy that particular situation; encrypt only authentication data. I didn't expand on this next point.

    Being that your cookie is part of your ongoing authenticated access and just as important as your password, it should be protected using SSL. You do not have to encrypt an entire page just to protect cookie transmission.

    Quote Originally Posted by LaRoza
    You can always use a portable browser, like Opera and Firefox. You can use them on a flash drive and use whatever password managers they have (Opera has wand, a very good manager)
    SSL is to protect network based MITM attacks. You are referring to theft of stored cookies, which is not the attack vector I'm concerned with. If you are using an untrusted computer, then your password is at risk of being stolen anyway.
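
    The posts above disagree over whether protecting only the login exchange protects the session cookie. The piece that decides it is the cookie's Secure attribute (RFC 6265): a browser attaches a cookie lacking Secure to every plain-HTTP request to the site, so a passive sniffer on the hotspot sees the session even when the password itself went over TLS. The following is an added example, not code from the thread or from ubuntuforums.org: it parses a set of constructed Set-Cookie headers (the bb* cookie names are an assumption, not the forum's real cookies), models which cookies a browser would send over http:// versus https://, and reports the findings a reviewer would raise. It goes slightly beyond the thread by also checking HttpOnly, which limits what page script can read.

```python
"""Added example (not from the thread): model, per RFC 6265, which cookies a
browser attaches to a plaintext request, and audit session cookies for the
Secure and HttpOnly attributes.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed Set-Cookie headers for illustration only; the names and values
# are assumptions, not real ubuntuforums.org cookies.
SET_COOKIE_HEADERS = [
    "bbsessionhash=deadbeef0123; path=/; HttpOnly",
    "bbuserid=12345; path=/; Secure; HttpOnly",
    "bbpassword=hashedvalue; path=/; Secure",
    "bblastvisit=1213680000; path=/",
]

# Which cookie names carry session state is an assumption for this example.
SESSION_LIKE = {"bbsessionhash", "bbuserid", "bbpassword"}


def parse_cookie_jar(headers):
    """Parse Set-Cookie headers into {name: {value, secure, httponly}}."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = {
                "value": morsel.value,
                # Morsel flags are True when present and "" when absent.
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


def cookies_sent_over(jar, url):
    """Names of cookies a browser would attach to a request for `url`.

    A cookie marked Secure is sent only over https; every other cookie is
    sent over http as well, regardless of how it was originally set.
    """
    scheme = urlparse(url).scheme
    return sorted(
        name for name, attrs in jar.items()
        if scheme == "https" or not attrs["secure"]
    )


def exposed_on_plaintext(jar):
    """Cookies a passive sniffer on the path sees on any http:// page view."""
    return cookies_sent_over(jar, "http://forum.example/showthread.php")


def audit(jar):
    """Findings a reviewer would raise for session-bearing cookies."""
    findings = []
    for name in sorted(SESSION_LIKE.intersection(jar)):
        if not jar[name]["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not jar[name]["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page script)")
    return findings


if __name__ == "__main__":
    jar = parse_cookie_jar(SET_COOKIE_HEADERS)
    print("sent over http: ", exposed_on_plaintext(jar))
    print("sent over https:", cookies_sent_over(jar, "https://forum.example/"))
    for finding in audit(jar):
        print("finding:", finding)
```

    Running it shows that the constructed bbsessionhash cookie, although it was never part of the login form, travels over every plain-HTTP page view because it lacks Secure; this is why encrypting only the login exchange does not protect the session unless the session cookies are also marked Secure, which in turn only works if the site keeps an https:// origin to send them to.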

  7. #7
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
    SSL is to protect network based MITM attacks. You are referring to theft of stored cookies, which is not the attack vector I'm concerned with. If you are using an untrusted computer, then your password is at risk of being stolen anyway.
    True. However, I do feel that using untrusted computers is by itself a fail. The average (I think) poster is using a home computer, a friend/family computer or a work/school computer.

    If one feels that the computer being used isn't secure enough to use the forum, then I question using that computer.

  8. #8
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by LaRoza
    True. However, I do feel that using untrusted computers is by itself a fail. The average (I think) poster is using a home computer, a friend/family computer or a work/school computer.

    If one feels that the computer being used isn't secure enough to use the forum, then I question using that computer.
    Agreed 100%. My concern and reference was for someone using their own computer on an untrusted *network*. But since that pretty much equates to *any* Internet connection, that's the reason behind SSL to begin with.

    Anyway, thanks for your concern in the matter. I really hope this conversation isn't taken as an argument, but simply clarification. Tone can easily be lost in translation.
    Last edited by gmendoza; June 17th, 2008 at 05:12 PM. Reason: minor edit

  9. #9
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
    Agreed 100%. My concern and reference was for someone using their own computer on an untrusted *network*. But since that pretty much equates to *any* Internet connection, that's the reason behind SSL to begin with.

    Anyway, thanks for your concern in the matter.
    I really have no control or say in this matter. It would, I think, be ultimately Canonical's decision and action.

    Having a trusted ISP, and a good router should be enough. Of course, anyone that truly wants to spy and has the knowledge could do it, but there is a fundamental rule in security. The best way to secure something is to make compromising it more expensive than it is worth. So for a bank with a million dollars in it, make it cost one million and one dollars to compromise it.

    I don't think Ubuntuforums is a worthy enough target for anyone but the admins' accounts.

  10. #10
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    I hope you read the last sentence of my last post. I edited it right before/after you submitted yours. Again, thanks for the attention you've given to the thread.

    Quote Originally Posted by LaRoza
    I don't think Ubuntuforums is a worthy enough target for anyone but the admins' accounts.
    Here's an excerpt of a point I made in an email I just sent to the Canonical and Ubuntu web team, which I thought was applicable to this post.

    --
    Let's be honest, even though I created unique passwords for each site
    that doesn't use password hashing or SSL, many other people use the same
    password for everything which puts them at risk. This is not about just
    protecting their forum access, but anything else users may give up as a
    result of this habit. Sure if it's not access to the Ubuntu forums that
    divulge their credentials, it will be another site. But at least it
    *won't* be the Ubuntu forums.
    --
