Thread: Ubuntuforums.org SSL Security

  1. #1
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Ubuntuforums.org SSL Security

    Greets, folks. I would really like to see Ubuntuforums.org protect user login, session tracking, and search data with SSL, just as many of the related sites do. e.g. launchpad.net, wiki.ubuntu.com.

    Even help.ubuntu.com is redirected to use SSL, and it's not even used for passing sensitive data.

    I would assume others share my concern over the matter, but it really is important to me, and figured it's as good a time as any to bring it up.

    Thanks for listening.

    Gilbert

  2. #2
    Join Date
    Oct 2005
    Location
    United Kingdom
    Beans
    4,848

    Re: Ubuntuforums.org SSL Security

    I hardly know anything about this, and am not being a voice of staff in this post...

    I'm not sure if SSL is really worth it on a forum like this, and even then, whether the current infrastructure could handle the load increase?

    The reason the wikis use SSL is because they use launchpad to authenticate, which needs to be more secure because of the things on the site.
    Every time you install Jaunty, a kitten........ wait sorry what year is this again?
    Please don't PM support questions, post a thread so that everyone can benefit
    Join us in #ubuntuforums on irc.freenode.net

  3. #3
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
        Greets, folks. I would really like to see Ubuntuforums.org protect user login, session tracking, and search data with SSL, just as many of the related sites do. e.g. launchpad.net, wiki.ubuntu.com.

    The only "personal" information that is sent is the user name and password.

    Sessions end with the browser closing (unless you check otherwise).

  4. #4
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    Quote:
        I'm not sure if SSL is really worth it on a forum like this, and even then, whether the current infrastructure could handle the load increase?

    I'd be very surprised if the Canonical team is not making use of hardware-assisted SSL accelerators. And you don't have to encrypt all forum traffic, just the username/password exchange.

    Quote:
        The only "personal" information that is sent is the user name and password.

        Sessions end with the browser closing (unless you check otherwise).

    That's exactly what we should be protecting. Theft of cookies and unencrypted password exchange is trivial.

    Yes... I know it's ultimately up to people to obey best practices when logging into sites... but it's also courteous for those that know better to help a situation when it's within their means. People may often find themselves on untrusted hotspot networks, and it would be a shame for them not to feel comfortable participating in forum discussions when they don't want to log in for fear of exposing their passwords.

    This really isn't meant to cast responsibility or debate security implications, just a friendly suggestion that I'm sure Canonical and fellow Ubunteros would appreciate.

    Thanks.
    Last edited by gmendoza; June 17th, 2008 at 06:06 AM. Reason: spelling

  5. #5
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
        That's exactly what we should be protecting. Theft of cookies and unencrypted password exchange is trivial.

        Yes... I know it's ultimately up to people to obey best practices when logging into sites... but it's also courteous for those that know better to help a situation when it's within their means. People may often find themselves on untrusted hotspot networks, and it would be a shame for them not to feel comfortable participating in forum discussions when they don't want to log in for fear of exposing their passwords.

    You do realise you contradicted yourself? Only encrypt login credentials, but not the rest of the site but the theft of cookies is trivial. If SSL were to be used, it would have to be used for the entire site. Better yet, force re-authentication every time an action is made (not sarcastic, some moderator actions require that).

    You can always use a portable browser, like Opera and Firefox. You can use them on a flash drive and use whatever password managers they have (Opera has wand, a very good manager).

  6. #6
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by LaRoza
        You do realise you contradicted yourself? Only encrypt login credentials, but not the rest of the site but the theft of cookies is trivial. If SSL were to be used, it would have to be used for the entire site. Better yet, force re-authentication every time an action is made (not sarcastic, some moderator actions require that)

    No offense taken or anything, as I see where perhaps I didn't make myself clear enough. I was responding to the notion of increased load and what one strategy would be to remedy that particular situation: encrypt only authentication data. I didn't expand on this next point.

    Your cookie is part of your ongoing authenticated access and just as important as your password, and should be protected using SSL. You do not have to encrypt an entire page just to protect cookie transmission.

    Quote Originally Posted by LaRoza
        You can always use a portable browser, like Opera and Firefox. You can use them on a flash drive and use whatever password managers they have (Opera has wand, a very good manager)

    SSL is to protect against network-based MITM attacks. You are referring to theft of stored cookies, which is not the attack vector I'm concerned with. If you are using an untrusted computer, then your password is at risk of being stolen anyway.
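
Added example, not part of any post in this thread: the exchange above turns on whether a session cookie issued after an HTTPS login stays protected when later pages load over plain HTTP. The sketch uses Python's standard-library cookie jar as a stand-in for a browser; the host `forum.example`, the paths and the cookie value are constructed placeholders.

```python
import email
import http.cookiejar
import urllib.request

HOST = "forum.example"  # placeholder host, not the real forum


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._msg


def cookie_sent(set_cookie, next_url):
    """Log in over HTTPS, receive `set_cookie`, then request `next_url`.

    Returns the Cookie header the client would attach, or None.
    """
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{HOST}/login.php")
    jar.extract_cookies(FakeResponse(set_cookie), login)
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def demo():
    # Constructed cookie values for illustration only.
    plain = "sessionhash=constructed123; Path=/"
    secure = "sessionhash=constructed123; Path=/; Secure; HttpOnly"
    http_page = f"http://{HOST}/showthread.php"
    https_page = f"https://{HOST}/showthread.php"
    return {
        "no Secure, http page": cookie_sent(plain, http_page),
        "Secure, http page": cookie_sent(secure, http_page),
        "Secure, https page": cookie_sent(secure, https_page),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:22} -> {header!r}")
```

With the `Secure` attribute set, the session cookie only travels on HTTPS requests, so any page that needs the logged-in session has to be served over HTTPS as well.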

  7. #7
    Join Date
    Apr 2007
    Beans
    14,781

    Re: Ubuntuforums.org SSL Security

    Quote Originally Posted by gmendoza
        SSL is to protect against network-based MITM attacks. You are referring to theft of stored cookies, which is not the attack vector I'm concerned with. If you are using an untrusted computer, then your password is at risk of being stolen anyway.

    True. However, I do feel that using untrusted computers is by itself a fail. The average (I think) poster is using a home computer, a friend/family computer or a work/school computer.

    If one feels that the computer being used isn't secure enough to use the forum, then I question using that computer.
