(suggestion) Encryption with Let's Encrypt

[carlos]

Let's Encrypt It’s free, automated, and open, Certificate Authority
We can use it to have https in celestia site.

sorry for posting here, I don't found a more suitable place.

[John Van Vliet]

SPAM!!!!

reported

[carlos]

and not spam, even'm serious, let's encrypt the, it is an initiative that includes mozilla can confirm

Added after 2 minutes 54 seconds:
https://en.wikipedia.org/wiki/Let's_Encrypt
https://letsencrypt.org/sponsors/

just I put the suggestion here because I thought the adm might like to have https
noting that yes, it's free

Added after 4 minutes 48 seconds:
an article
http://www.cnet.com/news/privacy-push-means-free-encryption-for-websites/

some sites that use
https://puri.sm/
https://librecmc.org/librecmc/home
https://trac.torproject.org/projects/tor

It is I will not gain anything by it, just one more site to navigate with encryption

(if you find it strange the way I speak, and because I am not a native speaking)

[Coder206]

Hello!

I hope you are doing well. I agree with carlos on this! It's really an important topic especially if the website allows for downloading of executable files.

I think this should be looked at more closely despite the apparent "SPAM" from John.

Best regards,

Coder206

[John Van Vliet]

well a rewrite of the forum code would first need to be done to use https
then after that a cert can be used

but relying on cert authorities is and NEVER !!!!! was a good idea

it is in fact a VERY BAD idea when first implemented and still is

even though "Richard Stallman" is a bit of a nut case i AGREE with him on this
CA's and TC is really "treacherous computing"

[Coder206]

Hello John!

I hope you are doing well! Thanks for the information, I was not aware of the controversy with cert authorities. (I am actually reading about it as much as possible)

Best regards,

Coder206

[Alexell]

If you want, I can do so that website and forum work via HTTPS through letsencrypt.org certificate or hosting provider certificate.
But the question is: why it is needed? We do not share any confidential or payment data that needs to be protected. In addition, the screenshots on the forum people stick with third-party sites and HTTPS protocol will consider this threat and block them.

[selden]

The use of https for login and registration would help to protect against theft of login credentials.

Unfortunately there are some who enjoy the disruption they can cause by stealing others' accounts.

[omega13a]

Unfortunately there are some who enjoy the disruption they can cause by stealing others' accounts.

Not to mention there's a lot of people who use the same exact log-in info for different places. However, given the amount of traffic (or rather lack of) here, I doubt anyone would try to steel usernames and passwords from here.

[selden]

Without https, userids and passwords are transmitted in plain text. The people interested in stealing such things don't pay any attention to where they're coming from. They just accumulate as many as they can see whenever they're managed to compromise a server.

[Alexell]

selden, indeed when login, password are transmitted in POST request in plain text.

Spoiler

ucp.php?mode=login

POST /forum/ucp.php?mode=login HTTP/1.1
Host: celestiaproject.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: ucp.php?mode=login
Cookie: *******************
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
username=Alexell&password=**********&autologin=on&redirect=.%2Fucp.php%3Fmode%3Dlogin&sid=c905146949ce0abbd86ee82fed616395&redirect=index.php&login=Login
HTTP/1.1 302 Found
...

But it is possible to see only one who logged in. And for this you need a sniffer. Most importantly - passwords are not stored in plain text on the server.