(suggestion) Encryption with Let's Encrypt

General discussion about Celestia that doesn't fit into other forums.
Topic author
carlos
Posts: 3
Joined: 14.08.2016
With us: 8 years 3 months

(suggestion) Encryption with Let's Encrypt

Post #1by carlos » 23.08.2016, 12:34

Let's Encrypt It’s free, automated, and open, Certificate Authority
We can use it to have https in celestia site.

sorry for posting here, I don't found a more suitable place.
Last edited by carlos on 24.08.2016, 00:43, edited 1 time in total.

Avatar
John Van Vliet
Posts: 2944
Joined: 28.08.2002
With us: 22 years 2 months

Post #2by John Van Vliet » 23.08.2016, 22:23

SPAM!!!!

reported

Topic author
carlos
Posts: 3
Joined: 14.08.2016
With us: 8 years 3 months

Post #3by carlos » 23.08.2016, 23:55

and not spam, even'm serious, let's encrypt the, it is an initiative that includes mozilla can confirm

Added after 2 minutes 54 seconds:
https://en.wikipedia.org/wiki/Let's_Encrypt
https://letsencrypt.org/sponsors/

just I put the suggestion here because I thought the adm might like to have https
noting that yes, it's free

Added after 4 minutes 48 seconds:
an article
http://www.cnet.com/news/privacy-push-means-free-encryption-for-websites/

some sites that use
https://puri.sm/
https://librecmc.org/librecmc/home
https://trac.torproject.org/projects/tor

It is I will not gain anything by it, just one more site to navigate with encryption

(if you find it strange the way I speak, and because I am not a native speaking)

Coder206
Posts: 11
Joined: 22.11.2016
With us: 8 years

Post #4by Coder206 » 04.12.2016, 21:28

Hello!

I hope you are doing well. I agree with carlos on this! It's really an important topic especially if the website allows for downloading of executable files.

I think this should be looked at more closely despite the apparent "SPAM" from John.

Best regards,

Coder206

Avatar
John Van Vliet
Posts: 2944
Joined: 28.08.2002
With us: 22 years 2 months

Post #5by John Van Vliet » 04.12.2016, 23:54

well a rewrite of the forum code would first need to be done to use https
then after that a cert can be used

but relying on cert authorities is and NEVER !!!!! was a good idea

it is in fact a VERY BAD idea when first implemented and still is

even though "Richard Stallman" is a bit of a nut case i AGREE with him on this
CA's and TC is really "treacherous computing"

Coder206
Posts: 11
Joined: 22.11.2016
With us: 8 years

Post #6by Coder206 » 06.12.2016, 23:16

Hello John!

I hope you are doing well! Thanks for the information, I was not aware of the controversy with cert authorities. (I am actually reading about it as much as possible)

Best regards,

Coder206

Avatar
Alexell M
Site Admin
Posts: 303
Joined: 07.10.2010
Age: 30
With us: 14 years 1 month
Location: Moscow, Russia
Contact:

Post #7by Alexell » 07.12.2016, 09:52

If you want, I can do so that website and forum work via HTTPS through letsencrypt.org certificate or hosting provider certificate.
But the question is: why it is needed? We do not share any confidential or payment data that needs to be protected. In addition, the screenshots on the forum people stick with third-party sites and HTTPS protocol will consider this threat and block them.
Admin of celestia.space
PC: Intel Core i7-8700 @ 3.20GHz, SSD, 16 Gb RAM, NVIDIA GeForce GTX 1080, Creative Sound Blaster ZxR. Windows 10 x64.
Phone: iPhone Xs 256 Gb. iOS 14.
Image

Avatar
selden
Developer
Posts: 10192
Joined: 04.09.2002
With us: 22 years 2 months
Location: NY, USA

Post #8by selden » 07.12.2016, 12:45

The use of https for login and registration would help to protect against theft of login credentials.

Unfortunately there are some who enjoy the disruption they can cause by stealing others' accounts.
Selden

Avatar
omega13a M
Posts: 120
Joined: 15.10.2011
Age: 40
With us: 13 years 1 month
Location: California
Contact:

Post #9by omega13a » 08.12.2016, 21:31

selden wrote:Unfortunately there are some who enjoy the disruption they can cause by stealing others' accounts.
Not to mention there's a lot of people who use the same exact log-in info for different places. However, given the amount of traffic (or rather lack of) here, I doubt anyone would try to steel usernames and passwords from here.
A fish without a bicycle cannot contemplate his navel

My Celestia Add-ons
The Omega Galaxy

Avatar
selden
Developer
Posts: 10192
Joined: 04.09.2002
With us: 22 years 2 months
Location: NY, USA

Post #10by selden » 08.12.2016, 22:26

Without https, userids and passwords are transmitted in plain text. The people interested in stealing such things don't pay any attention to where they're coming from. They just accumulate as many as they can see whenever they're managed to compromise a server.
Selden

Avatar
Alexell M
Site Admin
Posts: 303
Joined: 07.10.2010
Age: 30
With us: 14 years 1 month
Location: Moscow, Russia
Contact:

Post #11by Alexell » 12.12.2016, 04:55

selden, indeed when login, password are transmitted in POST request in plain text.
Spoiler
ucp.php?mode=login

POST /forum/ucp.php?mode=login HTTP/1.1
Host: celestiaproject.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: ucp.php?mode=login
Cookie: *******************
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
username=Alexell&password=**********&autologin=on&redirect=.%2Fucp.php%3Fmode%3Dlogin&sid=c905146949ce0abbd86ee82fed616395&redirect=index.php&login=Login
HTTP/1.1 302 Found
...

But it is possible to see only one who logged in. And for this you need a sniffer. Most importantly - passwords are not stored in plain text on the server.
Admin of celestia.space
PC: Intel Core i7-8700 @ 3.20GHz, SSD, 16 Gb RAM, NVIDIA GeForce GTX 1080, Creative Sound Blaster ZxR. Windows 10 x64.
Phone: iPhone Xs 256 Gb. iOS 14.
Image


Return to “Celestia Users”