MozillaZine

Why does mozillazine.org not use SSL/TLS on its web site?

abcuser
 
Posts: 252
Joined: March 12th, 2007, 11:19 pm

Posted August 18th, 2016, 4:49 am

I see this forum is not using SSL and userid/password are sent unencrypted over the internet. This is bad practice, because many users use the same userid/password all over the net and intercepting one unencrypted request like from forums.mozillazine.org makes them vulnerable on many.

I don't know what the reason is not to implement SSL.
a) Costs. You can get an SSL certificate for free: https://letsencrypt.org/
b) Performance. Should not be a problem. See Is TLS fast yet: https://istlsfastyet.com/ Performance may even increase if the HTTP/2 protocol is used.
c) Incompatibility. Site is not compatible with an existing ads-like system or something similar.
d) Administrator knowledge. See a), it is easy to implement and automate the certificate renewal.

If possible, please implement SSL on your web site.

DanRaisch
Moderator

 
Posts: 117677
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Posted August 18th, 2016, 6:05 am

This is bad practice, because many users use the same userid/password all over the net


Talk about a bad practice!

abcuser
 
Posts: 252
Joined: March 12th, 2007, 11:19 pm

Posted August 18th, 2016, 12:38 pm

DanRaisch wrote:
This is bad practice, because many users use the same userid/password all over the net

Talk about a bad practice!

I should express my opinion a little bit differently:
1. It is insecure to send userid/password in clear text. This is bad practice on its own.
2. Many users use the same userid/password, which is very bad practice on its own.
3. Because of 1. and 2. the problem is even bigger.

But I actually don't want to talk about bad practices, this was not my point at all. My biggest point was that web pages taking userid/password should be encrypted, with or without discussion of bad practices.

I am just curious why a web portal like mozillazine.org still does not use SSL?

rsx11m
Moderator
 
Posts: 14420
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted August 18th, 2016, 4:28 pm

That topic comes up occasionally, thus please read last year's discussion in viewtopic.php?f=11&t=2950805 for the background. The main issue is that this site is running "as is" (and has been for a while now) due to the administrator being tied up in real life and maintaining this site as a courtesy. After all, everybody here is a volunteer.

barbaz
 
Posts: 1677
Joined: October 1st, 2014, 3:25 pm

Posted August 18th, 2016, 5:58 pm

Nothing any server admin can do that will save users from users' bonehead security mistakes.

Besides, being nearly locked out of the board over SSL/TLS connection, is still being nearly locked out of the board - viewtopic.php?f=11&t=2824277
*Always* check the changelogs BEFORE updating that important software!

abcuser
 
Posts: 252
Joined: March 12th, 2007, 11:19 pm

Posted August 21st, 2016, 10:50 pm

@rsx11m, I understand the administrator is busy and doing the work as a volunteer. I read the discussion in your post, and that was a discussion from a year ago, when the Let's Encrypt CA was not available yet. Now that this CA is available, establishing SSL/TLS on the site is not a huge problem (like max. one hour) and certificate renewal is done automatically.

In my humble opinion, if the administrator does not have time, he should assign administrator rights to some other volunteer he trusts who has the time and will to do basic administration.


barbaz wrote:Nothing any server admin can do that will save users from users' bonehead security mistakes.

I don't completely agree with you. It is like saying you can't protect a child from bonehead mistakes. A parent should take his hand when walking on the street, buy proper shoes so the child does not flip, etc. You can't do it all, but it may help greatly. What a parent (administrator) should do is make his/her best effort to protect, like: enable SSL/TLS, require strong passwords, use a CAPTCHA if the password is typed in incorrectly many times, etc. But I do agree that all of the problems can't be prevented, but as a good parent you should make the best effort.

Scarlettrunner20

 
Posts: 994
Joined: February 13th, 2003, 5:06 pm

Posted August 22nd, 2016, 6:30 am

barbaz wrote:Nothing any server admin can do that will save users from users' bonehead security mistakes.

I don't completely agree with you. It is like saying you can't protect a child from bonehead mistakes. A parent should take his hand when walking on the street, buy proper shoes so the child does not flip, etc. You can't do it all, but it may help greatly. What a parent (administrator) should do is make his/her best effort to protect, like: enable SSL/TLS, require strong passwords, use a CAPTCHA if the password is typed in incorrectly many times, etc. But I do agree that all of the problems can't be prevented, but as a good parent you should make the best effort.


Why do you feel that this site should treat users like they are irresponsible, ignorant, small children who refuse to learn anything about their very powerful computers, thus, this site should mollycoddle them?

I very much appreciate that this site has remained NON SSL. Encrypting sites other than banking and a very few other sites is completely unnecessary and irritating to those of us who took responsibility and LEARNED about our computers. I personally don't think anyone who has not taken a test to show their understanding of computers and security and privacy should be allowed to have a computer. In other words, there needs to be a national computer literacy test that awards a "driver's license" for using a computer similar to a driver's license if you want to drive a car.

To me, this site is a breath of fresh air (which evokes a sigh of relief that not all sites change almost constantly purely for the sake of change). This site only needs one change which could easily be implemented in the current software - allow direct upload of screenshots. It's a huge hassle to have to join a third party site (that is there to track and spy on you) just so you can upload a screenshot there and link to it here. But allowing that is the only change I think this site needs.

I didn't know a thing about computers back in 1998. I was old enough then to be considered a senior citizen (55 and above) in regards to computers. I took a class for a year several days a week and learned and learned and learned and then in 1999 I bought my first computer which I configured as I wanted it (I didn't just go in a store and blindly buy one). Then I got interested in computer security because I couldn't understand McAfee and the concept of "heuristics". I stumbled on GRC.com and that was the first site I found that explained computer security in a way I could understand and was also very interesting. If I could do this anyone can and irresponsible, lazy users should not have computers. If they think it is ok to use the same password at many sites that are not SSL (excluding banking sites which even now frequently have login that is not SSL) then whatever happens to them is of their own doing because they thought they could have their cake and eat it too. Whatever bad happens is a good lesson for them in that if they have any smarts at all they will finally decide to learn about computer security and privacy.

barbaz
 
Posts: 1677
Joined: October 1st, 2014, 3:25 pm

Posted August 22nd, 2016, 8:33 am

abcuser wrote:
barbaz wrote:Nothing any server admin can do that will save users from users' bonehead security mistakes.

I don't completely agree with you. It is like saying you can't protect a child from bonehead mistakes. A parent should take his hand when walking on the street, buy proper shoes so the child does not flip, etc. You can't do it all, but it may help greatly. What a parent (administrator) should do is make his/her best effort to protect, like: enable SSL/TLS, require strong passwords, use a CAPTCHA if the password is typed in incorrectly many times, etc. But I do agree that all of the problems can't be prevented, but as a good parent you should make the best effort.

This site isn't your playground. For your information, when people start threads here, they are here because they need technical support for their computer problems. Some, however, seem weirdly averse to admitting they need help.

I would like to say thanks to kerz and the other Admins/Mods for keeping mozillaZine so consistently running in the face of George and so many issues over the time I have been a member.

Guess who's being childish now?
*Always* check the changelogs BEFORE updating that important software!
