Feathers, because the site was initially a small start up at one point in time it was decided not to bother with SSL and its added cost. As the site has grown over the years, cost has still been a partial factor, however, additional reasons for not using SSL would be that users typically are using non-critical username/password combinations like they do for most non-critical sites. I doubt anyone is using their banking login information. With that said, I think SSL would be a great improvement to add to KFN. I will take a look at encrypting the login page and/or all pages.

Thanks,
OS

Can't say much for the server load, or the cost of getting an ssl certificate, but not a single forum I frequent regularly has https in place as far as I can see, including xda-developers and ubuntuforums.

Hi Boss!

Thank you both for replying. I'm only asking because I was messing around with SSL myself on my own website, mainly to learn about it (not because I think someone is going to intercept my PW etc). I was thinking about it at the time so I noticed KFN didn't use it.

When reading the following, please remember I'm new to this. The objective is to learn so please enlighten me if I'm wrong etc.

HTTPS for logging in
While I agree that it's unlikely anyone uses the same password for KFN and their online banking, KFN could still be a hacking target "just for fun" like Ubuntuforums appears to have been. I'd be put out if KFN was down for maintenance for as long as Ubuntuforums was.

Yes and no... when you log in with SSO using Canonical's website, that part of your visit uses HTTPS. So at least you know that:
a) your password won't be intercepted on its way there
b) the site you are logging into really is Ubuntu.com, and not something that looks like it and is tricking you into giving away your login. Ubuntu.com presumably knows that the SSO request from ubuntuforums.org is a genuine one.

Also, didn't the hack at ubuntuforums start with just a few "compromised individual accounts" (blog post here). Exact methods aside, if a horrible scallywag had just one admin password that they got from intercepting traffic/ imitating KFN, then they'd be in a position to do a lot of damage.

HTTPS everywhere
There are a few reasons why HTTPS everywhere might be desirable as default. If the cost (in server processing, response times, and money) of doing HTTPS everywhere isn't much, then why not?

Specifically, though, it would be nice to be sure about the origins of content loaded from KFN.

For example, I am often working on something that I find technically challenging because it's new to me. Although I try and make sure that I understand every command suggested before I use it, the reality is that sometimes the understanding of what the command is comes with using it and seeing the results. Because I trust most people on this forum, especially admins and frequent contributors, the level of risk is acceptable to me. I don't think any of you lot would lead me to, say, erase my home directory just for a laugh . Having read a warning on ubuntuforums about malicious terminal commands in disguise, it seems like these commands could be a good way of crafting social engineering attack against Ubuntu users.

So, when I see that someone I trust has posted a suggestion, it would be nice if I could be sure that the content was loaded from KFN, and not somewhere else that had crafted a page to appear as though someone I trust authored the post.

Tin foil hat, I know, but there you go.

Just because nobody else has two locks on their doors, doesn't mean we shouldn't (unless of course those locks cost a million pounds each).


Feathers

Nothing in this forum is secret -- we want it to be crawled by Google -- so using SSL everywhere would be an unnecessary waste of resources.

Protecting the login with SSL is certainly something we can investigate. We could use a self-signed certificate, which would throw warning dialogs during login because self-signed certificates are untrusted by browsers. The alternative is purchasing a certificate signed by a public authority. The cost for this varies between a few hundred and a thousand dollars.

Ubuntu Forums is different...because it's officially sanctioned by Canonical, they can federate with the Ubuntu single-signon. We are independent, and therefore that option is not available to us.

Fair enough. I was surprised to see that the google spiders actually show up as active users sometimes!

Yep, have been experimenting with this myself.

Would be interested in seeing what you think of this:
https://www.cacert.org/

As I understand it, if you add their root key to kubuntu (/orther distro) as trusted then any certificates that they have signed are accepted. So this would work for KFN as well as any other community forums and sites that can't afford to pay for certs.

Failing that, you can always get the first year free here:
https://uk.godaddy.com/ssl/ssl-open-source.aspx


I wasn't saying we should be using Ubuntu single-signon (I actually find it quite annoying), just making the point that the sign-on process for Ubuntuforums uses https.

Feathers

Yep, I have one of their certs. Asking users to install a CA root certificate they've never heard of is little better than using a self-signed certificate, unfortunately.

Eww. Ick. Go Daddy needs to be disbanded. They created massive problems for Fyodor's valuable Seclists.org site and they supported SOPA. I want nothing to do with them.

Speaking of SSL roots...ever take a look at the plethora of root certs in System Settings | SSL Preferences? I disable all the roots from China, Russia, the Middle East, and Eastern Europe. I'm also considering disabling any roots whose certificates employ public keys based on random numbers generated by Dual_EC_DRBG, if such a thing is possible to determine. It's hugely flawed, and even NIST says to stay away.

Yeah I see your point. However, it might be a good opportunity to learn about how HTTPS works. Until I started looking into it for my site I didn't really know anything about it, it was just "a good thing".

Either way (self signed or cacert), perhaps you (the admins) could put an announcement up explaining what you've done, and leave it up to people to choose https when they log in. That way, if you don't know/don't care and type http://kubuntuforums.net then nothing has changed. If you read the announcement and choose https, you can take the necessary steps and then go to https://kubuntuforums.net. That way you wouldn't put any casual visiters off with untrusted certificate warnings from web browsers.

I knew about their practice of hiking up prices once you've been with them for a while, and avoided them for DNS (chose namecheap instead) but didn't know they supported SOPA. That was naughty of them.

Thanks for the pointer to SSL preferences, will have a look at that later.

Feathers

I did not realize that about GoDaddy. I'll start looking for a new provider. I moved one of my domain names from One&One to GoDaddy because it was easier and cheaper to forward my IP to them. I guess I'll take a look at DynDNS again.

Thanks Feathers, thanks admins, thanks contributors!

We can now log in w/o compromising the security of our password.
Nice for someone like me who's often 'on the road' and using dubious hotspots.

I'm so impressed with how quickly you implemented this!

Thank you admins and OpenSource for hearing and responding to suggestions... power to the community

Feathers

I only bought the certificate with KFN donations. You can thank Steve for implementing the HTTPS changes!

OS