HTTPS?, A little TLS for some TLC?

Feb 23 2009, 03:19 AM | Post #1
Mr. Johnson | Group: Dumpshocked | Posts: 3,148 | Joined: 27-February 06 | From: UCAS | Member No.: 8,314

As I was starting my Tor connection, I had a thought. Is there any way you (the powers that be) could make DSF available using TLS (formerly SSL, commonly known as HTTPS)? You'd only have to set it up once, and some folks are behind filters and firewalls and either can't (or don't know how to) use a proxy.

Apr 5 2009, 09:02 AM | Post #2
Shadow Cartographer | Group: Members | Posts: 3,737 | Joined: 2-June 06 | From: Secret Tunnels under the UK (South West) | Member No.: 8,636

> As I was starting my Tor connection, I had a thought. Is there any way you (the powers that be) could make DSF available using TLS (formerly SSL, commonly known as HTTPS)? You'd only have to set it up once, and some folks are behind filters and firewalls and either can't (or don't know how to) use a proxy.

The EU is pushing for more surveillance of transmitted data (my privacy-obsessed mate is up in arms about it), so HTTPS gets my vote. Anything to make encryption a bit more useful. But does this mean the site has to have one of those certificate things? They cost money.

Apr 5 2009, 03:57 PM | Post #3
Running Target | Group: Members | Posts: 1,336 | Joined: 25-February 08 | From: San Mateo CA | Member No.: 15,708

> The EU is pushing for more surveillance of transmitted data (my privacy-obsessed mate is up in arms about it), so HTTPS gets my vote. Anything to make encryption a bit more useful. But does this mean the site has to have one of those certificate things? They cost money.

You can always create your own cert. Verisign has a near monopoly in the pay market. Most browser organizations/companies have been properly bribed/threatened to encourage the use of paid certs. Self-signed certs would generate numerous emails from individuals panicking when their browser warns them that the cert isn't from a company in on the scam. I mean uhh, that the cert isn't from a "Trusted Authority".

Apr 5 2009, 04:46 PM | Post #4
Mr. Johnson | Group: Dumpshocked | Posts: 3,148 | Joined: 27-February 06 | From: UCAS | Member No.: 8,314

I dunno about costs, but they can have an "invalid" cert and then folks can just make DSF an exception. Serves the purpose, doesn't cost anything.

Apr 5 2009, 07:11 PM | Post #5
Running Target | Group: Members | Posts: 1,336 | Joined: 25-February 08 | From: San Mateo CA | Member No.: 15,708

> I dunno about costs, but they can have an "invalid" cert and then folks can just make DSF an exception. Serves the purpose, doesn't cost anything.

Oh, I agree. It's just that I don't know how many people will panic instead of making an exception. I work in software and I worked at a place that made CAs and still seasoned developers would panic.

Apr 5 2009, 08:32 PM | Post #6
Shadow Cartographer | Group: Members | Posts: 3,737 | Joined: 2-June 06 | From: Secret Tunnels under the UK (South West) | Member No.: 8,636

Is it possible to have both HTTP and HTTPS on the same site? People could type in whichever they prefer and those that typed HTTPS would know what they were doing, maybe? It would be easy enough to have a sticky on the top page.

Apr 6 2009, 02:34 PM | Post #7
Technomancer | Group: Retired Admins | Posts: 4,638 | Joined: 2-October 02 | From: Champaign, IL | Member No.: 3,374

> I dunno about costs, but they can have an "invalid" cert and then folks can just make DSF an exception. Serves the purpose, doesn't cost anything.

To respond to a few posts while only quoting Aaron's to make him feel special, a lot of people would panic. Especially since IE7+ and Firefox 3 (and probably others) now stick an intermediary page between the referrer and the self-signed page that talks about Armageddon, cats and dogs living together, and all the bad parts of the Bible before they let a visitor travel to the self-signed page. That being said, you can often get a certificate for like $40 from some places online (e.g., GoDaddy) so it might be in the budget .... not that I have any idea what the budget is.

Apr 6 2009, 03:31 PM | Post #8
Mr. Johnson | Group: Dumpshocked | Posts: 3,148 | Joined: 27-February 06 | From: UCAS | Member No.: 8,314

I think for forty bucks you could probably take up a collection and cover it. Barring that, I think just using an invalid cert with one http version and an https portal would be sufficient (and cheaper) for most of us misbehaving-at-work types.

Apr 9 2009, 06:44 AM | Post #9
Shadow Cartographer | Group: Members | Posts: 3,737 | Joined: 2-June 06 | From: Secret Tunnels under the UK (South West) | Member No.: 8,636

I chatted about this with my programmer housemate and he said that it was perfectly possible to have HTTP and HTTPS running side by side and actually quite easy, though the forum software might need some minor tweaking to keep people in the mode they started at. Having an "invalid" certificate would only start to scare people if they deliberately went to HTTPS, anyway.

Aside from the money, he said that certificates from Verisign and probably other certificate authorities filed a copy of each certificate with the police / intelligence agencies so that they could eavesdrop on HTTPS traffic. Doesn't sound good to me. Doing our own certificate would be more "Shadowrun". :D

His main negative for DS doing its own certificate is that it just gets people more used to clicking "Add Exception" when presented with a security warning and that few people would bother to check that the certificate was valid. But if HTTPS helps people use Dumpshock in certain environments, then I still see it as a positive thing. It would only come up for those people that typed in HTTPS in the first place.

K.
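
Post #9 raises the concern that few people would check a self-signed certificate before clicking "Add Exception". The sketch below is an added example, not part of the thread or of any forum software: it compares a certificate's SHA-256 fingerprint with one the site has published out of band. The certificate bytes are constructed stand-ins, and the host name and published fingerprint passed to `check_live_host` are assumptions the reader supplies.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, NOT a real certificate; only the hashing
# and comparison logic is being demonstrated offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(64)))
TAMPERED_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(1, 65)))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as lowercase hex (what browsers show)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; keep only hex digits."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def display_form(hex_fp: str) -> str:
    """Colon-separated upper-case pairs, the form shown in certificate viewers."""
    h = normalize(hex_fp).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def matches_published(pem: str, published_fp: str) -> bool:
    """True only if the certificate hashes to the published fingerprint."""
    expected = normalize(published_fp)
    if len(expected) != 64:  # truncated or mistyped fingerprint
        return False
    return hmac.compare_digest(fingerprint(pem), expected)


def check_live_host(host: str, published_fp: str, port: int = 443) -> bool:
    """Fetch the certificate the server presents (no CA validation is done
    here) and compare it with the fingerprint obtained out of band."""
    pem = ssl.get_server_certificate((host, port))
    return matches_published(pem, published_fp)


if __name__ == "__main__":
    published = display_form(fingerprint(SAMPLE_PEM))
    print("published fingerprint:", published)
    print("genuine cert matches: ", matches_published(SAMPLE_PEM, published))
    print("swapped cert matches: ", matches_published(TAMPERED_PEM, published))
```

The check is only as good as the channel the fingerprint was published over; a fingerprint read from the same unauthenticated HTTP page proves nothing.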