X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
X-Originating-IP: 88.129.21.118
Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user AT delorie DOT com
References: <20210110065529 DOT A5C7E82966EF AT turkos DOT aspodata DOT se> <63b86b32-75be-dbff-7215-e3c35c484808 AT fastmail DOT com>
From: "Nicklas SB Karlsson (nk AT nksb DOT online) [via geda-user AT delorie DOT com]"
Message-ID: <66e8f9a1-905c-3fa9-5ec4-41feed2e1690@nksb.online>
Date: Mon, 11 Jan 2021 06:05:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <63b86b32-75be-dbff-7215-e3c35c484808@fastmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

On 2021-01-10 at 23:38, Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com] wrote:
>
> On 1/9/21 10:55 PM, karl AT aspodata DOT se [via geda-user AT delorie DOT com] wrote:
>> Girvin Herr:
>>> In the name of computer security, I am going through all of my browser
>>> bookmarks and rejecting all websites that do not support the https
>>> protocol.
>> ...
>>
>> So would a self-signed certificate suffice -- since then you are using
>> "https".
>>
>> And next, what kind of security do you want?
>> a, the middleman cannot see what you transfer
>> b, the middleman cannot change what you transfer
>> c, the middleman cannot see that you have contact or are
>>    transferring (https doesn't solve that)
>> d, to be sure that the site is indeed authentic (use dns-sec for that)
>> e, something else I haven't thought about
>>
>> If you don't trust a self-signed certificate, why would you trust
>> some random certificate authority and not some person writing
>> useful code that serves us well. See e.g.
>> https://www.theregister.com/2013/12/10/french_gov_dodgy_ssl_cert_reprimand/
>>
>> You know, https isn't the final answer to computer security.
>>
>> And lastly, why don't you do a simple request on the pcb-rnd mailing
>> list; what does geda-user have to do with this?
>>
>> Regards,
>> /Karl Hammar
>>
> Karl,
>
> I don't know why you are so resistant to computer security. The
> majority of websites I visit and have bookmarks for are already
> https compliant, including many, if not most, open source websites
> like gEDA. I finally got to my gEDA bookmarks and the gEDA websites
> are not https compliant either! It is about time the gEDA websites got
> on the bandwagon and improved their website security. Not having a web
> server, I cannot attest to what is needed to add an https port, but
> IMHO not doing so is risky. https is not the end-all of security. It
> takes constant vigilance to keep up with the bad guys, and the tools,
> such as https, help and should be a minimum.
>
> Why did I post my concern about pcb-rnd on this forum? Good question.
> I thought about it a while and decided that since pcb-rnd was on this
> forum in the past, and that it may be polled by the pcb-rnd devs, and
> that some pcb-rnd users who read the postings on this forum should
> know that the pcb-rnd website may not be as secure as they think, I
> decided to post here. That may be a political mistake and I apologize
> if it offends anyone, but I thought I was doing other users a service
> and maybe a push for the pcb-rnd server maintainer to add an https
> portal. Now that includes gEDA too. I hope the gEDA server maintainers
> create an https portal on the web server(s) asap. We all must be
> serious about computer security because there are a lot of bad guys
> out there.

https has a point: the content could not be changed by a man in the middle providing different copies to different people or something similar, but I am not worried. I do not think any terrorist wants to spend effort on this, or why should they; it is a little bit too much work for a practical joke, and I do not think any of the major intelligence services are either interested or have any reason to. Sabotage by people working at any of the companies selling commercial software might be an issue, but I do not think they have the opportunity to make a man-in-the-middle attack anyway.

Nicklas Karlsson
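Karl's question of whether a self-signed certificate would suffice has a concrete answer: it gives his properties (a) and (b), confidentiality and integrity against a middleman, only if the client checks that the certificate it sees is the one the site operator published, since a CA check cannot help. The script below, an added example that is not part of the thread and not code from the gEDA or pcb-rnd projects, does that with trust-on-first-use pinning using only the Python standard library: the TLS context deliberately skips CA validation, and the SHA-256 fingerprint of the presented certificate is compared against a pinned value before a single byte of the request is sent. The host name, the pin value and the DER blob in the self-test are placeholders or constructed data, not real certificates.

```python
"""Pin a self-signed HTTPS certificate by SHA-256 fingerprint (TOFU).

Added example, not from the gEDA/pcb-rnd mailing list. Host names, the
pin value and the DER bytes in the self-test are placeholders or
constructed data, not a real certificate.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate in the colon-separated upper-case
    form that `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(pin: str) -> str:
    """Accept 'AB:CD:...', 'abcd...' or 'sha256/ABCD...' and return the
    bare lower-case hex digest; reject anything that is not 32 bytes."""
    pin = pin.strip()
    if pin.lower().startswith("sha256/"):
        pin = pin[len("sha256/"):]
    hexdigest = pin.replace(":", "").lower()
    if len(hexdigest) != 64 or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("fingerprint must be 32 bytes of hex")
    return hexdigest


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate's digest
    against the pinned one."""
    presented = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(presented, normalize_fingerprint(pinned))


def pinned_context() -> ssl.SSLContext:
    """TLS client context that does not require a CA-signed chain.

    CERT_NONE on its own would accept any certificate, a middleman's
    included; it is only acceptable here because fetch_pinned() checks
    the pin before sending application data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_pinned(host: str, pinned: str, port: int = 443, path: str = "/") -> bytes:
    """Handshake, verify the pin, then issue a minimal HTTP/1.0 GET.

    Raises ssl.SSLCertVerificationError on a pin mismatch before any
    request bytes leave the client, so a middleman with its own
    certificate sees nothing but a handshake and a closed socket."""
    ctx = pinned_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pinned):
                raise ssl.SSLCertVerificationError(
                    "certificate pin mismatch for %s: presented %s"
                    % (host, fingerprint_sha256(der or b"")))
            tls.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode())
            chunks = []
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline self-test on a constructed blob (not a real certificate).
    fake_der = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
    pin = fingerprint_sha256(fake_der)
    assert pin_matches(fake_der, pin)
    assert not pin_matches(fake_der + b"x", pin)
    print("pin of constructed blob:", pin)
    # Real use: obtain the pin out of band (e.g. printed on the project
    # page, a list post, or by hand on first contact), then:
    #   fetch_pinned("repo.example.invalid", "sha256/" + "00" * 32)
```

The pin has to arrive by a channel the middleman does not control; if it is only ever read off the same unauthenticated connection, the check adds nothing. Rotating the site's certificate means publishing a new pin, which is the operational cost that a CA-issued certificate (or Karl's DNSSEC suggestion, via DANE) trades away.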