Arch Linux


FS#8850 - No HTTPS support for the forum

Attached to Project: Arch Linux
Opened by Mr. Morph (morphis) - Thursday, 06 December 2007, 10:48 GMT
Last edited by eliott (cactus) - Thursday, 06 December 2007, 17:23 GMT
Task Type: Feature Request
Category: Web Sites
Status: Closed
Assigned To: eliott (cactus)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: 2007.08-2
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
There is no HTTPS support for the forum, only for the main site.

Additional info:

Steps to reproduce:

Closed by eliott (cactus)
Thursday, 06 December 2007, 17:23 GMT
Reason for closing: Deferred
Additional comments about closing: Deferring to potentially some future date.

Comment by Mr. Morph (morphis) - Thursday, 06 December 2007, 10:49 GMT
If it is not possible to create an own certificate for the forum, the forum should also be accessible through a link such as http://www.archlinux.org/bbs/

Comment by Jan de Groot (JGC) - Thursday, 06 December 2007, 10:53 GMT
Why is there a need for HTTPS on the forum? The only reason why we have HTTPS on the website is because of the developer login.

Comment by Pierre Schmitz (Pierre) - Thursday, 06 December 2007, 11:54 GMT
It's always a good idea to use https for any site where you type in some kind of login and password.

Comment by Mr. Morph (morphis) - Thursday, 06 December 2007, 13:33 GMT
Yes Pierre, this is the point I meant. It is very insecure to input login data through a normal HTTP connection these days. When the developers have a secured login for their work, a normal forum user should have one, too.

Comment by eliott (cactus) - Thursday, 06 December 2007, 17:23 GMT
This has been occasionally brought up before.

I am with JGC on this one. While it may be 'nice', it certainly isn't mission critical.

Also, when doing a security cost/benefit analysis, don't forget to consider the assets you would be protecting. Comparing the dev security to the forum security is a bit silly. They protect completely different assets.
The dev login protects not only the Arch infrastructure backend, but vicariously each end user system (because it protects the packaging infrastructure). The forum login protects: screenshot threads, community talk, and troubleshooting steps.

SSL also comes with a performance impact, per connection. It affects both the end user system as well as the server.

Maybe sometime in the future this will become more of a priority, or we will have more funding to offset the barriers to implementation. We will revisit this task at that time.
Closing for now.
