Mail Archives: geda-user/2021/01/11/00:25:14
Den 2021-01-10 kl. 23:38, skrev Girvin Herr (gherrl AT fastmail DOT com) [via
geda-user AT delorie DOT com]:
>
> On 1/9/21 10:55 PM, karl AT aspodata DOT se [via geda-user AT delorie DOT com] wrote:
>> Girvin Herr:
>>> In the name of computer security, I am going through all of my browser
>>> bookmarks and rejecting all websites that do not support the https
>>> protocol.
>> ...
>>
>> So would a self signed certificate suffice -- since then you are using
>> "https".
>>
>> And next, what kind of security do you want ?
>> a, the middleman cannot see what you transfer
>> b, the middleman cannot change what you transfer
>> c, the middleman cannot cannot see that you have contact or are
>> Â Â Â transferring (https doesn't solve that)
>> d, to be sure that the site is indeed authentic (use dns-sec for that)
>> e, something else I haven't thought about
>>
>> If you don't trust a self signed certificate, why would you trust
>> some random certificate authority and not some person writing
>> useful code that serves us well. See e.g.
>> https://www.theregister.com/2013/12/10/french_gov_dodgy_ssl_cert_reprimand/
>>
>> You know, https isn't the final answer to computer security.
>>
>> And lastly, why don't you do a simple request on the pcb-rnd mailing
>> list, what has geda-user have to do with this.
>>
>> Regards,
>> /Karl Hammar
>>
> Karl,
>
> I don't know why you are so resistant to computer security. The
> majority of websites I visit and I have bookmarks for are already
> https compliant, including many, if not most, open source websites
> like gEDA. I finally got to my gEDA bookmarks and the gEDA websites
> are not https compliant either! It is about time the gEDA websites get
> on the bandwagon and improve their website security. Not having a web
> server, I cannot attest to what is needed to add a https port, but
> IMHO not doing so is risky. https is not the end-all of security. It
> takes constant vigilance to keep up with the bad guys and the tools,
> such as https, help and it should be a minimum.
>
> Why did I post my concern about pcb-rnd on this forum? Good question.
> I thought about it a while and decided that since pcb-rnd was on this
> forum in the past, and that it may be polled by the pcb-rnd devs, and
> that some pcb-rnd users who read the postings on this forum should
> know that the pcb-rnd website may not be as secure as they think, I
> decided to post here. That may be a political mistake and I apologize
> if it offends anyone, but I thought I was doing other users a service
> and maybe a push for the pcb-rnd server maintainer to add a https
> portal. Now that includes gEDA too. I hope the gEDA server maintainers
> create a https portal on the web server(s) asap. We all must be
> serious about computer security because there are a lot of bad guys
> out there.
https have a point it could not be changed by man in the middle
providing different copies to different people or something similar but
are not worried. Do not think any terrorist want to spend effort on this
or why should they, a little bit to much work for a practical joke and
do not think any of the major intelligence services are neither
interested or have any reason to.
Sabotage by people working any of the companies selling commercial
software might be an issue but do not think they have the opportunity to
make a man in the middle attack anyway.
Nicklas Karlsson
- Raw text -