Re: [whatwg] Passwords

2014-10-19 Thread Delfi Ramirez
 

Hi Anne, hi All: 

Here, in EEA I've noticed and see the same reasons that Glenn exposes,
with subtle emphasis on the reasons three, four and five.

Regards 

---

Delfi Ramirez

My digital signature [1]

+34 633 589231
 del...@segonquart.net [2] 

twitter: delfinramirez

 IRC: segonquart Skype: segonquart [3]

http://segonquart.net [4]

http://delfiramirez.info
 [5]

On 2014-10-19 19:35, Glenn Maynard wrote: 

> On Sat, Oct 18, 2014 at 2:50 PM, Anne van Kesteren 
> wrote:
> 
>> I'd be interested in hearing why sites such as forums have not made the 
>> switch yet. If you're hosting passwords it seems downright irresponsible at 
>> this point to not use TLS.
> 
> The most common reasons I've seen are:
> 
> - People asking "why would this page need encryption?", which is always the
> wrong question. (The right question is "why does this page need to not
> have encryption?")
> - People don't want to jump the hoops to get a certificate and install it.
> I still have to search to find the right OpenSSL magic commands, and it
> still takes fiddling to get TLS enabled on web servers. (It should require
> editing two or three lines to enable it on Apache, not uncommenting dozens
> of lines of sample configuration then figuring out how to sync it up to
> your HTTP configuration. I suspect Apache can do this much more simply,
> and that the sample configurations that come with installations are just
> garbage...)
> - People don't want to pay for a certificate. (There's StartSSL, but when
> I tried it, it was so bad that I prefer to pay GoDaddy. That should say a
> lot given how bad *that* site is...)
> - They don't want the additional latency that TLS causes. I assume this is
> why Amazon puts most of the storefront on HTTP, and only selectively
> switches to HTTPS. (They've put a lot of design behind making this secure,
> but most authors can't do that, and it still has a big privacy cost.) This
> is at least a valid issue.
> - Some web services don't support HTTPS. (There's no excuse for this, but
> saying that doesn't make the problem go away. I don't recall particular
> examples.)
 

Links:
--
[1] http://delfiramirez.info/public/dr_public_key.asc
[2] mail:%20del...@segonquart.net
[3] skype:segonquart
[4] http://segonquart.net
[5] http://delfiramirez.info


Re: [whatwg] Passwords

2014-10-19 Thread Glenn Maynard
On Sat, Oct 18, 2014 at 2:50 PM, Anne van Kesteren 
wrote:

> I'd be interested in hearing why sites such as forums have not made
> the switch yet. If you're hosting passwords it seems downright
> irresponsible at this point to not use TLS.
>

The most common reasons I've seen are:

- People asking "why would this page need encryption?", which is always the
wrong question.  (The right question is "why does this page need to not
have encryption?")
- People don't want to jump the hoops to get a certificate and install it.
I still have to search to find the right OpenSSL magic commands, and it
still takes fiddling to get TLS enabled on web servers.  (It should require
editing two or three lines to enable it on Apache, not uncommenting dozens
of lines of sample configuration then figuring out how to sync it up to
your HTTP configuration.  I suspect Apache can do this much more simply,
and that the sample configurations that come with installations are just
garbage...)
- People don't want to pay for a certificate.  (There's StartSSL, but when
I tried it, it was so bad that I prefer to pay GoDaddy.  That should say a
lot given how bad *that* site is...)
- They don't want the additional latency that TLS causes.  I assume this is
why Amazon puts most of the storefront on HTTP, and only selectively
switches to HTTPS.  (They've put a lot of design behind making this secure,
but most authors can't do that, and it still has a big privacy cost.)  This
is at least a valid issue.
- Some web services don't support HTTPS.  (There's no excuse for this, but
saying that doesn't make the problem go away.  I don't recall particular
examples.)

-- 
Glenn Maynard
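To make the "two or three lines" point above concrete, the following is a minimal Apache 2.4 virtual-host pair that turns TLS on for a site and sends plain-HTTP visitors to the HTTPS version. It is an added illustration written for this archive page, not configuration from the thread, from Apache's shipped sample files, or from any of the posters; the hostname and certificate paths are placeholders to be replaced with your own.

```apache
# HTTPS: the three directives that actually enable TLS are SSLEngine,
# SSLCertificateFile and SSLCertificateKeyFile (mod_ssl must be loaded).
<VirtualHost *:443>
    ServerName forum.example
    DocumentRoot /var/www/forum

    SSLEngine on
    # Placeholder paths. With Apache 2.4.8 or later the certificate file may
    # also contain the intermediate chain; older versions need
    # SSLCertificateChainFile for the intermediates.
    SSLCertificateFile    /etc/ssl/certs/forum.example.crt
    SSLCertificateKeyFile /etc/ssl/private/forum.example.key

    # Optional, needs mod_headers: tell returning browsers to stay on HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# Plain HTTP: keep nothing here but a redirect, so no login form or
# session cookie ever travels over an unencrypted connection.
<VirtualHost *:80>
    ServerName forum.example
    Redirect permanent / https://forum.example/
</VirtualHost>
```

The HTTP block deliberately serves no content: a forum that answers on both ports with the same DocumentRoot still leaks every password submitted by a visitor who arrived via a plain `http://` link.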


Re: [whatwg] Passwords

2014-10-18 Thread Anne van Kesteren
On Sat, Oct 18, 2014 at 7:14 PM, Roger Hågensen  wrote:
> This precludes that a site has a certificate, and despite someone like
> StartSSL giving them out free, sites and forums still do not use HTTPS.

We recently started doing this for whatwg.org. It was not a big deal
(though quite a bit of work given the amount of subdomains we have) on
a shared hosting provider. There's a whole bunch of reasons why most
sites ought to switch to using TLS:

  https://wiki.whatwg.org/wiki/TLS

I'd be interested in hearing why sites such as forums have not made
the switch yet. If you're hosting passwords it seems downright
irresponsible at this point to not use TLS.


-- 
https://annevankesteren.nl/


Re: [whatwg] Passwords

2014-10-18 Thread Roger Hågensen

On 2014-10-17 17:09, Nils Dagsson Moskopp wrote:

> Roger Hågensen  writes:
>
>> Also http logins with plaintext transmission of passwords/passphrases
>> need to go away, and is a pet peeve of mine, I detest Basic
>> HTTP-Authentication which is plaintext.
>
> Note that Basic Auth + HTTPS provides reliable transport security.

This precludes that a site has a certificate, and despite someone like 
StartSSL giving them out free, sites and forums still do not use HTTPS.

Also, Basic Auth is also plaintext so the server is not Zero Knowledge.

>> Hashing the password (or passphrase) in the client is the right way to
>> go, but currently javascript is needed to make that possible.
>
> Do you know about HTTP digest authentication?

Yes, and it's why I said "Basic HTTP Authentication"; Digest is the 
better method of HTTP Authentication.
And I know that very well, and it's very underdeveloped: there is no 
logout possible (you stay logged in until the browser session is ended 
by the user), styling the login is not possible, and it's not as easy to 
implement with AJAX methods.



--
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/



Re: [whatwg] Passwords

2014-10-17 Thread Nils Dagsson Moskopp
Roger Hågensen  writes:

> Also http logins with plaintext transmission of passwords/passphrases 
> need to go away, and is a pet peeve of mine, I detest Basic 
> HTTP-Authentication which is plaintext.

Note that Basic Auth + HTTPS provides reliable transport security.

> Hashing the password (or passphrase) in the client is the right way to 
> go, but currently javascript is needed to make that possible.

Do you know about HTTP digest authentication?


-- 
Nils Dagsson Moskopp // erlehmann
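Roger's complaint that Basic auth hands the server (and anyone on the path, absent TLS) the password itself, and Nils's pointer to Digest auth, are easiest to compare by running both exchanges side by side. The block below is an added example written for this archive page, not code from the thread or from any of the posters. It decodes a Basic header to show that base64 recovers the password outright, then walks through an RFC 2617 Digest exchange with qop="auth" in which the server is provisioned only with HA1 = MD5(username:realm:password), verifies the client's response against a nonce it issued, and rejects a replayed nonce count and a wrong password. The realm, username, password and URI are constructed sample values. Note the caveat in the server class: HA1 is still password-equivalent for that realm, so Digest moves the secret off the wire but does not make the server "zero knowledge".

```python
import base64
import hashlib
import secrets

# Constructed sample values for the walkthrough (not from the thread).
REALM = "forum@example.test"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- Basic authentication --------------------------------------------------

def basic_header(username, password):
    """Build the Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header):
    """What the server (or anyone reading the header in transit) gets back.
    base64 is an encoding, not encryption: the password comes back intact."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# ---- Digest authentication (RFC 2617, qop="auth") --------------------------

def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the server stores this, not the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest(username, password, method, uri, nonce, nc="00000001", cnonce=""):
    """Client side: derive HA1 from the typed password and answer the nonce."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(username, REALM, password)
    return {
        "username": username, "realm": REALM, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


class DigestServer:
    """Server side: holds HA1 per user, issues nonces, checks responses.
    The password never reaches the server, but HA1 is password-equivalent
    for this realm and must be protected like a password hash."""

    def __init__(self, users):
        self.users = users        # username -> HA1
        self.pending = {}         # nonce -> highest nonce-count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = 0
        return nonce

    def verify(self, params, method):
        ha1 = self.users.get(params["username"])
        nonce = params["nonce"]
        if ha1 is None or nonce not in self.pending or params.get("realm") != REALM:
            return False
        nc = int(params["nc"], 16)
        if nc <= self.pending[nonce]:      # replayed or out-of-order nonce count
            return False
        expected = digest_response(ha1, method, params["uri"], nonce,
                                   params["nc"], params["cnonce"], params["qop"])
        if not secrets.compare_digest(expected, params["response"]):
            return False
        self.pending[nonce] = nc
        return True


def run_exchange():
    """Drive both schemes once and report what each side learned."""
    basic_user, basic_pw = basic_credentials(basic_header(USERNAME, PASSWORD))

    server = DigestServer({USERNAME: digest_ha1(USERNAME, REALM, PASSWORD)})
    nonce = server.challenge()
    params = client_digest(USERNAME, PASSWORD, "GET", "/inbox", nonce)
    first = server.verify(params, "GET")
    replay = server.verify(params, "GET")                     # same nc again
    wrong = server.verify(client_digest(USERNAME, "guess", "GET", "/inbox",
                                        nonce, nc="00000002"), "GET")
    return {
        "basic_password_recovered": (basic_user, basic_pw) == (USERNAME, PASSWORD),
        "digest_accepted": first,
        "digest_replay_rejected": not replay,
        "digest_wrong_password_rejected": not wrong,
    }


if __name__ == "__main__":
    print(run_exchange())
```

`run_exchange()` returns all four flags as `True`. The Digest verifier tracks the nonce count per nonce so a captured Authorization header cannot simply be resent, which is the one thing Basic over plain HTTP can never prevent; what neither scheme addresses is Roger's other point, that a Digest session has no logout and no styling, which is why sites end up with form logins and need TLS anyway.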