Why does this Discourse not use SSL?


#1

Doesn’t the lack of SSL mean passwords are sent unencrypted?


#2

Yes, but that is only an issue if you do not trust the network you are connected to. Using a unique password per site will mitigate the risk, as someone does not gain much by accessing your Soylent discourse account. Also, if you log in with one of the various options (e.g. Facebook, Twitter, etc.) then there is no plaintext password sent.

Many sites have yet to implement SSL; it isn’t a huge deal for a site such as this.


#3

SSL is hugely important for all sites. Preventing MitM attacks is the main reason, and we should never believe that it will not happen.

Even sites that serve plain HTML with no backend logic at all need SSL/TLS; it should be the standard.


#4

I dunno — I think if a site lets users log in, it should only do so over HTTPS. I think it’s irresponsible to ask for a password without taking steps to keep that password secret.

Tagging @Conor to see if we can get official word on this.


#5

I use a junk password for all sites that demand passwords that I don’t care about. So if you want to use my Soylent password to make comments in my name on the New York Times site, be my guest.


#6

I don’t understand what anyone would gain from acquiring my discourse password? They might troll the forums in my name and get me banned, I guess… but I can’t think of any serious consequences. It wouldn’t give them access to any vital information such as credit card numbers or addresses or anything. Why should I be concerned?


#7

Many people reuse passwords with other sites like email, banking, etc. If Discourse can guarantee that no passwords are reused by anyone anywhere then fine, but otherwise it would be prudent for Discourse to protect the user data whenever possible. SSL is one improvement.


#8

I reuse passwords too, but who would use the same password for their bank account as they use for random forums? That’s just idiotic. I expect to see SSL for things that matter, such as an Amazon account which has personal information on it, but I couldn’t care less whether the forums I frequent are encrypted. There’s a reason I use a junk email address for sites like this.


#9

Because hackers are very resourceful. Think of it as a 6-degrees thing. Your password may not be reused, but there may be other identifiable info (like in Discourse PMs) that can lead to data from another hacked database to infer other personal data from another database, which leads to info that can be used to social engineer access to an email account, which allows access to reset a bank password, which allows full access to a bank account. It just doesn’t make sense to not take precautions like using SSL.


#10

While you and I may be smart enough not to use the same username and password everywhere, other people really are that stupid all the time. A friend of mine signed up for a beta version of a game. He got bored and decided to poke around the server to see what he could find. The idiot running the game had an unencrypted DB with everyone’s username and password (the admin password was the only encrypted entry in the file). So without even really trying my friend had the email addresses and passwords for dozens of people. Sure enough he was able to get into their email, WOW accounts, and even the admin account for a porn site. So yes, SSL would be a good idea to help protect the less security-minded users.


#11

Can you elaborate on that? I’m curious as to how someone might be able to “social engineer” access to the email account that I use for banking. I’m a pretty cautious person when it comes to internet usage, but this sounds like something I haven’t thought of… or maybe it’s just the way you worded it that I’m not getting. Please explain; I want to be safe :)


#12

Read over this example to see how access to one system can lead to access to another system.

Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.

While you may not be at risk, I’m sure there are plenty of other Discourse users who are not so careful. There are no good reasons to not use SSL.


#13

So the consensus in the thread seems to be that the lack of SSL is insecure. There is a debate about whether security matters for the Soylent forum — personally, I always like to err on the side of caution.

This thought occurred to me because I just set up my own Discourse forum and found out for myself how easy it is to implement SSL. I bought a one-year SSL certificate for $9. In the time people have spent debating whether it’s necessary in this thread, someone from Soylent could have implemented it.


#14

soylent.com already has an SSL cert, so enabling it for discourse.soylent.com is trivial.
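The two posts above say enabling HTTPS for the forum is cheap and trivial. What "enabled" should look like from the client's side is a concrete, checkable thing, so here is an added example (not code from the thread, from Discourse or from Soylent) that scores a site's first response over plain HTTP and over HTTPS: the HTTP side must redirect to an https URL and issue no cookies, the HTTPS side must send Strict-Transport-Security with a long max-age and mark cookies Secure. The hostname forum.example.test, the response samples and the cookie names are constructed so the script runs offline.

```python
"""Check what a browser sees on its first contact with a forum, over plain
HTTP and over HTTPS, and flag the gaps that leave a login exposed.

Added example for this thread; not code from Discourse or from Soylent.
The responses below are constructed (hostname forum.example.test is
made up) so the script runs offline.
"""
from urllib.parse import urlsplit

# One year in seconds; a common floor for an HSTS max-age.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Return the max-age of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def header_values(headers, name):
    """All values of one header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name]


def assess(scheme, status, headers):
    """Findings for one response: the scheme the client used, the status
    code, and the response headers as (name, value) pairs."""
    findings = []
    if scheme == "http":
        location = header_values(headers, "location")
        if status in (301, 302, 307, 308) and location:
            if urlsplit(location[0]).scheme != "https":
                findings.append("http: redirect target is not https")
        else:
            findings.append("http: served content instead of redirecting to https")
        # Anything set here travels in the clear, so a session issued on a
        # plaintext response is as exposed as the password that earned it.
        if header_values(headers, "set-cookie"):
            findings.append("http: session cookie issued over plaintext")
        return findings

    hsts = header_values(headers, "strict-transport-security")
    if not hsts:
        findings.append("https: no Strict-Transport-Security header")
    else:
        age = parse_hsts(hsts[0])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("https: HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
    for cookie in header_values(headers, "set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("https: cookie without Secure flag: " + cookie.split("=", 1)[0])
    return findings


# Constructed responses: a forum still served over plain HTTP ...
PLAIN_FORUM = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_forum_session=abc123; Path=/; HttpOnly"),
])
# ... and one deployed the way the thread asks for: redirect, then HSTS
# and Secure cookies on the HTTPS side.
REDIRECT_TO_HTTPS = ("http", 301, [("Location", "https://forum.example.test/")])
HTTPS_FORUM = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "_forum_session=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, sample in [("plain forum", PLAIN_FORUM),
                          ("redirect", REDIRECT_TO_HTTPS),
                          ("https forum", HTTPS_FORUM)]:
        print(label, assess(*sample) or ["ok"])
```

Running it against the constructed samples flags the plain-HTTP forum twice (content served without a redirect, session cookie issued in the clear) and passes the redirect and the HTTPS response. To run it against a live site, feed `assess` the scheme, status and headers from a real `http.client` response; the checks themselves do not change.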


#15

Understand that not using SSL is much more than ‘they can get the passwords’.

Without proper encryption, data can be changed over the wire by a third party, and if done well, this can lead to phishing issues, ad injections, and other malware being loaded onto the site.

Man in the Middle attacks are serious, and all sites should enable site-wide HTTPS. Please encourage everyone to adopt HTTPS, even for the most trivial of sites.

CC @rob @conor
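The post above makes two claims about a plaintext forum: the password is readable in transit, and the page coming back can be rewritten before it reaches the browser. Both are a few lines of byte handling once someone sits on the path, which is the point. The following is an added example, not code from the thread or from Discourse; the login request, the HTML response, the hostname forum.example.test and the account in them are all constructed, and the script runs offline.

```python
"""What an on-path observer can do with a plain-HTTP forum login, shown on
constructed bytes: read the password out of the POST, and rewrite the HTML
coming back so it carries an injected script.

Added example for this thread, not code from the page or from Discourse.
The request, response, hostname forum.example.test and the account below
are all made up; the script runs offline and touches no network.
"""
from urllib.parse import parse_qs

# A login form submission as it crosses the wire without TLS. The
# Content-Length is computed so the message is well-formed.
_LOGIN_BODY = b"login=alice&password=correct+horse"
LOGIN_REQUEST = (
    b"POST /session HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_LOGIN_BODY)).encode() + b"\r\n"
    b"\r\n" + _LOGIN_BODY
)

# The page the server sends back, equally in the clear.
_PAGE_BODY = b"<html><body><h1>Forum</h1></body></html>"
PAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(_PAGE_BODY)).encode() + b"\r\n"
    b"\r\n" + _PAGE_BODY
)


def split_message(raw):
    """Split an HTTP/1.1 message into (list of header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body


def extract_form_credentials(raw_request):
    """Return the form fields of a plaintext login POST as a dict.
    parse_qs decodes '+' to a space, exactly as the server would."""
    _, body = split_message(raw_request)
    fields = parse_qs(body.decode("utf-8"))
    return {name: values[0] for name, values in fields.items()}


def inject_into_response(raw_response, payload):
    """Insert payload before </body> (or append it) and fix Content-Length
    so the browser accepts the tampered page as complete."""
    head, body = split_message(raw_response)
    idx = body.lower().rfind(b"</body>")
    body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload
    fixed = []
    for line in head:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(body)).encode()
        fixed.append(line)
    return b"\r\n".join(fixed) + b"\r\n\r\n" + body


def content_length(raw):
    """Declared Content-Length of a message, or None if absent."""
    head, _ = split_message(raw)
    for line in head:
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip())
    return None


if __name__ == "__main__":
    print(extract_form_credentials(LOGIN_REQUEST))
    tampered = inject_into_response(
        PAGE_RESPONSE, b"<script src='http://ads.example.test/x.js'></script>")
    print(tampered.decode())
```

With TLS in place neither function has anything to work on: the observer sees only ciphertext, and any byte changed in flight fails the record's integrity check, so the browser drops the connection instead of rendering the altered page. That is what "site-wide HTTPS" buys over simply encrypting the login form.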


#16

If everyone in the world was as smart and careful as I’m sure you always are, then there wouldn’t be a problem.


#17

This is an insignificant detail, but modern HTTPS servers should be implementing TLS over SSL.


#18

The network we are connected to is the internet.


#19

Which is what soylent.com implements.


#20

Does anyone know who is in charge of the Soylent Discourse / the Soylent website so I could contact them directly?