I realized that www.linuxquestions.org was not configured to impose HTTPS. Why? I am using a Firefox plugin, "HTTPS Everywhere", so thanks to EFF, my credentials are protected (well, not from you, but at least from malicious listeners). But what about other people?
Living in 2017, with most basic processors embedding basic encryption instructions, why don't you set up HTTPS as the default protocol? Or even better, why don't you simply forbid plain HTTP? Nobody would lag because of this.
I see your certificate is signed by GeoTrust, so why don't you use it?
In a recent similar thread which I regret that I cannot find right now, Jeremy pointed out that login, contribution, and other information that should be confidential is encrypted.
My personal opinion is that encrypting stuff that doesn't need to be encrypted, such as the boating photos on my boating website, is not security; it's security theatre.
Thanks for the link. I join the "all link as https by default" team. However, to bypass some old protocol conflict (as stated in the thread), letting some pages be accessible in plain http (mainly for downloads) could be a good thing, and it changes my mind about "required https everywhere".
In general, anyone would want to be sure that they are talking to the person they are actually trying to contact, and not anyone else. A plain http download is pretty dangerous, as if you don't check the file's fingerprint sum, you could potentially download any sh*t instead of your legit file. So, for this purpose (download over http), I still think it should be hosted on a separate site, to avoid fake DNS attacks and malicious redirections. The separate site should have an enormous banner with "AT YOUR OWN RISK" written on it. However, this is really not mandatory, as you can download whatever you want from another host supporting https and transfer it your own way to an old non-compatible toaster.
So, in my opinion, any internet page showing a logon form should never be plain http anymore, not in 2017, and as much as possible, all websites should redirect http requests to https. While some websites are fighting against xss and cookie stealing (and https does not protect against that), some others leave logon pages in plain text. I feel like this is disrespectful to the internet.
Thanks for the feedback. As I've noted a couple times, https is fully supported at LQ (and has been for a very long time), the login page is https-only, and the site will be moving to https by default after the pending code update.
Hello jeremy. I checked myself and indeed, the logon form is sent over TLS. But an http prefix always leads to confusion. Thank you for the feedback!
Using a login link on the right, when it redirects automatically, it redirects to an http page, not https.
Could be a bug, or intended. Not sure. The http page gets filtered by a proxy, and then I need to add "s" and refresh the page every time.