Why no HTTPS?

It's a shame that the Arduino site and forum don't have HTTPS.

Now even small sites have HTTPS especially since HTTPS certificates are being issued for free.

I'm paranoid when it comes to security especially since I suspect MITM attacks have happened in my network (Shared ISP).

I noticed that there is HTTPS sometimes and sometimes there isn't. I may be the victim of SSL Strip.

:slightly_frowning_face:

HTTPS works for me.

They use an SSL certificate from Go Daddy that is valid for about one more year.

I noticed that there is HTTPS sometimes and sometimes there isn't.

You really want the avatars sent securely? What would that accomplish?

Everything I send to the Arduino Forum goes into the Public Domain so people can get it with or without HTTPS.

And everything I take from the Forum is in the public domain before I take it.

...R

For everyone using Chrome:

If you want HTTPS permanently for the forum you can force it to try HTTPS first. (clicking a link in a post may send you back to the HTTP version).

Type into address bar, and go to: chrome://net-internals/#hsts

Then add forum.arduino.cc to the set (no http:// just the domain).
You do not need to worry about the other options, just copy in the domain and click add.

Close any tabs with the forum in view and reload. Even if a link is HTTP for the forum, you'll get an HTTPS version.

@Robin, the whole 'public' forum is public domain. HTTPS is simply a way of receiving the data securely. Posting over a HTTPS connection does not prevent a HTTP connection viewing it.
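The manual Chrome entry described above does by hand what a `Strict-Transport-Security` response header does automatically. As an added example (not part of the original thread), the following parses that header per RFC 6797 and flags the downgrade gaps discussed here; the sample responses and the hostname `forum.example` are constructed, not captured from any real site.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).
    Returns a policy dict, or None when the required max-age is missing/invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')      # value may be a quoted-string
            if not arg.isdigit():
                return None                   # malformed max-age voids the header
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def downgrade_findings(http_resp, https_resp):
    """Each response is (status, headers) with lowercase header names."""
    findings = []
    status, headers = http_resp
    location = headers.get("location", "").lower()
    if not (status in (301, 302, 307, 308) and location.startswith("https://")):
        findings.append("http-served-without-redirect")
    if "strict-transport-security" in headers:
        findings.append("hsts-on-http-ignored")   # browsers ignore HSTS sent over HTTP
    status, headers = https_resp
    policy = parse_hsts(headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("no-valid-hsts-on-https")
    elif policy["max_age"] == 0:
        findings.append("hsts-max-age-zero-clears-policy")
    return findings

# Constructed samples: a site that answers on both schemes without a policy,
# and a site that redirects HTTP and pins HTTPS for one year.
MIXED_HTTP = (200, {"content-type": "text/html"})
MIXED_HTTPS = (200, {"content-type": "text/html"})
HARDENED_HTTP = (301, {"location": "https://forum.example/"})
HARDENED_HTTPS = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print("mixed:   ", downgrade_findings(MIXED_HTTP, MIXED_HTTPS))
    print("hardened:", downgrade_findings(HARDENED_HTTP, HARDENED_HTTPS))
```

Even with a valid header, the very first plain-HTTP visit is unprotected unless the host is preloaded or, as in the post above, added to the browser's HSTS set by hand.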

pYro_65:
@Robin, the whole 'public' forum is public domain. HTTPS is simply a way of receiving the data securely. Posting over a HTTPS connection does not prevent a HTTP connection viewing it.

I understand that. I'm just not clear why I need to use a secure system to send something that I intend to be public.

...R

Robin2:
I understand that. I'm just not clear why I need to use a secure system to send something that I intend to be public.

...R

Like I said above, it's nothing to do with the data, a HTTP client can still view your post.

SSL/TLS is a secure transport mechanism. It will allow you to make some assumptions:

  • That the data the server receives, is the data you sent.
  • The data you receive from the server is what the server actually sent.
  • That a third party viewing the contents of what you send/receive during transport to/from you will not be usable.

If someone wanted to be a PITA, they could possibly modify your communications whilst in transit, or steal important data (maybe not important to Arduino, but possibly making other aspects of your PC/network vulnerable).

Robin2:
I understand that. I'm just not clear why I need to use a secure system to send something that I intend to be public.

His intention is most likely NOT to provide free information and free code to the public, but he wants to be stealth while lurking for free information and free code, while no "man in the middle" can possibly find out which free information and which free code he is after at.

Just because he's paranoid doesn't mean they aren't after him.

jurs:
His intention is most likely NOT to provide free information and free code to the public, but he wants to be stealth while lurking for free information and free code, while no "man in the middle" can possibly find out which free information and which free code he is after at.

Just because he's paranoid doesn't mean they aren't after him.

You make it sound like he should be giving something back. There is no obligation for participating because you read something publicly available.

HTTPS isn't a stealth mechanism, connection details will still be logged on every node that wants the metadata. You can use VPNs and proxies for that. Browsers implement higher security using TLS. CORS for example is far more restricted, and things like XSS attacks can be reduced.

Better security is always good, regardless of paranoia. It's amazing how many times your home router can be hit and tested per day by bots. With popular websites it's easily 10 fold.

pYro_65:
There is no obligation for participating because you read something publicly available.

Yes, of course. No obligations for the user of a web forum.

But on the other side there is also no obligation for the owner of a web forum to make https:// the default protocol for the forum.

The https:// protocol requires much more server resources (RAM, processor time) than the http:// protocol.
No owner of a forum is obliged to offer https access.

BUT: THIS FORUM HAS HTTPS. Not as a default setting, but you can use it.
You just need to start a https:// request to the forum and you get a https:// response back.

So the assumption of the TO that this forum has no HTTPS is totally wrong.
(Some elements within some pages, like images, may not be http://, still)

So I'd like to tell the TO:
It's a shame that you accuse the Arduino site and forum don't have HTTPS!
It actually has!

jurs:
BUT: THIS FORUM HAS HTTPS. Not as a default setting, but you can use it.
You just need to start a https:// request to the forum and you get a https:// response back.

So the assumption of the TO that this forum has no HTTPS is totally wrong.
(Some elements within some pages, like images, may not be http://, still)

So I'd like to tell the TO:
It's a shame that you accuse the Arduino site and forum don't have HTTPS!
It actually has!

Notice how I said I suspect an SSL strip. I meant that Arduino may have HTTPS and someone on my local network might be doing an SSL strip.

Wow! I guess my choice of words was wrong. I always say stuff in a way that offends people. By "it's a shame" I meant "It would have been better if it did".

jurs:
His intention is most likely NOT to provide free information and free code to the public, but he wants to be stealth while lurking for free information and free code, while no "man in the middle" can possibly find out which free information and which free code he is after at.

Just because he's paranoid doesn't mean they aren't after him.

Wow! That was really presumptuous and harsh. Granted I don't help others on forums cos I am simply too dumb. I always end up giving the wrong advice.

I write crappy code. But I always make every script I write Open Source on GitHub.
But sadly nobody uses my code cos it's crappy. I cry sometimes because of my incompetence. I take Open Source as serious as the religious take religion and try to contribute to Open Source.

But sadly fate had it that I was to end up dumb. I can't even remember anything I do. I forget the basics of Python and Arduino. I try to learn stuff and I forget it.

I have taken a lot of hours to write Open Source projects. But the sad part is even a normal person would take only 10 minutes or less to write the same script that I struggle to write for 10 hours.