
Idea #10816: Use SSL for User Logins on Brainstorm and UbuntuForums Sites



Votes: 120
Written by gmendoza the 7 Jul 08 at 02:35. Category: Security.
Related to: ubuntuforums.org. Status: New
Description
I would appreciate it if both the brainstorm and ubuntuforums.org would be protected via SSL for login and cookie exchanges.

Virtually all other sites related to the wiki, documentation, launchpad, etc, use SSL, and I wish the same could be said about these as well.

In a recent forum discussion, some felt that there's no point to protecting those sites. But most will agree that many people use the same password for everything, and even though a compromise of a forum password may not seem like much, it could be an issue elsewhere.

Case in point, all wiki modifications show the IP address of those that make the changes. If this person uses the same password for the wiki as their forum account, not only is it a risk to the wiki, but if their personal machine is remotely accessible via SSH, etc, then that user is also at risk if the password is also the same on their computer.

Yes... people need to follow best practices... but if you have the ability to help people and it comes at virtually no cost to you, then why not?

Hope others feel the same way. Thanks for listening.


Comments
_sebastian_ wrote on the 7 Jul 08 at 05:39
+1
Is there a reason not to use https? If available I always use https ... and I have different passwords on most sites.
It is just a precaution, when I can use secure connections I do.

Eldmannen wrote on the 7 Jul 08 at 13:30
+1

I agree.
Also, I would like to be able to read/submit ideas over SSL too.
It would be nice to be able to submit ideas without anyone in between being able to read it.

To some people, ideas are scary. They consider ideas to be dangerous.

PriceChild wrote on the 7 Jul 08 at 19:52
Although no official statement has been made by ubuntuforums.org, please read that thread to find out more about the issues that its implementation would mean.

gmendoza wrote on the 7 Jul 08 at 20:23
I was the one that started the thread and fully understand the implications of using SSL. The arguments against the idea were just silly. You do not need to encrypt all site traffic to protect login and cookie exchanges.

Take for example both Yahoo Mail and Gmail services. Your login and cookie traffic are handled within SSL, but the site switches you back to plain text after the secure login process. This is common practice.

Now there are certain limitations one might have to overcome at the application layer, e.g. if vBulletin only works in an all or nothing fashion with links strictly referencing http, therefore breaking https paths. In that case, fine... encrypt the whole thing or find a way to work around it.

FuturePilot wrote on the 11 Jul 08 at 02:50
+1

