http://libregraphicsworld.org/ isn't https


#1

Recently installed HTTPS Everywhere, which made it apparent that libregraphicsworld.org wasn’t https. Is that a problem?


(Glenn Butcher) #2

If you’re not going to log in, or worse, buy something, probably not.

With any http connection, whatever you or the website sends is sent ‘in the clear’, readable by anyone with some kind of access to the network path. More challenging to an adversary would be to inject themselves in the middle of your connection and insert something of their own design, but it is feasible.

I recently upgraded my website, pulpitrock.net, to use https, mainly to encrypt access to directories with authentication, family photos. Also, to stop browsers from complaining I wasn’t secure… :smiley:


(Pat David) #3

Ah, I hadn’t noticed that. @prokoudine - any plans on adding HTTPS?

That depends on what you might consider “a problem”.

If you don’t want anyone to see the data between your browser and that server then yes it’s a problem.

If you don’t want someone to possibly inject any content (malicious or otherwise) between that server and your browser then yes it’s a problem. :slight_smile: (It might seem far-fetched, but I had heard that some ISPs were injecting their own ads into ad spaces on webpages accessed over their network on HTTP…)

Do note that unless you’ve taken some extra precautions, your DNS query is likely also being logged by your ISP (and whoever your DNS is). So someone knows you were trying to at least access libregraphicsworld.org.


(Alex Prokoudine) #4

It’s been my plan to move to a new domain and CMS and HTTPS at the same time. Doing so is going to take quite a while.

I’m not an expert in HTTPS. Perhaps setting up Let’s Encrypt on the current system is much easier than I suspect, and redirecting to HTTPS is just one line in .htaccess away, and everything is going to work just like magic without breaking anything whatsoever, but this is not what I want to spend my time on right now.

As for “Is it a problem” — I guess it depends on what’s acceptable to different people. If you are afraid that your government is spying on you and wants to punish you for your interest in free/libre software, then yes, it’s a problem. Otherwise, the website doesn’t even have forms you can fill, there are no passwords or emails to enter, no payment info, no nothing.


(darix) #5

Ping me on IRC to help you set up letsencrypt. It only takes a few minutes with things like dehydrated, and a cronjob (well, systemd timer) will make sure it auto-updates the certs in time.


(Glenn Butcher) #6

Ha, in the news today:

we’re all doomed… :smile:


#7

Also in the news today… many US federal websites are “dropping like flies” because there is no one on hand to update the expiring certificates!

Also,

It’s not a problem for most of us under the control of so-called “first world” governments, but second and third world users definitely face these kinds of fears. Additionally, some present Adobe employees might wish to attend in the most clandestine manner possible.


#8

Not a problem for me. Just wanted to prod @prokoudine. :slight_smile:


(jimplaxco.com and artsnova.com) #9

With respect to not employing HTTPS, a potential problem is that of marketing. With Chrome and other browsers now calling attention to the fact that a web site is not using HTTPS and by implication can’t be trusted, it could scare off first-time visitors. And that perception will only grow as more sites convert to HTTPS.

I think you will eventually want to convert to HTTPS. The question is whether you’re in a good place for doing it now or with waiting for a better opportunity to come along.

As to the SEO aspects, given the site’s unique niche, for now the smallish boost HTTPS sites get probably won’t get you anything.