Add ssl/https support for this forum

jam-s
Posts: 3036
Joined: 17 Apr 2015
Location: Aachen, Germany

24 May 2016

As it's now pretty easy to get free ssl certs via letsencrypt.org it would be a nice service if this forum would also be available via a secure connection.

orthodox
RE Developer
Posts: 2286
Joined: 22 Jan 2015
Location: 55°09'24.5"N 37°27'41.4"E

25 May 2016

What's the need for https in this forum? It is public, no valuable assets here which could be hijacked and stolen. While enabling https will increase the server load and reduce its potential performance.

jam-s
Posts: 3036
Joined: 17 Apr 2015
Location: Aachen, Germany

25 May 2016

The additional load penalty is just a few percent. And to be honest I consider both the topics I browse as well as my password to be of a high enough value to be protected. Besides, in 2016 (3 years after Snowden) ssl should really be the default for all websites, if only to stop those 3-letter agencies unlawfully spying on us.

orthodox
RE Developer
Posts: 2286
Joined: 22 Jan 2015
Location: 55°09'24.5"N 37°27'41.4"E

25 May 2016

With all due respect to Snowden (he happens to live in my city after all), I don't understand why ssl should be used everywhere. What's so wrong even if a complete copy of Reasontalk with all the passwords and browse history was being maintained on NSA's servers? There is nothing here that can be used against us. So let them dig it.

JiggeryPokery
RE Developer
Posts: 1174
Joined: 15 Jan 2015

27 May 2016

orthodox wrote: There is nothing here that can be used against us. So let them dig it.

First they came for the Fruity Loops, and I did not speak out—
Because I was not loopy.

Then they came for the Pro Tools, and I did not speak out—
Because I was not a tool.

Then they came for the Bitwigs, and I did not speak out—
Because I was not an idiot.

Then they came for the Reason users—and there was no one left to speak for us.

jam-s
Posts: 3036
Joined: 17 Apr 2015
Location: Aachen, Germany

27 May 2016

Due to Snowden's leaks we can assume that the NSA (et al.) is trying to collect a track record (to build a profile) of everybody on earth. This includes personal interests, times of activity, sites visited on a regular basis, etc. They are doing this by correlating unique identifiers such as login cookies (like from this forum as well). By enabling ssl to be the default for more and more sites, we can hinder them from having access to this information and also block their access to the information about which topics are relevant to a user. This helps in hindering them from establishing a more detailed profile of people.

Also, right now, it's dead simple (even for a script kiddie) to get the login details/cookies from anybody using this forum e.g. via an untrusted wifi connection. (This would be the more realistic threat for the majority of the users of this board, I suppose). This is a threat as there might be some naive users who use the same password for more than one account. In case somebody uses the same password for reasontalk and his email account, sniffing the password for reasontalk can lead to a compromise of the email account of said user, which can then lead to the compromise of almost any other account, as the email account in most cases can be used to reset passwords for other services. Therefore having any login credentials submitted over an insecure link in 2016 is really bad practice; especially as there are now free certs that work with all recent browsers.

Thanks for taking this suggestion into consideration, even if you don't care much for your privacy. Some users of this board do. :cool:
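The post above turns on login credentials and session cookies crossing the network unencrypted. As an added example (not part of the original thread, and not the forum's own code), this sketch audits the response headers of a login page for that exposure; the host `forum.example`, the cookie name `forum_sid` and both sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def cookie_attrs(set_cookie_value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(url, headers):
    """Return findings for one HTTP response; headers is a list of (name, value)."""
    findings = []
    https = urlsplit(url).scheme.lower() == "https"
    if not https:
        findings.append("plain-http: request and response are readable on the network path")
    header_names = {n.lower() for n, _ in headers}
    if https and "strict-transport-security" not in header_names:
        findings.append("no-hsts: browser may still try http:// first")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = cookie_attrs(v)
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, cookie is also sent over http://")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly, cookie is readable by page scripts")
    return findings

# Constructed sample responses (assumed host and cookie name, not captured traffic).
HTTP_LOGIN = ("http://forum.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "forum_sid=abc123; Path=/; HttpOnly"),
])
HTTPS_LOGIN = ("https://forum.example/login", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "forum_sid=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, hdrs in (HTTP_LOGIN, HTTPS_LOGIN):
        print(url, audit_response(url, hdrs) or "ok")
```
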

orthodox
RE Developer
Posts: 2286
Joined: 22 Jan 2015
Location: 55°09'24.5"N 37°27'41.4"E

27 May 2016

Those who care for their privacy never use the same password twice, and each one is at least 20 random characters. They use dedicated email accounts for every service. They block tracking cookies or at least reset them on a regular basis. They access most sites by proxies. And of course they use ssl where it is critical.
That's what I do.

As for agencies, they won't stop anyway. And I would rather like them to be buried under tons of useless shit, like things we write in this forum. Let them build their profiles, track our interests, whatever. It's about music, for god's sake. I'm more concerned about commercial agents and advertisers, they can be bothersome.
JiggeryPokery wrote: Then they came for the Bitwigs, and I did not speak out— Because I was not an idiot.
:lol:

jam-s
Posts: 3036
Joined: 17 Apr 2015
Location: Aachen, Germany

27 May 2016

orthodox wrote: As for agencies, they won't stop anyway. And I would rather like them to be buried under tons of useless shit, like things we write in this forum. Let them build their profiles, track our interests, whatever. It's about music, for god's sake. I'm more concerned about commercial agents and advertisers, they can be bothersome.
Sure, but burying them with encrypted useless shit is even more effective. :twisted:
