Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user AT delorie DOT com
From: "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]"
Message-ID: <197408a7-1183-7805-6f84-7794386c52dc@fastmail.com>
Date: Mon, 11 Jan 2021 13:15:37 -0800


On 1/10/21 3:15 PM, DJ Delorie wrote:
> "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]"
> <geda-user AT delorie DOT com> writes:
>> I don't know why you are so resistant to computer security.
> Computer security takes time and effort, and it's wasted on static data
> that has no real value.  Do you really need to hide the fact that you're
> looking at EDA software?  Do you worry that terrorists are going to
> modify a wiki page you're reading?
>
>> Why did I post my concern about pcb-rnd on this forum? Good question. I
>> thought about it a while and decided that since pcb-rnd was on this
>> forum in the past, and that it may be polled by the pcb-rnd devs,
> Nope, none of them are here any more.  They left long ago.
>
>> Now that includes gEDA too.
> You didn't mention that at all in your original email ;-)
>
>> I hope the gEDA server maintainers create a https portal on the web
>> server(s) asap.
> The gEDA server is a very old arm-based device running a prototype
> operating system.  HTTPS is not an option at this point, unless someone
> (or many someones) steps up to migrate everything to a modern server.

Greetings,

My immediate concern is the software download site. I do not want to download corrupted software. The risk is low, but I think it is still there. On the other end, I am concerned that the gEDA site could get attacked with possible resultant data corruption. In that respect, I don't think computer security is "wasted". You are correct in that since the transactions do not involve the transmission of sensitive data, such as logins and passwords, the risk is low and maybe not worth the effort to upgrade, except for the program download site.

I didn't mention the gEDA sites in my original posting because I had not yet gotten to my gEDA site bookmarks, so at the time I wrote the original posting I did not know for sure if gEDA should be included. I suppose in hindsight, I should have waited until I had completed my year-end bookmarks purge before I posted my first posting on this subject. Sorry.

I had a suspicion that the problem may be with the server. I guess the best I can ask for is to consider upgrading to https, at least for the software download server part, when a need to upgrade the server is discussed.

Since we are trading URLs, here is an article, written by Mick Bauer, that I am using to harden my desktop computer at this time:

https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practical-linux-desktop-security

Here is an applicable snippet under "Never Transmit Unencrypted Passwords" for consideration:

Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based login involving an http:// URL rather than https://, therefore, are all off limits. In the modern era, all these applications (remote shell, file transfer, e-mail and most Web applications) can and should be used in encrypted implementations, such as SSH, FTPS or SFTP, IMAPS, POP3S and https, at least for logons and other sensitive transactions.

Operative phrase: "at least".

Note that pcb, under sourceforge, is using https to download.

As a side note, a while back I was looking to make a donation to gEDA to help out and partially compensate for the use I have gotten from gEDA/gaf. However, I could not find a place to make such a donation. I think a PayPal transaction could be made using an email address. I am not sure how to set it up. It may require a PayPal business account. Such donations could help purchase a new server and maybe pay the small fee for the certificate(s).

Thanks and take care.

Girvin

