CAP Talk  |  General Discussion  |  Forum Support  |  Topic: Can we get https on the forums?
Author Topic: Can we get https on the forums?  (Read 1524 times)
Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« on: June 18, 2017, 03:27:55 AM »

Since it can now be done freely with Let's Encrypt, this shouldn't be a major undertaking.
Logged
Commo
Recruit

Posts: 45
Unit: PCR-WA-002

« Reply #1 on: June 19, 2017, 12:37:48 PM »

I'll second this, and I'm surprised no one else has.  Not even the login page is encrypted.

I dislike having to bring up a VPN to work if I'm at a semi-public place just to keep basic things like usernames and passwords protected.

Commo
Logged
Eclipse
Too Much Free Time Award
***
Posts: 28,060

« Reply #2 on: June 19, 2017, 01:09:55 PM »

What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.
Logged

"The man who does more than he is paid for will soon be paid for more than he does." - Napoleon Hill.
The contents of this post are Copyright 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« Reply #3 on: June 19, 2017, 03:01:24 PM »

Quote from: Eclipse on June 19, 2017, 01:09:55 PM
> What's here that's a secret?
>
> There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.
>
> I'm not saying >not< to, but don't see the need either.

It is a basic security practice and there are still no doubt plenty of people who don't have a unique account password across all websites, which means a compromise here is a compromise everywhere for those people, especially when considering legacy accounts no longer present.

And seriously, it is an incredibly BASIC security practice.
Logged
Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« Reply #4 on: June 19, 2017, 03:03:17 PM »

Long, drawn out explanations here:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

https://https.cio.gov/everything/
Logged
Commo
Recruit

Posts: 45
Unit: PCR-WA-002

« Reply #5 on: June 20, 2017, 08:54:22 PM »

Also, as this forum allows a level of anonymity via handles, the lack of https even for authentication makes it trivial to associate user Bob on workstation XYZ as CAP user Commo.

Also [again], a third party would then associate a username with the registered email address, and a password.  Hopefully, no one uses their email password for any other account, but at a minimum, it exposes something personally identifiable with a user.

No, my name's not Bob.

Commo
Logged
dwb
Salty & Seasoned Contributor

Posts: 1,318

« Reply #6 on: June 21, 2017, 08:34:45 AM »

I agree that the login should be encrypted. There's no excuse to pass creds in the clear in 2017, regardless of whether you reuse passwords (which you shouldn't). If you ever log in to CAP Talk from a Starbucks or a library or whatever, you're exposing yourself to trivial credential harvesting.

Do we need to do everything over SSL/TLS? Probably not. The forums can be read without logging in, so you're not really protecting any data in transit. That said, with Let's Encrypt and SSL certs being easier to come by, there's no harm in doing so.
Logged
Tim Medeiros
Salty & Seasoned Contributor

Posts: 709
Unit: AZ-001

« Reply #7 on: July 01, 2017, 03:12:10 PM »

Something to note, not all webhosts allow Let's Encrypt.

Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.
Logged
TIMOTHY R. MEDEIROS, Lt Col, CAP
Member, National IT Functional User Group
1577/2811
Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« Reply #8 on: July 03, 2017, 04:11:57 AM »

Quote from: Tim Medeiros on July 01, 2017, 03:12:10 PM
> Something to note, not all webhosts allow Let's Encrypt.
>
> Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.

I checked in advance and captalk uses 1and1+apache.
https://www.1and1.com/cloud-community/learn/networking/ssl-certificates/installing-a-free-ssl-certificate-from-lets-encrypt-on-ubuntu/
Logged
GaryVC
Forum Regular

Posts: 124
Unit: PCR-NV-070

« Reply #9 on: July 03, 2017, 10:47:42 AM »

My business website is on 1&1 and as far as I know it doesn't allow spiders (like Google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.
Logged
Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« Reply #10 on: July 12, 2017, 02:43:09 PM »

Quote from: GaryVC on July 03, 2017, 10:47:42 AM
> My business website is on 1&1 and as far as I know it doesn't allow spiders (like Google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.

That should be a simple update to your robots.txt file to fix.
Logged
Mordecai
Salty & Seasoned Contributor

Posts: 1,086
Unit: SI

« Reply #11 on: July 21, 2017, 01:49:22 PM »

Just curious if the admins have given this any further thought.
Logged