Author Topic: Can we get https on the forums?  (Read 505 times)
Mordecai
Salty & Seasoned Contributor

Posts: 968
Unit: SI

« on: June 18, 2017, 03:27:55 AM »

Since it can now be done freely with Let's Encrypt, this shouldn't be a major undertaking.
Commo
Recruit

Posts: 17
Unit: PCR-WA-002

« Reply #1 on: June 19, 2017, 12:37:48 PM »

I'll second this, and I'm surprised no one else has.  Not even the login page is encrypted.

I dislike having to bring up a VPN to work if I'm at a semi-public place just to keep basic things like usernames and passwords protected.

Commo
Eclipse
Too Much Free Time Award
Posts: 27,483

« Reply #2 on: June 19, 2017, 01:09:55 PM »

What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.

"Effort" does not equal "results".
The contents of this post are Copyright 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Mordecai
Salty & Seasoned Contributor

Posts: 968
Unit: SI

« Reply #3 on: June 19, 2017, 03:01:24 PM »

> What's here that's a secret?
>
> There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.
>
> I'm not saying >not< to, but don't see the need either.

It is a basic security practice and there are still no doubt plenty of people who don't have a unique account password across all websites, which means a compromise here is a compromise everywhere for those people, especially when considering legacy accounts no longer present.

And seriously, it is an incredibly BASIC security practice.
Mordecai
Salty & Seasoned Contributor

Posts: 968
Unit: SI

« Reply #4 on: June 19, 2017, 03:03:17 PM »

Long, drawn out explanations here:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

https://https.cio.gov/everything/
Commo
Recruit

Posts: 17
Unit: PCR-WA-002

« Reply #5 on: June 20, 2017, 08:54:22 PM »

Also, as this forum allows a level of anonymity via handles, the lack of https even for authentication makes it trivial to associate user Bob on workstation XYZ as CAP user Commo.

Also [again], a third party would then associate a username with the registered email address, and a password.  Hopefully, no one uses their email password for any other account, but at a minimum, it exposes something personally identifiable with a user.

No, my name's not Bob.

Commo
dwb
Salty & Seasoned Contributor

Posts: 1,293

« Reply #6 on: June 21, 2017, 08:34:45 AM »

I agree that the login should be encrypted. There's no excuse to pass creds in the clear in 2017, regardless of whether you reuse passwords (which you shouldn't). If you ever log in to CAP Talk from a Starbucks or a library or whatever, you're exposing yourself to trivial credential harvesting.

Do we need to do everything over SSL/TLS? Probably not. The forums can be read without logging in, so you're not really protecting any data in transit. That said, with Let's Encrypt and SSL certs being easier to come by, there's no harm in doing so.