CAP Talk

General Discussion => Forum Support => Topic started by: Holding Pattern on June 18, 2017, 07:27:55 AM

Title: Can we get https on the forums?
Post by: Holding Pattern on June 18, 2017, 07:27:55 AM
Since it can now be done freely with Let's Encrypt, this shouldn't be a major undertaking.
Title: Re: Can we get https on the forums?
Post by: Commo on June 19, 2017, 04:37:48 PM
I'll second this, and I'm surprised no one else has.  Not even the login page is encrypted.

I dislike having to bring up a VPN to work if I'm at a semi-public place just to keep basic things like usernames and passwords protected.

Commo
Title: Re: Can we get https on the forums?
Post by: Eclipse on June 19, 2017, 05:09:55 PM
What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.
Title: Re: Can we get https on the forums?
Post by: Holding Pattern on June 19, 2017, 07:01:24 PM
Quote from: Eclipse on June 19, 2017, 05:09:55 PM
What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.

It is a basic security practice and there are still no doubt plenty of people who don't have a unique account password across all websites, which means a compromise here is a compromise everywhere for those people, especially when considering legacy accounts no longer present.

And seriously, it is an incredibly BASIC security practice.
Title: Re: Can we get https on the forums?
Post by: Holding Pattern on June 19, 2017, 07:03:17 PM
Long, drawn out explanations here:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

https://https.cio.gov/everything/
Title: Re: Can we get https on the forums?
Post by: Commo on June 21, 2017, 12:54:22 AM
Also, as this forum allows a level of anonymity via handles, the lack of https even for authentication makes it trivial to associate user Bob on workstation XYZ as CAP user Commo.

Also [again], a third party would then associate a username with the registered email address, and a password.  Hopefully, no one uses their email password for any other account, but at a minimum, it exposes something personally identifiable with a user.

No, my name's not Bob.

Commo
Title: Re: Can we get https on the forums?
Post by: dwb on June 21, 2017, 12:34:45 PM
I agree that the login should be encrypted. There's no excuse to pass creds in the clear in 2017, regardless of whether you reuse passwords (which you shouldn't). If you ever log in to CAP Talk from a Starbucks or a library or whatever, you're exposing yourself to trivial credential harvesting.

Do we need to do everything over SSL/TLS? Probably not. The forums can be read without logging in, so you're not really protecting any data in transit. That said, with Let's Encrypt and SSL certs being easier to come by, there's no harm in doing so.
Title: Re: Can we get https on the forums?
Post by: Tim Medeiros on July 01, 2017, 07:12:10 PM
Something to note, not all webhosts allow Let's Encrypt.

Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.
Title: Re: Can we get https on the forums?
Post by: Holding Pattern on July 03, 2017, 08:11:57 AM
Quote from: Tim Medeiros on July 01, 2017, 07:12:10 PM
Something to note, not all webhosts allow Let's Encrypt.

Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.

I checked in advance and captalk uses 1and1+apache.
https://www.1and1.com/cloud-community/learn/networking/ssl-certificates/installing-a-free-ssl-certificate-from-lets-encrypt-on-ubuntu/
Title: Re: Can we get https on the forums?
Post by: GaryVC on July 03, 2017, 02:47:42 PM
My business website is on 1&1 and as far as I know it doesn't allow spiders (like google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.
Title: Re: Can we get https on the forums?
Post by: Holding Pattern on July 12, 2017, 06:43:09 PM
Quote from: GaryVC on July 03, 2017, 02:47:42 PM
My business website is on 1&1 and as far as I know it doesn't allow spiders (like google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.

That should be a simple update to your robots.txt file to fix.
Title: Re: Can we get https on the forums?
Post by: Holding Pattern on July 21, 2017, 05:49:22 PM
Just curious if the admins have given this any further thought.