Can we get https on the forums?

Started by Holding Pattern, June 18, 2017, 07:27:55 AM


Holding Pattern

Since it can now be done freely with Let's Encrypt, this shouldn't be a major undertaking.

Commo

I'll second this, and I'm surprised no one else has.  Not even the login page is encrypted.

I dislike having to bring up a VPN to work if I'm at a semi-public place just to keep basic things like usernames and passwords protected.

Commo

Eclipse

What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.

"That Others May Zoom"

Holding Pattern

Quote from: Eclipse on June 19, 2017, 05:09:55 PM
What's here that's a secret?

There's no ecommerce, everything is open to the public, and if an account is compromised, it takes 1 minute to reset.

I'm not saying >not< to, but don't see the need either.

It is a basic security practice and there are still no doubt plenty of people who don't have a unique account password across all websites, which means a compromise here is a compromise everywhere for those people, especially when considering legacy accounts no longer present.

And seriously, it is an incredibly BASIC security practice.


Commo

Also, as this forum allows a level of anonymity via handles, the lack of https even for authentication makes it trivial to associate user Bob on workstation XYZ as CAP user Commo.

Also [again], a third party would then associate a username with the registered email address, and a password.  Hopefully, no one uses their email password for any other account, but at a minimum, it exposes something personally identifiable with a user.

No, my name's not Bob.

Commo

dwb

I agree that the login should be encrypted. There's no excuse to pass creds in the clear in 2017, regardless of whether you reuse passwords (which you shouldn't). If you ever login to CAP Talk from a Starbucks or a library or whatever, you're exposing yourself to trivial credential harvesting.

Do we need to do everything over SSL/TLS? Probably not. The forums can be read without logging in, so you're not really protecting any data in transit. That said, with Let's Encrypt and SSL certs being easier to come by, there's no harm in doing so.

Tim Medeiros

Something to note, not all webhosts allow Let's Encrypt.

Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.
TIMOTHY R. MEDEIROS, Lt Col, CAP
Chair, National IT Functional User Group
1577/2811

Holding Pattern

Quote from: Tim Medeiros on July 01, 2017, 07:12:10 PM
Something to note, not all webhosts allow Let's Encrypt.

Let's Encrypt is just fine if you're hosting on your own box, but if you're on a shared hosting plan then you have to play by the rules that are laid out for you.

I checked in advance and captalk uses 1and1+apache.
https://www.1and1.com/cloud-community/learn/networking/ssl-certificates/installing-a-free-ssl-certificate-from-lets-encrypt-on-ubuntu/
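For the Apache-on-Let's-Encrypt setup referred to above, here is what the change would look like in the server configuration. This is an added illustration, not CAP Talk's actual configuration: the hostname forum.example.org, the document root, and the challenge directory are placeholders, and it assumes mod_ssl, mod_rewrite, mod_headers and mod_alias are enabled and that certbot has already written the certificate under /etc/letsencrypt/live/.

```apache
# Before (constructed example): the forum is served only over plain HTTP,
# so the login form posts username and password in the clear.
<VirtualHost *:80>
    ServerName forum.example.org
    DocumentRoot /var/www/forum
</VirtualHost>

# After: plain-HTTP requests are redirected to HTTPS, and the HTTPS host
# serves the Let's Encrypt certificate and tells browsers to stay on HTTPS.
<VirtualHost *:80>
    ServerName forum.example.org
    # The HTTP-01 challenge path must stay reachable over plain HTTP so that
    # certificate issuance and the 90-day renewals keep working.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.org
    DocumentRoot /var/www/forum
    SSLEngine on
    # Paths as laid out by certbot; replace the hostname with the real one.
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem
    # HSTS: a browser that has seen this header refuses plain HTTP to this
    # host for a year, closing the window in which a login could downgrade.
    Header always set Strict-Transport-Security "max-age=31536000"
    # Mark the forum's session cookies Secure so they are never sent over HTTP.
    Header edit Set-Cookie ^(.*)$ "$1; Secure"
</VirtualHost>
```

Search engines index HTTPS pages like any others, so the redirect does not hide the forum from them; a stale robots.txt or a sitemap that still lists http:// URLs is the usual thing to check after the switch.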

GaryVC

My business website is on 1&1 and as far as I know it doesn't allow spiders (like Google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.

Holding Pattern

Quote from: GaryVC on July 03, 2017, 02:47:42 PM
My business website is on 1&1 and as far as I know it doesn't allow spiders (like Google) on secure websites (I have both unsecure and secure portions on mine). Google has occasionally allowed me to find things on CAP Talk that have been helpful.

That should be a simple update to your robots.txt file to fix.

Holding Pattern

Just curious if the admins have given this any further thought.