CAP Talk  |  General Discussion  |  The Lobby  |  Topic: Your input requested
Author Topic: Your input requested  (Read 4182 times)
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,278
Unit: Worry

« Reply #20 on: September 05, 2018, 12:30:27 PM »

Google Developers Web Fundamentals:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

The question is no longer "why https"; the question is "why aren't you following best practices?"
Eclipse
Too Much Free Time Award

Posts: 29,109

« Reply #21 on: September 05, 2018, 12:39:33 PM »

No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.
Blanding
Recruit

Posts: 37
Unit: MER-VA-102

« Reply #22 on: September 05, 2018, 12:53:28 PM »

Quote from: Eclipse
No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.

Emphasis mine:

Quote from: The above linked article
One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions...
Eclipse
Too Much Free Time Award

Posts: 29,109

« Reply #23 on: September 05, 2018, 01:08:32 PM »

Yes, thank you - I read the same article cited.

What, exactly, would be "revealed" from a public, free site?

I'm not arguing that it's not a best practice, but when there is cost involved, either soft or hard, you have to look at what you're protecting, which in this case isn't anything (that I know of).

Making "aggregate inferences about intentions and behaviors?"  Seriously?
And how would one do that with just compromised data streams?

The intentions and behaviors are publicly published.

And using HTTPS doesn't necessarily protect the webserver or CMS from being compromised with malware, it just protects the streams from being read in transit.

This site is free for users.  Who will pay for the certs?
« Last Edit: September 05, 2018, 01:12:52 PM by Eclipse »
chuckmilam
Forum Regular

Posts: 123
Unit: GLR-KY-216

« Reply #24 on: September 05, 2018, 01:13:20 PM »

Quote from: Eclipse
This site is free for users.  Who will pay for the certs?

Pay for certs?  Why?  There's this:  https://letsencrypt.org/
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,278
Unit: Worry

« Reply #25 on: September 05, 2018, 01:14:11 PM »

There is no cost anymore.
Eclipse
Too Much Free Time Award

Posts: 29,109

« Reply #26 on: September 05, 2018, 01:25:07 PM »

Excellent - assert "security" is needed, then implement it from a free service that is the first one that pops up in Google.

FWIW, they are fine, but their certs expire on a regular basis, which is a PITA.

One that is unnecessary.
chuckmilam
Forum Regular

Posts: 123
Unit: GLR-KY-216

« Reply #27 on: September 05, 2018, 02:55:24 PM »

The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.
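The two practical points in replies #26 and #27, that Let's Encrypt certificates expire on a short cycle and that an ACME client is supposed to renew them unattended, reduce to one operational check: alert before the renewal automation silently fails. The following is an added example, not code from CAP Talk, SMF or Let's Encrypt. It uses only the Python standard library; the hostname `forum.example.org`, the 14-day warning threshold and the dates in the comments are constructed placeholders.

```python
"""Certificate-expiry check for a site on short-lived (e.g. Let's Encrypt)
certificates.  Added example with constructed values; not project code."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple

# ssl's getpeercert() reports validity dates in exactly this format, always UTC.
_CERT_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_time(value: str) -> datetime:
    """Convert a getpeercert() 'notAfter'/'notBefore' string to an aware UTC datetime."""
    return datetime.strptime(value, _CERT_TIME_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days left before the certificate expires (negative once it has)."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).days


def renewal_status(days_left: int, warn_days: int = 14) -> str:
    """Classify a certificate for alerting.

    Let's Encrypt issues 90-day certificates and recommends renewing with
    about 30 days left, so a working ACME client never lets a cert reach the
    warning window: 'renew' means the automation has broken, not that someone
    has to remember a date.
    """
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "renew"
    return "ok"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a validated TLS connection and return the leaf certificate's notAfter.

    Chain validation is left on deliberately: an already-expired or
    mis-issued certificate raises ssl.SSLError here, which is itself the
    signal that renewal was missed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, warn_days: int = 14) -> Tuple[str, int]:
    """Return (status, days_left) for a live host; meant to run from cron."""
    days_left = days_until_expiry(fetch_not_after(host))
    return renewal_status(days_left, warn_days), days_left


if __name__ == "__main__":
    import sys

    # Placeholder hostname; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "forum.example.org"
    status, days = check_host(target)
    print(f"{target}: {status} ({days} days left)")
    # Non-zero exit lets a cron wrapper or monitoring agent raise the alarm.
    sys.exit(0 if status == "ok" else 1)
```

Run it daily from cron alongside the ACME client's own renewal timer; the two thresholds are chosen so that the check fires well before expiry but only after a correctly working client would already have renewed.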
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,278
Unit: Worry

« Reply #28 on: September 05, 2018, 03:11:43 PM »

Quote from: chuckmilam
The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.

Trust me, captalk is behind the curve.
Nick
Salty & Seasoned Contributor

Posts: 519
Unit: SWR-TX-001

« Reply #29 on: September 05, 2018, 03:48:42 PM »

Quote from: Eclipse
What, exactly, would be "revealed" from a public, free site?

Usernames and passwords. And, if the user is anything like the other 65% of users out there, they've reused the password here on other, arguably more important sites. So capture the user's username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,278
Unit: Worry

« Reply #30 on: September 05, 2018, 06:51:12 PM »

Quote from: Eclipse
What, exactly, would be "revealed" from a public, free site?

Quote from: Nick
Usernames and passwords. And, if the user is anything like the other 65% of users out there, they've reused the password here on other, arguably more important sites. So capture the user's username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.

Or for bonus points, got the user's CAPID from an ill-advised thread that got a stack of members to post their CAPIDs or a reversible reference to them, got into capnhq, got into WMIRS, Member Reports, etc.