CAP Talk  |  General Discussion  |  The Lobby  |  Topic: Your input requested
Author Topic: Your input requested  (Read 6682 times)
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,475
Unit: Worry

« Reply #20 on: September 05, 2018, 04:30:27 PM »

Google Developers Web Fundamentals:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

The question is no longer "why https" the question is "why aren't you following best practices?"
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,223

« Reply #21 on: September 05, 2018, 04:39:33 PM »

No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.
Blanding
Member

Posts: 52
Unit: MER-VA-102

« Reply #22 on: September 05, 2018, 04:53:28 PM »

Quote from: Eclipse
No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.

Emphasis mine:

Quote from: The above linked article
One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions...
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,223

« Reply #23 on: September 05, 2018, 05:08:32 PM »

Yes, thank you - I read the same article cited.

What, exactly, would be "revealed" from a public, free site?

I'm not arguing that it's not a best practice, but when there is cost involved, either soft or hard,
you have to look at what you're protecting, which in this case isn't anything (that I know of).

Making "aggregate inferences about intentions and behaviors?"  Seriously?
And how would one do that with just compromised data streams?

The intentions and behaviors are publicly published.

And using HTTPS doesn't necessarily protect the webserver or CMS from being compromised
with malware, it just protects the streams from being read in transit.

This site is free for users.  Who will pay for the certs?
« Last Edit: September 05, 2018, 05:12:52 PM by Eclipse »

chuckmilam
Forum Regular

Posts: 143
Unit: GLR-KY-216

« Reply #24 on: September 05, 2018, 05:13:20 PM »

Quote from: Eclipse
This site is free for users.  Who will pay for the certs?

Pay for certs?  Why?  There's this:  https://letsencrypt.org/
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,475
Unit: Worry

« Reply #25 on: September 05, 2018, 05:14:11 PM »

There is no cost anymore.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,223

« Reply #26 on: September 05, 2018, 05:25:07 PM »

Excellent - assert "security" is needed, then implement it from a free service that is the first one that pops up in Google.

FWIW, they are fine, but their certs expire on a regular basis, which is a PITA.

One that is unnecessary.
chuckmilam
Forum Regular

Posts: 143
Unit: GLR-KY-216

« Reply #27 on: September 05, 2018, 06:55:24 PM »

The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.
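An added example, not code from any poster in this thread or from Let's Encrypt: a monitoring check that an ACME-issued certificate is actually being renewed on schedule, assuming Let's Encrypt's 90-day lifetime and certbot's default of renewing when fewer than 30 days remain (the hostname and the 30-day threshold are assumptions).

```python
import socket
import ssl
from datetime import datetime, timezone

# Let's Encrypt issues 90-day certificates and certbot renews when fewer than
# 30 days remain, so a broken ACME renewal shows up as a certificate that keeps
# creeping toward expiry instead of resetting. The threshold mirrors that
# default (an assumption; adjust to your own renewal schedule).
RENEW_WITHIN_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Days left on a certificate.

    not_after uses the format ssl's getpeercert() returns, e.g.
    'Sep  5 04:30:27 2018 GMT'. `now` is an aware datetime or epoch seconds;
    it defaults to the current UTC time.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser, UTC
    if now is None:
        now = datetime.now(timezone.utc)
    now_ts = now.timestamp() if isinstance(now, datetime) else float(now)
    return (expiry_ts - now_ts) / 86400.0


def renewal_status(not_after, now=None):
    """'expired', 'renew-now' (the ACME client should already have renewed;
    investigate the renewal job) or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days < RENEW_WITHIN_DAYS:
        return "renew-now"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf cert's notAfter.
    Network call; the offline test does not exercise it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = "example.invalid"  # hypothetical; replace with the site monitored
    not_after = fetch_not_after(host)
    print(host, not_after, renewal_status(not_after))
```

Run it from cron a few times a day; anything other than "ok" means the ACME client is not doing the renewal it was expected to do.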
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,475
Unit: Worry

« Reply #28 on: September 05, 2018, 07:11:43 PM »

Quote from: chuckmilam
The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.

Trust me, captalk is behind the curve.
Nick
Salty & Seasoned Contributor

Posts: 519
Unit: SWR-TX-001

« Reply #29 on: September 05, 2018, 07:48:42 PM »

Quote from: Eclipse
What, exactly, would be "revealed" from a public, free site?
Usernames and passwords. And, if the user is anything like the other 65% of users out there, they’ve reused the password here on other, arguably more important sites. So capture the user’s username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,475
Unit: Worry

« Reply #30 on: September 05, 2018, 10:51:12 PM »

Quote from: Nick
What, exactly, would be "revealed" from a public, free site?
Usernames and passwords. And, if the user is anything like the other 65% of users out there, they’ve reused the password here on other, arguably more important sites. So capture the user’s username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.

Or for bonus points, got the user's CAPID from an ill-advised thread that got a stack of members to post their CAPIDs or a reversible reference to them, got into capnhq, got into WMIRS, Member Reports, etc.
Dr.Cole_Ph.D
Newbie

Posts: 3
Unit: GA-069

« Reply #31 on: Yesterday at 05:05:48 PM »

I would suggest that you try to make the site look cleaner. Maybe just make things look a little sharper and clean up some menu directories. I like the whole “this is a CAP only message board”. This site is great and I would be willing to help with anything you guys need.
JohhnyD
Recruit

Posts: 23

« Reply #32 on: Today at 03:42:21 AM »

I like that obscure questions get answers, not so happy about the occasional flaming, but this is the internet.