Started by whatevah, December 31, 2017, 03:51:32 am
0 Members and 1 Guest are viewing this topic.
Quote from: Eclipse on September 05, 2018, 04:39:33 pmNo, the question is and was why is it necessary?This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.
Quote from: The above linked articleOne common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions...
Quote from: Eclipse on September 05, 2018, 05:08:32 pmThis site is free for users. Who will pay for the certs?
Quote from: chuckmilam on September 05, 2018, 06:55:24 pmThe certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients. I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment: https://letsencrypt.org/docs/client-options/HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.
Quote from: Eclipse on September 05, 2018, 05:08:32 pmWhat, exactly, would be "revealed" from a public, free site?
Quote from: Nick on September 05, 2018, 07:48:42 pmQuote from: Eclipse on September 05, 2018, 05:08:32 pmWhat, exactly, would be "revealed" from a public, free site?Usernames and passwords. And, if the user is anything like the other 65% of users out there, they've reused the password here on other, arguably more important sites. So capture the user's username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.
Page created in 0.062 seconds with 23 queries.