May 28, 2020, 02:11:39 am

Your input requested

Started by whatevah, December 31, 2017, 03:51:32 am


Holding Pattern

Google Developers Web Fundamentals:

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

The question is no longer "why https" the question is "why aren't you following best practices?"

Eclipse

No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.



Blanding

Quote from: Eclipse on September 05, 2018, 04:39:33 pm
No, the question is and was why is it necessary?

This site doesn't do anything that requires the additional overhead of HTTPS, nor the expense of the certificate(s) themselves.


Emphasis mine:

Quote from: The above linked article
One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions...

Eclipse

September 05, 2018, 05:08:32 pm #23 Last Edit: September 05, 2018, 05:12:52 pm by Eclipse
Yes, thank you - I read the same article cited.

What, exactly, would be "revealed" from a public, free site?

I'm not arguing that it's not a best practice, but when there is cost involved, either soft or hard,
you have to look at what you're protecting, which in this case isn't anything (that I know of).

Making "aggregate inferences about intentions and behaviors?"  Seriously?
And how would one do that with just compromised data streams?

The intentions and behaviors are publicly published.

And using HTTPS doesn't necessarily protect the webserver or CMS from being compromised
with malware, it just protects the streams from being read in transit.

This site is free for users.  Who will pay for the certs?



chuckmilam

Quote from: Eclipse on September 05, 2018, 05:08:32 pm
This site is free for users.  Who will pay for the certs?


Pay for certs?  Why?  There's this:  https://letsencrypt.org/

Holding Pattern


Eclipse

Excellent - assert "security" is needed, then implement it from a free service that is the first one that pops up in Google.

FWIW, they are fine, but their certs expire on a regular basis, which is a PITA.

One that is unnecessary.



chuckmilam

The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.
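The expiry concern raised above is exactly what an ACME client handles by renewing early; the check below (added here as an illustration, not code from this thread or from Let's Encrypt) fetches a server's certificate with Python's standard library and reports whether it is inside the 30-day window in which Let's Encrypt recommends renewal of its 90-day certificates. The host name and the sample dates are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Let's Encrypt issues 90-day certificates and recommends renewing when
# 30 days remain; an ACME client such as certbot does this on a timer.
LE_LIFETIME_DAYS = 90
RENEW_WITHIN_DAYS = 30


def fetch_not_after(host: str, port: int = 443) -> str:
    """Return the peer certificate's notAfter field, e.g. 'Jun  1 12:00:00 2020 GMT'."""
    ctx = ssl.create_default_context()  # validates chain and host name
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days left before the certificate expires (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the notAfter string as UTC
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def renewal_status(not_after: str, now: Optional[datetime] = None) -> str:
    """Classify a certificate as OK, RENEW_NOW or EXPIRED for monitoring."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= RENEW_WITHIN_DAYS:
        # A working ACME client should already have replaced this cert.
        return "RENEW_NOW"
    return "OK"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    na = fetch_not_after(host)
    print(host, na, days_until_expiry(na), renewal_status(na))
```

Wire the status into whatever monitoring the hosting already has; an alert on RENEW_NOW catches a stalled ACME client long before visitors see a browser warning.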

Holding Pattern

Quote from: chuckmilam on September 05, 2018, 06:55:24 pm
The certs will auto-renew via the Automatic Certificate Management Environment (ACME) clients.  I don't know the specifics of the CAP Talk hosting, but I imagine there's something that will fit the environment:  https://letsencrypt.org/docs/client-options/

HTTPS is becoming less of an option and more of a requirement, so it would be good to get ahead of the curve.


Trust me, captalk is behind the curve.

Nick

Quote from: Eclipse on September 05, 2018, 05:08:32 pm
What, exactly, would be "revealed" from a public, free site?

Usernames and passwords. And, if the user is anything like the other 65% of users out there, they've reused the password here on other, arguably more important sites. So capture the user's username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy

Holding Pattern

Quote from: Nick on September 05, 2018, 07:48:42 pm
Quote from: Eclipse on September 05, 2018, 05:08:32 pm
What, exactly, would be "revealed" from a public, free site?

Usernames and passwords. And, if the user is anything like the other 65% of users out there, they've reused the password here on other, arguably more important sites. So capture the user's username and password, log in as them, find their email address from their profile, then go hit their mailbox with that same password, profit.


Or for bonus points, got the user's CAPID from an ill-advised thread that got a stack of members to post their CAPIDs or a reversible reference to them, got into capnhq, got into WMIRS, Member Reports, etc.

Dr.Cole_Ph.D

I would suggest that you try to make the site look cleaner. Maybe just make things look a little sharper and clean up some menu directories. I like the whole "this is a CAP only message board". This site is great and I would be willing to help with anything you guys need.

JohhnyD

I like that obscure questions get answers, not so happy about the occasional flaming, but this is the internet.