Canreef Aquatics Bulletin Board

Thread: Enabling HTTPS ? (http://www.canreef.com/vbulletin/showthread.php?t=121904), posted in the Q&A forum (http://www.canreef.com/vbulletin/forumdisplay.php?f=19)

SoloSK71 01-01-2017 07:41 PM

Enabling HTTPS ?
 
Hi,

I was wondering if there was a schedule or plan to enable HTTPS for the board?

Charles

Myka 01-02-2017 02:22 AM

Forwarded to Titus, he may take awhile to answer. :)

SoloSK71 01-02-2017 02:24 AM

Thanks :)

One of my New Year's Resolutions is to be a little more tight on my electronic security, so I went through the various forums I post on asking to turn this feature on.

Charles

titus 01-02-2017 03:25 AM

Hello

Charles, no, because we don't do ecommerce here so there is no imminent need to have https. However, yes, there is a plan as a general upgrade but I can't specify a date.

Titus

Myka 01-02-2017 01:03 PM

Quote:

Originally Posted by SoloSK71 (Post 1005044)
Thanks :)

One of my New Year's Resolutions is to be a little more tight on my electronic security, so I went through the various forums I post on asking to turn this feature on.

Charles

Hi Charles,

None of the forums I frequent use https. All of the online vendors I frequent use https. I didn't think there was any need for https unless you were entering payment information. Could you explain more?

SoloSK71 01-02-2017 05:18 PM

Taken from a presentation at the Chrome Developers Summit 2016 by Kayce Basques.

Quote:

HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.

Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.

Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML … they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.

Quote:

HTTPS prevents intruders from being able to passively listen to communications between your websites and your users.

One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.

Charles

Myka 01-02-2017 06:47 PM

Thanks Charles. Though I don't know what most of that means. :lol:

SoloSK71 01-02-2017 09:17 PM

The quick summary is that HTTPS protects more than just e-commerce.

It means it would be harder for someone's account to be hacked, and if people wanted to pass on PayPal or Interac payments through PMs they would be secure while doing so.

It means that a malicious ad provider could not inject their ads instead of the ones the forum sponsors pay for.

Charles

DKoKoMan 01-02-2017 10:26 PM

Lost me... :biggrin:

Bugger 01-02-2017 11:36 PM

What would the site use it for?
Isn't this a node.js thing? Where you require("https") and then set it to a variable and extract something from a website like the weather or something?

Coasting 01-03-2017 12:16 AM

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in February I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts was stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop; they somehow got my login and password for stuff I don't have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is a part of or whatever.

Quote:

Notice of Data Breach

You may have heard reports recently about a security issue involving VerticalScope. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you. VerticalScope owns and operates a number of community websites. You are receiving this email because you are a registered user of the following community website(s) involved in the data breach:
www.bcaquaria.com

What Happened?

On June 13, 2016, we became aware that February 2016 data stolen from VerticalScope was being made available online.

What Information Was Involved?

Community member usernames, email addresses, hashed passwords, community userIDS, community website, and the IP address the username originally registered with.

Myka 01-03-2017 12:20 AM

Quote:

Originally Posted by Coasting (Post 1005112)
I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in February I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts was stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop; they somehow got my login and password for stuff I don't have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is a part of or whatever.

Wow! I've never heard of anything like this! If using https is "a thing", then why are none of the biggest forums using it?

SoloSK71 01-03-2017 01:36 AM

They have not had an incident yet?

Google, Firefox and Microsoft have not put enough emphasis on it?

It requires a bit more effort (getting an SSL certificate) than a regular implementation.

Charles

Myka 01-03-2017 02:07 AM

Quote:

Originally Posted by SoloSK71 (Post 1005115)
They have not had an incident yet?

No idea. I checked a bunch of forums, and didn't find even one of them using https. I haven't heard of anything like this until this thread. :)

SoloSK71 01-03-2017 03:17 PM

Another post - https://www.google.ca/amp/s/www.troy...tin-forum/amp/

The vBulletin forums run on HTTPS as well.

Charles

Reef Pilot 01-03-2017 03:30 PM

More and more are using https, and for very good reason. I just checked some other forums that I sometimes frequent. Some use it, and some don't.

Can never totally prevent hacking, but in this day and age, with all the bots running, should at least keep the front doors closed.

warriorcookie 01-04-2017 10:37 PM

The only real benefit https would add is making it more difficult for intruders to intercept usernames and passwords at the time of login. This adds extra costs for the host because you need to pay to have your SSL certificate signed every year. The effectiveness of https is extremely debatable too. Even with https in place, the user database is subject to its own vulnerabilities.

You cannot rely on forums to keep your information secure. They are being run on a shoestring budget which means most of the staff is volunteer, hosting is provided by an economy hosting service on an entry level plan with basic firewall and database offered.

To make things worse, most people use the same username and password for every forum they are a member of. All it takes is for one forum to get their database dumped, and they have access to thousands of usernames and passwords with email addresses that they could use to log in to PayPal, banks, other forums, etc., all because of the same password being used over and over.

Instead, use a password service like LastPass. You pick one good password for the main app, then it auto-generates random 20+ character passwords for all the websites you use. It can do an audit on all the accounts saved in your computer and automatically change a lot of them for you. Apps for Android and Apple will automatically fill in username and password for all the sites and apps you use. This way if one site is hacked, you only have to change the password for the one site, not all of them. How many times does a forum database get dumped and the admins don't even realize?

If you use a word or any part of a word for a password it can be cracked very quickly. To a dictionary brute force script, the difference between the password "isolated" and "1s0LaTed" is minimal. All my passwords are the maximum characters allowed by the site and look a lot like: "gdIj65vj#5)9hKhy6" and I don't have to remember any because my password manager enters it for me.
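The point made above (that "1s0LaTed" is barely better than "isolated" to a wordlist attack, while a long random string like "gdIj65vj#5)9hKhy6" is a different class) can be shown with a small password-strength check. The script below is an added example, not code from this thread or from any password manager: it undoes the common digit/symbol substitutions and case before looking the candidate up in a wordlist, and only then falls back to a naive character-set entropy estimate. The substitution table and the five-word wordlist are constructed for the example; a real check would load a full wordlist file.

```python
"""Password check: undo leet substitutions before a dictionary lookup,
then estimate naive entropy for what is left. Added example, not the
forum's or a password manager's code."""
import math
import string

# Constructed substitution table: the reverse of the common "leet" rules
# a cracking wordlist applies, so "1s0LaTed" folds back to "isolated".
LEET_TO_PLAIN = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Constructed toy wordlist; a real check would read a wordlist file.
WORDLIST = {"isolated", "password", "reef", "aquarium", "coral"}


def normalize(candidate: str) -> str:
    """Lower-case and undo substitutions so variants collapse to one form."""
    return candidate.lower().translate(LEET_TO_PLAIN)


def contains_dictionary_word(candidate: str, wordlist=WORDLIST, min_len: int = 4) -> bool:
    """True if any wordlist entry (of at least min_len letters) appears in the
    normalized candidate, i.e. the password is a word or a word with padding."""
    folded = normalize(candidate)
    return any(word in folded for word in wordlist if len(word) >= min_len)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password: str) -> float:
    """Naive entropy: length * log2(alphabet). Only meaningful for random
    strings; a dictionary word with substitutions scores far higher than
    it deserves, which is exactly why the dictionary check runs first."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str) -> str:
    """Classify a candidate password. Dictionary hits are weak regardless
    of how the entropy estimate looks."""
    if contains_dictionary_word(password):
        return "weak: dictionary word (after undoing substitutions)"
    bits = entropy_bits(password)
    if bits < 50:
        return "weak: too short or too small an alphabet"
    if bits < 80:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ("isolated", "1s0LaTed", "gdIj65vj#5)9hKhy6"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} naive bits -> {assess(pw)}")
```

The naive entropy of "1s0LaTed" comes out around 48 bits, which would look acceptable on its own; running the dictionary check first is what exposes it as a one-word password.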

warriorcookie 01-04-2017 10:41 PM

Quote:

Originally Posted by Coasting (Post 1005112)
I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in February I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts was stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop; they somehow got my login and password for stuff I don't have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is a part of or whatever.

While this sucks big time, to be clear, https would NOT have prevented this. This was a database dump.

warriorcookie 01-05-2017 12:06 AM

Just wanted to clarify, as my previous responses were typed on a touch screen from an airplane...

Do I think https should be employed: whenever possible, yes! But does this mean you can rest easy that your usernames, passwords, birthdates, email address and everything else are safe on this forum and any other: absolutely not!

The reality is that maybe a few of the forums will spend the money and upgrade to https, but the vast majority simply cannot or will not, and it only marginally improves one aspect of the many security vulnerabilities that these forums face. The only thing you can rely on is yourself to follow the latest good security practices when it comes to what info you keep online and how you choose usernames and passwords and how often you change them. My information has been stolen once before, but they only got access to a limited amount of information and there was zero overlap with any other website be it banking info or other.

Myka 01-05-2017 01:28 AM

Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it. :)

warriorcookie 01-05-2017 10:58 PM

Quote:

Originally Posted by Myka (Post 1005255)
Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it. :)

Yup, that's the way I do it. Keep the info you enter in your profile limited and use a different password for everything. Repeating the email or username is fine.

There are lots of password managers out there. You need to make sure whichever you go with is secure. If it becomes compromised then they have everything. After looking into several, LastPass was the one I settled on.

SoloSK71 01-12-2017 05:02 PM

Wow, I can't believe the contrast in staff response between here and Reef Central to my question. Myka and Titus, you guys have gained a ton of respect in my books.

Charles

Samw 01-05-2023 05:00 AM

oh interesting. I didn't realize Canreef had been running this long without HTTPS enabled.

Without HTTPS, our login ids and passwords and everything else are sent to the webserver in plain text for anyone between the network endpoints to read with a packet sniffer. Of course, the users most at risk are the ones that use the same id/email and passwords on other websites. That's how many people get hacked.

There are free certificates now such as Let's Encrypt. I haven't personally used them myself but it looks popular.

Taking a quick scan at some aquarium forums, reef2reef, reefcentral, bcaquaria, plantedtank, etc are all using HTTPS.

titus 01-05-2023 03:13 PM

Hello

The plan is to migrate to Discourse and a lot of code was written to automate generation and rotation using Let's Encrypt, and no, I'm not using certbot but wrote our own custom one. The UAT version was deployed on https://uat.canreef.com. You can see the cert expired on 20 Nov 2022. That's not the issue but the following.

My original plan was to have the following:
https://www.canreef.com/discussion for the discussion forums
https://www.canreef.com/<other stuff> for other stuff

And so I set up an NGINX reverse proxy to do this but there were some issues with Discourse supporting this. That was back in Oct and then I ran into a rabbit hole and then stopped.

I could have gone with the following:
https://www.canreef.com for discussion forum
https://other.canreef.com for other stuff

However, doing it this way means we need different DNS alias entries for each incremental feature I want to add. It is not insurmountable as I set up our own DNS server with code as well but it's an extra step and I really didn't like the idea of how the DNS looks.

Given how far we have gotten I'd rather just finish the work proper.

Titus
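Two checks follow from the last few posts: Samw's point that without HTTPS credentials cross the network in clear text (so a site should redirect every plain-HTTP request to HTTPS), and Titus's note that a custom Let's Encrypt rotation job let the UAT certificate lapse on 20 Nov 2022 (so rotation needs an independent expiry monitor). The script below is an added example, not the forum's or Titus's own code. The decision logic is kept in pure functions so it can be exercised offline; `fetch_cert_not_after` and `fetch_http_redirect` are the only parts that touch the network, and the hostname, the "12:00:00" time of day on the expiry and the 30-day warning threshold are assumptions for the example.

```python
"""TLS hygiene check: certificate days-to-expiry and HTTP->HTTPS redirect.
Added example, not the forum's own code."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` (timezone-aware) to the certificate's notAfter,
    as returned by ssl.getpeercert(), e.g. 'Nov 20 12:00:00 2022 GMT'.
    Negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def expiry_status(days_left: int, warn_days: int = 30) -> str:
    """Classify for an alerting job; warn well before Let's Encrypt's 90-day lifetime ends."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "RENEW SOON"
    return "OK"


def redirect_is_https_upgrade(status: int, location, host: str) -> bool:
    """True only if a plain-HTTP request was answered with a redirect to the
    same host over https. A 200 over HTTP means logins can be served in clear."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlparse(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def fetch_cert_not_after(host: str, port: int = 443) -> str:
    """Network: open a verified TLS session and return the leaf cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def fetch_http_redirect(host: str):
    """Network: request / over plain HTTP (no redirects followed) and return
    (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "uat.canreef.com"  # assumed default
    now = datetime.now(timezone.utc)
    try:
        not_after = fetch_cert_not_after(host)
        days = days_until_expiry(not_after, now)
        print(f"{host}: cert notAfter={not_after} ({days} days) -> {expiry_status(days)}")
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted cert fails verification before getpeercert().
        print(f"{host}: TLS verification failed: {exc.verify_message}")
    except OSError as exc:
        print(f"{host}: TLS connect failed: {exc}")
    try:
        status, location = fetch_http_redirect(host)
        ok = redirect_is_https_upgrade(status, location, host)
        print(f"{host}: HTTP / -> {status} {location or ''} -> {'upgrades to https' if ok else 'NO https redirect'}")
    except OSError as exc:
        print(f"{host}: HTTP connect failed: {exc}")
```

Run as a cron job alongside the rotation code, the `expiry_status` result is what should page someone; with Let's Encrypt's 90-day certificates a 30-day threshold gives a full renewal cycle of warning before a lapse like the one on the UAT host.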


Powered by vBulletin® Version 3.7.3