Enabling HTTPS ?

[Coasting]

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.

Quote:

Notice of Data Breach

You may have heard reports recently about a security issue involving VerticalScope. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you. VerticalScope owns and operates a number of community websites. You are receiving this email because you are a registered user of the following community website(s) involved in the data breach:
www.bcaquaria.com

What Happened?

On June 13, 2016, we became aware that February 2016 data stolen from VerticalScope was being made available online.

What Information Was Involved?

Community member usernames, email addresses, hashed passwords, community userIDS, community website, and the IP address the username originally registered with.

[Myka]

Quote:

Originally Posted by Coasting

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.

Wow! I've never heard of anything like this! If using https is "a thing", then why are none of the biggest forums using it?

[SoloSK71]

They have not had an incident yet?

Google, Firefox and Microsoft have not put enough emphasis on it?

It requires a bit more effort (getting an SSL certificate) that a regular implementation.

Charles

[Myka]

Quote:

Originally Posted by SoloSK71

They have not had an incident yet?

No idea. I checked a bunch of forums, and didn't find even one of them using https. I haven't heard of anything like this until this thread.

[SoloSK71]

Another post - https://www.google.ca/amp/s/www.troy...tin-forum/amp/

The vBulletin forums run on HTTPS as well.

Charles

[Reef Pilot]

More and more are using https, and for very good reason. I just checked some other forums that I sometimes frequent. Some use it, and some don't.

Can never totally prevent hacking, but in this day and age, with all the bots running, should at least keep the front doors closed.

[warriorcookie]

The only real benefit https would add is making it more difficult for intruders to intercept username and passwords at the time of login. This adds extra costs for the host because you need to pay to have your ssl certificate signed every year. The effectivness of https is extremly debatable too. Even with https in place, the user database is subject to its own vulnerabilities.

You cannot rely on forums to keep your information secure. They are being run on a shoestring budget which means most of the staff is volunteer, hosting is provided by an economy hosting service on an entry level plan with basic firewall and database offered.

To make things worse, most people use the same username and password for every forum they are a member of. All it takes is for one forum to get their database dumped, and they have access to thousands of usernames and passwords with email addresses that they could use to login to paypall, banks, other forums, etc. all because of the same password being used over and over.

Instead, use a password service like LastPass. You pick one good password for the main app, then it auto generates random 20+ character passwords for all the websites you use. It can do an audit on all the accounts saved in your computer and automatically change alot of them for you. Apps for Android and apple will automatically fill in username and password for all the sites and apps you use. This way if one site is hacked, you only have to change the password for the one site, not all of them. How many times does a forum database get dumped and the admins don't even realize?

If you use a word or any part of a word for a password it can be cracked very quickly. To a dictionary brute force script, the difference between the password "isolated" and "1s0LaTed" is minimal. All my passwords are the maximum characters allowed by the site and look alot like: "gdIj65vj#5)9hKhy6" and i dont have to remember any because my password manager enters it for me.

[warriorcookie]

Quote:

Originally Posted by Coasting

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.

While this sucks big time, to be clear, https would NOT have prevented this. This was a database dump.

[warriorcookie]

Just wanted to clarify, as my previous responses where typed on a touch screen from an airplane...

Do I think https should be employed: whenever possible, yes! But does this mean you can rest easy that your user names, passwords, birthdates, email address and everything else is safe on this forum and any other: absolutely not!

The reality is that maybe a few of the forums will spend the money and upgrade to https, but the vast majority simply cannot or will not, and it only marginally improves one aspect of the many security vulnerabilities that these forums face. The only thing you can rely on is yourself to follow the latest good security practices when it comes to what info you keep online and how you choose usernames and passwords and how often you change them. My information has been stolen once before, but they only got access to a limited amount of information and there was zero overlap with any other website be it banking info or other.

[Myka]

Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it.