Welcome! Log In Create A New Profile

Advanced

https

Posted by WesBrooks 
https
September 06, 2017 06:14AM
Hi All,

I'm sure I posted something along these lines on here before but I can't find the thread - so may be I didn't! :-D

The lack of https protection for the log in and general site usage seems to be making the users of this forum vulnerable. I'm not a website expert, but assume there is reason behind firefox warning me that logins to this site are not secure. My understanding is the passwords used at the login stage are vulnerable, and in turn if you use similar passwords for multiples sites then the problem multiplies.

Is there a plan in place to up grading this site to https?
Re: https
September 06, 2017 04:55PM
Don't use the same password on every site. Thats insecure right off the start. Plus you assuming, if the system used https encryption (which would involve purchasing a signed ssl certificate) and that if the site ever got hacked your login/password information would be safe, which it wouldn't be.
Re: https
September 06, 2017 08:48PM
[letsencrypt.org]

its now free to get a cert.
Just needs someone to set it up. Can be tricky on older systems... needs either a static IP or to support something like SNI (Server Name Indication)

Other than that, agreed, If you use the same password for multiple sites, you deserve a good {insert punishment you don't want, here}
Re: https
September 07, 2017 01:00AM
I did say similar! No need to state the obvious regarding passwords here. A well designed site will not store passwords in clear text. Yes, the encryption is fallible, but not as vulnerable as shouting out your pin code as you type it in at the cash point! We're all likely to have passwords for at least one bank account, multiple social sites, forums, and business log ons. Unless you are randomising your passwords (and so making them very easy to forget) then it's likely there are patterns in the way your passwords are generated even if they are subconscious. Likewise if you do randomise them there is a good chance you've written them down or stored them somewhere, making that a risk too.

When you login with http the password is sent in clear text and and can be intercepted at many points along the communication. Would you be happy using this site with no password at the login stage? This is effectively what any site is doing without https.

I was going to link to a thread on a Land Rover forum of them tackling this exact issue, but as it's it now all https you can't see nowt on protected pages without a log in!

Edited 2 time(s). Last edit at 09/07/2017 01:41AM by WesBrooks.
Re: https
September 07, 2017 01:21AM
Making light of a serious on line identity issue:

XKCD Password Reuse
XKCD Password Strength

...and just to show how awkward the password generation debate is:

Is the XKCD Scheme no Longer Good Advice?

Edited 2 time(s). Last edit at 09/07/2017 01:42AM by WesBrooks.
Sorry, only registered users may post in this forum.

Click here to login