The Money Mustache Community
General Discussion => Forum Information & FAQs => Topic started by: Frankies Girl on March 08, 2017, 02:05:36 PM
-
I'm sure this is something y'all are aware of, but I got a warning to not log in on this site due to the secure login no longer existing. I am using Firefox, and they now alert you when you have a login and there is no https:// available. Pasting this in front of the existing addy gets a "page does not exist" error.
-
Exactly how would an ssl connection to this site improve your life? Other than not being pointlessly browbeaten by your chosen browser, that is...
-
Exactly how would an ssl connection to this site improve your life? Other than not being pointlessly browbeaten by your chosen browser, that is...
No idea. Not sure why the snark or snide response, but as the entire site was just migrated and there have been growing pains and likely others will be getting this same error and not sure what to do, so thought I'd mention it here to be helpful or something (so they know it's not just them and can ignore if necessary or voice their own concerns with the lack of security)... guess being helpful is the wrong thing to do?
-
I'm sure this is something y'all are aware of, but I got a warning to not log in on this site due to the secure login no longer existing.
Actually, it never existed, so it's not an issue with the migration.
That being said, I would prefer a secure connection, at least for logins.
-
Let's Encrypt is free SSL certs.
https://letsencrypt.org/
-
I would also like this site to be through https.
-
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.
No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.
No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.
No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a moderator's connection has a nice way to gather IPs of users, making it easier to collect this smorgasbord of user information.
No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.
It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.
-
It also means that if you're posting via your company's internet connection (shame, shame) it's trivial for IT or whomever to record everything you post. Not to mention probably trivially figure out who you are and browse all your prior or future posts if they felt so inclined.
-
It also means that if you're posting via your company's internet connection (shame, shame) it's trivial for IT or whomever to record everything you post. Not to mention probably trivially figure out who you are and browse all your prior or future posts if they felt so inclined.
(https://media.giphy.com/media/NfGTU1FFnPIwo/giphy.gif)
We have a winner.
-
Thanks, MilesTeg, very informative. I'd thought about the password thing but not most of the other points.
-
Holy crap, how did I not notice that? Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.
-
Holy crap, how did I not notice that? Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.
Aren't you the most powerful dragon by default?
-
Holy crap, how did I not notice that? Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.
Aren't you the most powerful dragon by default?
No, there are some competitors
-
Holy crap, how did I not notice that? Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.
Aren't you the most powerful dragon by default?
No, there are some competitors
Pah. The Dragoncar is without peer.
-
Holy crap, how did I not notice that? Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.
Aren't you the most powerful dragon by default?
No, there are some competitors
Pah. The Dragoncar is without peer.
You take this back missie.
-
Beware the dragon car without a walrus Stache!
-
Uh-Oh. Seriously, I am doomed. Moderators, what the hell???
Oh, fuckety fuck. At least I'm not posting on a work computer. Accccckkk!
-
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.
No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.
No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.
No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a moderator's connection has a nice way to gather IPs of users, making it easier to collect this smorgasbord of user information.
No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.
It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.
I concur with all of this, and I just got approval from MMM to start implementing SSL here! Hopefully will be good to go by the end of the day.
Cheers!
-
Houston, we have SSL!
Let me know if you run into any problems since the change and I'll look into them!
-
Somebody has been impersonating me. Please investigate.
-
Firefox and Vivaldi browser (both Linux versions) still complain no HTTPS. Can someone give me the SSL vs HTTPS explanation?
-
clackapedia, thanks to you and MMM for your prompt response to addressing the concern that was raised. Appreciate it!
-
^^^Amen.^^^
-
Thanks for the quick response!
You can cancel my request for a refund of the site membership fee. :)
-
Awesome would buy again!
-
Somebody has been impersonating me. Please investigate.
Nice one Paul
(http://i.imgur.com/YT9IEfv.png?1)
-
Houston, we have SSL!
Let me know if you run into any problems since the change and I'll look into them!
Wow. Serious thanks to MMM and clackapedia for making the forum https.
In addition to all the good reasons listed by MilesTeg and omachi, I am also concerned that very recently the head of the FTC killed a rule that would have stopped your own ISP from spying on your Internet browsing (and posts), and then selling your data to data brokers and advertisers. A major violation of everyone's law abiding right to read and communicate with the expectation of privacy. Https puts a stop to that nonsense.
I post details here of my financial and personal life that I reveal to no one else, and I sure don't think it is any of my ISP's business.
One trivial thing. Chrome browser reports that there are insecure elements, so the site does not report as fully secure like for example a banking site. Chrome says “Your connection to this site is not fully secure. Attackers might be able to see the images you're looking at on this site and trick you by modifying them.” Clicking details adds "Mixed Content. The site includes HTTP resources."
-
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.
No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.
No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.
No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a moderator's connection has a nice way to gather IPs of users, making it easier to collect this smorgasbord of user information.
No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.
It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.
I concur with all of this, and I just got approval from MMM to start implementing SSL here! Hopefully will be good to go by the end of the day.
Cheers!
Awesome, thanks for the (swift!) attention and fix!
-
I don't believe the images not being secured is an issue. That is a pretty common "issue" on many web sites.
-
Thanks to the site operators/mods for putting in HTTPS support.
-
I don't believe the images not being secured is an issue. That is a pretty common "issue" on many web sites.
Even if it were an issue, this isn't something that can be solved by the mods. People can embed their own images in their posts that were uploaded to other sites such as imgur that aren't delivered via https.
-
just got this error message. using mozilla
"The information you have entered on this page will be sent over an insecure connection and could be read by a third party.
Are you sure you want to send this information?"
-
While user content can still be linked insecurely, it would be helpful if the header image was linked via https:// - at least then on any pages that don't have user linked images, it would be 100% secure. Good for reducing confusion and paranoia.
-
ok, twice now when I have modified a post have I gotten the error message. and only then.
-
ok, twice now when I have modified a post have I gotten the error message. and only then.
I was just about to report the same issue – it's definitely on updating a post, though I don't remember if I pushed modify or edit.
-
Extreme excellentness that the forum gods implemented this request! Just posting to express appreciation, admiration, and thanks :)
-
just got this error message. using mozilla
"The information you have entered on this page will be sent over an insecure connection and could be read by a third party.
Are you sure you want to send this information?"
Had this last week when responding to big threads and it would reload to "create new thread".
But I updated my iOS last night and so far no probs.
-
I posted too soon- tried to post in a big thread which I haven't posted in before eg more than 50? 100 posts? but won't let me. I couldn't even edit my previous post in this thread.
-
just got this error message. using mozilla
"The information you have entered on this page will be sent over an insecure connection and could be read by a third party.
Are you sure you want to send this information?"
I just got this same error replying to a thread using Firefox Version 52.0.2. I post fairly frequently and have not seen this before today.
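-
The two browser warnings reported in this thread, Chrome's "Mixed Content" notice and Firefox's "insecure connection" prompt on modifying a post, are both typically triggered by http:// URLs referenced from a page served over https://. As an added example (not part of the thread and not the forum's own code), this Python sketch scans a page's HTML for insecure subresources and for forms that would submit over plain HTTP. The host names, paths and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make the browser fetch a subresource.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
ACTIVE = {("script", "src"), ("iframe", "src")}

class InsecureRefScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in PASSIVE:
                kind = "passive-mixed-content"
            elif (tag, name) in ACTIVE:
                kind = "active-mixed-content"
            elif (tag, name) == ("form", "action"):
                kind = "insecure-form-post"
            else:
                continue
            # Resolve relative and protocol-relative URLs against the page.
            target = urljoin(self.page_url, value)
            if urlparse(target).scheme == "http":
                self.findings.append((kind, tag, target))

def scan(page_url, html):
    """Return insecure references found in an HTTPS page's HTML."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only applies to HTTPS pages")
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a theme header image and a user-embedded image over
# http://, plus an edit form whose action still points at http://.
SAMPLE_URL = "https://forum.example/index.php?topic=1"
SAMPLE_HTML = """
<img src="http://forum.example/theme/header.png">
<img src="https://forum.example/avatars/1.png">
<img src="http://images.example/user-upload.png">
<script src="/theme/script.js"></script>
<form action="http://forum.example/post.php?edit=1" method="post"></form>
<form action="login.php" method="post"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:22} <{tag}> {url}")
```

Findings on site-owned URLs (theme images, form actions) are fixable by the operator; user-embedded images from third-party hosts need rewriting or proxying on the server side.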