Author Topic: Site is not secure (no https://)  (Read 9875 times)

Frankies Girl

  • Magnum Stache
  • ******
  • Posts: 3899
  • Age: 86
  • Location: The oubliette.
  • Ghouls Just Wanna Have Funds!
Site is not secure (no https://)
« on: March 08, 2017, 02:05:36 PM »
I'm sure this is something y'all are aware of, but I got a warning to not log in on this site due to the secure login no longer existing. I am using Firefox, and they alert you when you have login now when there is no https:// available. Pasting this in front of the existing addy gets a "page does not exist" error.

bobechs

  • Handlebar Stache
  • *****
  • Posts: 1065
Re: Site is not secure (no https://)
« Reply #1 on: March 08, 2017, 03:16:58 PM »
Exactly how would an ssl connection to this site improve your life?  Other than not being pointlessly browbeaten by your chosen browser, that is...

Frankies Girl

  • Magnum Stache
  • ******
  • Posts: 3899
  • Age: 86
  • Location: The oubliette.
  • Ghouls Just Wanna Have Funds!
Re: Site is not secure (no https://)
« Reply #2 on: March 08, 2017, 03:31:43 PM »
Exactly how would an ssl connection to this site improve your life?  Other than not being pointlessly browbeaten by your chosen browser, that is...

No idea. Not sure why the snark or snide response, but as the entire site was just migrated and there have been growing pains and likely others will be getting this same error and not sure what to do, so thought I'd mention it here to be helpful or something (so they know it's not just them and can ignore if necessary or voice their own concerns with the lack of security)... guess being helpful is the wrong thing to do?

« Last Edit: March 11, 2017, 12:23:17 AM by Frankies Girl »

SoftwareGoddess

  • Stubble
  • **
  • Posts: 140
  • Location: Canada
Re: Site is not secure (no https://)
« Reply #3 on: March 08, 2017, 03:50:48 PM »
I'm sure this is something y'all are aware of, but I got a warning to not log in on this site due to the secure login no longer existing.

Actually, it never existed, so it's not an issue with the migration.

That being said, I would prefer a secure connection, at least for logins.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 4610
    • Syonyk's Project Blog
Re: Site is not secure (no https://)
« Reply #4 on: March 08, 2017, 04:56:41 PM »
Let's Encrypt is free SSL certs.

https://letsencrypt.org/

RWD

  • Walrus Stache
  • *******
  • Posts: 6529
  • Location: Arizona
Re: Site is not secure (no https://)
« Reply #5 on: March 08, 2017, 06:10:47 PM »
I would also like this site to be through https.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: Site is not secure (no https://)
« Reply #6 on: March 10, 2017, 08:04:00 PM »
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.

No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.

No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.

No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a Moderator's connection has a nicely way to gather IPS of users, making it easier to collect this smorgusborg of user information.

No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.

It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.
« Last Edit: March 10, 2017, 08:16:33 PM by MilesTeg »

omachi

  • Handlebar Stache
  • *****
  • Posts: 1158
  • Location: Minnesota
Re: Site is not secure (no https://)
« Reply #7 on: March 10, 2017, 08:31:11 PM »
It also means that if you're posting via your company's internet connection (shame, shame) it's trivial for IT or whomever to record everything you post. Not to mention probably trivially figure out who you are and browse all your prior or future posts if they felt so inclined.

Paul der Krake

  • Walrus Stache
  • *******
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
Re: Site is not secure (no https://)
« Reply #8 on: March 10, 2017, 08:44:07 PM »
It also means that if you're posting via your company's internet connection (shame, shame) it's trivial for IT or whomever to record everything you post. Not to mention probably trivially figure out who you are and browse all your prior or future posts if they felt so inclined.



We have a winner.

stashgrower

  • Bristles
  • ***
  • Posts: 343
  • Location: Australia
Re: Site is not secure (no https://)
« Reply #9 on: March 10, 2017, 10:23:08 PM »
Thanks, MilesTeg, very informative. I'd thought about the password thing but not most of the other points.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9923
  • Registered member
Re: Site is not secure (no https://)
« Reply #10 on: March 11, 2017, 01:22:14 AM »
Holy crap, how did I not notice that?  Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Site is not secure (no https://)
« Reply #11 on: March 11, 2017, 02:26:04 PM »
Holy crap, how did I not notice that?  Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.

Aren't you the most powerful dragon by default?

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9923
  • Registered member
Re: Site is not secure (no https://)
« Reply #12 on: March 11, 2017, 04:25:08 PM »
Holy crap, how did I not notice that?  Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.

Aren't you the most powerful dragon by default?


No, there are some competitors

Rural

  • Walrus Stache
  • *******
  • Posts: 5051
Re: Site is not secure (no https://)
« Reply #13 on: March 11, 2017, 05:05:11 PM »
Holy crap, how did I not notice that?  Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.

Aren't you the most powerful dragon by default?


No, there are some competitors


Pah. The Dragoncar is without peer,

Paul der Krake

  • Walrus Stache
  • *******
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
Re: Site is not secure (no https://)
« Reply #14 on: March 11, 2017, 11:24:23 PM »
Holy crap, how did I not notice that?  Yeah, I'm not a fan of my password being sent in plain text even though I don't reuse passwords, someone could certainly hack my account and pose as me, the most powerful dragon on the site.

Aren't you the most powerful dragon by default?


No, there are some competitors


Pah. The Dragoncar is without peer,
You take this back missie.

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9923
  • Registered member
Re: Site is not secure (no https://)
« Reply #15 on: March 12, 2017, 01:25:51 AM »
Beware the dragon car without a walrus Stache!

Dicey

  • Senior Mustachian
  • ********
  • Posts: 22319
  • Age: 66
  • Location: NorCal
Re: Site is not secure (no https://)
« Reply #16 on: March 12, 2017, 03:36:44 AM »
Uh-Oh. Seriously, I am doomed. Moderators, what the hell???

Oh, fuckety fuck. At least I'm not posting on a work computer. Accccckkk!

clackapedia

  • Administrator
  • 5 O'Clock Shadow
  • *****
  • Posts: 24
Re: Site is not secure (no https://)
« Reply #17 on: March 12, 2017, 11:09:45 AM »
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.

No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.

No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.

No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a Moderator's connection has a nicely way to gather IPS of users, making it easier to collect this smorgusborg of user information.

No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.

It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.

I concur with all of this, and I just got approval from MMM to start implementing SSL here!  Hopefully will be good to go by the end of the day.

Cheers!

clackapedia

  • Administrator
  • 5 O'Clock Shadow
  • *****
  • Posts: 24
Re: Site is not secure (no https://)
« Reply #18 on: March 12, 2017, 11:40:54 AM »
Houston, we have SSL!

Let me know if you run into any problems since the change and I'll look into them!


Paul der Krake

  • Walrus Stache
  • *******
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
Re: Site is not secure (no https://)
« Reply #19 on: March 12, 2017, 11:45:37 AM »
Somebody has been impersonating me. Please investigate.

Just Joe

  • Walrus Stache
  • *******
  • Posts: 6721
  • Location: In the middle....
  • Teach me something.
Re: Site is not secure (no https://)
« Reply #20 on: March 12, 2017, 11:50:40 AM »
Firefox and Vivaldi browser (both Linux versions) still complain no HTTPS. Can someone give me the SSL vs HTTPS explanation?

PJ

  • Handlebar Stache
  • *****
  • Posts: 1427
  • Age: 53
  • Location: Toronto, Canada
Re: Site is not secure (no https://)
« Reply #21 on: March 12, 2017, 01:14:34 PM »
clackapedia, thanks to you and MMM for your prompt response to addressing the concern that was raised.  Appreciate it!

Dicey

  • Senior Mustachian
  • ********
  • Posts: 22319
  • Age: 66
  • Location: NorCal
Re: Site is not secure (no https://)
« Reply #22 on: March 12, 2017, 01:25:43 PM »
^^^Amen.^^^

katsiki

  • Handlebar Stache
  • *****
  • Posts: 2015
  • Age: 43
  • Location: La.
Re: Site is not secure (no https://)
« Reply #23 on: March 12, 2017, 01:30:14 PM »
Thanks for the quick response!

You can cancel my request for a refund of the site membership fee.  :)

Syonyk

  • Magnum Stache
  • ******
  • Posts: 4610
    • Syonyk's Project Blog
Re: Site is not secure (no https://)
« Reply #24 on: March 12, 2017, 02:06:44 PM »
Awesome would buy again!

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9923
  • Registered member
Re: Site is not secure (no https://)
« Reply #25 on: March 12, 2017, 02:08:07 PM »
Somebody has been impersonating me. Please investigate.

Nice one Paul


FIRE me

  • Handlebar Stache
  • *****
  • Posts: 1097
  • Location: Louisville, KY
  • So much technology, so little talent.
Re: Site is not secure (no https://)
« Reply #26 on: March 13, 2017, 11:23:12 AM »
Houston, we have SSL!

Let me know if you run into any problems since the change and I'll look into them!

Wow. Serious thanks to MMM and clackapedia for making the forum https.

In addition to all the good reasons listed by MilesTeg and omachi, I am also concerned that very recently the head of the FTC killed a rule that would have stopped your own ISP from spying on your Internet browsing (and posts), and then selling your data to data brokers and advertisers. A major violation of everyone's law abiding right to read and communicate with the expectation of privacy. Https puts a stop to that nonsense.

I post details here of my financial and personal life that I reveal to no one else, and I sure don't think it is any of my ISP's business.

One trivial thing. Chrome browser reports that there are insecure elements, so the site does not report as fully secure like for example a banking site. Chrome says “Your connection to this site is not fully secure. Attackers might be able to see the images you're looking at on this site and trick you by modifying them.” Clicking details adds "Mixed Content. The site includes HTTP resources."

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: Site is not secure (no https://)
« Reply #27 on: March 13, 2017, 04:13:59 PM »
No encrypted login means your password is not kept secret, and if you use it in more than one place those accounts are insecure as well. More importantly if you are using openid your openid is directly compromised.

No SSL means your profile information (which may contain important details about you such as your email that can be used by identity thieves to impersonate you) is exposed to the world.

No SSL means anything you do is trivially intercepted, including things that you have a reasonable expectation of privacy with, such as sharing contact details with someone on a PM.

No SSL means that when a moderator browses the forum, which likely logs IP addresses viewable to a moderator, then someone intercepting a Moderator's connection has a nicely way to gather IPS of users, making it easier to collect this smorgusborg of user information.

No SSL means that someone can trivially perform a man in the middle attack on you, and make an embarrassing, illegal or illicit post in your name without even having to know your login.

It's really inexcusable to run a website in 2017 that does not at least attempt to be secure.

I concur with all of this, and I just got approval from MMM to start implementing SSL here!  Hopefully will be good to go by the end of the day.

Cheers!

Awes9me thanks for the (swift!) Attention and fix!

katsiki

  • Handlebar Stache
  • *****
  • Posts: 2015
  • Age: 43
  • Location: La.
Re: Site is not secure (no https://)
« Reply #28 on: March 13, 2017, 05:42:59 PM »
I don't believe the images not being secured is an issue.  That is a pretty common "issue" on many web sites.

RobFIRE

  • Bristles
  • ***
  • Posts: 277
  • Age: 40
  • Location: UK
  • Projected FIRE May 2020
Re: Site is not secure (no https://)
« Reply #29 on: March 16, 2017, 02:11:08 AM »
Thanks to the site operators/mods for putting in HTTPS support.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Site is not secure (no https://)
« Reply #30 on: March 16, 2017, 06:38:51 AM »
I don't believe the images not being secured is an issue.  That is a pretty common "issue" on many web sites.

Even if it were an issue, this isn't something that can be solved by the mods. People can embed their own images in their posts that were uploaded to other sites such as imgur that aren't delivered via https.

hoping2retire35

  • Handlebar Stache
  • *****
  • Posts: 1398
  • Location: UPCOUNTRY CAROLINA
  • just want to see where this appears
Re: Site is not secure (no https://)
« Reply #31 on: March 16, 2017, 07:24:58 AM »
just got this error message. using mozilla

The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?"

neo von retorch

  • Magnum Stache
  • ******
  • Posts: 4918
  • Location: SE PA
    • Fi@retorch - personal finance tracking
Re: Site is not secure (no https://)
« Reply #32 on: March 16, 2017, 07:30:11 AM »
While user content can still be linked insecurely, it would be helpful if the header image was linked via https:// - at least then on any pages that don't have user linked images, it would be 100% secure. Good for reducing confusion and paranoia.

hoping2retire35

  • Handlebar Stache
  • *****
  • Posts: 1398
  • Location: UPCOUNTRY CAROLINA
  • just want to see where this appears
Re: Site is not secure (no https://)
« Reply #33 on: March 16, 2017, 07:54:52 AM »
ok, twice now when I have modified a post have I gotten the error message. and only then.

Rural

  • Walrus Stache
  • *******
  • Posts: 5051
Re: Site is not secure (no https://)
« Reply #34 on: March 16, 2017, 11:38:45 AM »
ok, twice now when I have modified a post have I gotten the error message. and only then.


 I was just about to report the same issue – it's definitely on updating a post, though I don't remember if I pushed modify or edit.

joonifloofeefloo

  • Magnum Stache
  • ******
  • Posts: 4865
  • On a forum break :)
Re: Site is not secure (no https://)
« Reply #35 on: April 04, 2017, 11:34:42 AM »
Extreme excellentness that the forum gods implemented this request! Just posting to express appreciation, admiration, and thanks :)

Sydneystache

  • Bristles
  • ***
  • Posts: 274
  • Location: Sydney (Westie!)
  • Aiming for RE!
Re: Site is not secure (no https://)
« Reply #36 on: April 04, 2017, 09:10:41 PM »
just got this error message. using mozilla

The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?"

Had this last week when responding to big threads and it would reload to "create new thread".

But I updated my iOS last night and so far no probs.

Sydneystache

  • Bristles
  • ***
  • Posts: 274
  • Location: Sydney (Westie!)
  • Aiming for RE!
Re: Site is not secure (no https://)
« Reply #37 on: April 04, 2017, 10:14:47 PM »
I posted too soon- tried to post in a big thread which I haven't posted in before eg more than 50? 100 posts? but won't let me. I couldn't even edit my previous post in this thread.

Threshkin

  • Handlebar Stache
  • *****
  • Posts: 1088
  • Location: Colorado
    • My Journal
Re: Site is not secure (no https://)
« Reply #38 on: April 10, 2017, 04:52:50 PM »
just got this error message. using mozilla

The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?"

I just got this same error replying to a thread using Firefox Version 52.0.2.  I post fairly frequently and have not seen this before today.