Author Topic: Forum login does not use HTTPS/SSL  (Read 898 times)

Offline MarkRWatts

  • Posts: 5
Forum login does not use HTTPS/SSL
« on: July 06, 2018, 10:20 AM »
I've noticed that the forum login page is not encrypted; perhaps this should be corrected with an SSL certificate?
(In fact, there are few good reasons why the entire site couldn't be accessed via HTTPS...).

Offline RKA

  • Posts: 1077
Re: Forum login does not use HTTPS/SSL
« Reply #1 on: July 06, 2018, 10:56 AM »
It’s been raised previously.  You’re right and in this day and age, it’s inexcusable. Hopefully the appropriate people see this and realize what kind of perceptions this creates. 
-Raj

Offline JimH2

  • Posts: 575
Re: Forum login does not use HTTPS/SSL
« Reply #2 on: July 06, 2018, 09:10 PM »
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

Offline SRSemenza

  • Global Moderator
  • Posts: 8414
  • Finger Lakes Region, NY State , USA
Re: Forum login does not use HTTPS/SSL
« Reply #3 on: July 06, 2018, 11:31 PM »
Looking into it.

Seth

Offline Alex

  • Posts: 5668
Re: Forum login does not use HTTPS/SSL
« Reply #4 on: July 07, 2018, 01:10 AM »
Quote
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

I share your sentiment.

Offline RDMuller

  • Posts: 289
Re: Forum login does not use HTTPS/SSL
« Reply #5 on: July 07, 2018, 09:25 AM »
This needs to be done.  I get security warnings once in a while on some devices. Why would you not want to do this?

Offline jmbfestool

  • Posts: 6611
Re: Forum login does not use HTTPS/SSL
« Reply #6 on: July 07, 2018, 10:47 AM »
Quote
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

I don’t know what kinda details could be accessed but if password is one of them some people do use same password for other things and Festoolownersgroup isn’t protecting these kinda people

Offline Alex

  • Posts: 5668
Re: Forum login does not use HTTPS/SSL
« Reply #7 on: July 07, 2018, 02:54 PM »
Quote
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

Quote
I don’t know what kinda details could be accessed but if password is one of them some people do use same password for other things and Festoolownersgroup isn’t protecting these kinda people

Looks to me like those kinda people aren't protecting themselves.

Online justaguy

  • Posts: 166
Re: Forum login does not use HTTPS/SSL
« Reply #8 on: July 07, 2018, 03:43 PM »
Aside from protecting user id and password, one of the main benefits to using HTTPS/SSL is that it helps to keep web sites from getting compromised and passing malware to users of the site. This applies to all pages not just the site logon.

There are many who believe that all sites should be using HTTPS for everything. Google is one example. Google has altered its search engine so that search results will be ranked giving priority to sites that use HTTPS over HTTP only sites. Starting this month Chrome will flag all non-HTTPS sites as "Not Secure" with the next Chrome update.

There have long been battles over securing the source side of the web vs securing the endpoints. IMHO in today's world it's better if everything has some level of security.

Offline SilviaS7

  • Posts: 13
Re: Forum login does not use HTTPS/SSL
« Reply #9 on: July 07, 2018, 04:37 PM »
Quote
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

Quote
I share your sentiment.

HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.  If you have an application on the web that users are interacting with, it really should have a certificate.  They're not super costly anymore, either, so I don't see the downside when there is an added security benefit even throwing out things like data security and username/password security.

Offline Gregor

  • Posts: 834
Re: Forum login does not use HTTPS/SSL
« Reply #10 on: July 08, 2018, 05:52 AM »
Quote
HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.
No, it doesn't and no, we don't. This is because every certificate authority trusted by your browser can sign a certificate for every domain name (certs for google.com have been issued several times by third parties in the past).

Unless the certificate is supplied through a secure means (like DANE) the current 'security' we seem to have is none but just a scam to extract money for 'certified' certificates and force smaller (ISP) players out of the market. IMHO, YMMV.
Quote
... I don't see the downside ...
One quite visible downside of forced https everywhere is that e.g. schools (which here have quite small uplinks to the internet, when divided by the amount of concurrent users in them) that prior could have a whole classroom watch a YouTube video in parallel (each student, with headphones, at their own speed) because the local proxy would cache it on the first request... now can't as YouTube forces everything to https and the local cache can't do its job anymore (unless it's set to MITM everything https, which is a privacy nightmare and doesn't support BYOD).

Prior to this the teacher could run the video once (to have it cached by the proxy) before a class to guarantee being able to play it without stuttering, now that this isn't possible anymore they can't rely on online videos (as other teachers might decide to also show a video in their class, exceeding the available bandwidth of the uplink) and are also unable to make a local copy (by copyright and DRM) to work around this problem.

You simply can't cache content coming in via https - unless you break the encryption.

So this has quite serious real-world consequences, like destroying any benefit in having caching proxy servers - and through this increasing internet traffic, driving up the power and materials bill of the internet, or even breaking existing functionality/usability.

Offline tony_sheehan

  • Posts: 109
Re: Forum login does not use HTTPS/SSL
« Reply #11 on: July 08, 2018, 06:34 AM »
zzzzzzzzzzz........

Offline SilviaS7

  • Posts: 13
Re: Forum login does not use HTTPS/SSL
« Reply #12 on: July 09, 2018, 01:37 PM »
Quote
Quote
HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.
No, it doesn't and no, we don't. This is because every certificate authority trusted by your browser can sign a certificate for every domain name (certs for google.com have been issued several times by third parties in the past).

Unless the certificate is supplied through a secure means (like DANE) the current 'security' we seem to have is none but just a scam to extract money for 'certified' certificates and force smaller (ISP) players out of the market. IMHO, YMMV.
Quote
... I don't see the downside ...
One quite visible downside of forced https everywhere is that e.g. schools (which here have quite small uplinks to the internet, when divided by the amount of concurrent users in them) that prior could have a whole classroom watch a YouTube video in parallel (each student, with headphones, at their own speed) because the local proxy would cache it on the first request... now can't as YouTube forces everything to https and the local cache can't do its job anymore (unless it's set to MITM everything https, which is a privacy nightmare and doesn't support BYOD).

Prior to this the teacher could run the video once (to have it cached by the proxy) before a class to guarantee being able to play it without stuttering, now that this isn't possible anymore they can't rely on online videos (as other teachers might decide to also show a video in their class, exceeding the available bandwidth of the uplink) and are also unable to make a local copy (by copyright and DRM) to work around this problem.

You simply can't cache content coming in via https - unless you break the encryption.

So this has quite serious real-world consequences, like destroying any benefit in having caching proxy servers - and through this increasing internet traffic, driving up the power and materials bill of the internet, or even breaking existing functionality/usability.

The examples you are talking about are (1) not relevant to this forum, which is the site in question per the original topic.  And (2), everything is going to HTTPS deep packet inspection (DPI) as a form of security in the future, so yes encryption will be broken on networks such as at schools and universities to defend against sophisticated malware and cyber attacks.  Caching issues are going to continue to decrease, especially since Netflix has led the way in providing infrastructure for their content to be cached regionally all over the world.  But sure, feel free to explain to me how I'm wrong on a tangential topic that wasn't being discussed because you know me and you know exactly what I know.   ::)