OBSOLETE - Forum login does not use HTTPS/SSL

MarkRWatts (Member, joined Sep 27, 2017)
I've noticed that the forum login page is not encrypted; perhaps this should be corrected with an SSL certificate?
(In fact, there are few good reasons why the entire site couldn't be accessed via HTTPS...).
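A way to check the complaint above on any forum, added here as example code (it is not the poster's and not code from the forum's own software): given the URL a login page was served from, its HTML and its response headers, the script reports where the password form would submit, whether the session cookie is marked Secure, and whether the site sends Strict-Transport-Security to keep browsers on HTTPS. The URL, HTML and headers are constructed samples standing in for a "before" and an "after" state of the same page.

```python
"""Audit a login page for cleartext credential submission.

Added example, not code from the forum or its software. Given the URL a
login page was served from, its HTML and its response headers, report where
the password form would submit to and whether the site asks browsers to stay
on HTTPS. The URL, HTML and headers below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> with the (name, type) of the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name"), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of findings; an empty list means nothing was flagged.

    headers is a list of (name, value) pairs so that repeated Set-Cookie
    headers are all seen.
    """
    findings = []
    if urlsplit(page_url).scheme != "https":
        # Even a form that posts to https can be rewritten in transit if the
        # page carrying it arrived over http.
        findings.append("login page itself served over http")

    scanner = _FormScanner()
    scanner.feed(html)
    login_forms = [f for f in scanner.forms if any(t == "password" for _, t in f["inputs"])]
    if not login_forms:
        findings.append("no form with a password field found")
    for form in login_forms:
        # A missing or empty action submits back to the page URL itself.
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme != "https":
            findings.append(f"password form posts in cleartext to {target}")

    names = set()
    for name, value in headers:
        lname = name.lower()
        names.add(lname)
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = [p.strip().lower() for p in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} set without Secure flag")
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed samples: the same login page before and after moving to HTTPS.
SAMPLE_HTML = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="login.php?do=login" method="post">
  <input name="user" type="text">
  <input name="passwrd" type="password">
  <input type="submit" value="Login">
</form>
</body></html>"""

BEFORE_URL = "http://forum.example.test/login.php"
BEFORE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly"),
]

AFTER_URL = "https://forum.example.test/login.php"
AFTER_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for url, hdrs in ((BEFORE_URL, BEFORE_HEADERS), (AFTER_URL, AFTER_HEADERS)):
        print(url, audit_login_page(url, SAMPLE_HTML, hdrs) or ["ok"])
```

The "before" sample yields four findings; the "after" sample yields none. Against a live site you would feed the function the real URL, body and header list from a fetch; the checks are all against what the browser would see, so they work without any access to the server.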
 
It’s been raised previously. You’re right, and in this day and age it’s inexcusable. Hopefully the appropriate people see this and realize what kind of perceptions this creates.
 
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.
 
This needs to be done. I get security warnings once in a while on some devices. Why would you not want to do this?
 
JimH2 said:
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

I don’t know what kind of details could be accessed, but if the password is one of them, some people do use the same password for other things, and Festoolownersgroup isn’t protecting these kinds of people.
 
jmbfestool said:
JimH2 said:
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

I don’t know what kind of details could be accessed, but if the password is one of them, some people do use the same password for other things, and Festoolownersgroup isn’t protecting these kinds of people.

Looks to me like those kinds of people aren't protecting themselves.
 
Aside from protecting user id and password, one of the main benefits to using HTTPS/SSL is that it helps to keep web sites from getting compromised and passing malware to users of the site. This applies to all pages not just the site logon.

There are many who believe that all sites should be using HTTPS for everything. Google is one example. Google has altered its search engine so that search results will be ranked giving priority to sites that use HTTPS over HTTP-only sites. Starting this month Chrome will flag all non-HTTPS sites as "Not Secure" with the next Chrome update.

There have long been battles over securing the source side of the web vs securing the endpoints. IMHO in today's world it's better if everything has some level of security.
 
Alex said:
JimH2 said:
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

I share your sentiment.

HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.  If you have an application on the web that users are interacting with, it really should have a certificate.  They're not super costly anymore, either, so I don't see the downside when there is an added security benefit even throwing out things like data security and username/password security.
 
SilviaS7 said:
HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.
No, it doesn't and no, we don't. This is because every certificate authority trusted by your browser can sign a certificate for every domain name (certs for google.com have been issued several times by third parties in the past).

Unless the certificate is supplied through a secure means (like DANE), the current 'security' we seem to have is nothing but a scam to extract money for 'certified' certificates and force smaller (ISP) players out of the market. IMHO, YMMV.
... I don't see the downside ...
One quite visible downside of forced https everywhere is that e.g. schools (which here have quite small uplinks to the internet when divided by the number of concurrent users) that previously could have a whole classroom watch a YouTube video in parallel (each student, with headphones, at their own speed), because the local proxy would cache it on the first request, now can't, as YouTube forces everything to https and the local cache can't do its job anymore (unless it's set to MITM everything https, which is a privacy nightmare and doesn't support BYOD).

Prior to this the teacher could run the video once (to have it cached by the proxy) before a class to guarantee being able to play it without stuttering; now that this isn't possible anymore they can't rely on online videos (as other teachers might decide to also show a video in their class, exceeding the available bandwidth of the uplink) and are also unable to make a local copy (because of copyright and DRM) to work around this problem.

You simply can't cache content coming in via https - unless you break the encryption.

So this has quite serious real-world consequences, like destroying any benefit of having caching proxy servers, and through this increasing internet traffic, driving up the power and materials bill of the internet, or even breaking existing functionality/usability.
 
Gregor said:
SilviaS7 said:
HTTPS/SSL encryption doesn't just secure the data in transit, it also functions as a certificate of authenticity - we know we are at the correct website and the content being published is secure.
No, it doesn't and no, we don't. This is because every certificate authority trusted by your browser can sign a certificate for every domain name (certs for google.com have been issued several times by third parties in the past).

Unless the certificate is supplied through a secure means (like DANE), the current 'security' we seem to have is nothing but a scam to extract money for 'certified' certificates and force smaller (ISP) players out of the market. IMHO, YMMV.
... I don't see the downside ...
One quite visible downside of forced https everywhere is that e.g. schools (which here have quite small uplinks to the internet when divided by the number of concurrent users) that previously could have a whole classroom watch a YouTube video in parallel (each student, with headphones, at their own speed), because the local proxy would cache it on the first request, now can't, as YouTube forces everything to https and the local cache can't do its job anymore (unless it's set to MITM everything https, which is a privacy nightmare and doesn't support BYOD).

Prior to this the teacher could run the video once (to have it cached by the proxy) before a class to guarantee being able to play it without stuttering; now that this isn't possible anymore they can't rely on online videos (as other teachers might decide to also show a video in their class, exceeding the available bandwidth of the uplink) and are also unable to make a local copy (because of copyright and DRM) to work around this problem.

You simply can't cache content coming in via https - unless you break the encryption.

So this has quite serious real-world consequences, like destroying any benefit of having caching proxy servers, and through this increasing internet traffic, driving up the power and materials bill of the internet, or even breaking existing functionality/usability.

The examples you are talking about are (1) not relevant to this forum, which is the site in question per the original topic. And (2), everything is going to HTTPS deep packet inspection (DPI) as a form of security in the future, so yes, encryption will be broken on networks such as at schools and universities to defend against sophisticated malware and cyber attacks. Caching issues are going to continue to decrease, especially since Netflix has led the way in providing infrastructure for their content to be cached regionally all over the world. But sure, feel free to explain to me how I'm wrong on a tangential topic that wasn't being discussed, because you know me and you know exactly what I know. ::)
 
If I may weigh in.

I don't think that the only reason to install an SSL certificate is because of sensitive information. Nowadays you can use https://letsencrypt.org as a free SSL cert, so cost should not be an issue IMO. Obviously by now you (the user) should use strong and different passwords for each account you own.

The drawbacks of stolen passwords are not just the user/password that gets stolen. The forum can easily be flooded with spam once hacked. A user with admin privileges could (probably) remove threads, etc. Lots of stuff you (as a sysop) don't want to deal with.
 
JimH2 said:
Paranoia about a non-issue. No banking is taking place here nor is confidential information being shared.

< techy hat on >
That’s not the issue. People use the same password on many sites. They shouldn’t, but they do. We all have tens, sometimes hundreds, of passwords and re-use is frequent. I don’t do this, but I used to, specifically on sites like FOG, where I didn’t think it mattered.

If someone takes a look at FOG from an airport / café / client’s network, then anyone who is also using that network (and who is even slightly tech-savvy**) is able to see the FOG-user’s password if it’s not encrypted with https.

Add that to the fact that there is money to be made selling passwords over the internet and you have a pretty good recipe for identity theft by using any site without encryption.

And the fewer non-encrypted sites there are, the more they will become targets.

Getting a site certificate is now free since Let’s Encrypt came along and, while it may still be non-trivial for some hosts, it’s rapidly becoming a one click install on others.

FOG is the only site I use without encryption and it bugs me every time I login. It’s the equivalent of leaving your front door keys under the mat.

** Increasingly, you don’t need to be that tech-savvy to hack anything. Troy Hunt (an Australian security researcher) has a nice video showing his 3 year-old son how to hack a database online: https://www.troyhunt.com/hacking-is-childs-play-sql-injection/ He uses a technique that used to require significant knowledge, but now only requires a program easily found on the internet and the ability to copy and paste.

< / techy hat on >
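To make the café-network point concrete, here is added example code (not the poster's, and not captured from FOG or any real site) that does what a passive sniffer does with the application bytes of a plain-HTTP TCP stream: split them into requests and pull out any form POST carrying a password-looking field. The stream, host name and field names are constructed samples; the `passwrd` field name is only an assumption about what a forum login form might use.

```python
"""What a passive observer on a shared network gets from a login over plain HTTP.

Added example, not from the thread. Takes the application-layer bytes of one
TCP stream (what a sniffer reassembles from a Wi-Fi capture), splits them into
HTTP requests and reports every form POST that carries a password-like field.
The stream below is constructed, not captured from any real site. Over HTTPS
the same stream is TLS records and none of this parsing applies.
"""
from urllib.parse import parse_qs

# Field names commonly used for the password box; "passwrd" is an assumption.
PASSWORD_FIELDS = {"pass", "pwd", "passwd", "passwrd", "password"}


def split_http_requests(stream: bytes):
    """Yield (request_line, headers, body) for each request in the stream.

    Requests are delimited by the blank line ending the headers plus the
    Content-Length of the body (zero when the header is absent).
    """
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            return
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def find_cleartext_logins(stream: bytes):
    """Return [(host_and_path, fields)] for every urlencoded POST with a password field."""
    hits = []
    for request_line, headers, body in split_http_requests(stream):
        parts = request_line.split(" ")
        if len(parts) < 2 or parts[0] != "POST":
            continue
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        # parse_qs decodes %XX escapes, so the observer sees the real password.
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if any(k.lower() in PASSWORD_FIELDS for k in fields):
            hits.append((headers.get("host", "") + parts[1], fields))
    return hits


# Constructed sample: a GET for the login page, then the form submission.
_LOGIN_BODY = b"user=woodworker&passwrd=Festool%21&cookielength=-1"
SAMPLE_STREAM = (
    b"GET /index.php?action=login HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
    b"POST /index.php?action=login2 HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_LOGIN_BODY)).encode() + b"\r\n"
    b"\r\n" + _LOGIN_BODY
)

if __name__ == "__main__":
    for where, fields in find_cleartext_logins(SAMPLE_STREAM):
        print(where, fields)
```

Nothing here needs privileges beyond being able to read the traffic; on an open Wi-Fi network that is every other client. The same two functions run unchanged over a stream reassembled from a real capture, which is the whole problem the post describes.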
 
"A user with admin privileges could (probably) remove threads, etc. Lots of stuff you (as a sysop) don't want to deal with."

Had something similar to this occur on another forum I frequent 3 years ago. The user account of one of the original sysops of the forum (from 2001), who had long ago moved on, was not deleted/removed, and the account remained active with admin privileges over 10 years after the person's last access.

A user who had been banned for posting porn and ads hacked the account and wreaked havoc on the site, deleting hundreds of posts and thousands of photos and a few targeted forum members. They put it all back together from backups except the last 24 hours so not too much lost but it was a mess. Unfortunately the photos were not backed up and many, including myself, lost many posts and photos.
 
Bob D. said:
They put it all back together from backups except the last 24 hours so not too much lost but it was a mess. Unfortunately the photos were not backed up and many, including myself, lost many posts and photos.
I always encourage my customers to think about data without multiple backups as already being deleted and gone. It makes life easier (before and after the drive with that data dies) and a night's sleep more sound...
 
I too would like to see FOG use https. It's good practice. I doubt it's a technical problem; other Festool sites use https, like www.festoolusa.com.

Thanks.
 
Bob D. said:
A user who had been banned for posting porn and ads hacked the account and wreaked havoc on the site, deleting hundreds of posts and thousands of photos and a few targeted forum members. They put it all back together from backups except the last 24 hours so not too much lost but it was a mess. Unfortunately the photos were not backed up and many, including myself, lost many posts and photos.
Exactly my point. Most often not a question of "if", but when.
 
I actually run a web hosting company, that I won't name as I'm not here to shill/push my own personal business, but I've been doing it for more than a decade and we host tens of thousands of sites.

SSL is cheap [even free with Let's Encrypt] and stupid easy to configure and use.

If anybody at FOG/Admin needs help - I'm happy to help, for free, just let me know.
 