Using HTTPS

Eliter
CC Member
Posts: 580
Joined: April 2nd, 2014, 10:11 pm
Location: Western United States

Post by Eliter » December 26th, 2017, 1:51 pm

I remember a while back you guys had this forum on HTTPS and used a LetsEncrypt certificate. I see that most of my browsing is on HTTP (not secure), but HTTPS is still allowed and cert is trusted. I was just wondering if you guys would redirect HTTP traffic over to HTTPS traffic. I just generally like the peace of mind that less sniffing and man-in-the-middle attacks are able to happen.

I remember hearing that you guys don't directly host the webserver, you guys pay for webhosting, so I don't know if that type of thing can be found on whatever weird control panel you have. In which case, it's not like my webservers (that I host on my fully controlled Ubuntu servers) where I can do a few commands and edit configs to do stuff. If you guys need help with Apache (if your hosting provider uses Apache and hands you the .htaccess), I can help if you need it.

Also, private stuff that is transferred is actually secured that way. I'll have to look at the login/registration, and see if that page is secured, but you guys should probably make sure nothing like passwords get sent over plaintext.

EDIT1: Yeah, so the login form page is not sent to me in TLS/SSL/HTTPS, and the page doesn't tell the browser to send the form over TLS/SSL/HTTPS unless the page is already using HTTPS. When it has "./ucp.php?blawblawblawblaw" it will use the protocol that is already being used, and if HTTP is already being used, then the password will be sent over plaintext.

There are two options to secure this, either serve the entire page over HTTPS, or make the form (just the form) use HTTPS. You can change the form to only use HTTPS by either hard-coding it on the action attribute to the form element, or use something like JavaScript (I found a jQuery example here).
~Eliter
Jesus wrote:father forgive them they know not what they do.

KingSteve032
Tech Support Director
Posts: 1090
Joined: February 7th, 2013, 11:51 am
Steam Profile: KingSteve032
Origin Profile: KingSteve032
UPlay Player: KingSteve031
Battle.net Profile: KingSteve032#1134
Formerly Known As: The Boss Man
Location: Virginia Beach VA

Post by KingSteve032 » December 26th, 2017, 4:09 pm

I like http better. It's just easier to work with.
He said to them, “...if you don’t have a sword, sell your cloak and buy one.”
Luke 22:36


Post by Eliter » December 26th, 2017, 5:02 pm

KingSteve032 wrote: I like http better. It's just easier to work with.
It's not a matter of liking it, it's a matter of doing a job correctly.

Besides, what's so hard about HTTPS? I set it up once on my server, and have never had to think about or code for HTTPS again. All requests are redirected to HTTPS.

Anyway, you can enable HTTPS just for the form if you don't like dealing with HTTPS for the rest of the site.

If this is just my voice, then whatever. But I feel like the rest of the community isn't using theirs because they don't see the issue, because they don't have an understanding of it.

I understand that User Experience is important, and it takes priority over design, but this does not impede user experience.

Crosser
Posts: 1111
Joined: February 17th, 2010, 7:03 pm
Steam Profile: crosser222

Post by Crosser » December 26th, 2017, 5:10 pm

And the worst that happens...Somebody steals info related to Jesus and becomes saved. Better get this HTTPS stuff fully integrated... And fast!

(j/k) ^_^
I look at the world from a different angle;
People change; even Satan used to be an angel..


Post by Eliter » December 26th, 2017, 5:37 pm

Crosser wrote: And the worst that happens...Somebody steals info related to Jesus and becomes saved.
Well, that's not entirely true. Some people like to use the same password across platforms, so the password used for the forums account could be the same one for your PayPal account. It's also always a good idea to secure your users if you can, but not always required (I'll be honest).
Crosser wrote: Better get this HTTPS stuff fully integrated... And fast!
That is not at all what I was talking about. I had also suggested to just make the form itself use HTTPS, so the user and password in the form would be encrypted, while the rest of the site may not be.

Post by Crosser » December 26th, 2017, 5:48 pm

Well, you know what they say, "If you haven't what it isn't, then you shouldn't kiss a pheasant."

And to everyone else, don't worry, I'll stop now, lol...

Cptn Merika
Posts: 1055
Joined: November 11th, 2014, 11:33 pm
Steam Profile: Cptn Merika


Post by Cptn Merika » December 26th, 2017, 6:22 pm

Seems like you are nit-picking the website. This website has been here for how long? And I don't recall anyone ever having security related issues...I could be wrong, but you got to pick the right battles.

"It's not a matter of liking it, it's a matter of doing a job correctly."
Also, this statement is very disrespectful, and for someone who has not contributed to building the website and its systems, I will go as far as to say you don't have a right to call someone out on how well or not-well of a job they did building the website in this fashion (if that is what you are doing), especially given all that Kingsteve and the other webpage people have put into this site. Sorry if this comes across blunt and direct, but it is like the old saying goes.....if the bucket fits, fill it full of water.
"Be strong and courageous. Do not be afraid or terrified because of them, for the LORD your God goes with you; he will never leave you nor forsake you." - Deuteronomy 31:6


Post by Eliter » December 26th, 2017, 6:46 pm

Cptn Merika wrote: Seems like you are nit-picking the website. This website has been here for how long? And I don't recall anyone ever having security related issues...I could be wrong, but you got to pick the right battles.
It seems that you lack knowledge in security and do not understand the issue.

I also do feel very blunt and direct about the issue as well, and I am willing to contribute, but have not been given such an opportunity.

A lot of work does not equate to good work at everything across the board. I am not criticising the entire project and saying it has no merit, I am just pointing out one (1) major security flaw that could be fixed in either one section of a page, the entire page, or the entire web server.

I think it's rude to not acknowledge the issue directly, instead a preference of the administrator was stated. He could have said he understands the issue, and said (or implied) that he's not going to do anything about it.

NeoJabez
Council Operations
Posts: 10249
Joined: June 5th, 2005, 7:00 am


Post by NeoJabez » December 26th, 2017, 6:54 pm

Let's be honest, though. If you worry about https (ssl) and you use the same password across multiple platforms, you are misplacing the onus of bad security onto the site rather than the asinine practice of using the same password everywhere. You can't complain about bad security on the site and promote bad personal security practices at the same time.

There are valid reasons for not going totally ssl, perhaps in your security-centric view, you've overlooked that? Everything isn't about security.
If serving is below you, leadership is beyond you. - Anonymous

Coram Deo, Soli Deo Gloria


Post by Eliter » December 26th, 2017, 7:08 pm

NeoJabez wrote: There are valid reasons for not going totally ssl, perhaps in your security-centric view, you've overlooked that? Everything isn't about security.
I said nothing about totally SSL. -_-