|
About this site... Do you have any thoughts, suggestions or comments about this site? Post them here... |
|
Thread Tools |
17 Mar 2016, 10:21 PM | #1 |
Member
Join Date: Feb 2016
Posts: 47
|
Redirect HTTPS to HTTP for this forum?
Can't hurt.
|
18 Mar 2016, 03:33 AM | #2 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,944
|
SSL certificates cost money.
|
19 Mar 2016, 10:54 AM | #3 |
Member
Join Date: Feb 2016
Posts: 47
|
There's a few places where you can get them for free..
https://www.startssl.com/Support?v=1 https://letsencrypt.org/ But a simple re-direct from HTTPS to HTTP would be cool (which is also free) |
20 Mar 2016, 04:51 AM | #4 |
Master of the @
Join Date: Feb 2005
Location: USA
Posts: 1,873
|
There is absolutely NO REASON to have this site on HTTPS!!
Nothing private here........ All you do is cause potential connection problems FOR NO REASON!! |
10 Dec 2016, 07:18 AM | #5 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
I resurrect this thread because I was just about to start a new thread and ask why the forum has no https... In fact, attempting to connect via https results in an error page for me.
While I agree with the previous poster that there is nothing really private on this forum, I believe that https should be best practice today for anything that involves a login procedure. Protecting your credentials should IMHO be taken serious these days. Are there any plans to offer https in the future? Best, gecko |
11 Dec 2016, 12:21 AM | #6 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,944
|
|
11 Dec 2016, 04:54 AM | #7 |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
The computationally expensive part of HTTPS is the initial negotiation. After that, it's cheap. And you want that to protect passwords anyway. It's impractical at best to attempt to securely request or submit passwords over HTTP. Any counterarguments probably addressed here. |
28 Dec 2016, 02:02 AM | #8 |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
|
28 Dec 2016, 03:46 AM | #9 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,928
|
Why?
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.
I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit. Bill |
28 Dec 2016, 03:48 AM | #10 | |
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
|
Quote:
|
|
31 Dec 2016, 03:21 AM | #11 | |
Master of the @
Join Date: Feb 2005
Location: USA
Posts: 1,873
|
Quote:
"Redirect HTTP to HTTPS for this forum?" There is NO reason to put a reg site like this on HTTPS!! |
|
31 Dec 2016, 03:49 AM | #12 | ||
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,928
|
Quote:
Quote:
|
||
1 Jan 2017, 07:50 PM | #13 |
Master of the @
Join Date: Feb 2005
Location: USA
Posts: 1,873
|
Ya I just noticed they said the same thing twice...... (They are confused.... They meant to say HTTP TO HTTPS (The other doesnt make any sense @ all))
|
9 Jan 2017, 11:34 PM | #14 |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
The only valid reason I could see for doing this would be to secure user credentials against interception, which is a somewhat valid concern, but perhaps not enough to justify the additional complexity, cost, and overhead of maintaining an HTTPS version of the site, and in particular forcing/redirecting users to that version — which as others have pointed out would potentially create needless connectivity issues.
Ultimately like any security assessment it comes down to the actual threat and risk we're talking about. As long as you're following best security practices and not reusing the same password everywhere (and password reuse is a very bad idea even if a site is fully SSL-protected), there's very little that an attacker is going to get from having your EMD password. Basically, they can compromise your account and impersonate you on these forums, read your private messages, and obtain your email address. How much of an issue that is for you really depends on what sort of things you're doing on these forums — if you're exchanging confidential information via the PM system, then perhaps you have something to be concerned about, but it's probably safe to say that most users aren't doing that. Personally, I think most hackers have better things to do with their resources than target EMD profiles, especially on a per-user basis. There's just nothing of sufficient value here to make it worth anybody's time and effort. Frankly, if I wanted to pick at nits, I'd be more concerned that EMD is still running considerably older versions of Apache (2.2.24 circa 2013), PHP (5.2.17, circa 2011), and vBulletin 3.6.12 (assuming PL2, circa 2009). That said, I'm not even that concerned about these, since with the exception of Apache, these are the latest patch releases for those streams. However, there are still known vulnerabilities in those as well that make a desire for SSL securing the transmission channels even less relevant by comparison. |
17 Jan 2017, 01:54 PM | #15 |
Cornerstone of the Community
Join Date: Jun 2003
Posts: 551
|
It should always be https nowadays. This is one of the few places without it. I'm pretty sure we won't see much effort here due to the falling interest overall.
I've been using a vpn service for years and am not concerned about an emd breach at my end. And like someone else mentioned, we are low priority. I would hate to see my many year account hacked. |