English Amiga Board


hugo_nl 08 September 2019 10:37

Why is https:// not supported here?
 
Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hijacking, and an obvious easy target for spammers and hackers.

Sure, a total lack of encryption does feel very retro :) But it's really not a wise thing these days. Certificates were costly, but today, they can be gotten, for free, from letsencrypt.org. (I am not affiliated with Let's Encrypt -- I just want to be able to use the web securely.)

Right now, everything is sent in clear text. A lot of people tend to reuse the same password on different sites. People unaware of this security hole need to be informed, and need to consider all their other accounts compromised until they have reset all their passwords.

Minuous 08 September 2019 16:00

It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses; it was never intended to be used on every site. And it causes site compatibility problems with a lot of browsers.

demolition 08 September 2019 16:26

Quote:

Originally Posted by Minuous (Post 1344341)
It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses; it was never intended to be used on every site. And it causes site compatibility problems with a lot of browsers.

HTTPS used to be quite server-heavy due to the extra CPU loading, but today that is no longer much of an issue. I see no reason not to support HTTPS today on all sites, even hobbyist sites like this one. What compatibility problems could it cause? Most browsers will now show warnings if you log on to a non-HTTPS site, and I don't think it will be long until it will be blocked as standard, since it is a major potential security hole.

Blocking plain HTTP access altogether would not be nice on a site like this, as it is still useful to be able to access it with Amiga browsers etc. that cannot handle SSL, but that doesn't exclude that there could be an HTTPS version for whenever you're on a PC.

Minuous 08 September 2019 16:36

Quote:

What compatibility problems could it cause?
You answered your own question in the next paragraph :-) If it's only SSL it's not so bad, but a lot of sites these days are using TLS which can cause problems on various platforms, not just Amigas.

nogginthenog 08 September 2019 20:10

Everyone here posts using their Amiga.
Have you used SSL on a 68060? It's not great :)

malko 08 September 2019 21:39

http://eab.abime.net/showthread.php?...63#post1228763

cloverskull 09 September 2019 11:50

Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.

BastyCDGS 09 September 2019 18:16

Quote:

Originally Posted by cloverskull (Post 1344501)
Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.

This, and also don't forget that today's search engines (at least Google does it) rank sites down if they don't support SSL.

daxb 09 September 2019 19:18

Because Google can track you better if https is used. :P

gimbal 25 September 2019 11:13

Even though it is a good idea to support (but not necessarily force) HTTPS in a site, let's not kid ourselves that HTTPS makes browsing secure. It's the best effortless fix that can be done; it's not a solution.

Push comes to shove, data is only encrypted when going over the line. It's not encrypted at the source and the destination. So there are still plenty of points of attack to get to the unencrypted data.

Photon 25 September 2019 15:39

https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on. :great

deimos 25 September 2019 15:55

Quote:

Originally Posted by Photon (Post 1347717)
https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on. :great

It can get more subtle than this, though: if session cookies are passed back over HTTP, then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.
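
The point in the post above, shown as an added example that is not part of the original thread: a login made over HTTPS still leaves the session exposed if the session cookie lacks the `Secure` attribute, because the browser then attaches it to later plain-HTTP requests. The cookie names, values and `forum.example` host are constructed for illustration, and only the `Secure` rule is modelled (domain and path matching are left out).

```python
# Added example: models only the browser's Secure-attribute rule
# (domain/path matching is omitted). Cookie names are hypothetical.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def sent_unencrypted(attrs, url):
    """True if the cookie would travel in clear text on a request to url."""
    return urlsplit(url).scheme == "http" and "secure" not in attrs

def audit(set_cookie_headers, session_names):
    """Return {cookie name: [missing attributes]} for session cookies."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in session_names:
            missing = [a for a in ("secure", "httponly") if a not in attrs]
            if missing:
                findings[name] = missing
    return findings

# Constructed headers, as a login response received over HTTPS might set them.
LOGIN_RESPONSE = [
    "sessionhash=3f9a1c0de4; Path=/; HttpOnly",          # session id, no Secure
    "sessionhash_tls=77b2e0aa91; Path=/; Secure; HttpOnly",
    "lastvisit=1568000000; Path=/",                      # not a credential
]
SESSION_NAMES = {"sessionhash", "sessionhash_tls"}

def leaked_on(url):
    """Names of session cookies exposed when the browser later fetches url."""
    leaked = []
    for header in LOGIN_RESPONSE:
        name, attrs = parse_set_cookie(header)
        if name in SESSION_NAMES and sent_unencrypted(attrs, url):
            leaked.append(name)
    return leaked

if __name__ == "__main__":
    print(audit(LOGIN_RESPONSE, SESSION_NAMES))
    print(leaked_on("http://forum.example/showthread.php"))
```

On a site that keeps both schemes, a session cookie marked `Secure` is not sent on `http://` pages, so the logged-in session only persists on the HTTPS side.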

B2k_ad 10 October 2019 22:03

Please don't lock out my Amigas. :o
With my 060 A4000 it would be just even possible to go for https
....if I invest in a proper Phase 5 turbo board or so which contains proper fastram.

But my A2000 would be locked out completely of EAB until I get a very rare turbo board.

Asking if EAB should go over SSL is a bit like asking if aminet.net should be encrypted as well.
I hope this stays open.

Posted from my 4000

turrican3 11 October 2019 03:04

You can keep http and https together, then it won't block your Amiga 4000.
But I don't see the point to make EAB https... Perhaps someone could give good reasons but myself I can't.
But I could be wrong.

commodorejohn 11 October 2019 16:19

Quote:

Originally Posted by turrican3 (Post 1350439)
You can keep http and https together, then it won't block your Amiga 4000.

You can indeed...but it seems like the next step in these discussions after "why doesn't this site support HTTPS?" is inevitably "why does this site still support HTTP?"

Hewitson 13 October 2019 07:23

Quote:

Originally Posted by turrican3 (Post 1350439)
You can keep http and https together, then it won't block your Amiga 4000.
But I don't see the point to make EAB https... Perhaps someone could give good reasons but myself I can't.
But I could be wrong.

Quote:

Originally Posted by Photon
If a website has a user login, it should be over a secure connection.

It's as simple as that. Whether you're a bank or an Amiga forum, it should be encrypted.

Unkown 13 October 2019 08:32

Quote:

Originally Posted by hugo_nl (Post 1344287)
Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hijacking, and an obvious easy target for spammers and hackers.


There is no site safe on the interweb these days, so what's the point? :agree

demolition 13 October 2019 09:35

Quote:

Originally Posted by Unkown (Post 1350880)
There is no site safe on the interweb these days, so what's the point? :agree

Sure there are 'safe' sites. Nothing is 100%, obviously, but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with.


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?

Unkown 13 October 2019 22:56

Quote:

Originally Posted by demolition (Post 1350891)
Sure there are 'safe' sites. Nothing is 100%, obviously, but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with.


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?


Well, let's see: today I could have been dead but a random choice saved my life; for real, this is NOT a joke.


No, a few times I have left my door open / unlocked and a few windows besides; a few times chosen to do so and other times just plain forgot to lock the damn door.


It's also like people with bad passwords on the phone / computer / wifi etc., etc. It doesn't take much if you or somebody else wanted to get in and have a good look round.



This is why every password I have ever used is kinda like an MD5 checksum; not enough time in one human lifetime to crack that kinda password. And it's not as if people have quantum computers lying around. So some things are 99.98% secure. As long as you don't leave them written down on paper in plain view for strangers to see.


And whatever you do, do NOT use password thingies in your browser, dumbest thing to do these days. :crazy

Unkown 14 October 2019 05:17

PS: forgot to say that I will be going away on the 19th, so no forum spam from me until a later date. ;)

Tell you what tho, want my address? Will put the kettle on just as I leave the house; back door and front door will be left unlocked and all windows in the house will be open so it's nice and fresh when you arrive, fresh milk in the fridge, plenty of cookies in the jar next to the microwave oven.

Knock yourself out, play some games on the PCs and/or take your pick of the consoles.

We have really nice interweb speed as well, so yeah, have fun and stay a while...

:banghead:crazy:spin:agree:nuts:great


All times are GMT +2. The time now is 16:37.
