English Amiga Board


Go Back   English Amiga Board > abime.net - Home Projects > project.EAB

 
 
Thread Tools
Old 08 September 2019, 10:37   #1
hugo_nl
Registered User

 
Join Date: Sep 2019
Location: Veenendaal, Netherlands
Posts: 2
Lightbulb Why is https:// not supported here?

Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hi-jacking, and obvious easy targets for spammers and hackers.

Sure, a total lack of encryption does feel very retro But it's really not a wise thing these days. Certificates were costly, but today, they can be gotten, for free, from letsencrypt.org. (I am not affiliated with Let's Encrypt -- I just want to be able to use the web securely.)

Right now, everything is sent in clear text. A lot of people tend to reuse the same password on different sites. People unaware of this security hole need to be informed, and need to consider all their other accounts compromised until they have reset all their passwords.

Last edited by hugo_nl; 08 September 2019 at 10:38. Reason: Typo
hugo_nl is offline  
Old 08 September 2019, 16:00   #2
Minuous
Coder/webmaster/gamer
Minuous's Avatar
 
Join Date: Oct 2001
Location: Canberra/Australia
Posts: 1,991
It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses, it was never intended for it to be used on every site. And it causes site compatibility problems with a lot of browsers.
Minuous is offline  
Old 08 September 2019, 16:26   #3
demolition
Unregistered User
demolition's Avatar
 
Join Date: Sep 2012
Location: Copenhagen / DK
Age: 39
Posts: 3,971
Quote:
Originally Posted by Minuous View Post
It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses, it was never intended for it to be used on every site. And it causes site compatibility problems with a lot of browsers.
HTTPS used to be quite server-heavy due to the extra CPU loading but today that is no longer much of an issue. I see no reason not to support HTTPS today on all sites even hobbyist sites like this one. What compatibility problems could it cause? Most browsers will now show warnings if you log on to a non HTTPS site and I don't think it will be long until it will be blocked as standard since it is a major potential security hole.

Blocking plain HTTP access altogether would not be nice on a site like this as it is still useful to be able to access with Amigabrowsers etc. that cannot handle SSL, but that doesn't exclude that there could be a HTTPS version for whenever you're on a PC.
demolition is offline  
Old 08 September 2019, 16:36   #4
Minuous
Coder/webmaster/gamer
Minuous's Avatar
 
Join Date: Oct 2001
Location: Canberra/Australia
Posts: 1,991
Quote:
What compatibility problems could it cause?
You answered your own question in the next paragraph :-) If it's only SSL it's not so bad, but a lot of sites these days are using TLS which can cause problems on various platforms, not just Amigas.
Minuous is offline  
Old 08 September 2019, 20:10   #5
nogginthenog
Amigan

 
Join Date: Feb 2012
Location: London
Posts: 868
Everyone here posts using their Amiga.
Have you used SSL on an 68060? It's not great
nogginthenog is offline  
Old 08 September 2019, 21:39   #6
malko
Ex nihilo nihil

malko's Avatar
 
Join Date: Oct 2017
Location: CH
Posts: 2,289
http://eab.abime.net/showthread.php?...63#post1228763
malko is offline  
Old 09 September 2019, 11:50   #7
cloverskull
Registered User

 
Join Date: Sep 2018
Location: California
Posts: 65
Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.
cloverskull is offline  
Old 09 September 2019, 18:16   #8
BastyCDGS
Registered User
 
Join Date: Nov 2015
Location: Freiburg / Germany
Age: 39
Posts: 121
Send a message via ICQ to BastyCDGS
Quote:
Originally Posted by cloverskull View Post
Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.
This and also don't forget that today's search engines (at least Google does it) rank sites down if they don't support SSL.
BastyCDGS is offline  
Old 09 September 2019, 19:18   #9
daxb
Registered User
 
Join Date: Oct 2009
Location: Germany
Posts: 2,379
Because Google can track you better if https is used. :P
daxb is offline  
Old 25 September 2019, 11:13   #10
gimbal
cheeky scoundrel

gimbal's Avatar
 
Join Date: Nov 2004
Location: Spijkenisse/Netherlands
Age: 38
Posts: 3,449
Even though it is a good idea to support (but not necessarily force) HTTPS in a site, let's not kid ourselves that HTTPS makes browsing secure. It's the best effortless fix that can be done, it's not a solution.

Push comes to shove, data is only encrypted when going over the line. It's not encrypted at the source and the destination. So there are still plenty of points of attack to get to the unencrypted data.
gimbal is offline  
Old 25 September 2019, 15:39   #11
Photon
Moderator

Photon's Avatar
 
Join Date: Nov 2004
Location: Eksjö / Sweden
Posts: 4,772
https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.
Photon is offline  
Old 25 September 2019, 15:55   #12
deimos
Registered User

 
Join Date: Jul 2018
Location: Londonish / UK
Posts: 447
Quote:
Originally Posted by Photon View Post
https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.
It can get more subtle than this though, if session cookies are passed back over HTTP then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.
deimos is offline  
Old 10 October 2019, 22:03   #13
B2k_ad
Registered User

 
Join Date: Jul 2018
Location: Braunschweig / Germany
Posts: 28
Please dont lock out my amigas.
With my 060 A4000 it would be just even possible to go for https
....if i invest in a propper phase 5 turbo board or so wich contains propper fastram.

But my A2000 would be locked out completely of EAB until i get a very Rare Turbo board.

Asking if EAB should go over SSL is a bit like asking if aminet.net should be encrypted as well.
I hope this stays open.

Posted from my 4000
B2k_ad is offline  
Old 11 October 2019, 03:04   #14
turrican3
Moon 1969 = amiga 1985

turrican3's Avatar
 
Join Date: Apr 2007
Location: belgium
Age: 43
Posts: 3,616
You can keep http and https together than it won't block your amiga 4000.
But i don't see the point to make eab https...Perhaps someone could give good reasons but myself i can't.
But i could be wrong.
turrican3 is offline  
Old 11 October 2019, 16:19   #15
commodorejohn
Shameless recidivist
commodorejohn's Avatar
 
Join Date: Jun 2012
Location: Duluth, Minnesota (USA)
Age: 34
Posts: 195
Quote:
Originally Posted by turrican3 View Post
You can keep http and https together than it won't block your amiga 4000.
You can indeed...but it seems like the next step in these discussions after "why doesn't this site support HTTPS?" is inevitably "why does this site still support HTTP?"
commodorejohn is offline  
Old 13 October 2019, 07:23   #16
Hewitson
Registered User
Hewitson's Avatar
 
Join Date: Feb 2007
Location: Melbourne, Australia
Age: 37
Posts: 3,383
Quote:
Originally Posted by turrican3 View Post
You can keep http and https together than it won't block your amiga 4000.
But i don't see the point to make eab https...Perhaps someone could give good reasons but myself i can't.
But i could be wrong.
Quote:
Originally Posted by Photon
If a website has a user login, it should be over a secure connection.
It's as simple as that. Whether you're a bank or an Amiga forum, it should be encrypted.
Hewitson is offline  
Old 13 October 2019, 08:32   #17
Unkown
The Old Fart!

Unkown's Avatar
 
Join Date: Oct 2019
Location: Last Seen In Purgatory!
Age: 53
Posts: 91
Quote:
Originally Posted by hugo_nl View Post
Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hi-jacking, and obvious easy targets for spammers and hackers.

There is no site safe on the interweb these days so whats the point ?.
Unkown is offline  
Old 13 October 2019, 09:35   #18
demolition
Unregistered User
demolition's Avatar
 
Join Date: Sep 2012
Location: Copenhagen / DK
Age: 39
Posts: 3,971
Quote:
Originally Posted by Unkown View Post
There is no site safe on the interweb these days so whats the point ?.
Sure there are 'safe' sites. Nothing is 100% obviously but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with..


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?
demolition is offline  
Old 13 October 2019, 22:56   #19
Unkown
The Old Fart!

Unkown's Avatar
 
Join Date: Oct 2019
Location: Last Seen In Purgatory!
Age: 53
Posts: 91
Quote:
Originally Posted by demolition View Post
Sure there are 'safe' sites. Nothing is 100% obviously but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with..


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?

Well lets see to day i could have been dead but a random choice saved my life, for real this is NOT a joke.


No a few times i have left my door open / unlocked and a few windows besides few times chosen to do so and other times just plain for got to lock the damn door.


Its also like people with bad passwords on the phone / computer / wifi etc, etc. don't take much if you or somebody else wanted to get in and have a good look round,



This is why every password i have ever used is kinda like a MD5 checksum, not enough time in one human life time to crack that kinda password. And its not as if people have Quantum computers laying around.So some things are 99.98% secure. As long as you don't leave then writen down on paper in plain view for strangers to see.


And what ever you do, Do NOT use password thingys in your browser dumbest thing to do these days.
Unkown is offline  
Old 14 October 2019, 05:17   #20
Unkown
The Old Fart!

Unkown's Avatar
 
Join Date: Oct 2019
Location: Last Seen In Purgatory!
Age: 53
Posts: 91
PS: forgot to say that i will be going away on the 19th so no forum spam from me untill a later date.

Tell you what tho want my address, will put the kettle on just sa i leave the house backdoor and front door will be left unlocked and all windows in the house will be open so its nice and fresh when you arrive, fresh milk in the fridge, plenty of cookies in the jar next to the microwave oven,

Knock your self out play some games on the PC's and or take your pick of the consoles.

WE have really nice interweb speed as well so yeah have fun and stay a while...

Unkown is offline  
 


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Similar Threads
Thread Thread Starter Forum Replies Last Post
https://www.imageupload.co.uk/ DamienD OT - General 31 22 September 2019 15:44
HTTPS Downgrader - surf the web with your amiga again! Cego support.Apps 0 07 January 2019 07:50
iBrowse and HTTPS sites? stu232 support.Apps 4 23 November 2014 20:54
ACATune not supported Retrofan support.Other 3 03 September 2012 02:24
games that need to be supported dlfrsilver Games images which need to be WHDified 0 08 January 2006 02:25

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 05:58.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.
Page generated in 0.09228 seconds with 14 queries