Why is https:// not supported here?

[hugo_nl]

Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hi-jacking, and obvious easy targets for spammers and hackers.

Sure, a total lack of encryption does feel very retro But it's really not a wise thing these days. Certificates were costly, but today, they can be gotten, for free, from letsencrypt.org. (I am not affiliated with Let's Encrypt -- I just want to be able to use the web securely.)

Right now, everything is sent in clear text. A lot of people tend to reuse the same password on different sites. People unaware of this security hole need to be informed, and need to consider all their other accounts compromised until they have reset all their passwords.

[Minuous]

It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses, it was never intended for it to be used on every site. And it causes site compatibility problems with a lot of browsers.

[demolition]

Quote:

Originally Posted by Minuous

It's hardly a "security hole" just because a site uses normal HTTP.

HTTPS was designed for banking and similar uses, it was never intended for it to be used on every site. And it causes site compatibility problems with a lot of browsers.

HTTPS used to be quite server-heavy due to the extra CPU loading but today that is no longer much of an issue. I see no reason not to support HTTPS today on all sites even hobbyist sites like this one. What compatibility problems could it cause? Most browsers will now show warnings if you log on to a non HTTPS site and I don't think it will be long until it will be blocked as standard since it is a major potential security hole.

Blocking plain HTTP access altogether would not be nice on a site like this as it is still useful to be able to access with Amigabrowsers etc. that cannot handle SSL, but that doesn't exclude that there could be a HTTPS version for whenever you're on a PC.

[Minuous]

Quote:

What compatibility problems could it cause?

You answered your own question in the next paragraph :-) If it's only SSL it's not so bad, but a lot of sites these days are using TLS which can cause problems on various platforms, not just Amigas.

[nogginthenog]

Everyone here posts using their Amiga.
Have you used SSL on an 68060? It's not great

[malko]

http://eab.abime.net/showthread.php?...63#post1228763

[cloverskull]

Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.

[BastyCDGS]

Quote:

Originally Posted by cloverskull

Supporting https doesn’t mean you have to force https. It’s possible to maintain access via http.

This and also don't forget that today's search engines (at least Google does it) rank sites down if they don't support SSL.

[daxb]

Because Google can track you better if https is used. :P

[gimbal]

Even though it is a good idea to support (but not necessarily force) HTTPS in a site, let's not kid ourselves that HTTPS makes browsing secure. It's the best effortless fix that can be done, it's not a solution.

Push comes to shove, data is only encrypted when going over the line. It's not encrypted at the source and the destination. So there are still plenty of points of attack to get to the unencrypted data.

[Photon]

https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.

[deimos]

Quote:

Originally Posted by Photon

https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.

It can get more subtle than this though, if session cookies are passed back over HTTP then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.

[B2k_ad]

Please dont lock out my amigas.
With my 060 A4000 it would be just even possible to go for https
....if i invest in a propper phase 5 turbo board or so wich contains propper fastram.

But my A2000 would be locked out completely of EAB until i get a very Rare Turbo board.

Asking if EAB should go over SSL is a bit like asking if aminet.net should be encrypted as well.
I hope this stays open.

Posted from my 4000

[turrican3]

You can keep http and https together than it won't block your amiga 4000.
But i don't see the point to make eab https...Perhaps someone could give good reasons but myself i can't.
But i could be wrong.

[commodorejohn]

Quote:

Originally Posted by turrican3

You can keep http and https together than it won't block your amiga 4000.

You can indeed...but it seems like the next step in these discussions after "why doesn't this site support HTTPS?" is inevitably "why does this site still support HTTP?"

[Hewitson]

Quote:

Originally Posted by turrican3

You can keep http and https together than it won't block your amiga 4000.
But i don't see the point to make eab https...Perhaps someone could give good reasons but myself i can't.
But i could be wrong.

Quote:

Originally Posted by Photon

If a website has a user login, it should be over a secure connection.

It's as simple as that. Whether you're a bank or an Amiga forum, it should be encrypted.

[Unkown]

Quote:

Originally Posted by hugo_nl

Good day. I realised this site is not on HTTPS. This makes it vulnerable to snooping and session hi-jacking, and obvious easy targets for spammers and hackers.

There is no site safe on the interweb these days so whats the point ?.

[demolition]

Quote:

Originally Posted by Unkown

There is no site safe on the interweb these days so whats the point ?.

Sure there are 'safe' sites. Nothing is 100% obviously but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with..


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?

[Unkown]

Quote:

Originally Posted by demolition

Sure there are 'safe' sites. Nothing is 100% obviously but I'll take 99% over 1%. It's like saying you are going to die eventually anyway so you might as well step in front of a car to get it over with..


Do you lock the door to your house when you're out? You know that thieves can get in anyway if they really want to?

Well lets see to day i could have been dead but a random choice saved my life, for real this is NOT a joke.


No a few times i have left my door open / unlocked and a few windows besides few times chosen to do so and other times just plain for got to lock the damn door.


Its also like people with bad passwords on the phone / computer / wifi etc, etc. don't take much if you or somebody else wanted to get in and have a good look round,



This is why every password i have ever used is kinda like a MD5 checksum, not enough time in one human life time to crack that kinda password. And its not as if people have Quantum computers laying around.So some things are 99.98% secure. As long as you don't leave then writen down on paper in plain view for strangers to see.


And what ever you do, Do NOT use password thingys in your browser dumbest thing to do these days.

[Unkown]

PS: forgot to say that i will be going away on the 19th so no forum spam from me untill a later date.

Tell you what tho want my address, will put the kettle on just sa i leave the house backdoor and front door will be left unlocked and all windows in the house will be open so its nice and fresh when you arrive, fresh milk in the fridge, plenty of cookies in the jar next to the microwave oven,

Knock your self out play some games on the PC's and or take your pick of the consoles.

WE have really nice interweb speed as well so yeah have fun and stay a while...