https URL for this site?



peterw_diy
03-01-2016, 08:31 PM
Tim, Henry, any chance this forum could start using an https secure URL? This is one of very few websites I visit that still requires me to use an insecure http:// address. :-(

Thanks.

Tim Kelley
03-02-2016, 08:35 AM
> Tim, Henry, any chance this forum could start using an https secure URL? This is one of very few websites I visit that still requires me to use an insecure http:// address. :-(
>
> Thanks.

Not sure. I'll check with our web guy.

What's the advantage? Is there really a need for more security when there is no money or personal information being exchanged? How much extra work is this going to create for admins to implement?

Remember, we're just lowly bike advocates--not fancy pants IT folks.

jrenaut
03-02-2016, 10:05 AM
Have him check out Let's Encrypt (https://letsencrypt.org/), if he hasn't already, for free SSL certificates. It's going to become the default pretty soon. In the next year or two I wouldn't be surprised to see Chrome and Firefox making you click OK before you see any unencrypted web traffic at all. It works sort of like vaccinating - yes, the traffic on this site isn't likely to need encryption, but encrypting the whole internet makes us all safer.

Depending on your hosting, this may be something the hosting company can do for you.

hozn
03-02-2016, 11:31 AM
> What's the advantage? Is there really a need for more security when there is no money or personal information being exchanged?

I agree with the sentiment here that it's definitely better to enable encryption -- and ideally to only allow encrypted traffic. While there's no money or (detailed) personal information being exchanged, there are a few things that one might not want to be visible to anyone watching (e.g.) the Starbucks wifi traffic:
- Their password. Especially if they happen to use this password for any other website.
- Their email address. Probably is only transmitted if someone visits their profile settings page, but not out of the realm of possibility.

jrenaut
03-02-2016, 11:41 AM
> - Their password. Especially if they happen to use this password for any other website.

Though I hope none of you are doing that. KeePass+Dropbox means I have strong unique passwords for every site I ever visit, available securely on all my devices. Feel free to PM me for advice on how to do something similar.

peterw_diy
03-08-2016, 12:39 PM
> there are a few things that one might not want to be visible to anyone watching (e.g.) the Starbucks wifi traffic:
> - Their password. Especially if they happen to use this password for any other website.
> - Their email address. Probably is only transmitted if someone visits their profile settings page, but not out of the realm of possibility.

And their forum "remember me" authentication cookies. If I can just get on the same WiFi as Tim long enough for him to make one single Web request I can read his saved PMs, add that Tumblr link, change rcannnon's avatar to a cat pic, you name it...

hozn
03-08-2016, 12:41 PM
Yes, good point on the cookie. You don't even have to wait for a login, in that case ... Yikes.
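
Added example (not part of any post above, and not this forum's code): a small Python check a site admin could run over response headers to see whether a "remember me" cookie can travel over plain http, which is the exposure discussed in the thread. The cookie name `forum_remember`, the host `forum.example` and all header values are constructed for illustration.

```python
# Added example; every header value below is constructed, not captured from a real site.

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(scheme, status, headers):
    """Return a list of findings for one response; headers is a list of (name, value)."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests too.
            findings.append(f"cookie {name}: no Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly attribute")
    location = next((v for k, v in hdrs if k == "location"), "")
    if scheme == "http":
        redirected = status in (301, 302, 307, 308) and location.lower().startswith("https://")
        if not redirected:
            findings.append("http request answered without redirect to https")
    elif not any(k == "strict-transport-security" for k, _ in hdrs):
        findings.append("https response lacks Strict-Transport-Security")
    return findings

# Constructed sample: site served over http only, long-lived login cookie.
HTTP_ONLY_SITE = ("http", 200, [
    ("Set-Cookie", "forum_remember=abc123; Path=/; Expires=Wed, 08 Mar 2017 12:00:00 GMT"),
])
# Constructed sample: http request that is only redirected, no cookie set.
HTTP_REDIRECT = ("http", 301, [("Location", "https://forum.example/")])
# Constructed sample: https-only site with a flagged cookie and HSTS.
HARDENED = ("https", 200, [
    ("Set-Cookie", "forum_remember=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000"),
])

if __name__ == "__main__":
    for label, sample in [("http-only", HTTP_ONLY_SITE), ("redirect", HTTP_REDIRECT),
                          ("hardened", HARDENED)]:
        print(label, audit(*sample) or "ok")
```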