SSL
Posted: Sun Mar 12, 2017 7:24 pm
by tbrown
Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
Re: SSL
Posted: Sun Mar 12, 2017 7:28 pm
by Charles L. Cotton
tbrown wrote:Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.
Chas.
Re: SSL
Posted: Sun Mar 12, 2017 7:30 pm
by tbrown
Thank you for the quick reply. I recently got the warning about username/password not being secure. I'll add an exception for the site.
Re: SSL
Posted: Sat Apr 15, 2017 10:27 pm
by skeathley
In the web industry (from which I am retired), it is considered a best practice to use a secure connection for all login pages, as someone with a network sniffer could get passwords, log in, and leave a lot of spam messages with links. Not a danger, but hours of time to delete, change credentials, etc.
In addition, many SEO professionals believe that Google gives more weight to sites using a certificate, which improves their rankings.
If you accidentally use https to address a website that does not use a certificate, you will actually hit the server default certificate, which is self-signed. That encryption is valid, but since the Authority is invalid, you will get a security warning.
It is now considered a smart practice to secure all pages on all sites with a certificate, just to avoid all the problems, and potentially improve search engine rankings.
S
Re: SSL
Posted: Sat Apr 15, 2017 11:29 pm
by uthornsfan
Chas,
It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL those passwords can get intercepted in plain text.
The industry is moving toward every site needing/requiring SSL.
Re: SSL
Posted: Sun Apr 16, 2017 7:35 am
by tx mountaineer
Charles L. Cotton wrote:tbrown wrote:Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.
Chas.

Re: SSL
Posted: Fri Apr 28, 2017 10:50 am
by cyphur
No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.
Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Re: SSL
Posted: Fri Apr 28, 2017 10:57 am
by ScottDLS
+1.
I understand why SSL is a pain, but for that effort there are benefits. On the other hand, I'm not complaining as I'm not the one going to the trouble of hosting a really good forum. And I really like the emojis.
Re: SSL
Posted: Fri Apr 28, 2017 11:01 am
by allisji
cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.
Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

Re: SSL
Posted: Fri Apr 28, 2017 11:16 am
by cyphur
allisji wrote:cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.
Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

Look into a password manager like LastPass. Problem solved.
Re: SSL
Posted: Fri Apr 28, 2017 12:27 pm
by The Annoyed Man
cyphur wrote:allisji wrote:cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.
Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

Look into a password manager like LastPass. Problem solved.
Love LastPass.
Re: SSL
Posted: Tue May 02, 2017 12:39 am
by strogg
I'm a RoboForm man myself. It's seemingly more secure because it's not as popular, but it doesn't support 2FA.
I vote that the admins enable SSL on this website. Granted I'm good enough to use a unique super random password for this site, not everyone does. Regardless, cost shouldn't be considered an issue thanks to https://letsencrypt.org/
Re: SSL
Posted: Tue May 02, 2017 12:41 am
by casp625
uthornsfan wrote:Chas,
It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL those passwords can get intercepted in plain text.
The industry is moving toward every site needing/requiring SSL.
I ran Wireshark just to see what was going on. Logged into TexasCHLForum and sure enough, there was my password in plain text. Now the password I use here is completely unique and never used anywhere else.
Re: SSL
Posted: Tue May 02, 2017 7:18 am
by skeathley
Enabling SSL is not as simple as clicking a button. There are several steps, and it requires a dedicated IP, which may not be part of their hosting deal. The forum probably uses an IP shared with dozens of other websites. Also, if every graphic is not addressed by https, browsers will throw "mixed content" errors.
S
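Added example, not part of any post in this thread: a pre-migration check for two issues raised above, the "mixed content" errors browsers show when a page served over HTTPS loads graphics over http://, and login forms whose password is submitted without HTTPS. The `audit` function, the `forum.example` and `cdn.example` URLs and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src makes the browser fetch a subresource for the page.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}

class HttpsAudit(HTMLParser):
    """Finds http:// subresources and password forms not posted over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []           # (tag, absolute URL) fetched over http://
        self.insecure_forms = []  # form targets receiving a password in cleartext
        self._target = None       # absolute action URL of the form being parsed
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("src") if tag in SRC_TAGS else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            ref = a.get("href")
        if ref:
            url = urljoin(self.page_url, ref)  # resolves relative and //host forms
            if urlparse(url).scheme == "http":
                self.mixed.append((tag, url))
        elif tag == "form":
            self._target = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._target is not None:
            if self._has_password and urlparse(self._target).scheme != "https":
                self.insecure_forms.append(self._target)
            self._target = None

def audit(html, page_url):
    """Return (mixed_subresources, insecure_password_forms) for one page."""
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.mixed, parser.insecure_forms

# Constructed sample page, not taken from any real site.
SAMPLE = """<img src="http://forum.example/images/logo.png">
<img src="/images/smile.gif"><script src="//cdn.example/app.js"></script>
<form action="http://forum.example/ucp.php" method="post">
<input type="text" name="username"><input type="password" name="password"></form>
<form action="search.php"><input type="text" name="q"></form>"""
```

Relative and protocol-relative URLs follow the page's own scheme, so only the hard-coded `http://` references need editing before the site is switched to HTTPS.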
Re: SSL
Posted: Tue May 02, 2017 5:31 pm
by Charles L. Cotton
I'll check with our web host about an SSL.
Chas.