Secure HTTP site?



Marc Zeitlin
01-05-2021, 04:41 PM
When should we expect the eaaforum.org site to become a secure site, using https rather than http? Especially since we need to input a password to access it.

Browsers are starting to block insecure websites - there's no excuse for having an insecure website that needs passwords to access.

lnuss
01-05-2021, 08:16 PM
I'm curious WHY you want the forums to be secure. Perhaps the login page, but as far as I'm concerned anyone can read anything I post here. No big deal to me...

Eric Page
01-05-2021, 08:41 PM
It has nothing to do with hiding or showing what you post to the forum, and everything to do with the security of the site itself, and of the traffic between it and its users.

This site [The HTTPS-Only Standard (https://https.cio.gov/)] is government specific, but it explains a lot about why https has become a near requirement for all websites.

Kyle Boatright
01-05-2021, 10:15 PM
It has nothing to do with hiding or showing what you post to the forum, and everything to do with the security of the site itself, and of the traffic between it and its users.

This site [The HTTPS-Only Standard (https://https.cio.gov/)] is government specific, but it explains a lot about why https has become a near requirement for all websites.

If the data between me and the EAA's forum gets hacked, what are the potential consequences? Some hacker sends me naughty pictures instead of airplane content? My posts to the forum become undecipherable after the hacker messes with them?

I don't have a problem with *more* security, but why do I care, given the content here?

FlyingRon
01-06-2021, 07:14 AM
It would be trivially easy and relatively cost free to put security certificates here and get https working. I've set up both vBulletin sites and the better XenForo to do so. You don't even have to buy the certificates anymore. There's an open "Let's Encrypt" source for them now. I've offered assistance to the forum folk here before, without even an acknowledgement.

Yeah, the value of EAA is small potatoes security-wise, but other people running vB have been severely hacked by bots, so it's just a matter of time if the administrators bury their heads in the sand and do nothing. It's particularly problematic if people use (they really should not) the same passwords and user names on multiple sites. The "junk" user id and password I use on such inconsequential sites now shows up compromised by Google's security checks. Of course, I need to be careful because some of the forum sites I administer deal with REAL MONEY (they're tied into several different payment processors).