EmailDiscussions.com  

Go Back   EmailDiscussions.com > Miscellaneous > About this site...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

About this site... Do you have any thoughts, suggestions or comments about this site? Post them here...

Reply
 
Thread Tools
Old 17 Mar 2016, 11:21 PM   #1
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
Redirect HTTPS to HTTP for this forum?

Can't hurt.
unlocktheinbox is offline   Reply With Quote

Old 18 Mar 2016, 04:33 AM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,311
SSL certificates cost money.
janusz is online now   Reply With Quote
Old 19 Mar 2016, 11:54 AM   #3
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
There's a few places where you can get them for free..

https://www.startssl.com/Support?v=1
https://letsencrypt.org/

But a simple re-direct from HTTPS to HTTP would be cool (which is also free)
unlocktheinbox is offline   Reply With Quote
Old 20 Mar 2016, 05:51 AM   #4
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,206
There is absolutely NO REASON to have this site on HTTPS!!

Nothing private here........ All you do is cause potential connection problems FOR NO REASON!!
Bamb0 is offline   Reply With Quote
Old 10 Dec 2016, 08:18 AM   #5
gecko
Member
 
Join Date: Feb 2010
Posts: 90
I resurrect this thread because I was just about to start a new thread and ask why the forum has no https... In fact, attempting to connect via https results in an error page for me.

While I agree with the previous poster that there is nothing really private on this forum, I believe that https should be best practice today for anything that involves a login procedure. Protecting your credentials should IMHO be taken serious these days.

Are there any plans to offer https in the future?

Best,
gecko
gecko is offline   Reply With Quote
Old 11 Dec 2016, 01:21 AM   #6
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,311
Quote:
Originally Posted by gecko View Post
Are there any plans to offer https in the future
Of course the only person able to give an authoritative answer is Edwin, the forum administrator.

His last visit here was on 13 July 2016, six months ago.
janusz is online now   Reply With Quote
Old 11 Dec 2016, 05:54 AM   #7
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,362
Quote:
Originally Posted by unlocktheinbox View Post
Can't hurt.

The computationally expensive part of HTTPS is the initial negotiation. After that, it's cheap. And you want that to protect passwords anyway. It's impractical at best to attempt to securely request or submit passwords over HTTP.

Any counterarguments probably addressed here.
elvey is offline   Reply With Quote
Old 28 Dec 2016, 03:02 AM   #8
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,362
Whoops. Meant to quote/dispute
Quote:
Originally Posted by Bamb0 View Post
There is absolutely NO REASON to have this site on HTTPS!!

Nothing private here........ All you do is cause potential connection problems FOR NO REASON!!
not the OP's post.
elvey is offline   Reply With Quote
Old 28 Dec 2016, 04:46 AM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 7,948
Question Why?

Quote:
Originally Posted by unlocktheinbox View Post
Can't hurt.
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.

I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit.

Bill
n5bb is offline   Reply With Quote
Old 28 Dec 2016, 04:48 AM   #10
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,339
Quote:
Originally Posted by n5bb View Post
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.

I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit.

Bill
I agree with Bill's post a thousandfold.
David is offline   Reply With Quote
Old 31 Dec 2016, 04:21 AM   #11
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,206
Quote:
Originally Posted by n5bb
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum.
They mistyped the title. They meant to say


"Redirect HTTP to HTTPS for this forum?"

There is NO reason to put a reg site like this on HTTPS!!
Bamb0 is offline   Reply With Quote
Old 31 Dec 2016, 04:49 AM   #12
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 7,948
Quote:
Originally Posted by Bamb0 View Post
They mistyped the title. They meant to say
"Redirect HTTP to HTTPS for this forum?"
There is NO reason to put a reg site like this on HTTPS!!
The OP repeated the same order in a later post:
Quote:
Originally Posted by unlocktheinbox View Post
...But a simple re-direct from HTTPS to HTTP would be cool (which is also free)
I don't disagree that a secure site is not needed. But that's not the topic in the subject. Redirecting does not cause a secure connection to occur unless a proper security certificate and other server features are available.
  • Redirecting as you describe (http to https) just causes a security warning in the browser, since a secure connection is not allowed. If it was allowed, it would work like the automatic redirection from http://www.fastmail.com to https://www.fastmail.com.
  • Redirecting as in the subject (https to http) would be a security flaw. We don't want to force a secure connection attempt with https and get redirection to an insecure http website.
Bill
n5bb is offline   Reply With Quote
Old 1 Jan 2017, 08:50 PM   #13
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,206
Ya I just noticed they said the same thing twice...... (They are confused.... They meant to say HTTP TO HTTPS (The other doesnt make any sense @ all))
Bamb0 is offline   Reply With Quote
Old 10 Jan 2017, 12:34 AM   #14
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 232
The only valid reason I could see for doing this would be to secure user credentials against interception, which is a somewhat valid concern, but perhaps not enough to justify the additional complexity, cost, and overhead of maintaining an HTTPS version of the site, and in particular forcing/redirecting users to that version — which as others have pointed out would potentially create needless connectivity issues.

Ultimately like any security assessment it comes down to the actual threat and risk we're talking about. As long as you're following best security practices and not reusing the same password everywhere (and password reuse is a very bad idea even if a site is fully SSL-protected), there's very little that an attacker is going to get from having your EMD password. Basically, they can compromise your account and impersonate you on these forums, read your private messages, and obtain your email address. How much of an issue that is for you really depends on what sort of things you're doing on these forums — if you're exchanging confidential information via the PM system, then perhaps you have something to be concerned about, but it's probably safe to say that most users aren't doing that.

Personally, I think most hackers have better things to do with their resources than target EMD profiles, especially on a per-user basis. There's just nothing of sufficient value here to make it worth anybody's time and effort.

Frankly, if I wanted to pick at nits, I'd be more concerned that EMD is still running considerably older versions of Apache (2.2.24 circa 2013), PHP (5.2.17, circa 2011), and vBulletin 3.6.12 (assuming PL2, circa 2009). That said, I'm not even that concerned about these, since with the exception of Apache, these are the latest patch releases for those streams. However, there are still known vulnerabilities in those as well that make a desire for SSL securing the transmission channels even less relevant by comparison.
jhollington is offline   Reply With Quote
Old 17 Jan 2017, 02:54 PM   #15
beeboy
Cornerstone of the Community
 
Join Date: Jun 2003
Posts: 527
It should always be https nowadays. This is one of the few places without it. I'm pretty sure we won't see much effort here due to the falling interest overall.

I've been using a vpn service for years and am not concerned about an emd breach at my end. And like someone else mentioned, we are low priority. I would hate to see my many year account hacked.
beeboy is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 09:26 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy