EmailDiscussions.com

unlocktheinbox 17 Mar 2016 11:21 PM

Redirect HTTPS to HTTP for this forum?
 
Can't hurt.

janusz 18 Mar 2016 04:33 AM

SSL certificates cost money.

unlocktheinbox 19 Mar 2016 11:54 AM

There are a few places where you can get them for free.

https://www.startssl.com/Support?v=1
https://letsencrypt.org/

But a simple re-direct from HTTPS to HTTP would be cool (which is also free)

Bamb0 20 Mar 2016 05:51 AM

There is absolutely NO REASON to have this site on HTTPS!!

Nothing private here........ All you do is cause potential connection problems FOR NO REASON!!

gecko 10 Dec 2016 08:18 AM

I resurrect this thread because I was just about to start a new thread and ask why the forum has no https... In fact, attempting to connect via https results in an error page for me.

While I agree with the previous poster that there is nothing really private on this forum, I believe that https should be best practice today for anything that involves a login procedure. Protecting your credentials should IMHO be taken seriously these days.

Are there any plans to offer https in the future?

Best,
gecko

janusz 11 Dec 2016 01:21 AM

Quote:

Originally Posted by gecko (Post 598220)
Are there any plans to offer https in the future?

Of course the only person able to give an authoritative answer is Edwin, the forum administrator.

His last visit here was on 13 July 2016, six months ago.

elvey 11 Dec 2016 05:54 AM

Quote:

Originally Posted by unlocktheinbox (Post 592414)
Can't hurt.


The computationally expensive part of HTTPS is the initial negotiation. After that, it's cheap. And you want that to protect passwords anyway. It's impractical at best to attempt to securely request or submit passwords over HTTP.

Any counterarguments probably addressed here.

elvey 28 Dec 2016 03:02 AM

Whoops. Meant to quote/dispute
Quote:

Originally Posted by Bamb0 (Post 592498)
There is absolutely NO REASON to have this site on HTTPS!!

Nothing private here........ All you do is cause potential connection problems FOR NO REASON!!

not the OP's post.

n5bb 28 Dec 2016 04:46 AM

Why?
 
Quote:

Originally Posted by unlocktheinbox (Post 592414)
Can't hurt.

I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.

I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit.

Bill

David 28 Dec 2016 04:48 AM

Quote:

Originally Posted by n5bb (Post 598536)
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.

I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit.

Bill

I agree with Bill's post a thousandfold.

Bamb0 31 Dec 2016 04:21 AM

Quote:

Originally Posted by n5bb
I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum.

They mistyped the title. They meant to say


"Redirect HTTP to HTTPS for this forum?"

There is NO reason to put a reg site like this on HTTPS!!

n5bb 31 Dec 2016 04:49 AM

Quote:

Originally Posted by Bamb0 (Post 598603)
They mistyped the title. They meant to say
"Redirect HTTP to HTTPS for this forum?"
There is NO reason to put a reg site like this on HTTPS!!

The OP repeated the same order in a later post:
Quote:

Originally Posted by unlocktheinbox (Post 592476)
...But a simple re-direct from HTTPS to HTTP would be cool (which is also free)

I don't disagree that a secure site is not needed. But that's not the topic in the subject. Redirecting does not cause a secure connection to occur unless a proper security certificate and other server features are available.
  • Redirecting as you describe (http to https) just causes a security warning in the browser, since a secure connection is not allowed. If it was allowed, it would work like the automatic redirection from http://www.fastmail.com to https://www.fastmail.com.
  • Redirecting as in the subject (https to http) would be a security flaw. We don't want to force a secure connection attempt with https and get redirection to an insecure http website.
Bill
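
Added example, not part of the thread: the two redirect directions discussed above, checked offline over a redirect chain. The host `forum.example` and the response tables are constructed for illustration, and certificate validation is outside what this sketch covers.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses for a hypothetical host (url -> (status, Location)).
HTTPS_TO_HTTP = {"https://forum.example/login.php": (301, "http://forum.example/login.php")}
HTTP_TO_HTTPS = {"http://forum.example/login.php": (301, "https://forum.example/login.php")}

def classify_hop(src, dst):
    """Label one redirect hop by what it does to transport security."""
    s, d = urlsplit(src).scheme, urlsplit(dst).scheme
    if (s, d) == ("https", "http"):
        return "downgrade"
    if (s, d) == ("http", "https"):
        return "upgrade"
    return "same-scheme"

def audit_chain(start, responses, max_hops=10):
    """Follow Location headers offline and return (hops, final_url, verdict)."""
    hops, seen, url = [], {start}, start
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        hops.append((url, nxt, classify_hop(url, nxt)))
        if nxt in seen:
            return hops, nxt, "loop"
        seen.add(nxt)
        url = nxt
    # One downgrade taints the chain even if a later hop upgrades again:
    # the request to the http URL has already crossed the network unencrypted.
    if any(kind == "downgrade" for _, _, kind in hops):
        verdict = "insecure: https request redirected to http"
    elif urlsplit(url).scheme == "https":
        verdict = "ok: ends on https"
    else:
        verdict = "cleartext: ends on http"
    return hops, url, verdict
```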

Bamb0 1 Jan 2017 08:50 PM

Ya I just noticed they said the same thing twice...... (They are confused.... They meant to say HTTP TO HTTPS (The other doesn't make any sense @ all))

jhollington 10 Jan 2017 12:34 AM

The only valid reason I could see for doing this would be to secure user credentials against interception, which is a somewhat valid concern, but perhaps not enough to justify the additional complexity, cost, and overhead of maintaining an HTTPS version of the site, and in particular forcing/redirecting users to that version — which as others have pointed out would potentially create needless connectivity issues.

Ultimately like any security assessment it comes down to the actual threat and risk we're talking about. As long as you're following best security practices and not reusing the same password everywhere (and password reuse is a very bad idea even if a site is fully SSL-protected), there's very little that an attacker is going to get from having your EMD password. Basically, they can compromise your account and impersonate you on these forums, read your private messages, and obtain your email address. How much of an issue that is for you really depends on what sort of things you're doing on these forums — if you're exchanging confidential information via the PM system, then perhaps you have something to be concerned about, but it's probably safe to say that most users aren't doing that.

Personally, I think most hackers have better things to do with their resources than target EMD profiles, especially on a per-user basis. There's just nothing of sufficient value here to make it worth anybody's time and effort.

Frankly, if I wanted to pick at nits, I'd be more concerned that EMD is still running considerably older versions of Apache (2.2.24 circa 2013), PHP (5.2.17, circa 2011), and vBulletin 3.6.12 (assuming PL2, circa 2009). That said, I'm not even that concerned about these, since with the exception of Apache, these are the latest patch releases for those streams. However, there are still known vulnerabilities in those as well that make a desire for SSL securing the transmission channels even less relevant by comparison.

beeboy 17 Jan 2017 02:54 PM

It should always be https nowadays. This is one of the few places without it. I'm pretty sure we won't see much effort here due to the falling interest overall.

I've been using a VPN service for years and am not concerned about an EMD breach at my end. And like someone else mentioned, we are low priority. I would hate to see my many-year account hacked.

elvey 16 May 2017 09:45 AM

From an end-user perspective the most important thing is to be sure the password you use for these forums is not used for any other accounts. The fact that it's likely that many folks don't follow that advice makes the forum a rather attractive target. I follow it, and have for many years.

evilquoll 19 May 2017 11:07 PM

Authentication != encryption. Another point raised in that discussion is that an SSL certificate only proves that you're on the site that the URL says you're on; a link could point you to www.еmаіІdіѕсuѕѕіоnѕ.соm and you wouldn't know (from the URL or the certificate) that it isn't this site (apart from the "w", "m", "d" and "." characters, all the characters in that link are Cyrillic; goodness knows where, if anywhere, that link leads).
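
Added example, not part of the thread: a defender-side check for the lookalike-hostname problem described in the post above. The name `forum.example`, the sample string, and the lookalike table (a hand-picked subset, not the full Unicode confusables data) are assumptions made for illustration.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

# Constructed sample: "forum.example" with Cyrillic o (U+043E) and e (U+0435).
LOOKALIKE = "f\u043erum.\u0435xample"

def scripts_in(label):
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    # Digits and hyphens are skipped: they are shared by every script.
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold known lookalike letters to Latin so visually equal names compare equal."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in host.lower())

def inspect_host(host, trusted):
    """Compare `host` with the `trusted` name the user expects to be on."""
    host = host.lower()
    try:
        wire = host.encode("idna").decode("ascii")  # form DNS and the certificate carry
    except UnicodeError:
        wire = None
    labels = host.split(".")
    return {
        "wire_name": wire,
        "mixed_script_labels": [lab for lab in labels if len(scripts_in(lab)) > 1],
        "non_latin_labels": [lab for lab in labels if scripts_in(lab) - {"LATIN"}],
        "impersonates_trusted": host != trusted and skeleton(host) == trusted,
    }
```

The `wire_name` field shows the `xn--` form that a valid certificate for the lookalike would be issued for, which is why the certificate alone does not expose the substitution.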

popowich 10 Jun 2017 01:54 AM

Encrypt everything by default is the way the world is going. SSL/TLS certificates can be obtained for free now. Eventually popular web browsers are going to begin displaying a warning or "not secure" when a site is running on http, which could confuse visitors. For a site as old as this with lots of links, when the change is made, some care should be taken not to mess up the redirection and there could be some temporary SEO-type issues. It's probably good to get done sooner or later. Since revenue generation isn't much of a concern here I'd think it's best to just get it done at a convenient time for E.


All times are GMT +9.