my profile |
register |
faq |
search upload photo | donate | calendar |
|
12-26-2015, 04:53 PM | #1 |
Lifer
Lifetime Forum Patron Join Date: Sep 2006
Location: Wichita, KS USA
Posts: 453
Thanks: 573
Thanked 96 Times in 53 Posts
|
level of encryption ?
re a foxnews item - seems technically correct
By Kim Komando Published December 26, 2015 The Kim Komando Show http://www.foxnews.com/tech/2015/12/...ml?intcmp=hpff includes "Mozilla, the developer of the Firefox browser, is even making plans to stop supporting unencrypted websites entirely." I think the url showing in header is not browser dependent anyway - after site login the current url here has no https header - any plans to upgrade to full site encryption ? ex current page is http://forum.lugerforum.com/newthrea...ewthread&f=131 thanks ! Bill |
12-26-2015, 05:01 PM | #2 |
Administrator
& Site Owner LugerForum Patron Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts
|
I would never use a password and login while using a free public wifi. That is very old news.
As for putting the onus on unsecure browsers using an private network with a login using WPA/WPA2 with TKIP/AES encryption - that's would be the problem of the website admins "because"? Exactly? You want us to encrypt the data over circuits we don't control? Tell me how that works - even if I throw out an encrypted data stream oven an unsecured network - and to what level of encryption would make you feel "safe"... And we should all be worried about this because you share personal bank/credit card/SSN/financial data on this site? No you don't. John D. |
The following member says Thank You to John D. for your post: |
12-26-2015, 05:29 PM | #3 |
Super Moderator - Patron
LugerForum Life Patron Join Date: Dec 2009
Location: Eastern North Carolina, USA
Posts: 3,909
Thanks: 1,374
Thanked 3,110 Times in 1,510 Posts
|
I assume that the Fox article was discussing the use of SSL over HTTP. That is public key cryptography for all the session communications. It prevents things like passwords being sent from the browser to the server in the clear.
Lugerforum is being served over the standard port ":80" in the clear HTTP protocol. No server responds when you try and access it through the secured SSL port ":443" HTTPS encrypted protocol. Example: https://lugerforum.com Assuming he hasn't done it, in order to support SSL encrypted sessions, the server that John runs vBulletin the BBS software on will have to get it's own security certificate, and start supporting SSL. There is a discussion over at the vBulletin site, but it's not a trivial change: http://www.vbulletin.com/forum/forum...https-question It would also probably involve migrating to a newer version of vBulletin and the underlying PHP platform that fixed some issues... https://www.vbulletin.org/forum/showthread.php?t=274711 So... I run a server out of my home that is SSL enabled, and that forces SSL usage. It uses a self signed certificate (which is free - but which causes problems since it doesn't trace to a certificate authority). The services I run are designed to require SSL (https://) which takes much of the work out of configuring things. The issue for Lugerforum must boil down to how much the admins can put into upgrading vBulletin and then configuring and testing the platform for SSL. That is a bit of work! Marc
__________________
Igitur si vis pacem, para bellum - - Therefore if you want peace, prepare for war. |
12-26-2015, 05:47 PM | #4 |
Administrator
& Site Owner LugerForum Patron Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts
|
Since running, hosting and administering websites since 1998 - I can put it up into the https port - but, as I said - to what end - exactly?
You want to self-sign the cert? Great - it does nothing is is rejected by most modern browsers - as an FYI as it doesn't have the lookup from the SSL Authority. Frankly - I still want to know exactly what folks are trying to hide on this site to warrant an encrypted and secure data-stream? John D. |
The following member says Thank You to John D. for your post: |
12-26-2015, 06:10 PM | #5 |
Super Moderator - Patron
LugerForum Life Patron Join Date: Dec 2009
Location: Eastern North Carolina, USA
Posts: 3,909
Thanks: 1,374
Thanked 3,110 Times in 1,510 Posts
|
The only thing that I can imagine is a problem is the password/userid combo. So, user hijack and spoof would be the issue. Just make sure that your password/userid combo here is unique and not used on other sites...
Yes - the problem with self-sign is that the browsers reject them (requiring user override). For a personal site, not an issue. For a public one, unacceptable. Thus, additional expense if you do it. Thus, I'm happy with things as they are here unless the browser people do something to stop supporting port :80 in the clear HTTP... Marc
__________________
Igitur si vis pacem, para bellum - - Therefore if you want peace, prepare for war. |
The following member says Thank You to mrerick for your post: |
12-26-2015, 06:14 PM | #6 |
Administrator
& Site Owner LugerForum Patron Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts
|
Again - password and user combo - from the OP on a public & shared wifi is always an issue. Always has been for the last nearly 20 years....
As well - yep - I know I'm right about the self-signed, but thanks for the confirmation - as I run a few mail servers and cloud systems for clients and do secure those datastreams - so, I'm pretty sure about all that Best to you, John D. |
Thread Tools | |
Display Modes | |
|
|