Unread 12-26-2015, 04:53 PM   #1
lfid
Lifer
Lifetime Forum
Patron
 
Join Date: Sep 2006
Location: Wichita, KS USA
Posts: 453
Thanks: 573
Thanked 96 Times in 53 Posts
level of encryption ?

re a foxnews item - seems technically correct
By Kim Komando Published December 26, 2015 The Kim Komando Show
http://www.foxnews.com/tech/2015/12/...ml?intcmp=hpff

includes
"Mozilla, the developer of the Firefox browser, is even making plans to stop supporting unencrypted websites entirely."

I think the url showing in header is not browser dependent

anyway - after site login the current url here has no https header - any plans to upgrade to full site encryption ?

ex current page is
http://forum.lugerforum.com/newthrea...ewthread&f=131

thanks !
Bill
lfid is offline   Reply With Quote
Unread 12-26-2015, 05:01 PM   #2
John D.
Administrator
& Site Owner
LugerForum
Patron
 
Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts

I would never use a password and login while using a free public wifi. That is very old news.

As for putting the onus on unsecure browsers using a private network with a login using WPA/WPA2 with TKIP/AES encryption - that would be the problem of the website admins "because"? Exactly? You want us to encrypt the data over circuits we don't control?

Tell me how that works - even if I throw out an encrypted data stream over an unsecured network - and to what level of encryption would make you feel "safe"...

And we should all be worried about this because you share personal bank/credit card/SSN/financial data on this site?

No you don't.

John D.
John D. is offline   Reply With Quote
Unread 12-26-2015, 05:29 PM   #3
mrerick
Super Moderator - Patron
LugerForum
Life Patron
 
Join Date: Dec 2009
Location: Eastern North Carolina, USA
Posts: 3,909
Thanks: 1,374
Thanked 3,110 Times in 1,510 Posts

I assume that the Fox article was discussing the use of SSL over HTTP. That is public key cryptography for all the session communications. It prevents things like passwords being sent from the browser to the server in the clear.

Lugerforum is being served over the standard port ":80" in the clear HTTP protocol.

No server responds when you try and access it through the secured SSL port ":443" HTTPS encrypted protocol.

Example:

https://lugerforum.com

Assuming he hasn't done it, in order to support SSL encrypted sessions, the server that John runs vBulletin the BBS software on will have to get its own security certificate, and start supporting SSL.

There is a discussion over at the vBulletin site, but it's not a trivial change:

http://www.vbulletin.com/forum/forum...https-question

It would also probably involve migrating to a newer version of vBulletin and the underlying PHP platform that fixed some issues...

https://www.vbulletin.org/forum/showthread.php?t=274711

So...

I run a server out of my home that is SSL enabled, and that forces SSL usage. It uses a self signed certificate (which is free - but which causes problems since it doesn't trace to a certificate authority). The services I run are designed to require SSL (https://) which takes much of the work out of configuring things.

The issue for Lugerforum must boil down to how much the admins can put into upgrading vBulletin and then configuring and testing the platform for SSL. That is a bit of work!

Marc
__________________
Igitur si vis pacem, para bellum -
- Therefore if you want peace, prepare for war.
mrerick is offline   Reply With Quote
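
The cases Marc describes above (nothing answering on :443, and a self-signed certificate that browsers reject) can be told apart from the client side. The following is an added example, not part of the original posts; the function name `probe_https` and its result labels are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0):
    """Classify how host:port answers a certificate-verifying TLS client.

    Hypothetical helper. Returns one of: "no-listener", "unreachable",
    "not-tls", "self-signed", "untrusted", or "trusted:<protocol version>".
    """
    # Default context checks the chain against the system CA store and
    # matches the hostname, which is what a browser does.
    ctx = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "no-listener"        # nothing bound to the HTTPS port
    except OSError:
        return "unreachable"        # timeout, DNS failure, filtered port
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "trusted:" + tls.version()
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL verify codes: 18 = self-signed leaf certificate,
        # 19 = self-signed certificate somewhere in the chain.
        if exc.verify_code in (18, 19):
            return "self-signed"
        return "untrusted"          # expired, wrong hostname, unknown CA
    except (ssl.SSLError, OSError):
        return "not-tls"            # port is open but does not speak TLS
    finally:
        raw.close()


if __name__ == "__main__":
    # Hosts come from the command line; "localhost" is only a default.
    for name in sys.argv[1:] or ["localhost"]:
        print(name, probe_https(name))
```

A "self-signed" result is the condition that makes a browser show a warning and require a user override; "no-listener" means the site is only reachable over plain HTTP.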
Unread 12-26-2015, 05:47 PM   #4
John D.
Administrator
& Site Owner
LugerForum
Patron
 
Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts

Since running, hosting and administering websites since 1998 - I can put it up into the https port - but, as I said - to what end - exactly?

You want to self-sign the cert? Great - it does nothing and is rejected by most modern browsers - as an FYI as it doesn't have the lookup from the SSL Authority.

Frankly - I still want to know exactly what folks are trying to hide on this site to warrant an encrypted and secure data-stream?

John D.
John D. is offline   Reply With Quote
Unread 12-26-2015, 06:10 PM   #5
mrerick
Super Moderator - Patron
LugerForum
Life Patron
 
Join Date: Dec 2009
Location: Eastern North Carolina, USA
Posts: 3,909
Thanks: 1,374
Thanked 3,110 Times in 1,510 Posts

The only thing that I can imagine is a problem is the password/userid combo. So, user hijack and spoof would be the issue. Just make sure that your password/userid combo here is unique and not used on other sites...

Yes - the problem with self-sign is that the browsers reject them (requiring user override). For a personal site, not an issue. For a public one, unacceptable. Thus, additional expense if you do it.

Thus, I'm happy with things as they are here unless the browser people do something to stop supporting port :80 in the clear HTTP...

Marc
__________________
Igitur si vis pacem, para bellum -
- Therefore if you want peace, prepare for war.
mrerick is offline   Reply With Quote
Unread 12-26-2015, 06:14 PM   #6
John D.
Administrator
& Site Owner
LugerForum
Patron
 
Join Date: Jun 2002
Location: A Little NE of Somewhere...
Posts: 2,651
Thanks: 477
Thanked 515 Times in 128 Posts

Again - password and user combo - from the OP on a public & shared wifi is always an issue. Always has been for the last nearly 20 years....

As well - yep - I know I'm right about the self-signed, but thanks for the confirmation - as I run a few mail servers and cloud systems for clients and do secure those datastreams - so, I'm pretty sure about all that

Best to you,

John D.
John D. is offline   Reply With Quote
All times are GMT -4. The time now is 10:45 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 1998 - 2024, Lugerforum.com