Most people who don't have that skill are using a hosting panel like Plesk, cPanel.

Let's Encrypt is a one button click install and configure in Plesk these days.

I think it may be in cPanel as well.

And it auto renews now so short cert life not that big a deal anymore.

Don't disagree but think about what would need to happen for the browser to make a determination on the risk of each bit of content running under a non secure directory.

It'd probably be painfully slow and then there is the "...but you said it was not that big a threat and I got hacked..." crowd.

Personally I hate it.

Did you ask the Pelican Brain Trust first?

If you did I missed it so my apologies there.

You can always go Let's Encrypt when your current cert expires.

Nope! Shoulda known better too! If it can be answered, it'll be answered here.

When I switched my company's domain over to GoDaddy last year they really pushed me for a "secure" site.
They made it sound like I better spend the extra or ....you know.
It's a content only website.

It started showing up with the latest IPhone update.

It needs to be fixed period.

The page in the concern category is the login page; meaning your username and password are sent in clear text over the internet.

Please fix Pelican

If you offer a forum with free speech there are responsibilities...
The feds will want to be able to access all your messages and what you send (even if using a 2nd account).

So, this is not a technical thing... its a "I leave you alone but cooperate" kind of deal..

I read this entire thread. It reminds me of statistics. I sat through an entire term of statistics in college and didn’t understand any of it.

Meh, as long as one is not using the same user/pass as they use for say, their bank....

Which by the way, happy to see you don't.

Yes, I checked.SmileWavy

The Pelican forums are definitely not "free speech", but are a censor at whim and will platform (not sure if you were saying it is a free speech forum, however).

Can't have yer "tits" transmitted over the Internet so the geeks can't see 'em....WAH :(!

What if it literally cost 7 figures to encrypt those pics?

I used to live this stuff too...on a rather large scale ;).

T-Rex

Computer Science, Advanced Communications, and Quantitatitive Analysis are easy peasy if yer gifted in those arenas...

I have to mow my own lawn though ;)

Sorry they do have one, it just not implemented correctly ( I would suspect to let the adds in)

http://forums.pelicanparts.com/uploa...1574805896.JPG

There have been cases where someone's ID was stolen and used in a for sale scam here.

The "already pinged" list of spam seems to have disappeared.

As noted, "secure" should only required for some functions.
Maybe it's easier to code the whole site that way?

Https removes any anonymity for visitors not using proxies.
As does the new Pelican PARF loggin requirement and Google javascript required for private messages.
More tracking.

its a cross reference thing.. if the site is secure its harder to connect to unsecure sources of advertisements.. Also allows for xsite scripting injection, so more adevertisements and things like cookies can be injected and later harvested by other sites..

This is a technical choice.

Profits over everything else. Lets not forget we are the product here

The forum should also use https as the certificate not only serves to encrypt the connection between the browser and the server, it also validates that you are connecting to the legitimate pelican forum server. In its current configuration it would be rather trivial to bring up another server and mascarade as forums.pelicanparts.com, conduct a DNS poisoning attack to redirect everyone to the imposter server and capture everyone's logins. The fact this is not their e-commerce site should not preclude them from protecting the forum servers. Attackers may be able to find their way into more sensitive areas of their operation. Remember the Target credit card breach? The attackers exploited a weakness in the HVAC systems and found their way to the credit card machines.

The go daddy cert issued to pelican parts e-commerce site can only be used on www.pelicanparts.com and pelicanparts.com. Pelican parts would need to either get another cert for forums.pelicanparts.com or update their current cert to a SAN cert that could be used for Loading, pelicanparts.com and forums.pelicanparts.com. I would opt for a separate cert so if one is compromised (say the forum cert) it doesn't affect the other (cert used for e-commerce site).

Looking at the go daddy pricing for certs, a single domain is only $63.99 per year, a san cert is $159.99 per year and a wildcard cert which can be used on *.pelicanparts.com $295 per year. Cheap insurance IMHO.

Again, meh.

Far far far more likely the person hacked used an obvious easy to guess password than it was sniffed.

I use a random pass generator along with a pass manager and two factor on every site that I can. I have accounts that I don’t even know the password for.

We can rely on others for our security or take matters into our own hands.

Obviously, I’m an advocate for the later.

Just install the browser plugin "HTTPS Everywhere". Problem solved.