Why is this site, "not secure"??

[stomachmonkey]

Quote:

Originally Posted by id10t

Free, works, and works well. Also works for doing SMTP w/ SSL/TLS and wrapping both POP3 and IMAP in SSL.

"Only" down side is short certificate life but if you have the skills to be messing around setting up web/mail servers and needing SSL you should be able to set up a cron job to keep your certificate valid.

Most people who don't have that skill are using a hosting panel like Plesk, cPanel.

Let's Encrypt is a one button click install and configure in Plesk these days.

I think it may be in cPanel as well.

And it auto renews now so short cert life not that big a deal anymore.

[stomachmonkey]

Quote:

Originally Posted by cstreit

This is whats so frustrating about Google's decision and that of the browser companies following suit.

It scares the uninformed user. THere is simply no need to encrypt static boring content, but the "warning" implies that there is something nefarious going on.

Don't disagree but think about what would need to happen for the browser to make a determination on the risk of each bit of content running under a non secure directory.

It'd probably be painfully slow and then there is the "...but you said it was not that big a threat and I got hacked..." crowd.

Personally I hate it.

[stomachmonkey]

Quote:

Originally Posted by cabmando

Where were you a month ago!?

Did you ask the Pelican Brain Trust first?

If you did I missed it so my apologies there.

You can always go Let's Encrypt when your current cert expires.

[cabmandone]

Quote:

Originally Posted by stomachmonkey

Did you ask the Pelican Brain Trust first?

If you did I missed it so my apologies there.

You can always go Let's Encrypt when your current cert expires.

Nope! Shoulda known better too! If it can be answered, it'll be answered here.

[911 Rod]

When I switched my company's domain over to GoDaddy last year they really pushed me for a "secure" site.
They made it sound like I better spend the extra or ....you know.
It's a content only website.

[Ziggythecat]

Quote:

Originally Posted by speeder

I've never noticed this before, in the address bar it says, "Not Secure--forums.pelicanparts.com

What the what?

It started showing up with the latest IPhone update.

[stealthn]

It needs to be fixed period.

The page in the concern category is the login page; meaning your username and password are sent in clear text over the internet.

Please fix Pelican

[Oracle]

If you offer a forum with free speech there are responsibilities...
The feds will want to be able to access all your messages and what you send (even if using a 2nd account).

So, this is not a technical thing... its a "I leave you alone but cooperate" kind of deal..

[Crowbob]

I read this entire thread. It reminds me of statistics. I sat through an entire term of statistics in college and didn’t understand any of it.

[stomachmonkey]

Quote:

Originally Posted by stealthn

It needs to be fixed period.

The page in the concern category is the login page; meaning your username and password are sent in clear text over the internet.

Please fix Pelican

Meh, as long as one is not using the same user/pass as they use for say, their bank....

Which by the way, happy to see you don't.

Yes, I checked.

[Rawknees'Turbo]

Quote:

Originally Posted by Oracle

If you offer a forum with free speech there are responsibilities...
The feds will want to be able to access all your messages and what you send (even if using a 2nd account).

So, this is not a technical thing... its a "I leave you alone but cooperate" kind of deal..

The Pelican forums are definitely not "free speech", but are a censor at whim and will platform (not sure if you were saying it is a free speech forum, however).

[KFC911]

Can't have yer "tits" transmitted over the Internet so the geeks can't see 'em....WAH !

What if it literally cost 7 figures to encrypt those pics?

I used to live this stuff too...on a rather large scale .

T-Rex

[KFC911]

Quote:

Originally Posted by Crowbob

I read this entire thread. It reminds me of statistics. I sat through an entire term of statistics in college and didn’t understand any of it.

Computer Science, Advanced Communications, and Quantitatitive Analysis are easy peasy if yer gifted in those arenas...

I have to mow my own lawn though

[stealthn]

Sorry they do have one, it just not implemented correctly ( I would suspect to let the adds in)

[pmax]

Quote:

Originally Posted by stomachmonkey

Meh, as long as one is not using the same user/pass as they use for say, their bank....

Which by the way, happy to see you don't.

Yes, I checked.

There have been cases where someone's ID was stolen and used in a for sale scam here.

[john70t]

The "already pinged" list of spam seems to have disappeared.

As noted, "secure" should only required for some functions.
Maybe it's easier to code the whole site that way?

Https removes any anonymity for visitors not using proxies.
As does the new Pelican PARF loggin requirement and Google javascript required for private messages.
More tracking.

[Oracle]

its a cross reference thing.. if the site is secure its harder to connect to unsecure sources of advertisements.. Also allows for xsite scripting injection, so more adevertisements and things like cookies can be injected and later harvested by other sites..

This is a technical choice.

Profits over everything else. Lets not forget we are the product here

[930addict]

The forum should also use https as the certificate not only serves to encrypt the connection between the browser and the server, it also validates that you are connecting to the legitimate pelican forum server. In its current configuration it would be rather trivial to bring up another server and mascarade as forums.pelicanparts.com, conduct a DNS poisoning attack to redirect everyone to the imposter server and capture everyone's logins. The fact this is not their e-commerce site should not preclude them from protecting the forum servers. Attackers may be able to find their way into more sensitive areas of their operation. Remember the Target credit card breach? The attackers exploited a weakness in the HVAC systems and found their way to the credit card machines.

The go daddy cert issued to pelican parts e-commerce site can only be used on www.pelicanparts.com and pelicanparts.com. Pelican parts would need to either get another cert for forums.pelicanparts.com or update their current cert to a SAN cert that could be used for Loading, pelicanparts.com and forums.pelicanparts.com. I would opt for a separate cert so if one is compromised (say the forum cert) it doesn't affect the other (cert used for e-commerce site).

Looking at the go daddy pricing for certs, a single domain is only $63.99 per year, a san cert is $159.99 per year and a wildcard cert which can be used on *.pelicanparts.com $295 per year. Cheap insurance IMHO.

[stomachmonkey]

Quote:

Originally Posted by pmax

There have been cases where someone's ID was stolen and used in a for sale scam here.

Again, meh.

Far far far more likely the person hacked used an obvious easy to guess password than it was sniffed.

I use a random pass generator along with a pass manager and two factor on every site that I can. I have accounts that I don’t even know the password for.

We can rely on others for our security or take matters into our own hands.

Obviously, I’m an advocate for the later.

[Brando]

Just install the browser plugin "HTTPS Everywhere". Problem solved.