Many websites are now on HTTPS, worth exploring for BLF?

Even many websites without financial or sensitive data seem to be using HTTPS these days
Your thoughts?

I will recommend using Let’s Encrypt if you’re going to add SSL on this forum.

Yep, agree. It’s free, and surely adding security to the members.
I use it on my websites. Easy and fast to setup.

I’m not terribly excited to upgrade to it, but I’m sure I’ll make the jump eventually. It takes considerably more server resources to do the encryption, and we’re actually right on the edge of what my host allows in terms of CPU usage. Also it’s not trivially easy to set up due to the non-standard higher performance Nginx webserver configuration I use.

Meanwhile please make sure you use a complex and unique password for each one of your important sites, whether they run SSL or not.

It’s not broke don’t fix it.
Working good for me, some websites I go to make “improvements” that take forever to run right.
:sunglasses:

x2 :+1:

It’s not broke, but adding security.
So nothing being fix. It’s SSL, another layer of protection.
If you run your own website(s) you’ll know how good is that.

Nevertheless, it’s said above, that the host might at the edge of resources. Can’t argue more for that.

How about adding a reverse proxy server in-front, and terminating SSL there? You could also use Cloudflare to proxy and encrypt which would also reduce load on your primary server/s.

SSL on this website wouldn’t really be a fix, if anything it would be an improvement. Unless the current configuration is overly complex, which I doubt, SSL setup should be quite straight forward.

How is it easy and fast??
Last time I checked you need to pay for a certificate and activate it and then install it and then fix your website code to work with it…
So on top of a domain name now you need to pay for a certificate every year, and they are WAY more expensive than the domain name.

You’re thinking of an old-school SSL certificate. LetsEncrypt is totally free. Besides, you can find SSL certificates from top providers for dirt cheap.

That’s just called self-certification, is it not?
Does that still show the green address bar?

EDIT- ok so apparently it gives DV, which is the green padlock, but not EV, which is the green bar.

It’s different to self-certification because LetsEncrypt functions as the CA. Self-signed certificates don’t have CA’s recognised by browsers, and thus come up as untrusted.

LetsEncrypt certs will still show the green address bar, they’re considered domain verified.

Another trivia when running an SSL sites is you have to make sure all resources (media, javascript, css) are provided over SSL too.

So if ANY members posted image from non https page, the padlock will be broken.

Yup so unless we start dealing wtih banking details and making money transactions on here there seems little point in rushing to SSL. The added overhead in CPU resources and the extra cost - no matter how trivial are still something that needs to be considered.

I’d usually push people to SSL and turn off TLS1.0 etc but considering what data is on here I’d be more concerned about my username/email/password combo getting leaked. Apart from that I don’t really give a hoot.

New forum update, check it is SSL compliant.
Any funky scripts, re-write for SSL compliance.
Someone posts a link to imgur via standard http, SSL broken.

Sure the traffic to the site will still be good but the non techy people will see a ssl warning and worry.

Ah yes, very good point, I forgot about this. And that will definitely be the case here with externally hotlinked images all over the place.

I really hate how the browser makers (Chrome and Firefox especially) try to force the hand of webmasters with their scary icons about an “insecure” site just because there is a password input box on an HTTP:// page. I also think it creates a false sense of security when they add that nice green “Secure” padlock icon on HTTPS:// pages. SSL doesn’t magically make a site more safe. It does mitigate the possibility of snooping and man-in-the-middle attacks along the route between the web browser and the destination server. But it doesn’t protect against bad server administrators, bad server-side coding, or bad PC (and now mobile) security practices. A compromised server via an un-patched vulnerability or insecure configuration at the core server operating system level or the web services level (web server / server-side scripting language / database / cache mechanism) can be extremely insecure. Take Yahoo! as an example of that… and yet it’s still blessed by a nice green padlock in the browser’s URL bar. Or think of the damage that can be done if you have malware running a keylogger on your PC— no amount of encryption will prevent it from logging your keystrokes and ex-filtrating your nice complex password to the attackers as you type it into the trendy SSL secured site with its green padlock. There are even highly specialized malware that keep track of how much money they’ve siphoned out of your bank account and are capable of modifying the HTML that your (SSL secured) bank site spits out at a browser level in order to add back the stolen amount to the balance totals and hide transactions from the history so you don’t realize what’s going on. Or simpler yet: a single phishing email or social engineering slip-up could lead to you revealing your password to a scammer so that (s)he can enter it into the SSL secured site. The brutal truth is that the private encryption keys and the raw passwords and the raw data must exist somewhere, so if the hackers can’t get to your data while it’s “on the wire” during transmission, they’ll get the keys and/or the raw password at whatever level they exist at, even if it’s in your brain, via social engineering (i.e. “tricking you”).

So as far as BLF is concerned, I do take security very seriously at the server OS, web services, and forum software level. I always try to keep the entire software stack patched for security vulnerabilities, and my resistance to migrating to the popular proprietary/commercial forum software offerings (vBulletin et al.) is largely due to their deplorable history of security vulnerabilities. But as was mentioned earlier in this thread, BLF is not a financial institution, so I don’t see a lot of value in SSL, which is mainly useful to mitigate the risk of password snooping and modification of the final web page content during transmission. Just be sure to NEVER use your BLF password for any other web site or service that you care about, and in general ALWAYS use strong and unique passwords on all important sites, especially those significant to your financial and reputation/personal integrity. And don’t use insecure operating systems or devices to log into any online account or service that you care about.

OK, I’ll get off my soapbox now. :stuck_out_tongue: Have fun!

There is absolutely no point in encrypting anything other than the login, and that should be doable without using https. The data is accessible to anyone. Encrypting the transfer only uses more resources for no reason. Well, ok it does prevent someone intercepting your communication and spoofing the web site, well assuming the user doesn't do what we usually do and click "yeah whatever" when the security warning pops up. I don't see it as a big risk though. If it is desired just for key verification, it should possible to do it without encrypting all the data transfer.

I checked, it actually shows a green padlock, not the green addres bar. You need EV to get the green address bar.

That’s still good though, I’m gonna use this on my site, thanks :slight_smile:

EV is much more pricey. Hundreds up to thousands dollars for sure.
And you won’t need that. EV is for company or entity which should be validated.
Personal can’t get EV. For your own website(s) you can use DV, more than enough.
And yes, it’s easy to set, especially if you run your web serve under *nix OS.
Just use their own command line and you’ll done in minutes.
Best thing is you can generate (ask) almost hundred certificate for your own domain name.
And it’s not limit to only www, but other sub domain will do. And, it’s free.

[quote=sb56637]

I can live with that… :sunglasses:

But, Yahoo surely is another story, isn’t? Doubt that’s about ssl… LOL.