Many websites are now on HTTPS, worth exploring for BLF?

There is absolutely no point in encrypting anything other than the login, and that should be doable without using https. The data is accessible to anyone. Encrypting the transfer only uses more resources for no reason. Well, ok, it does prevent someone intercepting your communication and spoofing the web site, well, assuming the user doesn't do what we usually do and click "yeah whatever" when the security warning pops up. I don't see it as a big risk though. If it is desired just for key verification, it should be possible to do it without encrypting all the data transfer.

I checked, it actually shows a green padlock, not the green address bar. You need EV to get the green address bar.

That’s still good though, I’m gonna use this on my site, thanks :slight_smile:

EV is much more pricey. Hundreds up to thousands of dollars for sure.
And you won’t need that. EV is for a company or entity which should be validated.
An individual can’t get EV. For your own website(s) you can use DV, more than enough.
And yes, it’s easy to set up, especially if you run your web server under a *nix OS.
Just use their own command line and you’ll be done in minutes.
Best thing is you can generate (ask for) almost a hundred certificates for your own domain name.
And it’s not limited to only www; other subdomains will do too. And, it’s free.

I can live with that… :sunglasses:

But, Yahoo surely is another story, isn’t it? Doubt that’s about ssl… LOL.

Yep, absolutely. But that was my point: they use SSL but still had bad security practices, resulting in some of the largest data exfiltration in history.

I’m glad the forum Admin knows his stuff :+1:

I’m a web developer, and, while I generally advocate for SSL, I don’t think it’s necessary for this site. The biggest risk comes from users who use the same password for multiple sites.

All of the users just really need to use a unique password and a password manager to keep track of their unique passwords. Keepass, Lastpass, and 1Password are all potential options.

We have used Keepass for many years. It is a truly great way to keep track of all one’s passwords. Then all you need is one very random, mixed character, 16+ character master password.

Well, I’d have to disagree with you there, it really is trivial actually… :slight_smile:

Not sure if I see any reason to switch though, although Google might punish you for not having it - both in search hits and soon (?) in Chrome as well I think.

Pardon my apparent stupidity, but exactly what are we trying to protect? Anyone who wants to see what is on BLF can simply register and presto, it is all visible. You use encryption to hide things from prying eyes that otherwise might be up to no good. I regard anything posted on the BLF as essentially public, since there are no fees or other restrictions on membership that I am aware of. If you want to hide something, then don’t post it on a board!

Above all, it would be to protect the password you type in to login. But then again, it’s not a banking website, so I don’t see that as an imminent risk if it’s not encrypted.

The other use of encryption is to prevent some middleman from intercepting the connection and changing what comes from the server before it reaches you. So for example a site that gives the current state of alert for a certain threat could be intercepted while it’s “on the wire” in transmission and the attacker could change the threat level to give false information. Or somebody could intercept the contents of a news site while it’s in transmission to make it say that a certain country has initiated a nuclear attack on another state. Again, given the topic of flashlights, not really a risk.

I actually already set up LetsEncrypt once for a temporary project on this site. It wasn’t extremely hard, but it also wasn’t easy, due in part to the fact that I use a non-standard higher performance server stack (Nginx + PHP-FPM) that requires special configuration to integrate with this forum engine.

Well, I’ve never used LetsEncrypt so I don’t know about that part. I was thinking of a regular SSL setup in Nginx, which is not very complicated if you have a working non-https already. Either copy existing virtual host config to a new file, change port and add a few lines of ssl-config, or make a clean ssl config and use the http site as proxy server. I can barely remember how to configure apache nowadays as all servers I manage are on nginx, just so much nicer to work with.
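As an added illustration of the second approach mentioned above (a clean ssl config that proxies to the existing plain-http site), and not configuration from anyone in this thread or from the forum itself: a minimal Nginx pair of server blocks. The domain name, certificate paths and the localhost port of the existing http vhost are assumed placeholders.

```nginx
# Added example, not the forum's real config. Assumes:
#   - the existing plain-HTTP vhost has been rebound to 127.0.0.1:8080
#   - certificates for forum.example (placeholder) live under /etc/letsencrypt
server {
    listen 80;
    server_name forum.example;
    # Send every plain-HTTP visitor to HTTPS so the login form is never
    # submitted in the clear, which is the one thing the thread agrees matters.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forum.example;

    ssl_certificate     /etc/letsencrypt/live/forum.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Terminate TLS here and hand the request to the untouched HTTP vhost.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Lets the forum engine know the client connection was HTTPS,
        # so generated links and cookies use https:// instead of http://.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the backend still listens only on localhost, visitors cannot bypass the TLS endpoint by connecting to port 8080 directly.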

While https MAY give users the impression of security, it may be prudent to remember the panic and consequences of the heartbleed bug.

That doesn’t make any sense, because technology is imperfect we should not try?
Why then do we have keys for doors and passwords for bank accounts? Doors can be broken down and banks can be robbed yet if a bank’s online password system was disabled the bank would be out of business very quickly which is not happening otherwise.

More than just flashlights though, forums have been hacked to scam money from other members: a person with many posts and a good reputation gets his account hacked and for example the scammer “sells” items that are not delivered, raises money for a fraudulent cause, uses the account for posting spam, posts alternative facts :smiley:

@Bort My point is while https gives users the impression of security, there is the potential for failure that can have far-reaching consequences and diligence is necessary to avoid such exploits. Wading into security should not be done blindly or without thorough research and constant vigilance.

So you’re saying https is worse than not using anything at all?
lol ok then

No, I’m not saying that. I’m saying that https has failed in the past, and has the potential to do so again. It requires effort to maintain security, and there is always the possibility of exploit or slow implementation of a fix when such an exploit is discovered. Consider the recently released information from wikileaks. The NSA has historically played a significant role in security standards and encryption. Ultimately, their allegiance is to the US government. I suspect there may be some major ‘holes’ exposed soon and ‘secure’ communications may not be as secure as assumed.

It sounds like you were saying just that.
No one posting here has claimed HTTPS is infallible, and everyone posting here will have heard of technological fallibilities; your post does sound like you are saying technology is imperfect so we should not try, otherwise your point makes no sense and need not have been posted at all.

I’m saying that real security requires effort and research. Blindly assuming that a site using https is secure is foolish. It’s a near-daily occurrence to see some financial institution or major corporation report a security breach. These corporations rely on the faith of their customers. I’m not opposed to implementation of https. Quite the opposite - I’d like to see it happen. I’m just trying to point out possible pitfalls and potential for failure.