Many websites are now on HTTPS, worth exploring for BLF?

EV is much more pricey. Hundreds up to thousands of dollars for sure.
And you won’t need that. EV is for a company or entity which should be validated.
An individual can’t get EV. For your own website(s) you can use DV, more than enough.
And yes, it’s easy to set up, especially if you run your web server under a *nix OS.
Just use their own command line and you’ll be done in minutes.
Best thing is you can generate (ask for) almost a hundred certificates for your own domain name.
And it’s not limited to only www, but other subdomains will do. And, it’s free.

[quote=sb56637]
I can live with that… :sunglasses:

But, Yahoo surely is another story, isn’t it? Doubt that’s about ssl… LOL.
[/quote]

Yep, absolutely. But that was my point: they use SSL but still had bad security practices, resulting in some of the largest data exfiltration in history.

I’m glad the forum Admin knows his stuff :+1:

I’m a web developer, and, while I generally advocate for SSL, I don’t think it’s necessary for this site. The biggest risk comes from users who use the same password for multiple sites.

All of the users just really need to use a unique password and a password manager to keep track of their unique passwords. KeePass, LastPass, and 1Password are all potential options.

We have used Keepass for many years. It is a truly great way to keep track of all one’s passwords. Then all you need is one very random, mixed character, 16+ character master password.

Well, I’d have to disagree with you there, it really is trivial actually… :slight_smile:

Not sure if I see any reason to switch though, although Google might punish you for not having it - both in search hits and soon (?) in Chrome as well I think.

Pardon my apparent stupidity, but exactly what are we trying to protect? Anyone who wants to see what is on BLF can simply register and presto, it is all visible. You use encryption to hide things from prying eyes that otherwise might be up to no good. I regard anything posted on BLF as essentially public, since there are no fees or other restrictions on membership that I am aware of. If you want to hide something, then don’t post it on a board!

Above all, it would be to protect the password you type in to login. But then again, it’s not a banking website, so I don’t see that as an imminent risk if it’s not encrypted.

The other use of encryption is to prevent some middleman from intercepting the connection and changing what comes from the server before it reaches you. So for example a site that gives the current state of alert for a certain threat could be intercepted while it’s “on the wire” in transmission and the attacker could change the threat level to give false information. Or somebody could intercept the contents of a news site while it’s in transmission to make it say that a certain country has initiated a nuclear attack on another state. Again, given the topic of flashlights, not really a risk.
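The two threats described in the post above (a passive eavesdropper reading the login password, and an active middleman rewriting a response in transit) as an added, self-contained example that is not part of the original thread or the forum's code. The "wire" is a bytes object, the host name and credentials are constructed sample data, and the cipher is a toy encrypt-then-MAC built from the standard library so it runs offline; it illustrates the property TLS provides (confidentiality plus integrity) and is not TLS itself or anything to use in production.

```python
"""
Added example (not from the thread, not the site's code): what an on-path
attacker can do with a plaintext HTTP login, and why an authenticated,
encrypted channel stops it. The "wire" is just a bytes object, and the
cipher is a toy encrypt-then-MAC built from hashlib/hmac so it runs
offline. It models the property TLS gives you; it is NOT TLS.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample traffic for a hypothetical forum host.
_BODY = b"name=alice&pass=hunter2&op=Log+in"
LOGIN_REQUEST = (
    b"POST /user/login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)
ALERT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"threat-level: LOW\n"
)


def sniff_password(wire: bytes):
    """Passive eavesdropper: a regex over the bytes is all it takes on plain HTTP."""
    m = re.search(rb"pass=([^&\r\n]+)", wire)
    return m.group(1).decode() if m else None


def mitm_rewrite(wire: bytes) -> bytes:
    """Active attacker: edit the response in transit. Plain HTTP carries no
    integrity check, so the client cannot tell this happened."""
    return wire.replace(b"LOW", b"SEVERE")


# ---- toy authenticated encryption (encrypt-then-MAC), illustration only ----
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (a stand-in for a real stream cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC nonce||ciphertext so any modification is detectable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the tag first (constant-time compare), only then decrypt."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record truncated")
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record tampered with or forged")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def flip_one_bit(record: bytes) -> bytes:
    """Active attacker against the sealed channel: the best they can do blindly."""
    buf = bytearray(record)
    buf[NONCE_LEN] ^= 0x01  # first ciphertext byte
    return bytes(buf)


def demo() -> dict:
    """Run both scenarios and return what each party ends up seeing."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    result = {
        "plain_sniffed_password": sniff_password(LOGIN_REQUEST),
        "plain_client_sees": mitm_rewrite(ALERT_RESPONSE),
        "sealed_sniffed_password": sniff_password(seal(enc_key, mac_key, LOGIN_REQUEST)),
    }
    try:
        unseal(enc_key, mac_key, flip_one_bit(seal(enc_key, mac_key, ALERT_RESPONSE)))
        result["sealed_tamper_detected"] = False
    except ValueError:
        result["sealed_tamper_detected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the plaintext login giving up `hunter2` to a one-line regex and the rewritten `threat-level: SEVERE` reaching the client unnoticed, while the sealed version yields nothing to the sniffer and the single flipped bit is rejected before decryption. The check-the-tag-before-decrypting order in `unseal` is the same reason real TLS record layers use AEAD modes rather than MAC-then-encrypt.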

I actually already set up LetsEncrypt once for a temporary project on this site. It wasn’t extremely hard, but it also wasn’t easy, due in part to the fact that I use a non-standard higher performance server stack (Nginx + PHP-FPM) that requires special configuration to integrate with this forum engine.

Well, I’ve never used LetsEncrypt so I don’t know about that part. I was thinking of a regular SSL setup in Nginx, which is not very complicated if you have a working non-https already. Either copy existing virtual host config to a new file, change port and add a few lines of ssl-config, or make a clean ssl config and use the http site as proxy server. I can barely remember how to configure apache nowadays as all servers I manage are on nginx, just so much nicer to work with.
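The "copy the vhost, change the port, add a few lines of ssl config" approach from the post above, written out as an added example. This is not the forum's real configuration and not the poster's own file: the hostnames, web roots and the PHP-FPM socket path are assumptions, and the certificate paths follow certbot's default `/etc/letsencrypt/live/<domain>/` layout so the same config also serves the Let's Encrypt webroot challenge discussed earlier in the thread.

```nginx
# Added example: minimal Nginx vhost pair for a PHP forum behind PHP-FPM.
# Hostnames, paths and the PHP-FPM socket are assumptions.

# Plain-HTTP vhost: answer ACME challenges for Let's Encrypt, redirect
# everything else to HTTPS. The challenge location is what lets
#   certbot certonly --webroot -w /var/www/letsencrypt -d forum.example -d www.forum.example
# issue and renew without stopping Nginx.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example www.forum.example;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS vhost: same site, different port, plus the ssl_* lines.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name forum.example www.forum.example;

    ssl_certificate     /etc/letsencrypt/live/forum.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example/privkey.pem;

    # Weak setting still seen in copied configs:
    #   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Restrict to versions without known downgrade and padding-oracle issues.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers never to retry plain HTTP for this host. Add it only
    # after everything works over HTTPS; it is hard to undo once cached.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/forum;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand PHP to PHP-FPM and tell the forum engine it is behind HTTPS so
    # generated links and session cookies use https:// rather than http://.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}
```

The `fastcgi_param HTTPS on;` line is the piece most often missed when moving a PHP forum behind Nginx: without it the application still believes it is on plain HTTP and emits http:// links, which is the usual source of mixed-content warnings and redirect loops after switching on TLS.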

While https MAY give users the impression of security, it may be prudent to remember the panic and consequences of the heartbleed bug.

That doesn’t make any sense; because technology is imperfect we should not try?
Why then do we have keys for doors and passwords for bank accounts? Doors can be broken down and banks can be robbed, yet if a bank’s online password system was disabled the bank would be out of business very quickly, which is not happening otherwise.

More than just flashlights though; forums have been hacked to scam money from other members: a person with many posts and a good reputation gets his account hacked and, for example, the scammer “sells” items that are not delivered, raises money for a fraudulent cause, uses the account for posting spam, posts alternative facts :smiley:

@Bort My point is while https gives users the impression of security, there is the potential for failure that can have far-reaching consequences and diligence is necessary to avoid such exploits. Wading into security should not be done blindly or without thorough research and constant vigilance.

So you’re saying https is worse than not using anything at all?
lol ok then

No, I’m not saying that. I’m saying that https has failed in the past, and has the potential to do so again. It requires effort to maintain security, and there is always the possibility of exploit or slow implementation of a fix when such an exploit is discovered. Consider the recently released information from wikileaks. The NSA has historically played a significant role in security standards and encryption. Ultimately, their allegiance is to the US government. I suspect there may be some major ‘holes’ exposed soon and ‘secure’ communications may not be as secure as assumed.

It sounds like you were saying just that.
No one posting here has claimed HTTPS is infallible, and everyone posting here will have heard of technological fallibilities; your post does sound like you are saying technology is imperfect so we should not try, otherwise your point makes no sense and need not have been posted at all.

I’m saying that real security requires effort and research. Blindly assuming that a site using https is secure is foolish. It’s a near-daily occurrence to see some financial institution or major corporation report a security breach. These corporations rely on the faith of their customers. I’m not opposed to implementation of https. Quite the opposite - I’d like to see it happen. I’m just trying to point out possible pitfalls and potential for failure.

@Bort So, it’s either agree or don’t bother posting? Fine. I’m done here. I tried to present a reasonable caution against blind assumptions but obviously it fell on deaf ears.

Bad opsec in any link in the chain is what causes most of those security failures.

Require a 16-char password with a mixture of no less than all 4 of lc/uc alphabetic, numeric, and punctuation, and someone’ll come up with a great unguessable password… only to write it on a sticky note and slap it on his monitor.

Kinda like having a secure deadbolt with a 4-sided laser-etched key, and then hiding it in the flowerpot next to the door.

Too many people rely on “secure” tools as a crutch, while ignoring all other factors. People will panic if a website loses its green-bar or green-padlock or whatever, but will go and click on pr0n sites that install keystroke loggers when they’re not looking. Then they wonder how someone emptied their bank accounts… :stuck_out_tongue:

So, I agree, for a casual website like BLF, I don’t see much cause to worry about MITM attacks. Online banks, sure, but a flashlight-forum??

And blindly trudging along to go to https just because Everyone Else™ does it, is hardly a reason why. Dunno, but it just reminds me of these piss-ant companies that attach page-long warnings at the end of each email:

*WARNING*!! This is the Voice Of Doom™ speaking! This email is private and confidential! If you receive this email by accident, you are hereby *ordered* to destroy this email and all other copies (and probably violate Sarbanes-Oxley in the process), never ever share the contents of this email under pain of death and eternal torment in the afterlife, and immediately report this transgression to us so that we may continually harangue you and make sure you adhere to the other demands we make of you as if you signed some sort of binding contract with us.

So a nothing company that could disappear off the planet and not have more than those people currently working for it even notice, sees what the Big Boys are doing, and wants to put on its own Big Boy pants and act just like them. Monkey see, monkey do. Most other people, though, would find such a warning laughable and tell them to get stuffed. Ah, but it makes management feel Big and Important…

And so, for no reason, they go locking down their companies as if they’re guarding the Sangraal, installing MFA on their logins, requiring passwords so restrictive that it leaves only like 3 possible passwords in all of ascii-space, all sorts of rot, just to Feel Secure.

Not to be secure, but to feel secure.