Hi everyone,
You might have noticed that some web browsers are displaying a scary-looking “Not secure” warning for BLF. Everything is normal, and there is NO reason for concern.
Basically, it has to do with the simple fact that BLF doesn’t use SSL (the https:// protocol). Since BLF doesn’t process any sensitive information it’s not imperative to implement SSL. The site has NOT been compromised, nor does it have viruses or anything of that nature. It’s just an overly-alarming warning from the browser that it displays on all sites that use the http:// protocol with any sort of user login feature.
When it comes to “web security”, there are a huge number of factors that are often confused:
1. The risk of malware on your device that logs your personal data and “phones home” to the attacker. This is by far the most common attack.
- SSL (https://) does NOT protect against this risk.
- As the administrator of BLF, I can’t do anything to protect users from this risk.
2. The risk of somebody tricking you into revealing your password(s) and/or financial information by pretending to be somebody else. This is also a common attack vector.
- SSL (https://) does NOT protect against this risk.
- As the administrator of BLF, I can’t do anything to protect users from this risk.
3. The risk of somebody hacking into the web server and installing something malicious that infects visitors. This is also relatively common.
- SSL (https://) does NOT protect against this risk.
- As the administrator of BLF, it is entirely my responsibility to protect my users against this sort of attack, and I take it very seriously. There are a huge number of best practices for administering a web server that I adhere to in order to keep the server as secure as possible. Usually if there is a sudden unplanned maintenance window for BLF, it’s because I’m applying security patches.
4. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.
- This is what SSL (https://) is designed to protect against.
So I don’t see any imminent risk for BLF users by not immediately implementing SSL. I’m sure I will eventually, but it’s not a priority. A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.
Thanks for reading. Have fun!
Budget Light Forum ...where Frugal meets with Flashlight!
Thanks for the update sb. I’m glad the forum is secure.
Now can you do something about the insecure members here? I know I am not the only one.
How to Post Images on BLF // Many knives for sale (USA only)
How to move a thread
I use the pickiest Android browser (Chrome), and I've not seen a single warning.
Now that we're here sb56637, I am going to suggest a forum improvement in emojis/emoticons. The available range via the simple post editor is a little bit limited and definitely outdated (and not to say the advanced post editor is a @#$% in this regard). I know you just have to host a good handful of emoji images and make them available for insert via some small applet; there are plenty of nice emoji sources free to use nowadays. Hijacking outside bandwidth to make use of them is uncomfortable and worries me a little bit.
Thanks.
Cheers
Deleting a just published post causes the forum thread answer notification to fail. Thus, if you need to change your just published post, edit it. Thanks.
Please avoid fully quoting lenghty posts, namely with nested quotes. Trim quotes down to the essential. Helps with neatness and legibility. Thanks.
Yeah, but is it ultra high CRI?
I recommend saying no to Covid vaccine. Listen to your soul.
He didn’t say it was secure, just that it wasn’t necessary to be secure…as we don’t process transactions on the site or share detailed personal information.
I understand SB. Thanks.
I vote for SSL though. It’s fast, free, and renews itself. I’d love all sites to use it.
# Install the Let's Encrypt client (certbot) with its Apache plugin
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache
# Create the certificate and let certbot configure Apache to use it
certbot --apache -d example.com
# Test the renewal process; once the dry run passes, the installed timer/cron job keeps it renewed
certbot renew --dry-run
certbot renew
# See the certificates
ls /etc/letsencrypt/live
It’s Google; they updated the verification process, and if a website doesn’t have SSL it’s flagged as unsafe. They want all servers/websites to use HTTPS. Is the issue only with Chrome?
Firefox gives me a warning when I log in.
I use a lesser known browser, Opera.
I haven't received any warnings, so far, that I remember.
The problem is not the installation of a certificate, but all the other services that are only available through http. You will get an insecure/mixed content loaded message (there is a workaround: load all external content through the BLF server).
But I agree, https is the way to go: https://doesmysiteneedhttps.com
I’d prefer HTTPS at least for log in data.
Opera uses a Chrome engine.
And G00gl€ can $#%& my @#%$ with the security stuff and whatever, by the way. They get bully with sheesh and I hate that. I've posted a few messages in the G00gle help forums and it's surprising to see how awkward and @#$% the code/engine which runs them is. It's an unbelievably freakin' mess.
G00gl€, Appl€ and the dimwits feeding them blindly need a flogging.
Off-topic again, sorry.
Cheers
What about our personal messages?
In theory there could be personal information in PMs. But when it comes to “web security”, there are a huge number of factors that are often confused:
1. The risk of malware on your device that logs your personal data and “phones home” to the attacker. This is by far the most common attack.
2. The risk of somebody tricking you into revealing your password(s) and/or financial information by pretending to be somebody else. This is also a common attack vector.
3. The risk of somebody hacking into the web server and installing something malicious that infects visitors. This is also relatively common.
4. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.
So I don’t see any imminent risk for BLF users by not immediately implementing SSL. I’m sure I will eventually, but it’s not a priority. A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.
I use a unique password generated by Lastpass for each and every website. That said, I don’t give out personal information on websites that are not secure. Plus, I use a VPN. I’m no expert, but I think I’m a couple of steps above the average Joe.
My home ISP injects advertising into web pages that are not encrypted.
My cell ISP severely reduces the quality of the video clips I text out if they can process them. (non iMessage encrypted deliveries)
If they have the balls to do that, they have the balls to profile me based on comments I post on BLF. For that reason I wish BLF had SSL.
I'd tell your ISP to lick my @#$%.
With regards to advertising, I have it blacklisted by default on Android thanks to AdAway (root). It can also be done by other means on Windows (done it) or Linux machines.
Adverts are an unnecessary pestering illness in my honest opinion. I never buy based on advertising alone (if at all), but rather on my own needs and objective reviews.
Cheers
I have NO choices for ISP. If I want home internet, there is only one choice.
That’s just not true. At very least, BLF processes email addresses during registration. If my contact information doesn’t fit your definition of sensitive, what more do you want?
It’s not good practice, but I’m sure enough users also use a generic password for this site as well – that could definitely be considered ‘sensitive’, depending on what else it’s used for.
How much money would you need to raise to add more processing resources to your system SB? I would chip in yearly. Many would. I would like to see BLF grow.
If I recall correctly, BLF runs on a SuSE-based platform. But I might use your cert tips for a project I’m doing… thanks!
(mostly, I just need ssl for a bit of a toy project, to enable secure cross-site data transfer)
I would also find it useful if BLF acted as an oauth2 (or similar) identity provider, which requires ssl, so I could slave other sites/services off it using a single sign-on. I’ve been tempted to add some kickstarter-like features to make community projects easier for everyone. But even if BLF had identity provider features, I’m not sure I’d actually have enough time and motivation to do the rest. Too many projects.
This would create a whole lot of warnings and/or break a lot of image links. Like, I’d probably have to add https to my site (finally) and edit every post I’ve ever made with images. Which isn’t really all that much of a problem for me personally, but in a site-wide sense it would be pretty disruptive.
The server-passthrough workaround could reduce disruption, but it’s even more complication and more server load for sb to deal with. And some of the sites I’ve seen with that method end up breaking half the time anyway.
It’s certainly an open attack vector, but it hasn’t been a problem here that I’m aware of. There are probably people in the NSA and KGB quietly collecting our login data and stuff. Large-scale route hijacking attacks have been found in the wild for at least the past five years, ever since people noticed BGP attacks routing traffic through Iceland in 2013.
But if they were to ever actually use that data, we’d have much bigger things to worry about. And in the mean time, ssl is a significant cost and complication for BLF.
…
TL;DR: What sb56637 said. Https should probably happen eventually, but it’s a major PITA.
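The server passthrough discussed in this post (and proposed in the earlier reply about mixed content) can be prototyped as an audit pass over stored post HTML before flipping the site to https. The following is an added example, not BLF's code or anything posted in this thread. It assumes the forum hostname is budgetlightforum.com and that a hypothetical endpoint /proxy?url=... on the forum fetches external http:// images server-side; everything else is standard-library Python.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

SITE_HOST = "budgetlightforum.com"   # assumption: the forum's own hostname
PROXY_PATH = "/proxy?url="           # hypothetical server-side fetch endpoint

# (tag, attribute) pairs whose http:// URL on an https:// page is mixed content.
# Browsers block "active" kinds outright and only warn about "passive" ones.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


def classify(tag, attr, attrs):
    """Return 'active', 'passive' or None for one attribute of a tag."""
    if (tag, attr) in ACTIVE:
        return "active"
    rel = (attrs.get("rel") or "").lower().split()
    if tag == "link" and attr == "href" and "stylesheet" in rel:
        return "active"
    if (tag, attr) in PASSIVE:
        return "passive"
    return None


def rewrite_url(url, kind):
    """Decide what to do with one URL. Returns (new_url, action)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url, "ok"          # https://, //host/, relative and data: URLs are fine
    if parts.hostname == SITE_HOST:
        # Our own host will have a certificate, so just upgrade the scheme.
        return parts._replace(scheme="https").geturl(), "upgraded"
    if kind == "passive":
        # Passthrough: the forum server fetches the image and serves it over https.
        return PROXY_PATH + quote(url, safe=""), "proxied"
    # Active content is deliberately not proxied: serving a third-party script or
    # stylesheet from the forum's own origin hands it the forum's cookies and DOM.
    return url, "blocked"


class MixedContentAuditor(HTMLParser):
    """Re-serialises a post fragment, rewriting mixed-content URLs and logging them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []   # (action, tag, original_url)

    def _emit_start(self, tag, attrs, self_closing):
        original = dict(attrs)
        pieces = [tag]
        for name, value in attrs:
            if value is None:            # bare attribute such as <video controls>
                pieces.append(name)
                continue
            kind = classify(tag, name, original)
            if kind:
                value, action = rewrite_url(value, kind)
                if action != "ok":
                    self.findings.append((action, tag, original[name]))
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def audit_post(fragment):
    """Return (rewritten_html, findings) for one stored post body."""
    parser = MixedContentAuditor()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample post: an image on our own host, a hotlinked image,
# a hotlinked script and a plain link (links are never mixed content).
SAMPLE_POST = (
    '<p>Beamshots: <img src="http://budgetlightforum.com/files/beam1.jpg"> and '
    '<img src="http://example.com/pics/beam2.jpg" alt="S2&amp;+"></p>'
    '<script src="http://example.com/widget.js"></script>'
    '<a href="http://example.com/review">full review</a>'
)

if __name__ == "__main__":
    rewritten, findings = audit_post(SAMPLE_POST)
    for action, tag, url in findings:
        print(f"{action:9s} <{tag}> {url}")
    print(rewritten)
```

Run over the post table, the findings list tells you how much of the archive actually needs the passthrough (hotlinked images) versus what can simply be upgraded to https (images already on the forum host) versus what has to be cleaned up by hand (hotlinked scripts and stylesheets). Active content is left untouched on purpose: browsers block it anyway, and proxying someone else's JavaScript through your own origin turns a warning into a cross-site scripting hole.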
You don’t have to force https. Just answer “no” to the force https option at install and nothing changes as far as the public sees. Leaving SB and some users free to doddle around with the https.
As the very title of this thread makes clear, browsers are on the verge of outright blocking users with a red screen and scaring them away if the site is not https. Requiring SSL really is something that is going to happen soon. There have been years of marching, and some companies are now pushing hard.
Oh, cool. That certainly helps.
(in case it wasn’t obvious, I’ve been dragging my feet about https for a long time and haven’t really dived in yet… last time I really looked at it was before it was compatible with name-based vhosts, so I didn’t implement it then and haven’t gotten back to it since)
I’ll be honest, I expect SSL on any site I visit and it puts me off when I don’t see it. I’ve dipped into these forums over the last few months but would only login if I really needed something. Frankly there’s too much bad stuff happening on the web to be worrying about how secure my credentials are – I’d rather avoid a site entirely and avoid the issue.
Right now I am not seeing such “explicit” warnings. Why? Namely because I “downgraded” my browser version a little bit. I do not update my software if the developer is screwing up. I am the one deciding how and when to update my software. Those of you who regularly go to whatever software “stores” to “upgrade” your software blindly are allowing yourselves to be manipulated, sorry to say. Nowadays software development is quite focused on milking the cows and this means speaking half truths to people (how not?). SSL is not really necessary for many things no matter what bullying G00gl€ says.
There's too much bad stuff happening? Sorry?
Bad stuff happens to those of you who allow it via your subconscious beliefs. My advice is for you to believe right, as the reality you experience is created via your chosen beliefs (as above, so below), not the other way around.
Cheers
I understand your viewpoint, and it’s definitely commendable to be conscientious about security. But please remember to always use a different password on all different websites, which will avoid most risks.
As mentioned above, Let’s Encrypt would be a great idea… at least for the login page. Also, Google will be prioritizing ranking based on certain security variables including SSL.
Cheers-
Withoutink
You really won’t have much choice about implementing SSL going forward, it’s not going to be long until this is required by most consumer browsers and search engines.