Can we get the forum secured?

Several months ago Chrome and Firefox (maybe IE too, anyone even use IE?) started warning users about sites (like BLF) that don’t have an SSL to make their URL http*S*://

When sites don’t use an SSL everything we enter into any field is sent clear text. That means each time we log in our username and passwords are all clear text and anyone that wants to see them could see them.

With services like Let’s Encrypt (https://letsencrypt.org/) website owners can get FREE SSL certs and take a big step toward protecting us users and our login credentials.

I’ve done this several times and would be happy to help make it happen here if needed.

This has been brought up several times, and it's not going to happen.

I'm sure others will elaborate.

Here's two threads on the subject that may answer your questions:

https://budgetlightforum.com/t/-/52457

https://budgetlightforum.com/t/-/44660

I don’t believe there is any personal data on BLF, not sure why we need to secure anything… you can secure everything on your end though, generally. Use a VPN for web stuff, don’t do anything personal on public wifi etc

If someone would literally steal my posts or content from here I wouldn’t be worried, it is a public forum after all (again, I don’t think that will happen).

♫ In the garage, you feel safe
No one cares about your ways
In the garage, where you belong
No one hears you sing this song ♫

I use LastPass with a uniquely long password and a VPN. I’m not worried

^

Does that encrypt your userid and pw while transmitting? I generally use a VPN too, but have to turn it off when accessing certain financial institutions and my work.

There is a tendency for folks to use a common pw (and userid too). So at a minimum, one should try to use a different pw for unsecured websites. That wouldn't prevent a hacker from using a BLF member's login data to make fictitious posts, edit existing posts, rude button, etc.

Congrats on 7777 posts :smiley:
If people use the same user ID, are you saying the ImA4Wheelr on the slingshot forum is the same as on here :sunglasses:

I know that Drupal encrypts the db, but is the u/p transmission secure as well?

Please by all means, post your email address along with your BLF password if you really believe what you say.

It would take a lot more work on the server.

For why ?

To talk about torches ?

You will be warned about the insecurity when logging in, just be careful, it’s not a big deal unless you are an idiot.

Yes, you too. Please post your password… it’s not a big deal.

It’s obvious that the admin/owner here either doesn’t understand (bad) or doesn’t care (worse) about security.

SSL is free, takes little to zero effort to do. I’ve personally deployed Let’s Encrypt across more than a dozen websites running various server configurations from Apache to Nginx and even Microsoft IIS.

I guess we can’t be all that surprised, looking at the site - it’s running Drupal 7 which is 8 year old software. The owner can’t be bothered to not only apply a simple SSL but can’t even be bothered to keep software up-to-date.

Those that are saying this isn’t a big deal, you clearly don’t understand the purpose of it. Sure THIS site is a flashlight forum, but there is still sensitive data on here that not every member wants to be shared publicly such as email and passwords… all of which is passed in the clear over HTTP.

Again, this is an easy and FREE layer of security that has no good reason not to apply it.

Further, search engines give higher ranking to sites that do use HTTPS. So not only is deploying an SSL good for the users and site owner, but the site also benefits from it from search engines.

I have to admit I used a separate email address and different password for this forum. If someone would compromise that data it wouldn’t hurt me at all (no content in that inbox) although I wouldn’t want it to happen (I don’t think it will happen). If someone would use a personal/important address or an easy password it might be another issue? So far I have not heard of any issues on here.

From what I gather there is one person providing us a free of charge place to talk about flashlights and other closely related topics. From the amount of advertising on this site I would assume not much money is being brought in by that advertising and that the man running the show probably puts out more time and money in keeping it up and running than is being brought in from said advertising. There is one absolute way to ease all of your concerns about the security you seek. Don’t use the site.

In this day and age it is not someone else’s responsibility to make sure you are feeling all safe and warm. That is your responsibility. If you feel you aren’t safe, change your circumstance. You may have gotten a warmer reception to this topic by PM’ing the admin and taking it up with him privately. You chose a different route so now you get to hear everyone else’s opinions. So enjoy. Good day to ya.

Okay, let’s go with that. The site doesn’t make much money. No problem… again SSL can be had for FREE. It doesn’t get much cheaper than that.

I’m not looking for “warm reception”, I’m looking for a site owner to make the right decision and take steps to protect the data we submit here, such as our email and password.

In this case it IS someone else’s responsibility to make this site secure… not me. In fact I’ve offered to assist if the owner is unfamiliar. Exactly what more can a regular user do?

Accept that it will happen when the site owner feels like it, or move on?

"Security" of a website is an extremely nebulous and general term, with countless factors coming into play:

https://budgetlightforum.com/t/-/52457/15

https://budgetlightforum.com/t/-/52457/22

This is blatant misinformation and pure FUD. Here's the most recent Drupal 7 security patch from October 17 (4 days ago), which I applied on that very same day within hours of its release, as I have for every single other security update released during the past 8+ years of administering BLF:

https://www.drupal.org/psa-2018-10-17

Drupal 7 is fully supported still, with both security and feature / bug fixes.

In short, @79ford, if you feel insecure by using BLF despite all the above facts, or if you insist on spreading false information, I suggest you stop using it.

What is pure FUD? :open_mouth:

I know what FODDER is and what FUBAR means, don’t have any idea of what FUD is about :smiley:

:slight_smile:

https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

Oh that’s why I don’t know it…it is one of them “nice” acronyms…abbreviations… :person_facepalming:

This is flat out wrong. You don’t run SSL on this server yet somehow you know it’s going to cripple your server? SSL adds little to no resources, in fact with the use of features such as HTTP/2 (most up-to-date webservers support this) the load on a web server is actually LESS.

At no time have I said SSL makes your website 100% hack proof… nothing does. It adds another layer of protection. Security has always been about layers. There is no one silver bullet that stops everything. Pretending SSL doesn’t provide security is silly.

To think no one ever does this, or that it’s “not common” is completely wrong. In fact there are several applications, add-ons and hardware that assist people in doing this. Browser add-ons like Firesheep (Wikipedia) or hardware like the Pineapple https://shop.hak5.org/products/wifi-pineapple.

Their sole purpose is to intercept traffic.

Even well known anti-virus software does this: “Project Zero calls out Kaspersky AV for SSL interception practices” (ZDNET)

The benefits of SSL are obvious. The users (and the site) benefit from the EXTRA security, the site benefits from less load on the server and better search engine rankings. It’s a win win.