Comments
That seems an odd decision by Google. Many sites will have areas that have no requirement for HTTPS; to delist them as "not secure" is somewhat perverse.
Remember, it's easier to criticise than create!
On a guitar forum where we have no financial data being transmitted and (I'm assuming) the passwords are already sent encrypted, what is the actual point of encrypting the session between you and the webserver? The only thing adding SSL is doing here is adding overhead: payload encryption/decryption, cost of SSL cert, adding the SSL to the hosting costs, remembering to renew the damn certificate, the inevitable scenario where you get incorrectly added to a certificate revocation list, etc.
Now were this a banking site or stock trading platform it would be different, SSL would be a must as the transmission is sensitive (and probably required for PCI DSS anyway).
is it crazy how saying sentences backwards creates backwards sentences saying how crazy it is?
Okay we might be encrypting our email if Google have anything to say in it!
https://lemongrassmedia.co.uk/https-better-website/
By the way I am viewing in Chrome and it doesn't warn me of anything unless I click the info button, and then it says I shouldn't send sensitive information.
Secondly @webrthomson said "and (I'm assuming) the password are already sent encrypted" - is that really the case if https is not being used?
@digitalscream will give the full answer on why we're not secure - because he's done it before.
The password encryption is totally separate from the http/https thing which is, when https is on, encrypting the entire session between the browser and webserver.
That said, I'm assuming things here, and we could be sending passwords in clear text over HTTP, which would be bad.
I'm sure we are not.
Personally I have tons of logins, but only a handful are actually financially sensitive ones (e.g. PayPal, my bank, etc.) and for those I use a different password than forum accounts etc.
As you said, better safe than sorry: have separate passwords for sensitive stuff.
Anyway I don't believe this is done. I think passwords are sent in plaintext. Willing to be educated if you know the details though.
Right...here's the lowdown on where we are:
- We're not HTTPS protected. Stating the obvious, but got to start somewhere.
- Yes, unfortunately your passwords are sent in plain text from your browser to our server at the moment.
- Authenticating with Facebook or Google bypasses that to a certain degree (although it's not perfect).
- At no point - other than initial login - is your password stored in plain text. They're all hashed in the database, and they're omitted from all web server logs.
- Bank details are relatively safe anyway - after all, we wouldn't be giving them out to people we've never met if they weren't.
- PMs are stored as plain text in the database, but the server is as secure as it can be (it's locked down such that the database server isn't actually accessible except from the server's local network, so the only way to get access is to compromise the server itself...and if that happens on any site you pass details on, it's game over anyway).
- I'm the only one with access to the server; yes, that means I could read your PMs, but I don't because I actually have ethics (surprising, I know....) and I'm not that interested in what people are saying anyway....
So...the future...
HTTPS is something I'm currently working on. Unfortunately, implementing it right now would fuck up half of the site because most of the client-side Javascripts in use by the plugins are, for want of a better expression, shit. It's mainly down to the forum plugins, but they provide essential functionality that we can't live without - the editor, for example.
I'm getting through them slowly, but it means testing every script one-by-one and I only have so much time in the day. This isn't something I can farm out, because they're all so inter-related it's a case of load forum -> test function 1 -> find broken script -> fix script / find version that works -> test function 1 -> load forum -> test function 2 -> find broken script -> fix/find version that works -> test function 1 -> fix incompatibilities with new function 2 script -> etc etc. I have to work within the confines of the software we have, and it's not the most developer-friendly of codebases (and the community developing plugins are typical PHP developers, so nothing's written the way you'd expect it to be).
Of course, this new development with Google has lit a fire under me, so I'm clearly going to have to find a way to accelerate the process. I'm hoping I'll be able to get something working within the next four weeks or so...basically, bear with me
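The "enabling HTTPS breaks half the plugin scripts" problem described in the post above is usually mixed content: a page served over HTTPS that still pulls scripts, stylesheets or frames from plain http:// URLs, which browsers block. As an added example (not code from the thread or the forum software), here is a small standard-library Python checker that lists such subresources in a page's HTML; the sample HTML is constructed and the hostnames are placeholders.

```python
"""List subresources that would become mixed content once a page is served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a subresource URL, per tag.
URL_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "object": ("data",), "embed": ("src",),
}
# Browsers block these outright ("active" mixed content); images and media
# are "passive" and typically only downgrade the padlock or show a warning.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


def classify(tag, attr_map):
    """A <link> is only active mixed content when it is a stylesheet."""
    if tag == "link":
        return "active" if "stylesheet" in (attr_map.get("rel") or "").lower() else "passive"
    return "active" if tag in ACTIVE_TAGS else "passive"


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            url = (attr_map.get(name) or "").strip()
            # Only absolute http:// URLs are a problem; relative and
            # protocol-relative ("//host/...") URLs inherit https.
            if url and urlsplit(url).scheme.lower() == "http":
                self.findings.append((tag, url, classify(tag, attr_map)))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, loosely mimicking a forum theme pulling plugin assets.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/theme.css">
<script src="//cdn.example.invalid/jquery.js"></script>
<script src="http://plugins.example.invalid/editor.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.invalid/avatar.png">
<img src="https://images.example.invalid/logo.png">
<iframe src="http://embed.example.invalid/player"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run it against each plugin's rendered page to get the list of scripts to fix before flipping the site to HTTPS; "active" entries are the ones that will actually break functionality.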