2018-07-12 18:10:31

I've logged in the last few times to the forum with Safari on the latest High Sierra updates. It has been telling me the website is not secure. This is true, as there is no TLS/HTTPS certificate for the forum. I can also confirm that my iPhone, running the iOS 12 beta, is saying that the forum isn't a secure connection, but I also saw this on the previous versions of iOS 11.

The strange thing is if I manually type in "https://" to the URL it will reload the page and not complain. However, the URL never changes to show "https://forum.audiogames.net." It still shows "forum.audiogames.net" no matter what I type in.

If the forum and audiogames.net don't have an HTTPS cert, there is Let's Encrypt for providing free certs if paying for a cert is out of the question. Additionally, if the forum is already HTTPS, please let the https show in the URL and offer to use HTTPS for all connections by default.

I don’t believe in fighting unnecessarily. But if something is worth fighting for, then it's always a fight worth winning.
Check me out on Twitter and on GitHub

2018-07-12 19:24:12

Why? There's nothing here that requires a secure connection.


2018-07-13 16:33:49

You don't think sending passwords over a secure connection is important? An HTTPS cert not only provides encryption, but authentication. You can prove that AG is the site it says it is and not a site posing as a middleman imposter.

Warnings are only the beginning. Soon browsers will start refusing to connect to non-HTTPS sites completely.


2018-07-13 18:33:07

That depends on how the password is sent. Some sites use JavaScript or something similar to encrypt the password before transmitting it, but most don't.

With that in mind, each site I go to that requires I create a login gets a unique 16-character password made up of random upper and lower case letters and numbers.

That way if somebody were to get my audiogames password, that's all they'd have.

So I don't worry about it.


2018-07-13 19:39:51

Kyleman123 has a point. HSTS is starting to become more and more enforced as time goes by. HTTPS is becoming more common and HTTP less so.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
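Added example, not part of any post in this thread and not the forum's code: a small check for the two things the posts above ask for, a redirect from http:// to https:// and an HSTS policy on the https:// response. The host name `forum.example` and the response tuples are constructed sample data.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_https(host, http_resp, https_resp):
    """List HTTPS-enforcement gaps for one host.

    Each response is a (status, headers) tuple for http://host/ and
    https://host/; https_resp is None when nothing answers on port 443.
    """
    if https_resp is None:
        return ["no HTTPS: logins and session cookies travel in cleartext"]
    findings = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    redirected = status in (301, 302, 307, 308) and target.scheme == "https"
    if not (redirected and target.hostname == host):
        findings.append("http:// is answered without a redirect to https://")
    tls_headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = tls_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on https://")
    elif not parse_hsts(hsts)["max_age"]:
        findings.append("HSTS max-age is missing or 0, so no policy is kept")
    return findings

# Constructed responses, not captured from any real site.
OPTIONAL_HTTPS = ((200, {"Content-Type": "text/html"}),
                  (200, {"Content-Type": "text/html"}))
ENFORCED_HTTPS = ((301, {"Location": "https://forum.example/"}),
                  (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    for label, (plain, tls) in (("optional", OPTIONAL_HTTPS), ("enforced", ENFORCED_HTTPS)):
        print(label, audit_https("forum.example", plain, tls) or "ok")
```

`OPTIONAL_HTTPS` models a site where typing https:// works but nothing sends visitors there; `ENFORCED_HTTPS` models the same site with the redirect and HSTS in place.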


2018-07-13 20:38:10

While that may be true, the server certificates that the security protocols require aren't free. Are either of you offering to put up the money for audiogames.net to acquire and maintain however many certificates they need? I'm not, because I don't see it as needed here.


2018-07-14 06:35:13

@Orko, there is a service called Let's Encrypt that allows you to obtain SSL/TLS certificates for free. All you then need to do is set up a cron job to renew the certificate(s) after 90 days. The only other thing that's a downside is that they do not offer wildcard certificates (for probably good reasons).


2018-07-14 15:28:41

@7 is correct. I linked it in my first post. There are registries/hosting providers that offer certs free, through Let's Encrypt or just because HTTPS is a good thing to do.


2018-07-18 22:07:35

And there are a good bit of people who don't use password managers, have master passwords or schemes, etc. PunBB wasn't the best with security and I don't think it even supports HTTPS? Correct me if I'm wrong. Maybe it doesn't need to. I don't know if it has a security protocol in place with JavaScript or what have you to do that stuff. Since they don't process payments, I guess it isn't an absolute must, but I'm in +1 of having a Let's Encrypt cert or whatever. We should make a poll on it.

----------
An anomaly in the matrix. An error in existence. A being who cannot get inside the goddamn box! A.K.A. Me.

2018-07-19 18:44:52

@xo is right. Most people don't use a password manager. Also, looking more into PunBB, I'm not surprised they don't support HTTPS. The last update was in 2015 and the prior one before that was in 2012. It is open source, so it could get added, but most sites now are using WordPress. Honestly that would be a much better solution for moving AG into the future than keeping with PDB and hoping and praying HTTPS support gets added and kept up to date. I'm honestly surprised we haven't had more security issues. I know converting over to WP would be a monumental project, but it's probably better in the long run. I would be happy to help out with the process if I was needed.


2018-07-23 07:10:18

From a vulnerability standpoint, WordPress wouldn't be the wisest idea, since WordPress is the most searched-for attack platform. But heh, that's me.


2018-07-24 16:14:42

It's pounded on a lot, yes, but it's also updated constantly. I'd much rather be on a platform that is constantly updated. Hence why I've chosen iOS. If a PunBB issue were found and it took 3 years to get it patched, that's an issue.


2018-08-03 23:14:02

Problem is I don't think that we can just convert this forum over to a new system like that, especially WordPress. WordPress is a blogging and maybe comments system, no? I just don't think it should be running forums. Also PunBB is about the only truly nicely accessible one there is. The rest have weird tables and no headings and maybe block quotes if you're lucky and gigantic lists and ehh.


2018-08-10 23:43:21

I just saw something that may make this whole discussion moot. I don't recall the exact date, but fairly soon, as I recall, Chrome will start declaring sites not using HTTPS as insecure. I'd imagine that this feature may optionally issue a warning to the user, and I also imagine that they may add a setting to allow users to not allow browsing a site unless it is secured with HTTPS.


2018-08-13 20:18:07

Yes. Chrome 68 has started actively warning users of non-HTTPS websites. As I said earlier, it's only a matter of time before this warning expands to other browsers and then the warning switches to outright blocking.
