MozillaZine

Any Forum Plans for https ?

Talk about stuff specific to the site -- bugs, suggestions, and of course praise welcome.
costark
 
Posts: 313
Joined: July 14th, 2004, 5:03 am

Post Posted July 9th, 2018, 4:36 am

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

I have to Disable Web Protection in Mbam Prem to view -- http -- sites -- which is not life threatening -- but -- How much longer will this Forum use http?
I may keep it ON and just disable it when I want to view this Forum / any Mozillazine site but How big a deal is the change?

I also had to do an ESET SSL Filter Off/Re-Start/Bk On exercise just to view the site -- https://jhannuities.com -- so it's not like browsing is getting any simpler these days. "ghacks.net" discussed this - Secure Connection Failed - issue with FF 61 below although my one-time-exercise-Fix was via ESET.

https://www.ghacks.net/2018/06/27/firef ... on-failed/
Last edited by costark on July 9th, 2018, 5:42 am, edited 3 times in total.
Firefox 63.0.3 (64) - Win 7-64 Hm Prem - Hm-Stdnt Ofce '10 - ESET EIS - Mbam Prem v3 - DK PRO '15 - NO Java or Flash - How Many Letters in Mozilla is 6 (unique letters), NOT Actual 7 -

the-edmeister

 
Posts: 32122
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted July 9th, 2018, 4:50 am

I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.


A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

costark
 
Posts: 313
Joined: July 14th, 2004, 5:03 am

Post Posted July 9th, 2018, 5:08 am

the-edmeister wrote: I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.

Thanks.

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391
Firefox 63.0.3 (64) - Win 7-64 Hm Prem - Hm-Stdnt Ofce '10 - ESET EIS - Mbam Prem v3 - DK PRO '15 - NO Java or Flash - How Many Letters in Mozilla is 6 (unique letters), NOT Actual 7 -

Daifne
Moderator

 
Posts: 123039
Joined: July 31st, 2005, 9:17 pm
Location: Where the Waters Meet, Wisconsin

Post Posted July 9th, 2018, 8:06 am

Moving to Mozillazine Site Discussion

Brummelchen
 
Posts: 3894
Joined: March 19th, 2005, 10:51 am

Post Posted July 9th, 2018, 9:01 am

It was known since 30. of June that package 390 is failing.
https://forums.malwarebytes.com/topic/2 ... 0390-beta/

It is beneficial to read the vendor's forum first ;)

lucideer
 
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Post Posted August 2nd, 2018, 10:35 am

the-edmeister wrote: I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.


Is there any way to contact the owner/offer help with the transition? mozillaZine is a well-known site on the web; it would be a shame to see it die like this.

DanRaisch
Moderator

 
Posts: 120589
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Post Posted August 2nd, 2018, 6:24 pm

Why would it die without HTTPS? This is not a bank, on-line retailer or medical facility.

lucideer
 
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Post Posted August 3rd, 2018, 5:36 am

DanRaisch wrote: This is not a bank, on-line retailer or medical facility.


Why do you think HTTPS should be limited to banks? mozillaZine collects and stores user credentials, for that it needs HTTPS. I mean, it actually needs it to comply with EU law if it has EU users, but even quite apart from EU law I just generally don't want to be signing into any website with my personal details via an unsecure connection, I don't care if it's my bank or not. This is quickly becoming the norm among technical users on the web, and will soon become the norm among non-technical users when browsers (both Mozilla and Google are proactively doing this) start to push users to expect HTTPS everywhere (as they very well should).

DanRaisch
Moderator

 
Posts: 120589
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Post Posted August 3rd, 2018, 7:41 am

Personal credentials don't amount to more than an email address and a user name and password that might/should be completely unique to this forum. That hardly constitutes any real risk to the user.

lucideer
 
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Post Posted August 3rd, 2018, 9:28 am

As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea. I'd accept "it's too much work and we don't have time/resources"—that's a legitimate excuse—but claiming it's not needed at all is... surprising.

OK so, firstly, you don't even need to have user accounts or even forms on your site to want HTTPS. The web is moving towards a HTTPS-only model for this reason: the HTTP/2 specification has been implemented by all browsers as HTTPS-only. This means any servers using HTTP/2 won't have an option to do plain HTTP at all. This switchover will happen slowly but it is the general intent of browsers that all sites be HTTPS.

Some reasons behind that are:


To summarise that more clearly: users visiting your site are at real risk if it's not HTTPS, even without login sessions.

Secondly and more relevantly to mozillaZine, a site that does have user accounts...

DanRaisch wrote: password that might/should be completely unique to this forum


I'm sure you must know that the above statement is not grounded in reality. Most people reuse passwords. Password-reuse is the primary means by which attackers gain access to accounts. If you were to run any mozillaZine user details through https://haveibeenpwned.com/ I'm certain you would get quite a large number of hits. And you're OK with these details being transferred over the web in plaintext, completely visible to anyone.

Lastly, and least importantly but still relevant, as I very briefly alluded to above, it is actually illegal to handle any EU-based user's credentials in an insecure manner like this, no matter how unimportant you personally believe those user credentials to be. There is a genuine risk of pretty scary fines here.

If it is a lot of work, I would be more than willing to help out, as I'm sure many others here would, but please don't dismiss the issue as if it doesn't matter.

mightyglydd

 
Posts: 9260
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted August 3rd, 2018, 10:47 am

lucideer wrote: As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea.

Agree 100 %...but not surprised ;)
#KeepFightingMichael

Brummelchen
 
Posts: 3894
Joined: March 19th, 2005, 10:51 am

Post Posted August 3rd, 2018, 7:29 pm

Using free wifi hotspots without vpn is not wise.
I don't see many risks here without ssl but it has benefit with. Nevertheless it is recommended to change password regularly, even strong pw.

Haveibeenpwned is a bunch of hacked data, less sniffed. Adobe, mbam and so on.
Users using outdated and vulnerable software probably will never get an answer from me - stuck in the past? Stay alone.

kerz
mozillaZine Admin

 
Posts: 1801
Joined: November 4th, 2002, 2:04 pm

Post Posted August 8th, 2018, 1:41 am

Hopefully soon.

jimfitter
Folder@Home

 
Posts: 5222
Joined: January 28th, 2005, 11:17 am
Location: Chicagoland area

Post Posted August 8th, 2018, 10:35 am

kerz wrote: Hopefully soon.

How about a frozen custard machine, too? Some soft-serve would be sweet, right about now. :)
The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all. ― G.K. Chesterton

lucideer
 
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Post Posted August 19th, 2018, 6:10 am

Brummelchen wrote: Using free wifi hotspots without vpn is not wise.
[...]
it is recommended to change password regularly, even strong pw.


There are many things that users can do to protect themselves, but expecting every mozillaZine user to use a vpn and change their password regularly is a much more fanciful dream than what's involved in installing a TLS cert. The former would be nice, and should always be recommended, but will never happen. The latter is easy to do, and gives users additional protection from the dangers of not doing the latter.



[off-topic]
One small note about regular password changes recommended above: unless you're using a password manager with autogenerated passwords (highly recommended), then encouraging users to change their password regularly has been generally shown to lead to users using less secure passwords (memorising many secure passwords is much more difficult than memorising one secure password once). But—as mentioned above—they should just be encouraged to use a password manager (with a secure master pw).
[/off-topic]
