Any Forum Plans for https ?
- costark
- Posts: 548
- Joined: July 14th, 2004, 5:03 am
Any Forum Plans for https ?
EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391
I have to Disable Web Protection in Mbam Prem to view -- http -- sites -- which is not life threatening -- but -- How much longer will this Forum use http?
I may keep it ON and just disable it when I want to view this Forum / any Mozillazine site but How big a deal is the change?
I also had to do an ESET SSL Filter Off/Re-Start/Bk On exercise just to view the site -- https://jhannuities.com -- so it's not like browsing is getting any simpler these days. "ghacks.net" discussed this - Secure Connection Failed - issue with FF 61 below although my one-time-exercise-Fix was via ESET.
https://www.ghacks.net/2018/06/27/firef ... on-failed/
Last edited by costark on July 9th, 2018, 5:42 am, edited 3 times in total.
W10 22H2 - SSD-HDD i5 12G -
- the-edmeister
- Posts: 32249
- Joined: February 25th, 2003, 12:51 am
- Location: Chicago, IL, USA
Re: Any Forum Plans for https ?
I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
- costark
- Posts: 548
- Joined: July 14th, 2004, 5:03 am
Re: Any Forum Plans for https ?
the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.
Thanks.
EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391
W10 22H2 - SSD-HDD i5 12G -
- Daifne
- Moderator
- Posts: 123071
- Joined: July 31st, 2005, 9:17 pm
- Location: Where the Waters Meet, Wisconsin
Re: Any Forum Plans for https ?
Moving to Mozillazine Site Discussion
-
- Posts: 4480
- Joined: March 19th, 2005, 10:51 am
Re: Any Forum Plans for https ?
It was known since the 30th of June that package 390 is failing.
https://forums.malwarebytes.com/topic/2 ... 0390-beta/
It has benefit to read the vendor's forum first.
-
- Posts: 178
- Joined: May 17th, 2009, 6:47 pm
- Location: Ireland
Re: Any Forum Plans for https ?
the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.
Is there any way to contact the owner/offer help with the transition? mozillaZine is a well-known site on the web, it would be a shame to see it die like this.
- DanRaisch
- Moderator
- Posts: 127228
- Joined: September 23rd, 2004, 8:57 pm
- Location: Somewhere on the right coast
Re: Any Forum Plans for https ?
Why would it die without HTTPS? This is not a bank, on-line retailer or medical facility.
-
- Posts: 178
- Joined: May 17th, 2009, 6:47 pm
- Location: Ireland
Re: Any Forum Plans for https ?
DanRaisch wrote:This is not a bank, on-line retailer or medical facility.
Why do you think HTTPS should be limited to banks? mozillaZine collects and stores user credentials, for that it needs HTTPS. I mean, it actually needs it to comply with EU law if it has EU users, but even quite apart from EU law I just generally don't want to be signing into any website with my personal details via an unsecure connection, I don't care if it's my bank or not. This is quickly becoming the norm among technical users on the web, and will soon become the norm among non-technical users when browsers (both Mozilla and Google are proactively doing this) start to push users to expect HTTPS everywhere (as they very well should).
- DanRaisch
- Moderator
- Posts: 127228
- Joined: September 23rd, 2004, 8:57 pm
- Location: Somewhere on the right coast
Re: Any Forum Plans for https ?
Personal credentials don't amount to more than an email address and a user name and password that might/should be completely unique to this forum. That hardly constitutes any real risk to the user.
-
- Posts: 178
- Joined: May 17th, 2009, 6:47 pm
- Location: Ireland
Re: Any Forum Plans for https ?
As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea. I'd accept "it's too much work and we don't have time/resources"—that's a legitimate excuse—but claiming it's not needed at all is... surprising.
OK so, firstly, you don't even need to have user accounts or even forms on your site to want HTTPS. The web is moving towards a HTTPS-only model for this reason: the HTTP/2 specification has been implemented by all browsers as HTTPS-only. This means any servers using HTTP/2 won't have an option to do plain HTTP at all. This switchover will happen slowly but it is the general intent of browsers that all sites be HTTPS.
Some reasons behind that are:
- https://www.troyhunt.com/heres-why-your ... eds-https/
- AND perhaps more urgently https://www.forbes.com/sites/adrianking ... -networks/ - free wifi hotspots can and do inject malware into otherwise "trusted" HTTP websites like mozillaZine. This has been observed happening.
Secondly and more relevantly to mozillaZine, a site that does have user accounts...
DanRaisch wrote:password that might/should be completely unique to this forum
I'm sure you must know that the above statement is not grounded in reality. Most people reuse passwords. Password-reuse is the primary means by which attackers gain access to accounts. If you were to run any mozillaZine user details through https://haveibeenpwned.com/ I'm certain you would get quite a large number of hits. And you're OK with these details being transferred over the web in plaintext, completely visible to anyone.
Lastly, and least importantly but still relevant, as I very briefly alluded to above, it is actually illegal to handle any EU-based user's credentials in an insecure manner like this, no matter how unimportant you personally believe those user credentials to be. There is a genuine risk of pretty scary fines here.
If it is a lot of work, I would be more than willing to help out, as I'm sure many others here would, but please don't dismiss the issue as if it doesn't matter.
- mightyglydd
- Posts: 9813
- Joined: November 4th, 2006, 7:07 pm
- Location: Hollywood Ca.
Re: Any Forum Plans for https ?
lucideer wrote:As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea.
Agree 100 %...but not surprised
#KeepFightingMichael and Alex.
-
- Posts: 4480
- Joined: March 19th, 2005, 10:51 am
Re: Any Forum Plans for https ?
Using free wifi hotspots without vpn is not wise.
I don't see many risks here without ssl but it has benefit with. Nevertheless it is recommended to change password regularly, even strong pw.
Haveibeenpawned is a bunch of hacked data, less sniffed. Adobe,mbam aso.
the magic number is 51 and you are probably part of it
- kerz
- mozillaZine Admin
- Posts: 1804
- Joined: November 4th, 2002, 2:04 pm
- Contact:
Re: Any Forum Plans for https ?
Hopefully soon.
- jimfitter
- Folder@Home
- Posts: 5225
- Joined: January 28th, 2005, 11:17 am
- Location: Chicagoland area
- Contact:
Re: Any Forum Plans for https ?
kerz wrote:Hopefully soon.
How about a frozen custard machine, too? Some soft-serve would be sweet, right about now.
Inside every old man is a young man wondering what the hell happened. - Terry Pratchett
-
- Posts: 178
- Joined: May 17th, 2009, 6:47 pm
- Location: Ireland
Re: Any Forum Plans for https ?
Brummelchen wrote:Using free wifi hotspots without vpn is not wise.
[...]
it is recommended to change password regularly, even strong pw.
There are many things that users can do to protect themselves, but expecting every mozillaZine user to use a vpn and change their password regularly is a much more fanciful dream than what's involved in installing a TLS cert. The former would be nice, and should always be recommended, but will never happen. The latter is easy to do, and gives users additional protection from the dangers of not doing the latter.
[off-topic]
One small note about regular password changes recommended above: unless you're using a password manager with autogenerated passwords (highly recommended), then encouraging users to change their password regularly has been generally shown to lead to users using less secure passwords (memorising many secure passwords is much more difficult than memorising one secure password once). But—as mentioned above—they should just be encouraged to use a password manager (with a secure master pw).
[/off-topic]