Any Forum Plans for https ?

costark
Posts: 548
Joined: July 14th, 2004, 5:03 am

Any Forum Plans for https ?

Post by costark »

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

I have to Disable Web Protection in Mbam Prem to view -- http -- sites -- which is not life threatening -- but -- How much longer will this Forum use http?
I may keep it ON and just disable it when I want to view this Forum / any Mozillazine site but How big a deal is the change?

I also had to do an ESET SSL Filter Off/Re-Start/Bk On exercise just to view the site -- https://jhannuities.com -- so it's not like browsing is getting any simpler these days. "ghacks.net" discussed this - Secure Connection Failed - issue with FF 61 below although my one-time-exercise-Fix was via ESET.

https://www.ghacks.net/2018/06/27/firef ... on-failed/
Last edited by costark on July 9th, 2018, 5:42 am, edited 3 times in total.
W10 22H2 - SSD-HDD i5 12G -
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: Any Forum Plans for https ?

Post by the-edmeister »

I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.


.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
costark
Posts: 548
Joined: July 14th, 2004, 5:03 am

Re: Any Forum Plans for https ?

Post by costark »

the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.
Thanks.

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391
W10 22H2 - SSD-HDD i5 12G -
Daifne
Moderator
Posts: 123071
Joined: July 31st, 2005, 9:17 pm
Location: Where the Waters Meet, Wisconsin

Re: Any Forum Plans for https ?

Post by Daifne »

Moving to Mozillazine Site Discussion
Brummelchen
Posts: 4480
Joined: March 19th, 2005, 10:51 am

Re: Any Forum Plans for https ?

Post by Brummelchen »

It was known since the 30th of June that package 390 is failing.
https://forums.malwarebytes.com/topic/2 ... 0390-beta/

It is beneficial to read the vendor's forum first ;)
lucideer
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Re: Any Forum Plans for https ?

Post by lucideer »

the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.
Is there any way to contact the owner/offer help with the transition? mozillaZine is a well-known site on the web; it would be a shame to see it die like this.
DanRaisch
Moderator
Posts: 127187
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: Any Forum Plans for https ?

Post by DanRaisch »

Why would it die without HTTPS? This is not a bank, on-line retailer or medical facility.
lucideer
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Re: Any Forum Plans for https ?

Post by lucideer »

DanRaisch wrote:This is not a bank, on-line retailer or medical facility.
Why do you think HTTPS should be limited to banks? mozillaZine collects and stores user credentials, for that it needs HTTPS. I mean, it actually needs it to comply with EU law if it has EU users, but even quite apart from EU law I just generally don't want to be signing into any website with my personal details via an unsecure connection, I don't care if it's my bank or not. This is quickly becoming the norm among technical users on the web, and will soon become the norm among non-technical users when browsers (both Mozilla and Google are proactively doing this) start to push users to expect HTTPS everywhere (as they very well should).
DanRaisch
Moderator
Posts: 127187
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: Any Forum Plans for https ?

Post by DanRaisch »

Personal credentials don't amount to more than an email address and a user name and password that might/should be completely unique to this forum. That hardly constitutes any real risk to the user.
lucideer
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Re: Any Forum Plans for https ?

Post by lucideer »

As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea. I'd accept "it's too much work and we don't have time/resources"—that's a legitimate excuse—but claiming it's not needed at all is... surprising.

OK so, firstly, you don't even need to have user accounts or even forms on your site to want HTTPS. The web is moving towards an HTTPS-only model for this reason: the HTTP/2 specification has been implemented by all browsers as HTTPS-only. This means any servers using HTTP/2 won't have an option to do plain HTTP at all. This switchover will happen slowly but it is the general intent of browsers that all sites be HTTPS.

Some reasons behind that are:
To summarise that more clearly: users visiting your site are at real risk if it's not HTTPS, even without login sessions.

Secondly and more relevantly to mozillaZine, a site that does have user accounts...
DanRaisch wrote:password that might/should be completely unique to this forum
I'm sure you must know that the above statement is not grounded in reality. Most people reuse passwords. Password-reuse is the primary means by which attackers gain access to accounts. If you were to run any mozillaZine user details through https://haveibeenpwned.com/ I'm certain you would get quite a large number of hits. And you're OK with these details being transferred over the web in plaintext, completely visible to anyone.

Lastly, and least importantly but still relevant, as I very briefly alluded to above, it is actually illegal to handle any EU-based user's credentials in an insecure manner like this, no matter how unimportant you personally believe those user credentials to be. There is a genuine risk of pretty scary fines here.

If it is a lot of work, I would be more than willing to help out, as I'm sure many others here would, but please don't dismiss the issue as if it doesn't matter.
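
An added example, not part of the original post or of the forum's own code: a small audit helper that finds login forms whose credentials would be submitted over plain HTTP, which is the plaintext exposure described above. The host name `forum.example.test`, the `login.php` path and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormScanner(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None  # the form being parsed, or None outside a form

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def plaintext_login_forms(page_url, html):
    """Return the resolved submit URL of each password form sent over plain http."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if form["password"] and urlparse(target).scheme == "http":
            findings.append(target)
    return findings


# Constructed sample page: a search form and a login form with a relative action.
SAMPLE = """
<form action="search.php"><input type="text" name="q"></form>
<form action="./login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    print(plaintext_login_forms("http://forum.example.test/index.php", SAMPLE))
    print(plaintext_login_forms("https://forum.example.test/index.php", SAMPLE))
```

The same markup is flagged when served from an `http://` page and passes when served from `https://`, while an HTTPS page whose form posts to an absolute `http://` action is still reported.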
mightyglydd
Posts: 9813
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Re: Any Forum Plans for https ?

Post by mightyglydd »

lucideer wrote:As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea.

Agree 100 %...but not surprised ;)
#KeepFightingMichael and Alex.
Brummelchen
Posts: 4480
Joined: March 19th, 2005, 10:51 am

Re: Any Forum Plans for https ?

Post by Brummelchen »

Using free wifi hotspots without vpn is not wise.
I don't see many risks here without SSL, but it has benefit with. Nevertheless it is recommended to change password regularly, even strong pw.

Haveibeenpwned is a bunch of hacked data, less sniffed. Adobe, mbam and so on.
the magic number is 51 and you are probably part of it :p
kerz
mozillaZine Admin
Posts: 1804
Joined: November 4th, 2002, 2:04 pm

Re: Any Forum Plans for https ?

Post by kerz »

Hopefully soon.
jimfitter
Folder@Home
Posts: 5225
Joined: January 28th, 2005, 11:17 am
Location: Chicagoland area

Re: Any Forum Plans for https ?

Post by jimfitter »

kerz wrote:Hopefully soon.
How about a frozen custard machine, too? Some soft-serve would be sweet, right about now. :)
Inside every old man is a young man wondering what the hell happened. - Terry Pratchett
lucideer
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Re: Any Forum Plans for https ?

Post by lucideer »

Brummelchen wrote:Using free wifi hotspots without vpn is not wise.
[...]
it is recommended to change password regularly, even strong pw.
There are many things that users can do to protect themselves, but expecting every mozillaZine user to use a vpn and change their password regularly is a much more fanciful dream than what's involved in installing a TLS cert. The former would be nice, and should always be recommended, but will never happen. The latter is easy to do, and gives users additional protection from the dangers of not doing the latter.



[off-topic]
One small note about regular password changes recommended above: unless you're using a password manager with autogenerated passwords (highly recommended), then encouraging users to change their password regularly has been generally shown to lead to users using less secure passwords (memorising many secure passwords is much more difficult than memorising one secure password once). But—as mentioned above—they should just be encouraged to use a password manager (with a secure master pw).
[/off-topic]
Locked