implementing https on ECCIE

  • orlyo
  • 09-28-2015, 09:46 PM
Originally Posted by MrCMan:
Considering how sensitive this hobby is, it really should be a priority to implement. Admins, I make a living in IT and can set it up if you'd like my help.
Mods, take this guy up on his offer! Once you do it, it is done and just adds another layer of security.
  • orlyo
  • 09-28-2015, 09:53 PM
Forgot to mention that I would venture to say that many who use this website regularly do not use VPN or Tor because they have never heard about it or it may seem too complicated for them to set up. Implementing https would at least allow them to easily have their info encrypted when on the website.
The extra layer of security would be nice. It does not appear that there would be much difficulty in implementing https on eccie.
Bump. This needs to be addressed ASAP.
  • ravishme
ANY site that accepts passwords SHOULD use HTTPS. Period. Otherwise any user logging in immediately gives his/her credentials to everybody between the two ends of the connection, and many of those middlemen serve that data up on a platter to everybody who asks, and everybody who's hacked into their networks.

This also means that from the moment one logs in without HTTPS, a number of people and/or software entities can then log into one's account at will and do anything with it.

Configuring the web server's TLS (since the older SSL is basically cracked now) is interesting too, since ideally you want to provide only modern, more secure encryptions and forward secrecy (which means cracking keys doesn't crack all the past sessions' content along with them).

I think the problem is that most folks assume a site like this would at least have HTTPS, and then spill their guts all over the site in utterly readable-on-the-wire cleartext based on that faith.

HTTPS isn't uncrackable - the odds are any organization with enough cash to throw at the problem will eventually be able to crack it (hence the desire for forward secrecy), but it does change things from anybody being able to read *everything* without ANY effort, to requiring (usually) an expensive operation to capture any text at all. Assuming the web server's TLS (used by HTTPS) is correctly set up, etc.

Refs:
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://www.ssllabs.com/ssltest/

I'm not offering to do it (sorry), but I do want to emphasize that someone really, really needs to.
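The three things the post above asks for (TLS only, modern protocol versions, forward-secrecy cipher suites, and no plain-HTTP path left for a login to leak over) can be checked from the command line in miniature, much like the SSL Labs link does. The following is an added Python example written for this thread, not code from any poster or from the site; the host name is whatever you point it at, and the choices of refusing TLS 1.0/1.1 and of treating only ECDHE/DHE (and all TLS 1.3 suites) as forward secret are this example's assumptions, not something the post specifies.

```python
"""Small TLS hygiene probe: protocol version, cipher, forward secrecy, HTTP->HTTPS redirect.

Added example for this thread; not the site's code. Assumes a reachable host on 443/80.
"""
import http.client
import socket
import ssl
import sys

# Key-exchange prefixes in OpenSSL cipher names that use ephemeral (EC)DH.
# Assumption for this example: these, plus every TLS 1.3 suite, count as forward secret.
_EPHEMERAL_KX = ("ECDHE", "DHE")


def has_forward_secrecy(cipher_name: str) -> bool:
    """True if the suite's key exchange is ephemeral, so a stolen server key
    does not decrypt recorded past sessions (the property the post asks for)."""
    if cipher_name.startswith("TLS_"):      # TLS 1.3 suites always use (EC)DHE
        return True
    key_exchange = cipher_name.split("-")[0]  # OpenSSL names lead with the kx method
    return key_exchange in _EPHEMERAL_KX


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a handshake and report what the server actually negotiated."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return {
                "protocol": tls.version(),
                "cipher": name,
                "forward_secrecy": has_forward_secrecy(name),
            }


def legacy_protocols_accepted(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Offer only TLS 1.0, then only TLS 1.1; a well-configured server rejects both."""
    accepted = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # we only care whether the version is offered
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted.append(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass                            # refused (or this OpenSSL build cannot offer it)
    return accepted


def is_https_redirect(status: int, location: str) -> bool:
    """A plain-HTTP response counts as safe only if it redirects to an https:// URL."""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def redirects_to_https(host: str, timeout: float = 5.0) -> bool:
    """Fetch http://host/ and check the response is a redirect to HTTPS."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location") or "")
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    report = probe_tls(target)
    print(f"{target}: {report['protocol']} {report['cipher']} "
          f"forward_secrecy={report['forward_secrecy']}")
    legacy = legacy_protocols_accepted(target)
    print("legacy protocols accepted:", legacy or "none")
    print("http -> https redirect:", redirects_to_https(target))
```

The classification helpers (`has_forward_secrecy`, `is_https_redirect`) are separated from the network calls so the logic can be exercised without a live host; the three network probes together cover the post's checklist: a modern protocol, an ephemeral key exchange, and no cleartext login path.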