Not Secure website

Report all board glitches and bugs in this forum, please. Our staff of competent, highly-trained forum orangutans will assist you. Just don't call them monkeys.
9ansean
Officer
Posts: 96
Joined: Mon Feb 04, 2019 2:00 am

Not Secure website

Post by 9ansean »

My address bar has recently been marking certain website I've visited as not secure and now sfdebris.net/forums is among them. Should I be concerned?
Koshundheit
Officer
Posts: 54
Joined: Mon Mar 05, 2018 12:39 am

Re: Not Secure website

Post by Koshundheit »

Hi. That's a change that web browsers, such as Chrome, have made to indicate which sites you are connecting to without an encrypted connection. Used to non-encrypted was the norm for most sites, but for various reasons browser makers have been encouraging everyone to move to encrypted connections. Since the forum site doesn't deal in payment details or other secure or private info, the main benefit of encryption would be to help avoid a "Man in the Middle" attack if you were visiting the site from a less trusted connection like public wi-fi.

The site does seem to work okay in encrypted mode if you specifically visit or bookmark https://sfdebris.net . However, due to the site's encryption certificate not having been renewed since 2018, web browsers will currently give a warning when visiting the site that way, and will still show it as not secure if you bypass the warnings due to the certificate being expired. sfdebris.com's certificate is current. Presumably the forum one being out of date is just an oversight.

Since it isn't good to train people to ignore security warnings, ideally sites that don't currently work without warnings would become compliant.
"The power of accurate observation is commonly called cynicism by those who have not got it." George Bernard Shaw
User avatar
PerrySimm
Captain
Posts: 689
Joined: Mon Feb 20, 2017 2:37 am

Re: Not Secure website

Post by PerrySimm »

Well, it's a webdev thing. If you run your own server or VPS, and you are in the know, it takes about 10 minutes and $0 to fix. Otherwise on shared hosting you're just at the mercy of the host or whatever, they may sell you the certificate or "installation" as a service, yuck.
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
Darth Wedgius
Captain
Posts: 2948
Joined: Fri Aug 11, 2017 7:43 pm

Re: Not Secure website

Post by Darth Wedgius »

The short form is, don't worry too much about it, but use https:// to sign in instead of http://.

EDIT: This applies to the forums website only, not the Patreon or the videos site.

If you get to the site through a URL starting with http:// then the communication is unencrypted and someone could intercept your password (but it would take significant effort). Since there's probably no financial data or personal identifying information about you on the site, that's probably a modest inconvenience in and of itself. But if they intercepted your traffic as you signed in they might be able to log in as you and send threatening messages, and, while I don't know that would get you into legal trouble, I don't know that it couldn't. And if you use the same password for banking then you're in more potential trouble.

Ideally you want to use a different password for every web site that wants its own password anyway. That doesn't apply to web sites you sign into using a Google or Facebook account, though.

If you get to the site through a URL starting with https:// then you'll probably get a warning about the certificate being out of date, but communication should still be encrypted and it's just a nuisance to get through the warning.
User avatar
Deledrius
Captain
Posts: 1965
Joined: Sat Feb 11, 2017 3:24 pm

Re: Not Secure website

Post by Deledrius »

Darth Wedgius wrote: Sun Apr 21, 2019 5:37 pm If you get to the site through a URL starting with http:// then the communication is unencrypted and someone could intercept your password (but it would take significant effort). Since there's probably no financial data or personal identifying information about you on the site, that's probably a modest inconvenience in and of itself. But if they intercepted your traffic as you signed in they might be able to log in as you and send threatening messages, and, while I don't know that would get you into legal trouble, I don't know that it couldn't. And if you use the same password for banking then you're in more potential trouble.
One other vector of attack to consider these days when using any website over HTTP, whether you're logging in or not, is that any bad actor between you and the sfdebris server can change the contents of the page without your knowledge. This can include your own ISP, as some have taken to inject or overwrite ads on a site with their own, or other annoying modifications. It's also possible to have this happen if you're connecting over WiFi, etc. The results can range from harmless to quite dangerous depending on what is added to the page loads. This is a large part of the reason for the push in recent years to move everything to HTTPS, even sites that have no concern about credential or payment exchanges. With HTTPS, you can be more* certain that the content you're viewing is the content you requested and is only produced by site from which you requested it.

* - It's not perfect, but that's a whole other conversation. It's safe to say it's more secure under most circumstances relevant to this topic.
User avatar
PerrySimm
Captain
Posts: 689
Joined: Mon Feb 20, 2017 2:37 am

Re: Not Secure website

Post by PerrySimm »

Bump for squeaky wheels getting grease. Will the sysadmin do it for a Scooby Snack?
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
User avatar
Azaz129
Redshirt
Posts: 8
Joined: Sat Feb 11, 2017 8:24 pm

Re: Not Secure website

Post by Azaz129 »

Do we know who's responsible for updating the website? Is it Chuck, himself, or one of the admins?
User avatar
TexasRed
Doctor's Assistant
Posts: 123
Joined: Thu Dec 08, 2016 9:48 am

Re: Not Secure website

Post by TexasRed »

I update and backup the forum, but I have no control over the site itself.

User avatar
PerrySimm
Captain
Posts: 689
Joined: Mon Feb 20, 2017 2:37 am

Re: Not Secure website

Post by PerrySimm »

sfdebris.com certificate expired again. Maybe a good time to fix the similar but apparently separate sfdebris.net issue too? Good luck, mighty sysadmins! o7
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
Sir Will
Officer
Posts: 476
Joined: Sat Jul 15, 2017 6:30 am

Re: Not Secure website

Post by Sir Will »

PerrySimm wrote: Mon Jul 15, 2019 6:00 am sfdebris.com certificate expired again. Maybe a good time to fix the similar but apparently separate sfdebris.net issue too? Good luck, mighty sysadmins! o7
Seems to be a problem with his video host:
https://twitter.com/sfdebris

Poor Chuck. One thing after another. And terrible timing, as he's wasted a bunch of time today on it and he has plans tomorrow with his kids. This show's going to be the death of him :(
Locked