Not Secure website
My address bar has recently been marking certain websites I've visited as not secure and now sfdebris.net/forums is among them. Should I be concerned?
-
- Officer
- Posts: 54
- Joined: Mon Mar 05, 2018 12:39 am
Re: Not Secure website
Hi. That's a change that web browsers, such as Chrome, have made to indicate which sites you are connecting to without an encrypted connection. Non-encrypted used to be the norm for most sites, but for various reasons browser makers have been encouraging everyone to move to encrypted connections. Since the forum site doesn't deal in payment details or other secure or private info, the main benefit of encryption would be to help avoid a "Man in the Middle" attack if you were visiting the site from a less trusted connection like public wi-fi.
The site does seem to work okay in encrypted mode if you specifically visit or bookmark https://sfdebris.net . However, due to the site's encryption certificate not having been renewed since 2018, web browsers will currently give a warning when visiting the site that way, and will still show it as not secure if you bypass the warnings due to the certificate being expired. sfdebris.com's certificate is current. Presumably the forum one being out of date is just an oversight.
Since it isn't good to train people to ignore security warnings, ideally sites that don't currently work without warnings would become compliant.
"The power of accurate observation is commonly called cynicism by those who have not got it." George Bernard Shaw
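An added example, not part of any post in this thread: a check that flags certificates before they lapse, which is the failure discussed above. The hostnames and dates are constructed, `classify` and `report` are hypothetical names, and the dicts have the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data (made-up hosts and dates) in the shape returned by
# ssl.SSLSocket.getpeercert(). With verification disabled getpeercert()
# returns an empty dict, so an already-expired live certificate has to be
# fetched with binary_form=True and parsed separately.
SAMPLE_CERTS = {
    "forum.example": {"notBefore": "Jan  5 00:00:00 2018 GMT",
                      "notAfter": "Apr  5 23:59:59 2018 GMT"},
    "www.example": {"notBefore": "Feb  9 00:00:00 2019 GMT",
                    "notAfter": "May 10 23:59:59 2019 GMT"},
    "shop.example": {"notBefore": "Apr  1 00:00:00 2019 GMT",
                     "notAfter": "Apr  1 00:00:00 2020 GMT"},
}


def classify(cert, now, renew_window_days=30):
    """Return (status, whole days until notAfter) for one certificate dict."""
    # Certificate validity times are always expressed in GMT/UTC.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((not_after - ts) // 86400)  # negative once expired
    if ts < not_before:
        return "not_yet_valid", days_left
    if ts > not_after:
        return "expired", days_left
    if days_left < renew_window_days:
        return "renew_soon", days_left
    return "ok", days_left


def report(certs, now):
    """Classify every host so a scheduled job can alert on anything not 'ok'."""
    return {host: classify(cert, now) for host, cert in certs.items()}


if __name__ == "__main__":
    now = datetime(2019, 4, 21, tzinfo=timezone.utc)  # constructed "today"
    for host, (status, days) in report(SAMPLE_CERTS, now).items():
        print(f"{host:15} {status:14} {days:5d} days")
```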
Re: Not Secure website
Well, it's a webdev thing. If you run your own server or VPS, and you are in the know, it takes about 10 minutes and $0 to fix. Otherwise on shared hosting you're just at the mercy of the host or whatever, they may sell you the certificate or "installation" as a service, yuck.
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
-
- Captain
- Posts: 2948
- Joined: Fri Aug 11, 2017 7:43 pm
Re: Not Secure website
The short form is, don't worry too much about it, but use https:// to sign in instead of http://.
EDIT: This applies to the forums website only, not the Patreon or the videos site.
If you get to the site through a URL starting with http:// then the communication is unencrypted and someone could intercept your password (but it would take significant effort). Since there's probably no financial data or personal identifying information about you on the site, that's probably a modest inconvenience in and of itself. But if they intercepted your traffic as you signed in they might be able to log in as you and send threatening messages, and, while I don't know that would get you into legal trouble, I don't know that it couldn't. And if you use the same password for banking then you're in more potential trouble.
Ideally you want to use a different password for every web site that wants its own password anyway. That doesn't apply to web sites you sign into using a Google or Facebook account, though.
If you get to the site through a URL starting with https:// then you'll probably get a warning about the certificate being out of date, but communication should still be encrypted and it's just a nuisance to get through the warning.
Re: Not Secure website
Darth Wedgius wrote: ↑Sun Apr 21, 2019 5:37 pm
If you get to the site through a URL starting with http:// then the communication is unencrypted and someone could intercept your password (but it would take significant effort). Since there's probably no financial data or personal identifying information about you on the site, that's probably a modest inconvenience in and of itself. But if they intercepted your traffic as you signed in they might be able to log in as you and send threatening messages, and, while I don't know that would get you into legal trouble, I don't know that it couldn't. And if you use the same password for banking then you're in more potential trouble.
One other vector of attack to consider these days when using any website over HTTP, whether you're logging in or not, is that any bad actor between you and the sfdebris server can change the contents of the page without your knowledge. This can include your own ISP, as some have taken to injecting or overwriting ads on a site with their own, or other annoying modifications. It's also possible to have this happen if you're connecting over WiFi, etc. The results can range from harmless to quite dangerous depending on what is added to the page loads. This is a large part of the reason for the push in recent years to move everything to HTTPS, even sites that have no concern about credential or payment exchanges. With HTTPS, you can be more* certain that the content you're viewing is the content you requested and is only produced by the site from which you requested it.
* - It's not perfect, but that's a whole other conversation. It's safe to say it's more secure under most circumstances relevant to this topic.
Re: Not Secure website
Bump for squeaky wheels getting grease. Will the sysadmin do it for a Scooby Snack?
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
Re: Not Secure website
Do we know who's responsible for updating the website? Is it Chuck, himself, or one of the admins?
Re: Not Secure website
sfdebris.com certificate expired again. Maybe a good time to fix the similar but apparently separate sfdebris.net issue too? Good luck, mighty sysadmins! o7
UGxlYXNlIHByb3ZpZGUgeW91ciBjaGFsbGVuZ2UgcmVzcG9uc2UgZm9yIFJFRCA5NC4K
Re: Not Secure website
Seems to be a problem with his video host:
https://twitter.com/sfdebris
Poor Chuck. One thing after another. And terrible timing, as he's wasted a bunch of time today on it and he has plans tomorrow with his kids. This show's going to be the death of him