Xyzzy 2017-03-11 19:20

HTTPS
 
[URL]https://www.vbulletin.com/forum/articles/4361080-converting-your-forum-to-https[/URL]

The process looks easy enough to do, but our current hosting provider wants to charge us more:

[QUOTE]Adding SSL Service to your account will require the account be moved to a server set up to support SSL. If you press the button below to confirm this upgrade, we will contact you in the near future with full details of the pending move.

Enabling SSL Secure Server on your account type will incur additional charges: [B]$20[/B] set up, and [B]$9.95[/B] monthly.[/QUOTE]

We see three available options to pursue:

[LIST=1]
[*]Leave things the way they are.
[*]Pay the extra fee for HTTPS.
[*]Change to a different hosting provider that offers a better deal.
[/LIST]

We are very hesitant to take option three, because everything works right now and we are concerned about breaking things in a big way.

Anyways, we are open to suggestions and comments!

:mike:

ET_ 2017-03-12 07:32

[QUOTE=Xyzzy;454696][URL]https://www.vbulletin.com/forum/articles/4361080-converting-your-forum-to-https[/URL]

The process looks easy enough to do, but our current hosting provider wants to charge us more:

We see three available options to pursue:

[LIST=1]
[*]Leave things the way they are.
[*]Pay the extra fee for HTTPS.
[*]Change to a different hosting provider that offers a better deal.
[/LIST]

We are very hesitant to take option three, because everything works right now and we are concerned about breaking things in a big way.

Anyways, we are open to suggestions and comments!


:mike:[/QUOTE]

I'd forget option 3 as well... :smile:
I don't see any reason to pass to https, as we do not deal with sensible data (apart from the happy me and unhappy me threads), but I will do my part with no hesitation in case you should approach option 2.

Luigi

GP2 2017-03-12 08:31

[QUOTE=ET_;454727]I don't see any reason to pass to https, as we do not deal with sensible data[/QUOTE]

In French [I]sensible[/I] means "sensitive". I'm guessing that it's the same in Italian.

In English, our data is sensible but not sensitive.

This site should probably go to HTTPS eventually simply because search engines might start penalizing sites that don't, and browsers are already starting to display "not secure" warnings. If contributions are needed, hopefully there will be some easy one-click option for that that doesn't require registering with yet another payments website.

ET_ 2017-03-12 09:00

[QUOTE=GP2;454732]In French [I]sensible[/I] means "sensitive". I'm guessing that it's the same in Italian.

In English, our data is sensible but not sensitive.

This site should probably go to HTTPS eventually simply because search engines might start penalizing sites that don't, and browsers are already starting to display "not secure" warnings. If contributions are needed, hopefully there will be some easy one-click option for that that doesn't require registering with yet another payments website.[/QUOTE]

Sensitive, that's it.

But sensible would have applied as well in some circumstances :smile:
Finding (Mersenne) primes IS sensible...

retina 2017-03-12 11:04

Option 3 definitely. Don't be afraid to get a better just because of F.U. & D. It'll all work out in the end.

GP2 2017-03-12 13:28

What about the forum software, by the way?

According to Wikipedia, vBulletin is currently at version 5.2.5. This board is running version 3.8.9 though. Is it still supported? Are there any unpatched security holes that could result in data loss or ransomware attacks?

Regarding the costs for SSL, maybe there could be a GoFundMe page, like we did for the KNL thing. I'm sure we could cover setup and monthlies for a year or two, and then you could consider researching a move to a different service provider at your leisure.

Xyzzy 2017-03-12 16:14

[QUOTE=GP2;454745]What about the forum software, by the way?

According to Wikipedia, vBulletin is currently at version 5.2.5. This board is running version 3.8.9 though. Is it still supported? Are there any unpatched security holes that could result in data loss or ransomware attacks?[/QUOTE]

The version we use is fully patched and supported.

The newer versions are, in our opinion, too bloated and cluttered with features and social media plug-ins.

We believe the version we use is optimal for readability and simplicity.

If they stopped supporting our version, we would "upgrade" to the next branch that is supported.

:mike:

Xyzzy 2017-03-12 16:17

[QUOTE=GP2;454745]Regarding the costs for SSL, maybe there could be a GoFundMe page, like we did for the KNL thing. I'm sure we could cover setup and monthlies for a year or two, and then you could consider researching a move to a different service provider at your leisure.[/QUOTE]

The cost is not really an issue. People have been very generous with supporting the forum.

We are more concerned with not wasting money and getting a good return on the money spent.

We think we are currently operating in the $1 a day range, which is fairly reasonable. Once we pass the $1 a day mark it feels like we are not being thrifty.

:mike:

ET_ 2017-03-12 16:18

[QUOTE=Xyzzy;454752]The version we use is fully patched and supported.

The newer versions are, in our opinion, too bloated and cluttered with features and social media plug-ins.

We believe the version we use is optimal for readability and simplicity.

If they stopped supporting our version, we would "upgrade" to the next branch that is supported.[/QUOTE]

:goodposting: [like]

Nick 2017-03-15 15:26

Has anyone done a risk assessment?
Are there threats that we are genuinely concerned about?

chalsall 2017-03-15 21:49

[QUOTE=Nick;454922]Has anyone done a risk assessment?
Are there threats that we are genuinely concerned about?[/QUOTE]

This is actually relatively important. Mostly because many people reuse passwords.

This is a message I received from Google today about GPU72.com:

[QUOTE]Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.[/QUOTE]

GPU72 has supported SSL for many years, but it doesn't _force_ people to use HTTPS.

Much like Aaron, I'm going to start doing HTTP to HTTPS redirections. Mike might want to work towards this sooner rather than later.

Somewhat tangential, I consider Snowden to be a hero, and Assange a bit of a twat.
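
Added example, not part of any post in this thread: a small audit that applies the criterion in the Google notice quoted above, listing password or card inputs on pages that are not served over HTTPS. The URLs and markup are constructed, and treating an `autocomplete` value starting with `cc-` as a card field is an assumption of this sketch, not Chrome's exact detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SensitiveInputFinder(HTMLParser):
    """Collects <input> elements that look like password or card fields."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute values can be None (bare attributes) and are case-insensitive here.
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name", "?")
        if a.get("type") == "password":
            self.hits.append(("password", name))
        elif a.get("autocomplete", "").startswith("cc-"):
            # Assumption: card fields are recognised by their autocomplete hint.
            self.hits.append(("card", name))


def audit_page(url, html):
    """Return the sensitive fields on a page not served over HTTPS, else []."""
    finder = SensitiveInputFinder()
    finder.feed(html)
    if urlparse(url).scheme.lower() == "https":
        return []
    return finder.hits


# Constructed sample pages (hypothetical URLs and markup, not from any real site).
LOGIN = '<form action="login.php"><input name="user"><input type="PASSWORD" name="pw"></form>'
PAY = '<form><input name="card" autocomplete="cc-number"></form>'
PLAIN = "<p>No forms here</p>"

if __name__ == "__main__":
    pages = [("http://forum.example/login", LOGIN),
             ("https://forum.example/login", LOGIN),
             ("http://forum.example/donate", PAY),
             ("http://forum.example/faq", PLAIN)]
    for url, html in pages:
        print(url, audit_page(url, html))
```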


All times are UTC.