HTTPS - Page 4

Nick · 2018-02-10, 21:10

Quote:

Originally Posted by heliosh

many people share the same login information (password) for different services.

That would be a very risky thing to do!

Quote:

Originally Posted by heliosh

And since these information are transmitted plain-text, it can be a problem.

What makes you think this forum sends your password in plain text?
Have you looked?

S485122 · 2018-02-10, 21:16

Quote:

Originally Posted by yoyo

Any answer from the admins if HTTPS will be enabled or why not?

The forum is run by volunteers, https is more work...

Quote:

Originally Posted by heliosh

...
It may not be a problem for forum content, but many people share the same login information (password) for different services. And since these information are transmitted plain-text, it can be a problem.

You mean that the forum administrators are responsible for the possible lack of security of some forums users ?

Jacob

yoyo · 2018-02-10, 21:24

I also run as volunteer some websites and know what https means from admin point of view.

I would like to get an answer from the admins.

If you have root access to the host it is easy to setup https based on letsencrypt.

yoyo

heliosh · 2018-02-10, 22:38

Quote:

Originally Posted by Nick

What makes you think this forum sends your password in plain text?

Well, the md5sum.

Quote:

Originally Posted by S485122

The forum is run by volunteers, https is more work...

Thanks to letsencrypt it took me less than 10 minutes to set up https for my webserver. That's very little effort.

Quote:

You mean that the forum administrators are responsible for the possible lack of security of some forums users ?

I haven't said that.

ewmayer · 2018-02-12, 22:05

My main concern re. https is this: I use an older version of FF due to the crapification of various key browser aspects, e.g. removal of easy user control over image loading post v22. I'm finding an increasing % os webpages unviewable due to crypto incompatibility, mostly I believe due to my version of FF only supporting TLS 1.0. So https ok in principle, but if we switch to it can we please make an effort to balance security and support for older browsers and OSes?

CRGreathouse · 2018-02-12, 22:48

Quote:

Originally Posted by ewmayer

I'm finding an increasing % os webpages unviewable due to crypto incompatibility, mostly I believe due to my version of FF only supporting TLS 1.0.

It's going to be everyone under PCI by June 30:
https://blog.pcisecuritystandards.or...-ssl-early-tls

Regardless of what mersenneforum does, you should seriously think about upgrading. It looks like FF 23 (2013) supported TLS 1.1, though you'll have to enable it.

heliosh · 2018-02-12, 23:57

@ewmayer
You should be upgrading Firefox in any case, since older versions have many known security issues. Maybe you want to stick to the ESR version, which is an older release but still gets security updates.

S485122 · 2018-02-13, 06:36

Just switch over to PaleMoon a FF 24 ESR fork that gets security upgrades.
Pale Moon on Wikipedia
www.palemoon.org

Jacob

yoyo · 2018-02-13, 07:53

It is is possible to support https and http in parallel.

retina · 2018-02-13, 08:17

Quote:

Originally Posted by yoyo

It is is possible to support https and http in parallel.

Yes. They are on different ports, so no problem.

chalsall · 2018-02-14, 20:52

Quote:

Originally Posted by S485122

The forum is run by volunteers, https is more work...

Just to bump this thread...

Mersenne.org, Mersenne.ca and GPU72 are also run by volunteers. Yes, HTTPS takes a /little/ more work, but not really all that much. And nowadays it doesn't cost any more even on shared hosting, unless the hosting provider is still in the dark ages.

Lastly, except for Mersenne.ca, all (including, obviously, this forum) use access credentials which should be transmitted over a secure channel.

2018-02-10, 21:24	#36
yoyo Oct 2006 Berlin, Germany 617 Posts	I also run as volunteer some websites and know what https means from admin point of view. I would like to get an answer from the admins. If you have root access to the host it is easy to setup https based on letsencrypt. yoyo Last fiddled with by yoyo on 2018-02-10 at 21:24

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Why is https://www.mersenne.org so damn buggy?	jxsl13	Information & Answers	2	2017-02-22 03:06
https and www etc etc	Uncwilly	Forum Feedback	1	2012-03-12 20:46
https access to www.mersenne.org failed	LLL	PrimeNet	17	2008-12-26 20:34

2018-02-12, 22:05	#38
ewmayer ∂²ω=0 Sep 2002 República de California 10110101110111₂ Posts	My main concern re. https is this: I use an older version of FF due to the crapification of various key browser aspects, e.g. removal of easy user control over image loading post v22. I'm finding an increasing % os webpages unviewable due to crypto incompatibility, mostly I believe due to my version of FF only supporting TLS 1.0. So https ok in principle, but if we switch to it can we please make an effort to balance security and support for older browsers and OSes?

2018-02-12, 23:57	#40
heliosh Oct 2017 ++41 5³ Posts	@ewmayer You should be upgrading Firefox in any case, since older versions have many known security issues. Maybe you want to stick to the ESR version, which is an older release but still gets security updates.

2018-02-13, 06:36	#41
S485122 Sep 2006 Brussels, Belgium 2·3·281 Posts	Just switch over to PaleMoon a FF 24 ESR fork that gets security upgrades. Pale Moon on Wikipedia www.palemoon.org Jacob

2018-02-13, 07:53	#42
yoyo Oct 2006 Berlin, Germany 1001101001₂ Posts	It is is possible to support https and http in parallel.