Jump to content











- - - - -

Suggestion: use more secure HTTPS protocol for forum login


  • Please log in to reply
9 replies to this topic

#1 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2021 - 07:14 AM

I suspect that only the primary admin/forum owner (Nuno) can implement this, but he's probably too lazy to consider it.

I've recently noticed that my browsers say the connection to this site is insecure, when I visit while logged in.

HTTPS over TLS/SSL isnt that hard to implement these days. It's understandable that, say, a banking login portal would need it. But given how common these are nowadays, i dont really think there's much of a good excuse why a forum, etc (anything that requires logging in for more than just viewing) shouldnt be adopting this. Security is always important.

@Nuno: I got your "concern troll" right here. But this is actually a serious suggestion.

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 01 July 2021 - 07:40 AM

Sure, we need also 2FA to be on the safe side and "current", and of course an app (actually two, one for Ios and one for Androiid) would be a nice and trendy addition.

 

Think of all the personal, financial and *what not* data that can be gathered from reboot.pro over an unsecured connection.

 

All our members are at high risk without HTTPS! :ph34r:

 

Logically, the migration will take some time, I would say that an objective estimation could be some 18 months for planning, though seemingly in some simnilar cases it is not enough:

 

https://www.theregis...m_email_outage/

 

:duff:

Wonko.

 

"



#3 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2021 - 08:32 AM

@Wonko: I think 2FA would be a bit much, since no money/personal data is at stake here.

Our own custom app isnt necessary either, TapaTalk forums app is available for iOS and Android, allowing users to access a multitude of forums from one app. Of course, minimal alterations to the site would be required for them to integrate nicely. But either way, I'm not advocating for an app. I hate mobile viewing of webpages, i always load tabs in desktop mode when possible (this is probably accomplished by spoofing the User Agent of a PC based browser).

i still think HTTPS support would be a good thing, if only to minimize unauthorized account access, modifications to our profiles/settings, access to our files...the stakes need not be personal or financial.

18 months for migration!? That's absurd, and i honestly doubt your claim. I've did it in less than a month on other sites I've managed.

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 01 July 2021 - 10:52 AM

Oww, come on, I was just joking, but provided a recent real life similar enough example.

 

And of course the fact that there is "secure" in the name of the protocol doesn't really mean that anything is actually "secure", a more accurate name would be HTTPSBTN (Slightly Better Than Nothing), buyt of course the acronym is too long.

 

:duff:

Wonko



#5 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 03 July 2021 - 06:59 PM

Just to make AnonVendetta happy (one of my life's goals) : https://reboot.pro/ but also so that we dont go over the same discussion like this one.

 

Eventually, later on, if nicely asked (I trust the kind and caring AnonVendetta to do so), I could make the https the default (with a redirect from http to https).



#6 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 03 July 2021 - 09:17 PM

Just to make AnonVendetta happy (one of my life's goals) : https://reboot.pro/ but also so that we dont go over the same discussion like this one.

Eventually, later on, if nicely asked (I trust the kind and caring AnonVendetta to do so), I could make the https the default (with a redirect from http to https).


Ha...manually appending an s to the end of http wont do anything. It will still load the forum insecurely.

Why would i ask you nicely for anything? You dont have anything i want. And you dont own the site. It's too bad that Nuno made the poor choice of letting a les incompétent guy like you handle the technical side of the forum. It crashes frequently, going offline for days sometimes. You've managed to mitigate the issue, but you dont do anything that actually resolves the problem over the long term. And yet, if you asked me nicely, then i might just tell you how to fix this forever.

Also, I never really liked you (or most other frequent members here) to begin with.

So, go smoke on that cigar, dont forget to blow the smoke up your self-righteous ass while you're at it.

#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 July 2021 - 08:44 AM

And yet, if you asked me nicely, then i might just tell you how to fix this forever.

Hmmm :dubbio:, likely noone will ask you anything (nicely or otherwise), it is a pity, as surely we will miss rare - if not unique - pearls of wisdom :eek: .  

 

Also, I never really liked you (or most other frequent members here) to begin with.

 

I *somehow* suspect this sentiment to be widely reciprocal/symmetrical.  :unsure:

 

:duff:

Wonko



#8 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 04 July 2021 - 10:06 AM

Hmmm :dubbio:, likely noone will ask you anything (nicely or otherwise), it is a pity, as surely we will miss rare - if not unique - pearls of wisdom :eek: .



I *somehow* suspect this sentiment to be widely reciprocal/symmetrical. :unsure:

:duff:
Wonko

Yes, well, I have far more experience administrating and designing websites than erwan.l does. And I've faced database failures before. It's not that hard to nip these things in the bud permanently, it just takes someone who is competent.

And I suspect I'm not THAT hated around here. If this were true, many members would have long ago asked Nuno to ban me.

Probably every forum has someone who's a natural at being at an asshole without even trying, and so it is here.

#9 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 04 July 2021 - 11:46 AM

@all

I have enabled the ssl apache module,

i have added an extra apache virtualhost listening on tcp:443 (next to the tcp:80 one) and handling SSL on reboot.pro.

I have set the certificate to self renew every 30 days (I'll review it then).

 

Later on, we could (but again this is not a have to) make this virtualhost the default one (the tcp:80 virtualhost is the default one for now).

 

For those who have a browser extension like "https everywhere", well, you can benefit from this change immediately and transparently.

 

If you want to double check the certificate, i recommend the excellent ssllabs.com here which I have been using for years to setup/check my web services.

https://reboot.pro/ gets a A Rating (after a bit of apache tuning) which is more that what you get on many web sites out there.

 

e1u3okK.png

 

 

Like previous https thread, I'll unsubscribe from this one as I dont feel like debating forever about who has the biggest one when it comes to deal with technical topics but who knows, may be this time, haters not gonna hate.

 

Last but not least, since the last server transfer completed in march 2021 (topic here), reboot.pro is rather stable and common issues we had in the past (mostly database related) are history now.

 

Cheers,

Erwan



#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 July 2021 - 01:25 PM

Yes, well, I have far more experience administrating and designing websites than erwan.l does. And I've faced database failures before. It's not that hard to nip these things in the bud permanently, it just takes someone who is competent.

How do you know? :unsure:

 

 

 

And I suspect I'm not THAT hated around here. If this were true, many members would have long ago asked Nuno to ban me.

 

Well, we could make a poll about that.

 

 

 

Probably every forum has someone who's a natural at being at an asshole without even trying, and so it is here.

Sure, and actually the one and only reason why I personally can *somehow* bear you is your absolute transparency/honesty in being (or just behaving like) one in an open manner. without the usual excuses or denials..

 

 

 

:duff:

Wonko






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users