mozillaZine Forums

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

I have to Disable Web Protection in Mbam Prem to view -- http -- sites -- which is not life threatening -- but -- How much longer will this Forum use http?
I may keep it ON and just disable it when I want to view this Forum / any Mozillazine site but How big a deal is the change?

I also had to do an ESET SSL Filter Off/Re-Start/Bk On exercise just to view the site -- https://jhannuities.com -- so it's not like browsing is getting any simpler these days. "ghacks.net" discussed this - Secure Connection Failed - issue with FF 61 below although my one-time-exercise-Fix was via ESET.

https://www.ghacks.net/2018/06/27/firef ... on-failed/

I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.


.

the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.

Thanks.

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

Moving to Mozillazine Site Discussion

it was known since 30. of june that package 390 is failing.
https://forums.malwarebytes.com/topic/2 ... 0390-beta/

it has benefit to read vendors forum first

the-edmeister wrote:I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.

Is there any way to contact the owner/offer help with the transition. mozillaZine is a well-known site on the web, it would be a shame to see it die like this.

Why would it die without HTTPS? This is not a bank, on-line retailer or medical facility.

DanRaisch wrote:This is not a bank, on-line retailer or medical facility.

Why do you think HTTPS should be limited to banks? mozillaZine collects and stores user credentials, for that it needs HTTPS. I mean, it actually needs it to comply with EU law if it has EU users, but even quite apart from EU law I just generally don't want to be signing into any website with my personal details via an unsecure connection, I don't care if it's my bank or not. This is quickly becoming the norm among technical users on the web, and will soon become the norm among non-technical users when browsers (both Mozilla and Google are proactively doing this) start to push users to expect HTTPS everywhere (as they very well should).

Personal credentials don't amount to more than an email address and a user name and password that might/should be completely unique to this forum. That hardly constitutes any real risk to the user.

As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea. I'd accept "it's too much work and we don't have time/resources"—that's a legitimate excuse—but claiming it's not needed at all is... surprising.

OK so, firstly, you don't even need to have user accounts or even forms on your site to want HTTPS. The web is moving towards a HTTPS-only model for this reason: the HTTP/2 specification has been implemented by all browsers as HTTPS-only. This means any servers using HTTP/2 won't have an option to do plain HTTP at all. This switchover will happen slowly but it is the general intent of browsers that all sites be HTTPS.

Some reasons behind that are:

• https://www.troyhunt.com/heres-why-your ... eds-https/
• AND perhaps more urgently https://www.forbes.com/sites/adrianking ... -networks/ - free wifi hotspots can and do inject malware into otherwise "trusted" HTTP websites like mozillaZine. This has been observed happening.

To summarise that more clearly: users visiting your site are at real risk if it's not HTTPS, even without login sessions.

Secondly and more relevantly to mozillaZine, a site that does have user accounts...

DanRaisch wrote:password that might/should be completely unique to this forum

I'm sure you must know that the above statement is not grounded in reality. Most people reuse passwords. Password-reuse is the primary means by which attackers gain access to accounts. If you were to run any mozillaZine user details through https://haveibeenpwned.com/ I'm certain you would get quite a a large number of hits. And you're OK with these details being transferred over the web in plaintext, completely visible to anyone.

Lastly, and least importantly but still relevant, as I very briefly eluded to above, it is actually illegal to handle any EU-based user's credentials in an insecure manner like this, no matter how unimportant you personally believe those user credentials to be. There is a genuine risk of pretty scary fines here.

If it is a lot of work, I would be more than willing to help out, as I'm sure many others here would, but please don't dismiss the issue as if it doesn't matter.

lucideer wrote:As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea.

Agree 100 %...but not surprised

Using free wifi hotspots without vpn is not wise.
I dont see many risks here without ssl but it has benefit with. Nevertheless it is recommended to change password regularly, even strong pw.

Haveibeenpawned is a bunch of hacked data, less sniffed. Adobe,mbam aso.

Hopefully soon.

kerz wrote:Hopefully soon.

How about a frozen custard machine, too? Some soft-serve would be sweet, right about now.

Brummelchen wrote:Using free wifi hotspots without vpn is not wise.
[...]
it is recommended to change password regularly, even strong pw.

There are many things that users can do to protect themselves, but expecting every mozilaZine user to use a vpn and change their password regularly is a much more fanciful dream than what's involved in installing a TLS cert. The former would be nice, and should always be recommended, but will never happen. The latter is easy to do, and gives users additional protection from the dangers of not doing the latter.



[off-topic]
One small note about regular password changes recommended above: unless you're using a password manager with autogenerated passwords (highly recommended), then encouraging users to change their password regularly has been generally shown to lead to users using less secure passwords (memorising many secure passwords is much more difficult than memorising one secure password once). But—as mentioned above—they should just be encouraged use a password manager (with a secure master pw).
[/off-topic]