
Any Forum Plans for https ?

Posted: July 9th, 2018, 4:36 am
by costark
EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

I have to Disable Web Protection in Mbam Prem to view -- http -- sites -- which is not life threatening -- but -- How much longer will this Forum use http?
I may keep it ON and just disable it when I want to view this Forum / any Mozillazine site but How big a deal is the change?

I also had to do an ESET SSL Filter Off/Re-Start/Bk On exercise just to view the site -- https://jhannuities.com -- so it's not like browsing is getting any simpler these days. "ghacks.net" discussed this - Secure Connection Failed - issue with FF 61 below although my one-time-exercise-Fix was via ESET.

https://www.ghacks.net/2018/06/27/firef ... on-failed/

Re: Any Forum Plans for https ?

Posted: July 9th, 2018, 4:50 am
by the-edmeister
I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.



Re: Any Forum Plans for https ?

Posted: July 9th, 2018, 5:08 am
by costark
the-edmeister wrote: I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.

Thanks.

EDIT: KUDOS to Mbam Sppt ... The http load issue in FF 61 is Fixed via Mbam Component Pkg 1.0.391

Re: Any Forum Plans for https ?

Posted: July 9th, 2018, 8:06 am
by Daifne
Moving to Mozillazine Site Discussion

Re: Any Forum Plans for https ?

Posted: July 9th, 2018, 9:01 am
by Brummelchen
It was known since the 30th of June that package 390 is failing.
https://forums.malwarebytes.com/topic/2 ... 0390-beta/

There is a benefit to reading the vendor's forum first ;)

Re: Any Forum Plans for https ?

Posted: August 2nd, 2018, 10:35 am
by lucideer
the-edmeister wrote: I doubt if HTTPS would happen here. The owner is still maintaining this forum, but probably isn't interested in doing any changes.


Is there any way to contact the owner/offer help with the transition? mozillaZine is a well-known site on the web; it would be a shame to see it die like this.

Re: Any Forum Plans for https ?

Posted: August 2nd, 2018, 6:24 pm
by DanRaisch
Why would it die without HTTPS? This is not a bank, on-line retailer or medical facility.

Re: Any Forum Plans for https ?

Posted: August 3rd, 2018, 5:36 am
by lucideer
DanRaisch wrote: This is not a bank, on-line retailer or medical facility.


Why do you think HTTPS should be limited to banks? mozillaZine collects and stores user credentials, for that it needs HTTPS. I mean, it actually needs it to comply with EU law if it has EU users, but even quite apart from EU law I just generally don't want to be signing into any website with my personal details via an unsecure connection, I don't care if it's my bank or not. This is quickly becoming the norm among technical users on the web, and will soon become the norm among non-technical users when browsers (both Mozilla and Google are proactively doing this) start to push users to expect HTTPS everywhere (as they very well should).

Re: Any Forum Plans for https ?

Posted: August 3rd, 2018, 7:41 am
by DanRaisch
Personal credentials don't amount to more than an email address and a user name and password that might/should be completely unique to this forum. That hardly constitutes any real risk to the user.

Re: Any Forum Plans for https ?

Posted: August 3rd, 2018, 9:28 am
by lucideer
As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea. I'd accept "it's too much work and we don't have time/resources"—that's a legitimate excuse—but claiming it's not needed at all is... surprising.

OK so, firstly, you don't even need to have user accounts or even forms on your site to want HTTPS. The web is moving towards an HTTPS-only model for this reason: the HTTP/2 specification has been implemented by all browsers as HTTPS-only. This means any servers using HTTP/2 won't have an option to do plain HTTP at all. This switchover will happen slowly but it is the general intent of browsers that all sites be HTTPS.

Some reasons behind that are:


To summarise that more clearly: users visiting your site are at real risk if it's not HTTPS, even without login sessions.

Secondly and more relevantly to mozillaZine, a site that does have user accounts...

DanRaisch wrote: password that might/should be completely unique to this forum


I'm sure you must know that the above statement is not grounded in reality. Most people reuse passwords. Password-reuse is the primary means by which attackers gain access to accounts. If you were to run any mozillaZine user details through https://haveibeenpwned.com/ I'm certain you would get quite a large number of hits. And you're OK with these details being transferred over the web in plaintext, completely visible to anyone.

Lastly, and least importantly but still relevant, as I very briefly alluded to above, it is actually illegal to handle any EU-based user's credentials in an insecure manner like this, no matter how unimportant you personally believe those user credentials to be. There is a genuine risk of pretty scary fines here.

If it is a lot of work, I would be more than willing to help out, as I'm sure many others here would, but please don't dismiss the issue as if it doesn't matter.

Re: Any Forum Plans for https ?

Posted: August 3rd, 2018, 10:47 am
by mightyglydd
lucideer wrote: As surprised as I was to find mozillaZine didn't have HTTPS, what I really didn't expect was having to explain to site mods why it's even a good idea.

Agree 100 %...but not surprised ;)

Re: Any Forum Plans for https ?

Posted: August 3rd, 2018, 7:29 pm
by Brummelchen
Using free wifi hotspots without vpn is not wise.
I don't see many risks here without SSL, but there is a benefit with it. Nevertheless, it is recommended to change passwords regularly, even strong ones.

Haveibeenpwned is a bunch of hacked data, less sniffed. Adobe, mbam and so on.

Re: Any Forum Plans for https ?

Posted: August 8th, 2018, 1:41 am
by kerz
Hopefully soon.

Re: Any Forum Plans for https ?

Posted: August 8th, 2018, 10:35 am
by jimfitter
kerz wrote: Hopefully soon.

How about a frozen custard machine, too? Some soft-serve would be sweet, right about now. :)

Re: Any Forum Plans for https ?

Posted: August 19th, 2018, 6:10 am
by lucideer
Brummelchen wrote: Using free wifi hotspots without vpn is not wise.
[...]
it is recommended to change password regularly, even strong pw.


There are many things that users can do to protect themselves, but expecting every mozillaZine user to use a vpn and change their password regularly is a much more fanciful dream than what's involved in installing a TLS cert. The former would be nice, and should always be recommended, but will never happen. The latter is easy to do, and gives users additional protection from the dangers of not doing the latter.



[off-topic]
One small note about regular password changes recommended above: unless you're using a password manager with autogenerated passwords (highly recommended), then encouraging users to change their password regularly has been generally shown to lead to users using less secure passwords (memorising many secure passwords is much more difficult than memorising one secure password once). But—as mentioned above—they should just be encouraged to use a password manager (with a secure master pw).
[/off-topic]