MozillaZine


Possible to make Mozillazine login secure?

Talk about stuff specific to the site -- bugs, suggestions, and of course praise welcome.
phkhgh
 
Posts: 840
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.

Post Posted January 1st, 2021, 6:09 pm

It's been like this forever - no security certificate for login page. I don't use my UN / PW for here, on any other site, though some foolishly still do. However, kiddies could intercept anyone's PW, then impersonate them & cause lots of trouble or a ban for the real user.

We all know the web has gotten to where hackers often do malicious things for the fun? - some compromised sites or users' UN & PW may have no monetary value on some sites. Little old grannies & grandpas may still not understand the risk in re-using PWs at other sites.

How much would a certificate cost per yr? What if the users with over 828 posts all chipped in - what would each have to pay? I'd guess very little.

Several other sites that I or others mentioned this to operators did eventually get valid certificates.

DanRaisch
Moderator

 
Posts: 125475
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Post Posted January 1st, 2021, 8:49 pm

Moving to MozillaZine Site Discussion.

This has been discussed before. There are no financial transactions involved on the forums nor is any personal data used, other than an email address which doesn’t have to be the user's usual address. Finally, the forum administrator has been virtually incommunicado for months as they have a full time job elsewhere and it is doubtful that they would commit the time to address this.

phkhgh
 
Posts: 840
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.

Post Posted April 1st, 2021, 3:09 pm

I'm a bit late responding, but there is the real threat of stolen user name / password. Though most "technically aware" users don't use the same PW on other sites, the same can't be said for many non-technical users, who often visit sites like this. I know very, very few sites / forums that still use http. A couple of software support sites that used http in last couple yrs, were asked to at least make the login page secure & they apparently thought it was a good idea.

What you say is true. Even stealing a "junk email" acct, they could cause problems & make it look like you were violating the email provider's TOS & risk getting all accts banned. You might have other more important email accts w/ the same provider & don't want to spend time trying to prove "it wasn't me" causing all the trouble.

Even if they only got a UN / PW good on this site, they could cause some headaches, get you temporarily banned (hopefully) & generally waste a lot of time. Which is why a lot of younger kids (I'm assuming) do this sort of thing, just for kicks.

rleeden
 
Posts: 1
Joined: October 19th, 2004, 1:24 am

Post Posted April 9th, 2021, 2:46 am

I realise that nothing is likely to change on the forum regarding making it secure, but just to add to the discussion: it's not only the risk of stolen usernames / passwords; there are many other risks when running an unsecured website, even when no financial transactions are taking place. For a full explanation I would recommend reading Troy Hunt's blog on this subject: Here's Why Your Static Website Needs HTTPS

And if you have the time and interest watch the YouTube video on that page where he demonstrates some of these threats.

And regarding the cost of a certificate - there are several companies offering free certificates. See the great work that Let's Encrypt do.

Ideation_at_M
 
Posts: 30
Joined: October 25th, 2013, 12:29 am

Post Posted June 5th, 2021, 6:28 pm

I have been very guilty with one of my sites in this area of security and this thread reminds me to be more responsible in the community sense at that site, because I have slowly come to realize these forums are no longer simply websites. They are communities. The key aspect of these forums/communities is the human element. No humans and no website. The problem is that I have for so long been stuck in the thinking that a community is only identified as such if it is in a brick-and-mortar setting, which is wrong. It is the human element that defines a community, whether brick-and-mortar or online. So just as you would not want to start to drastically reduce funding for your police force in the brick-and-mortar community, one should have a similar regard for online community security.

I think this was the first time I logged onto here using a much older OS and Firefox, so the first time to see that warning about logging into an environment that some professional seems to think is not secure. It has been a warning to me to be more respectful of the citizens in my own community that is not properly secure. Kind of like I do not think I would be so happy at a brick-and-mortar community border if I saw a big sign board as I drove into that town/village that stated the community was not so safe because the funding for their already tiny police force had been reduced by 50%. Or something like that.

I think I will give my admin team on that site a few funds to get that site adding that 's' thingy to the address. Sort of like I have seen an 'SOS' which stands for Spend On Security.

James
Moderator

 
Posts: 27833
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted June 5th, 2021, 8:04 pm

Ideation_at_M wrote: I think I will give my admin team on that site a few funds to get that site adding that 's' thingy to the address.

https://letsencrypt.org/
