I've been around long enough to recall the referenced thread... Back then, I didn't care as much, but this idea has come due. No site should be non-SSL (TLS 1.2 or better) these days.
As someone trying to change a forum to https, I can confirm the difficulty of such a venture. The cost benefit seems hardly worth it considering the nature of this forum.
I'd be more than willing to help get this set up. Working in IT, I deal with this constantly. I'd say the benefit is well worth it, as it confirms every user sending a username/password to the server isn't getting intercepted by a malicious party. Working with "end users" daily, it's commonplace for people to reuse passwords. While that habit is bad, it happens, and if those passwords can get stolen it increases chances of popping their other accounts.
Sorry for all the techy talk here, but just trying to add some benefit to the effort. If I'm able to assist I'd be glad to!
it's not really hard AT ALL. the only work Dan (or whoever) has to do is generate some free certs, change the configs some, reboot apache or nginx or whatever and then make sure all non-https links are being proxied correctly so it doesn't result in a mixed content warning...
it's actually kind of a joke that in 2019, a political site like PAFOA isn't running over HTTPS...
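The mixed-content check mentioned in the post above, as an added example that is not part of the original thread: a Python scan of one page's HTML for subresources and form targets that would still go over http:// once the page is served over HTTPS. The sample page, the example.org hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> kind. "active" loads are blocked by browsers on an HTTPS
# page, "passive" media loads trigger a warning or auto-upgrade, and "form"
# marks a form that would still submit (e.g. a password) in cleartext.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("form", "action"): "form",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches a subresource when it loads a stylesheet;
        # rel="canonical" and similar are metadata, not loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (rule_tag, attr), kind in RULES.items():
            value = attrs.get(attr)
            if rule_tag != tag or not value:
                continue
            # Resolve relative and protocol-relative URLs against the HTTPS page.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://forum.example.org/style.css">
<link rel="canonical" href="http://forum.example.org/thread/1">
<script src="//cdn.example.org/app.js"></script></head><body>
<form action="http://forum.example.org/login.php" method="post"></form>
<img src="http://images.example.org/avatar.png"><img src="/images/logo.png">
<a href="http://other.example.org/">plain link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE, "https://forum.example.org/thread/1"):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the hard-coded http:// references are reported; ordinary `<a href>` links are navigation and are not mixed content.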
No it's not, especially with Let's Encrypt. We just need an admin to get this going....
Yes, exactly. We are a big juicy target just waiting to be attacked. I'm confident there are elements out there that would love to identify and dox our users.
Whether you want to admit it or not, lack of HTTPS does put our members at risk. Not all of our members are tech-savvy and I believe forums like this one should endeavor to provide HTTPS, at a minimum, in order to attempt to protect the privacy and security of our users. In 2019, it's almost negligent not to do so.
In addition to the password reuse issue, anyone who uses the PM feature to contact another member about an item in the classifieds has to disclose some sort of alternate contact info which could itself be considered sensitive. I'm betting not everyone creates a new burner email every time and then monitors it diligently for a reply.
In case anyone hasn't noticed, gun rights are under attack, and the opposition doesn't really seem to care about fighting fair.
I'm very thankful to those who have volunteered their time to help fix this issue. I'm hoping someone with the authority to act takes someone up on their offer.
Can we get an admin to weigh in? What's it going to take? Money? Labor? I will help with both. This really needs to happen - we need to secure this site and everything that goes between it and our members.
last I knew, danp owned the site. as per their team listing, it still says he's an admin:
http://forum.pafoa.org/showgroups.php