Can we get some HTTPS up in here?
To site admins, et al.:
I suspect this may have been discussed before, but couldn't find it, and in any case, felt compelled to bring it up again...
Is there any chance we could get the forum upgraded to use SSL/TLS / HTTPS? I don't mean to look a gift horse in the mouth, and I am appreciative of this forum and its proprietors, but it's 2019 so we need to be honest about the implications:
Continuing to use unencrypted HTTP exposes everything that everyone ever does on this site to anyone who can capture network traffic. This potentially includes multiple ISPs, your employer, your neighbors, your cellular provider, your favorite coffee shop, other third party companies, government, etc. -- you can use your imagination for the rest.
Certificates are free from https://letsencrypt.org/ , so I can't really think of an excuse for not upgrading. I know this requires effort, but the cost of doing nothing could be worse as it could lead to a compromise of personal information, identity theft, loss of access, etc.
I think this is pretty important. I mean, I realize it's a forum, so most actions are going to be public anyway, but people do sometimes send PMs and do have to log in. HTTP only for these actions is inherently insecure. At this point, doing nothing unnecessarily puts everyone at risk.
pafoa certainly isn't the only offender; it seems like a common theme among pro-gun organizations. They invariably all seem to have weak web security, stemming primarily from no HTTPS. We can't afford to become a target for identity theft.
Please consider taking action to adopt HTTPS by obtaining an SSL/TLS certificate. It isn't that difficult, and can be done for free, after all.
Again, I am very appreciative of this site and its owners, moderators, etc. but I am concerned.
Thanks for your consideration!
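As an added illustration of the exposures the post describes (this is example code, not anything from the thread or from the forum's own software), the script below audits a handful of constructed HTTP responses for the specific problems a plain-HTTP forum has: pages served without a redirect to HTTPS, login forms that submit a password over HTTP, session cookies issued without the Secure attribute, and HTTPS pages that omit HSTS. The hostname forum.example.org, the cookie and form field names, and the three sample responses are all made up for the example.

```python
"""Audit raw HTTP/HTTPS responses for the cleartext-exposure problems of an HTTP-only site.

Example code written for this thread; the sample responses below are constructed,
not captured from any real server.
"""
import re
from email.parser import Parser
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block)  # case-insensitive, keeps repeated Set-Cookie
    return status, headers, body


def password_form_actions(body: str, page_url: str):
    """Yield the absolute URL of every <form> that contains a password field."""
    for form in re.findall(r"<form\b[^>]*>.*?</form>", body, re.I | re.S):
        if not re.search(r'type\s*=\s*["\']?password', form, re.I):
            continue
        m = re.search(r'action\s*=\s*["\']([^"\']*)["\']', form, re.I)
        # A missing or empty action submits back to the page itself.
        yield urljoin(page_url, m.group(1) if m else "")


def audit(page_url: str, raw: str):
    """Return a list of findings for one page fetched from page_url."""
    scheme = urlsplit(page_url).scheme
    status, headers, body = parse_response(raw)
    findings = []

    if scheme == "http":
        if status in REDIRECT_CODES and headers.get("Location", "").startswith("https://"):
            return findings  # redirecting HTTP to HTTPS is the behaviour we want
        findings.append("page served over plain HTTP: every byte is readable on the path")

    for action in password_form_actions(body, page_url):
        if urlsplit(action).scheme != "https":
            findings.append(f"login form posts credentials in the clear to {action}")

    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute and can leak over HTTP")

    if scheme == "https" and "Strict-Transport-Security" not in headers:
        findings.append("no HSTS header: a first visit can still be downgraded to HTTP")

    return findings


# Constructed sample responses (hostnames, names and values are invented).
HTTP_LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    '<html><body><form action="login.php" method="post">'
    '<input name="username"><input type="password" name="password">'
    "</form></body></html>"
)
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example.org/\r\n"
    "\r\n"
)
HTTPS_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<html><body><form action="/login.php" method="post">'
    '<input name="username"><input type="password" name="password">'
    "</form></body></html>"
)

if __name__ == "__main__":
    for url, raw in [
        ("http://forum.example.org/login.php", HTTP_LOGIN_PAGE),
        ("http://forum.example.org/", HTTP_REDIRECT),
        ("https://forum.example.org/login.php", HTTPS_PAGE),
    ]:
        print(url)
        for finding in audit(url, raw) or ["no findings"]:
            print("  -", finding)
```

The HTTP login page produces three findings (cleartext page, cleartext credential POST, cookie without Secure), the HTTP redirect produces none because it sends the browser to HTTPS, and the HTTPS page with HSTS and a Secure cookie is clean. Run against real responses, the same checks are what an admin would verify after deploying a certificate.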
Re: Can we get some HTTPS up in here?
I raised it (in so many words) a couple years ago. There were reasons explained (forget what).
My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
Re: Can we get some HTTPS up in here?
Quote: Originally Posted by Bang
I raised it (in so many words) a couple years ago. There were reasons explained (forget what).
My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
Well sure, it's not subpoena proof. Nobody should expect that anyway as you suggested. Still, HTTPS would provide a level of protection for users of this site that don't understand how they are vulnerable. I suspect some users of this forum do exchange information in PMs that they'd prefer wasn't potentially available for anyone to see. We have a classifieds section, for example, so it stands to reason some probably use PMs to exchange contact info, at a minimum, or maybe a home address. (Not saying it should happen, just acknowledging that it probably does.)
HTTP-only also doesn't provide a means to authenticate a user to the site securely, so there is an underlying security issue even if there was no concern about all the rest of the information being in the clear. Maybe that's just a risk everyone is willing to accept, but it should at least be acknowledged.
Ultimately, it comes down to what threat models we're considering and what level of risk the admins/mods/everyone is willing to accept. The truth is that HTTP is inherently insecure and someone with malicious intent could make this site a target. I hope it doesn't happen, but it's not outside the realm of possibility, given the motivation of some of the opposition.
While I know that implementing HTTPS would require some time/effort, it isn't insurmountable, and now with letsencrypt, the certificate cost barrier is gone too. In 2019, HTTPS should really be considered the bare minimum for any site that allows user authentication.
JMHO.
Quote: Originally Posted by bogey1
Would a VPN work?
A VPN could provide a bit of privacy, especially at a coffee shop or on an employer's wifi, as an example (assuming they allow your VPN traffic through). It doesn't do anything for you with regard to end-to-end privacy since the other end of the VPN terminates somewhere "else", not the pafoa server. If there were monitoring anywhere on the path between the other endpoint of the VPN and the pafoa server, it's totally unprotected. HTTPS is the correct architectural solution to this problem.
Re: Can we get some HTTPS up in here?
HTTPS should be considered mandatory for the vast majority of websites today.
Using Let's Encrypt comes with its own set of caveats compared to commercial certificates in regards to how the auto-renew process is conducted. Those caveats aren't a matter of security, just some additional configuration.
Web server configuration is part of my job. If an admin wants to hit me up, I can probably set this up on their behalf.
Re: Can we get some HTTPS up in here?
Quote: Originally Posted by dogmeatfordinner
HTTPS should be considered mandatory for the vast majority of websites today.
Using Let's Encrypt comes with its own set of caveats compared to commercial certificates in regards to how the auto-renew process is conducted. Those caveats aren't a matter of security, just some additional configuration.
Web server configuration is part of my job. If an admin wants to hit me up, I can probably set this up on their behalf.
I like using acme.sh to generate and renew the certs. I believe it even adds a line in the root user's crontab to fully automate the process.
Re: Can we get some HTTPS up in here?
btw, the other thread where someone asked about moving the site to https: http://forum.pafoa.org/showthread.php?t=298344
Re: Can we get some HTTPS up in here?
+1 to this
Also, not being HTTPS lowers the likelihood of the forum appearing in search results, and this is by far the best location for information we have.