Pennsylvania Firearm Owners Association

  1. #1
    Join Date
    Jan 2012
    Location
    somewhere, Pennsylvania
    Posts
    624
    Rep Power
    21474849

    Can we get some HTTPS up in here?

    To site admins, et al.:

    I suspect this may have been discussed before, but couldn't find it, and in any case, felt compelled to bring it up again...

    Is there any chance we could get the forum upgraded to use SSL/TLS / HTTPS? I don't mean to look a gift horse in the mouth, and I am appreciative of this forum and its proprietors, but it's 2019 so we need to be honest about the implications:

    Continuing to use unencrypted HTTP exposes everything that everyone ever does on this site to anyone who can capture network traffic. This potentially includes multiple ISPs, your employer, your neighbors, your cellular provider, your favorite coffee shop, other third party companies, government, etc. -- you can use your imagination for the rest.

    Certificates are free from https://letsencrypt.org/ , so I can't really think of an excuse for not upgrading. I know this requires effort, but the cost of doing nothing could be worse as it could lead to a compromise of personal information, identity theft, loss of access, etc.

    I think this is pretty important. I mean, I realize it's a forum, so most actions are going to be public anyway, but people do sometimes send PMs and do have to log in. HTTP only for these actions is inherently insecure. At this point, doing nothing unnecessarily puts everyone at risk.

    pafoa certainly isn't the only offender; it seems like a common theme among pro-gun organizations. They invariably all seem to have weak web security, stemming primarily from no HTTPS. We can't afford to become a target for identity theft.

    Please consider taking action to adopt HTTPS by obtaining an SSL/TLS certificate. It isn't that difficult, and can be done for free, after all.

    Again, I am very appreciative of this site and its owners, moderators, etc. but I am concerned.

    Thanks for your consideration!
    I am not a lawyer.

  2. #2
    Join Date
    Jul 2013
    Location
    Mohnton, Pennsylvania
    (Berks County)
    Posts
    7,194
    Rep Power
    21474854

    Re: Can we get some HTTPS up in here?

    Seems like a good topic.
    The Gun is the Badge of a Free Man

  3. #3
    Join Date
    Nov 2007
    Location
    Belly of the BEAST, Pennsylvania
    (Montgomery County)
    Posts
    2,387
    Rep Power
    21367481

    Re: Can we get some HTTPS up in here?

    +1

  4. #4
    Join Date
    Feb 2010
    Location
    Levittown, Pennsylvania
    (Bucks County)
    Posts
    9,647
    Rep Power
    21474860

    Re: Can we get some HTTPS up in here?

    I raised it (in so many words) a couple years ago. There were reasons explained (forget what).

    My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
    There are two kinds of guns. Those I have acquired, and those I hope to.

  5. #5
    Join Date
    Feb 2007
    Location
    next to my neighbor, Pennsylvania
    Posts
    13,622
    Rep Power
    21474867

    Re: Can we get some HTTPS up in here?

    Would a VPN work?

  6. #6
    Join Date
    Jan 2012
    Location
    somewhere, Pennsylvania
    Posts
    624
    Rep Power
    21474849

    Re: Can we get some HTTPS up in here?

    Quote (originally posted by Bang):
        I raised it (in so many words) a couple years ago. There were reasons explained (forget what).

        My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.

    Well sure, it's not subpoena proof. Nobody should expect that anyway as you suggested. Still, HTTPS would provide a level of protection for users of this site that don't understand how they are vulnerable. I suspect some users of this forum do exchange information in PMs that they'd prefer wasn't potentially available for anyone to see. We have a classifieds section, for example, so it stands to reason some probably use PMs to exchange contact info, at a minimum, or maybe a home address. (Not saying it should happen, just acknowledging that it probably does.)

    HTTP-only also doesn't provide a means to authenticate a user to the site securely, so there is an underlying security issue even if there was no concern about all the rest of the information being in the clear. Maybe that's just a risk everyone is willing to accept, but it should at least be acknowledged.

    Ultimately, it comes down to what threat models we're considering and what level of risk the admins/mods/everyone is willing to accept. The truth is that HTTP is inherently insecure and someone with malicious intent could make this site a target. I hope it doesn't happen, but it's not outside the realm of possibility, given the motivation of some of the opposition.

    While I know that implementing HTTPS would require some time/effort, it isn't insurmountable, and now with letsencrypt, the certificate cost barrier is gone too. In 2019, HTTPS should really be considered the bare minimum for any site that allows user authentication.

    JMHO.

    Quote (originally posted by bogey1):
        Would a VPN work?

    A VPN could provide a bit of privacy, especially at a coffee shop or on an employer's wifi, as an example (assuming they allow your VPN traffic through). It doesn't do anything for you with regard to end-to-end privacy since the other end of the VPN terminates somewhere "else", not the pafoa server. If there were monitoring anywhere on the path between the other endpoint of the VPN and the pafoa server, it's totally unprotected. HTTPS is the correct architectural solution to this problem.
    Last edited by buckengr; May 14th, 2019 at 02:24 AM.
    I am not a lawyer.
