-
May 11th, 2019, 11:52 PM #1
Can we get some HTTPS up in here?
To site admins, et al.:
I suspect this may have been discussed before, but couldn't find it, and in any case, felt compelled to bring it up again...
Is there any chance we could get the forum upgraded to use SSL/TLS / HTTPS? I don't mean to look a gift horse in the mouth, and I am appreciative of this forum and its proprietors, but it's 2019 so we need to be honest about the implications:
Continuing to use unencrypted HTTP exposes everything that everyone ever does on this site to anyone who can capture network traffic. This potentially includes multiple ISPs, your employer, your neighbors, your cellular provider, your favorite coffee shop, other third party companies, government, etc. -- you can use your imagination for the rest.
Certificates are free from https://letsencrypt.org/ , so I can't really think of an excuse for not upgrading. I know this requires effort, but the cost of doing nothing could be worse as it could lead to a compromise of personal information, identity theft, loss of access, etc.
I think this is pretty important. I mean, I realize it's a forum, so most actions are going to be public anyway, but people do sometimes send PMs and do have to log in. HTTP only for these actions is inherently insecure. At this point, doing nothing unnecessarily puts everyone at risk.
pafoa certainly isn't the only offender; it seems like a common theme among pro-gun organizations. They invariably all seem to have weak web security, stemming primarily from no HTTPS. We can't afford to become a target for identity theft.
Please consider taking action to adopt HTTPS by obtaining an SSL/TLS certificate. It isn't that difficult, and can be done for free, after all.
Again, I am very appreciative of this site and its owners, moderators, etc. but I am concerned.
Thanks for your consideration!
I am not a lawyer.
-
May 11th, 2019, 11:57 PM #2
Re: Can we get some HTTPS up in here?
Seems like a good topic.
The Gun is the Badge of a Free Man
-
May 12th, 2019, 12:05 AM #3
Re: Can we get some HTTPS up in here?
+1
-
May 13th, 2019, 03:47 PM #4
Re: Can we get some HTTPS up in here?
I raised it (in so many words) a couple years ago. There were reasons explained (forget what).
My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
There are two kinds of guns. Those I have acquired, and those I hope to.
-
May 13th, 2019, 05:06 PM #5
Re: Can we get some HTTPS up in here?
Would a VPN work?
-
May 14th, 2019, 02:12 AM #6
Re: Can we get some HTTPS up in here?
Well sure, it's not subpoena proof. Nobody should expect that anyway as you suggested. Still, HTTPS would provide a level of protection for users of this site that don't understand how they are vulnerable. I suspect some users of this forum do exchange information in PMs that they'd prefer wasn't potentially available for anyone to see. We have a classifieds section, for example, so it stands to reason some probably use PMs to exchange contact info, at a minimum, or maybe a home address. (Not saying it should happen, just acknowledging that it probably does.)
HTTP-only also doesn't provide a means to authenticate a user to the site securely, so there is an underlying security issue even if there was no concern about all the rest of the information being in the clear. Maybe that's just a risk everyone is willing to accept, but it should at least be acknowledged.
Ultimately, it comes down to what threat models we're considering and what level of risk the admins/mods/everyone is willing to accept. The truth is that HTTP is inherently insecure and someone with malicious intent could make this site a target. I hope it doesn't happen, but it's not outside the realm of possibility, given the motivation of some of the opposition.
While I know that implementing HTTPS would require some time/effort, it isn't insurmountable, and now with letsencrypt, the certificate cost barrier is gone too. In 2019, HTTPS should really be considered the bare minimum for any site that allows user authentication.
JMHO.
A VPN could provide a bit of privacy, especially at a coffee shop or on an employer's wifi, as an example (assuming they allow your VPN traffic through). It doesn't do anything for you with regard to end-to-end privacy since the other end of the VPN terminates somewhere "else", not the pafoa server. If there were monitoring anywhere on the path between the other endpoint of the VPN and the pafoa server, it's totally unprotected. HTTPS is the correct architectural solution to this problem.
Last edited by buckengr; May 14th, 2019 at 02:24 AM.
I am not a lawyer.
-
May 27th, 2019, 02:54 PM #7
Re: Can we get some HTTPS up in here?
HTTPS should be considered mandatory for the vast majority of websites today.
Using Let's Encrypt comes with its own set of caveats compared to commercial certificates in regards to how the auto-renew process is conducted. Those caveats aren't a matter of security, just some additional configuration.
Web server configuration is part of my job. If an admin wants to hit me up, I can probably set this up on their behalf.
-
June 29th, 2019, 07:39 PM #8
-
June 29th, 2019, 07:52 PM #9
Re: Can we get some HTTPS up in here?
btw, the other thread where someone asked about moving the site to https: http://forum.pafoa.org/showthread.php?t=298344
Peace, Prosperity, and Liberty
-
July 30th, 2019, 09:40 AM #10
Re: Can we get some HTTPS up in here?
+1 to this
Also not being https lowers the likelihood of the forum appearing in search results....and this is by far the best location for information we have.
"Cives Arma Ferant"
"I know I'm not James Bond, that's why I don't keep a loaded gun under the pillow, or bang Russian spies on a regular basis." - GunLawyer001