Pennsylvania Firearm Owners Association
Page 1 of 3 123 LastLast
Results 1 to 10 of 28
  1. #1
    Join Date
    Jan 2012
    Location
    somewhere, Pennsylvania
    Posts
    623
    Rep Power
    21474849

    Exclamation Can we get some HTTPS up in here?

    To site admins, et al.:

    I suspect this may have been discussed before, but couldn't find it, and in any case, felt compelled to bring it up again...

    Is there any chance we could get the forum upgraded to use SSL/TLS / HTTPS? I don't mean to look a gift horse in the mouth, and I am appreciative of this forum and its proprietors, but it's 2019 so we need to be honest about the implications:

    Continuing to use unencrypted HTTP exposes everything that everyone ever does on this site to anyone who can capture network traffic. This potentially includes multiple ISPs, your employer, your neighbors, your cellular provider, your favorite coffee shop, other third party companies, government, etc. -- you can use your imagination for the rest.

    Certificates are free from https://letsencrypt.org/ , so I can't really think of an excuse for not upgrading. I know this requires effort, but the cost of doing nothing could be worse as it could lead to a compromise of personal information, identity theft, loss of access, etc.

    I think this is pretty important. I mean, I realize it's a forum, so most actions are going to be public anyway, but people do sometimes send PMs and do have to log in. HTTP only for these actions is inherently insecure. At this point, doing nothing unnecessarily puts everyone at risk.

    pafoa certainly isn't the only offender; it seems like a common theme among pro-gun organizations. They invariably all seem to have weak web security, stemming primarily from no HTTPS. We can't afford to become a target for identity theft.

    Please consider taking action to adopt HTTPS by obtaining an SSL/TLS certificate. It isn't that difficult, and can be done for free, after all.

    Again, I am very appreciative of this site and its owners, moderators, etc. but I am concerned.

    Thanks for your consideration!
    I am not a lawyer.

  2. #2
    Join Date
    Jul 2013
    Location
    Mohnton, Pennsylvania
    (Berks County)
    Posts
    7,194
    Rep Power
    21474854

    Default Re: Can we get some HTTPS up in here?

    Seems like a good topic.
    The Gun is the Badge of a Free Man

  3. #3
    Join Date
    Nov 2007
    Location
    Belly of the BEAST, Pennsylvania
    (Montgomery County)
    Posts
    2,387
    Rep Power
    21367481

    Default Re: Can we get some HTTPS up in here?

    +1

  4. #4
    Join Date
    Feb 2010
    Location
    Levittown, Pennsylvania
    (Bucks County)
    Posts
    9,636
    Rep Power
    21474860

    Default Re: Can we get some HTTPS up in here?

    I raised it (in so many words) a couple years ago. There were reasons explained (forget what).

    My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
    There are two kinds of guns. Those I have acquired, and those I hope to.

  5. #5
    Join Date
    Feb 2007
    Location
    next to my neighbor, Pennsylvania
    Posts
    13,585
    Rep Power
    21474867

    Default Re: Can we get some HTTPS up in here?

    Would a VPN work?

  6. #6
    Join Date
    Jan 2012
    Location
    somewhere, Pennsylvania
    Posts
    623
    Rep Power
    21474849

    Default Re: Can we get some HTTPS up in here?

    Quote Originally Posted by Bang View Post
    I raised it (in so many words) a couple years ago. There were reasons explained (forget what).

    My thoughts....no money is being transacted, no personal or account information is being divulged unless done so voluntarily and in disregard of. https:// is secure for sensitive transmissions, but not subpoena-proof.
    Well sure, it's not subpoena proof. Nobody should expect that anyway as you suggested. Still, HTTPS would provide a level of protection for users of this site that don't understand how they are vulnerable. I suspect some users of this forum do exchange information in PMs that they'd prefer wasn't potentially available for anyone to see. We have a classifieds section, for example, so it stands to reason some probably use PMs to exchange contact info, at a minimum, or maybe a home address. (Not saying it should happen, just acknowledging that it probably does.)

    HTTP-only also doesn't provide a means to authenticate a user to the site securely, so there is an underlying security issue even if there was no concern about all the rest of the information being in the clear. Maybe that's just a risk everyone is willing to accept, but it should at least be acknowledged.

    Ultimately, it comes down to what threat models we're considering and what level of risk the admins/mods/everyone is willing to accept.The truth is that HTTP is inherently insecure and someone with malicious intent could make this site a target. I hope it doesn't happen, but it's not outside the realm of possibility, given the motivation of some of the opposition.

    While I know that implementing HTTPS would require some time/effort, it isn't insurmountable, and now with letsencrypt, the certificate cost barrier is gone too. In 2019, HTTPS should really be considered the bare minimum for any site that allows user authentication.

    JMHO.

    Quote Originally Posted by bogey1 View Post
    Would a VPN work?
    A VPN could provide a bit of privacy, especially at a coffee shop or on an employer's wifi, as an example (assuming they allow your VPN traffic through). It doesn't do anything for you with regard to end-to-end privacy since the other end of the VPN terminates somewhere "else", not the pafoa server. If there were monitoring anywhere on the path between the other endpoint of the VPN and the pafoa server, it's totally unprotected. HTTPS is the correct architectural solution to this problem.
    Last edited by buckengr; May 14th, 2019 at 02:24 AM.
    I am not a lawyer.

  7. #7
    Join Date
    Feb 2018
    Location
    Philadelphia, Pennsylvania
    Posts
    4
    Rep Power
    0

    Default Re: Can we get some HTTPS up in here?

    HTTPS should be considered mandatory for the vast majority of websites today.

    Using let's encrypt comes with its own set of caveats compared to commercial certificates in regards to how the auto-renew process is conducted.. Those caveats aren't a matter of security, just some additional configuration.

    Web server configuration is part of my job.. If an admin wants to hit me up, I can probably set this up on their behalf.

  8. #8
    Join Date
    Mar 2008
    Location
    Lansdowne, Pennsylvania
    (Delaware County)
    Age
    37
    Posts
    5,994
    Rep Power
    3189408

    Default Re: Can we get some HTTPS up in here?

    Quote Originally Posted by dogmeatfordinner View Post
    HTTPS should be considered mandatory for the vast majority of websites today.

    Using let's encrypt comes with its own set of caveats compared to commercial certificates in regards to how the auto-renew process is conducted.. Those caveats aren't a matter of security, just some additional configuration.

    Web server configuration is part of my job.. If an admin wants to hit me up, I can probably set this up on their behalf.
    I like using acme.sh to generate and renew the certs...I believe it even adds a line in the root user's crontab to fully automate the process.
    Peace, Prosperity, and Liberty

  9. #9
    Join Date
    Mar 2008
    Location
    Lansdowne, Pennsylvania
    (Delaware County)
    Age
    37
    Posts
    5,994
    Rep Power
    3189408

    Default Re: Can we get some HTTPS up in here?

    btw, the other thread where someone asked about moving the site to https: http://forum.pafoa.org/showthread.php?t=298344
    Peace, Prosperity, and Liberty

  10. #10
    Join Date
    Jan 2013
    Location
    ..., Pennsylvania
    (Juniata County)
    Posts
    4,418
    Rep Power
    21474852

    Default Re: Can we get some HTTPS up in here?

    +1 to this

    Also not being https lowers the likelihood of the forum appearing in search results....and this is by far the best location for information we have.
    "Cives Arma Ferant"

    "I know I'm not James Bond, that's why I don't keep a loaded gun under the pillow, or bang Russian spies on a regular basis." - GunLawyer001

Page 1 of 3 123 LastLast

Similar Threads

  1. Move to https://
    By free in forum Support & Suggestions
    Replies: 38
    Last Post: March 21st, 2016, 10:23 PM
  2. https://thefirearmlawyers.com
    By carl_g in forum NFA/Class 3/Title II
    Replies: 0
    Last Post: December 30th, 2014, 09:49 PM
  3. https://www.checkpointusa.org unbelievable
    By Biggworm in forum General
    Replies: 0
    Last Post: January 7th, 2009, 04:53 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •