This bulletin board does not use https
Moderators: winston, another_commander, Cody
-
- ---- E L I T E ----
- Posts: 1248
- Joined: Sat Sep 12, 2009 11:58 pm
- Location: Essex (mainly industrial and occasionally anarchic)
This bulletin board does not use https
Dear all
I imagine this has been discussed before - though I can't find any such discussion - but why does this board use the insecure http protocol and not rather the secure https? I'd prefer the latter!
- Cody
- Sharp Shooter Spam Assassin
- Posts: 16081
- Joined: Sat Jul 04, 2009 9:31 pm
- Location: The Lizard's Claw
Re: This bulletin board does not use https
I've no idea what that would entail, but it'd be down to Giles (or perhaps Jens) to sort out, and neither are about much.
I would advise stilts for the quagmires, and camels for the snowy hills
And any survivors, their debts I will certainly pay. There's always a way!
- Diziet Sma
- ---- E L I T E ----
- Posts: 6312
- Joined: Mon Apr 06, 2009 12:20 pm
- Location: Aboard the Pitviper S.E. "Blackwidow"
Re: This bulletin board does not use https
Yep.. It would be up to Giles, as owner of the domain, to arrange an SSL certificate. Unfortunately, they're not free. Prices typically range from $70 - $250 or more per year, depending on your registrar and what kind of site you run. So there's that to consider also.
Edit: I did a little digging using 'whois', and found Giles' hosting company. Here's a list of their SSL Certificate prices.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
- Cody
- Sharp Shooter Spam Assassin
- Posts: 16081
- Joined: Sat Jul 04, 2009 9:31 pm
- Location: The Lizard's Claw
Re: This bulletin board does not use https
Of more importance to me would be repair and upgrade of the forum software - and an alternative colour scheme.
I would advise stilts for the quagmires, and camels for the snowy hills
And any survivors, their debts I will certainly pay. There's always a way!
- Diziet Sma
- ---- E L I T E ----
- Posts: 6312
- Joined: Mon Apr 06, 2009 12:20 pm
- Location: Aboard the Pitviper S.E. "Blackwidow"
Re: This bulletin board does not use https
That gets my vote!
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
-
- ---- E L I T E ----
- Posts: 1248
- Joined: Sat Sep 12, 2009 11:58 pm
- Location: Essex (mainly industrial and occasionally anarchic)
Re: This bulletin board does not use https
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.
- Cody
- Sharp Shooter Spam Assassin
- Posts: 16081
- Joined: Sat Jul 04, 2009 9:31 pm
- Location: The Lizard's Claw
Re: This bulletin board does not use https
UK_Eliter wrote:
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?
No idea really, but I expect that's a current price/feature list, and this software hasn't been upgraded properly for a fair while.
I would advise stilts for the quagmires, and camels for the snowy hills
And any survivors, their debts I will certainly pay. There's always a way!
-
- ---- E L I T E ----
- Posts: 1248
- Joined: Sat Sep 12, 2009 11:58 pm
- Location: Essex (mainly industrial and occasionally anarchic)
Re: This bulletin board does not use https
I think the most important thing is security (and I don't mind the board interface). We don't want a flood of spam, or people's credentials being stolen. We did get hacked by some bot once before, I seem to recall. I am afraid I can't contribute a hosting computer or any relevant programming or systems administration ability, but I could donate a few quid if that would help.
- Diziet Sma
- ---- E L I T E ----
- Posts: 6312
- Joined: Mon Apr 06, 2009 12:20 pm
- Location: Aboard the Pitviper S.E. "Blackwidow"
Re: This bulletin board does not use https
No.. even the cheapest option will put a padlock icon in the browser address bar. Pricier options turn the bar green as well. But neither Oolite's BB nor the Oolite.org website have a padlock icon.
UK_Eliter wrote: ↑Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.
Yes, they absolutely can! It would, of course, still need someone with admin rights to the server to set it up.
And thank you SO much for that link! I've been wanting to add SSL encryption to my family's business website for a while now. This means there's one less annual cost involved. Much appreciated!
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
Re: This bulletin board does not use https
UK_Eliter wrote: ↑Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.
Let's Encrypt is an excellent provider - I use them for my sites - but it depends whether the hosting provider supports it.
- Diziet Sma
- ---- E L I T E ----
- Posts: 6312
- Joined: Mon Apr 06, 2009 12:20 pm
- Location: Aboard the Pitviper S.E. "Blackwidow"
Re: This bulletin board does not use https
I think you may be over-estimating what https can do, a little..
Essentially, it encrypts all data sent between the browser and server, in both directions. From the perspective of a BB like ours, the practical benefit is that member logins would be encrypted. This means that passwords are no longer transmitted in plain text. Plain text logins are easily "sniffed" during transmission, by anyone with the motive and means (not a high barrier) to do so. I'm not privy to the details of the bot hack, but I doubt it was done by sniffing an admin's password. A password guessing bot would be my first guess, and against those, the only defence is a high quality password.
Https is not going to result in a reduction in spam attempts, either. Spam bots will still be able to connect to the account creation page, to try and create an account, and then log in. There are tools and organisations available to help keep almost all spammers out of the forum, and I'm an admin on a forum that uses them. They work very well. But they won't work with the antiquated BB software we use here. The upgrade Cody spoke of would go a long way in helping with that particular problem.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
-
- ---- E L I T E ----
- Posts: 1248
- Joined: Sat Sep 12, 2009 11:58 pm
- Location: Essex (mainly industrial and occasionally anarchic)
Re: This bulletin board does not use https
Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good. I believe that the aforementioned vulnerability would be rendered safe by a VPN (but not everyone using these boards has one) and perhaps by operating system and/or router patches (but perhaps not everyone's system would be patched).
By the way: by 'I don't mind the board interface' I didn't mean that I don't how the interface is. Rather I meant I am happy enough with the current interface.
- Diziet Sma
- ---- E L I T E ----
- Posts: 6312
- Joined: Mon Apr 06, 2009 12:20 pm
- Location: Aboard the Pitviper S.E. "Blackwidow"
Re: This bulletin board does not use https
UK_Eliter wrote: ↑Mon Oct 23, 2017 5:24 pm
Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good.
Hmm.. I'd missed seeing that one. And yeah, it's nasty. Yes, SSL would help protect against passwords to the BB being obtained via that attack.
In some ways yes, in others no. SSL does essentially the same thing as a VPN, in a more limited way. But a VPN won't stop someone using krack to break into your home wi-fi network, for example.
I'm happy enough with the current interface as well.. (APART FROM THE MISSING "LIKE" BUTTON!!!) But unfortunately, this forum software is showing its age. The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied
- Cody
- Sharp Shooter Spam Assassin
- Posts: 16081
- Joined: Sat Jul 04, 2009 9:31 pm
- Location: The Lizard's Claw
Re: This bulletin board does not use https
Diziet Sma wrote:
The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.
That'd be the only way being made redundant could make me happy!
I would advise stilts for the quagmires, and camels for the snowy hills
And any survivors, their debts I will certainly pay. There's always a way!