HTTPS for the forum

Started by initrd, May 21, 2019, 06:22:44 PM

initrd

Dear Polycom, and your forum users,

Is it normal that thousands of users connect to this forum using plain, unencrypted HTTP, and HTTPS is basically dysfunctional (searches, etc.)? Should you not default to and allow only HTTPS, instead of defaulting to plain HTTP? I find it quite dangerous to log in via my Google account, and have HTTP-only traffic while logged in to the forum... kinda *weak*, and scary, at least from my point of view...

Thanks,

Mike

EDIT: about to switch my VoIP to GV, and use your device... main reason why I am here...

Lavarock7

It is pretty simple to enable HTTPS site-wide whether they use a paid certificate or a free one. Then again, this version of the forum is quite old. Still, it should work fine under HTTPS.
My websites: Kona Coffee: http://itskona.com and Web Hosting: http://planetaloha.info
A simplified Voip explanation: http://voip.planet-aloha.com

Sheffield_Steve

The login is encrypted, but I don't see why the site itself needs to be securely transmitted to the end user?  i.e. What difference does it make?  What is secret about the information?


Lavarock7

Quote from: Sheffield_Steve on May 24, 2019, 07:29:33 AM
The login is encrypted, but I don't see why the site itself needs to be securely transmitted to the end user?  i.e. What difference does it make?  What is secret about the information?



It is not just about encrypting data but also because many new browser features rely upon it.

Google wants it and lowers sites' rankings when not using it.

https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

Sheffield_Steve

There are no "features" that I'm aware of that need https:

I understand it's being pushed and is essential for banking and other sites where it's critical to make sure the data cannot be intercepted or changed. 

But for a site like this.  Does it really make any difference? 

SteveInWA

Aside from encryption of information sent over the Internet, using SSL/TLS involves using a server certificate that can be verified back to the root certificate authority.  This is a protection against attacks such as a "man in the middle" or DNS spoofing.

I'll agree that it is not a worrisome risk for this particular forum, but in general, it is now considered bad practice to host a website that doesn't use HTTPS.
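
The certificate check described in the post above, shown with throwaway certificates. This is an added example, not part of the original thread; `forum.example`, `other.example` and "Demo Root CA" are constructed names, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example. All names (forum.example, other.example, Demo Root CA) are constructed.
set -eu

# make_ca DIR: create a throwaway root CA (stands in for a CA the browser already trusts).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue DIR NAME HOST: leaf certificate for HOST signed by the CA, written to DIR/NAME.pem.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# self_signed DIR NAME HOST: the only kind of certificate for HOST that a party
# without the CA's private key can produce on its own.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# cert_ok DIR NAME HOST: succeeds only if the chain ends at ca.pem AND the cert names HOST.
cert_ok() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue "$d" site forum.example          # the real site's certificate
    issue "$d" other other.example         # valid certificate, but for a different host
    self_signed "$d" impostor forum.example
    for c in site other impostor; do
        if cert_ok "$d" "$c" forum.example; then r=accepted; else r=rejected; fi
        echo "$c.pem presented as forum.example: $r"
    done
    rm -rf "$d"
}
demo
```

Only `site.pem` is accepted: the client checks both the signature chain and the host name, so a server reached through a spoofed DNS answer still has to present a certificate it cannot obtain without the CA's key.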

Sheffield_Steve

I think you are confusing regular encrypted web browsing with DNS over HTTPS.  They are not the same.

To protect from DNS attacks you need to implement secure DNS (DNSSEC) and DNS over https (experimental) which is a totally different thing from using https on websites.

Very few people have these things configured.  I just happen to be one that has.

Here is a test for DNSSEC:

http://dnssec.vs.uni-due.de/

SteveInWA

I am talking about the general vulnerability to attacks of a website that doesn't have a web server certificate.

Sheffield_Steve

I don't see that using https on a website helps at all in that respect.  All it does is make sure other people cannot see the data being transmitted back and forth. Man in the middle attacks are still possible.

DNSSEC and DNS over https are what will mitigate those attacks.