Website Security (1 Viewer)

[Mr Pogle]

Hello MotorhomeFun members and administrators.
Newbie, obtained Motorhome in January. Just signed up for this forum a few minutes ago.

Rather surprised to find that the registration page is not https - not even when entering password.
So the bad web people can intercept everything I enter: email address, password etc.

Nearly changed my mind but carried on against my better judgement and used a password that cannot in any way be used to access anything else I do online.
Perhaps I am paranoid because I am an IT Manager.

Anyway my first feedback to the site administrators is please update this for the protection of all the members.

Thank you.

 

[MC 55 FUN]

@Jim ?

 

[Mr Pogle]

@Jim ?

No MH 55, not Jim. I prefer web anonymity. Very paranoid. So I'm Mr Pogle. Or, if we get to know each other better, you can call me Amos and you can call Wife Edna.

^{_{Subscribers  do not see these advertisements}}

 

[MC 55 FUN]

No MH 55, not Jim. I prefer web anonymity. Very paranoid. So I'm Mr Pogle. Or, if we get to know each other better, you can call me Amos and you can call Wife Edna.

By using the highlight @Jim - I've brought your post to the attention of the website owner - his name is Jim

 

[Mr Pogle]

By using the highlight @Jim - I've brought your post to the attention of the website owner - his name is Jim

Got it! Thanks MH 55 and always good to have a Jim to sort things

 

[Bill_OR]

So @Mr Pogle you're on the Isle of Wight (my county of birth)- are you a caulkhead or an overner?

^{_{Subscribers  do not see these advertisements}}

 

[Mr Pogle]

So @Mr Pogle you're on the Isle of Wight (my county of birth)- are you a caulkhead or an overner?

Very recently took up residence on IOW Bill (1988), so definitely overner.

 

[Armytwowheels]

http://www.motorhomefun.co.uk

Not quite sure what you mean but the Web address is a http.......I think? Oh and welcome to the forum too!

 

[tofo]

@Mr Pogle
You will go read only after after a couple of posts
£15.00 allows as many posts as you like for a year

Upsetting the big @Jim lord and master sir lord
Gives a trip to Coventry or expulsion

^{_{Subscribers  do not see these advertisements}}

 

[Armytwowheels]

Or is http and https two different things?

 

[Baileysbus]

Or is http and https two different things?

So far as I'm aware yes they are different. The "s" you'll see on secure sites when you are for e.g. Giving your card details online. Don't know more than that though or whether the "s" means its foolproof secure.

 

[Bill_OR]

Sorry @Mr Pogle - I've started this parallel conversation on your security thread but I do hope you enjoy living on the Island. It was a great place to grow up. I lived at Thornton Cross (between Ryde & Seaview) and I met my wife on the Island (she's a Ventnor girl). We always regarded the Island as 'home' until our last visit a couple of years ago when we realised that it has changed so much that it is no longer 'home'!

By the way, welcome to Motorhome fun!

^{_{Subscribers  do not see these advertisements}}

 

[buttons]

Hi mr and mrs Pogle and welcome. You have made a good start, do keep it up....

 

[rangi]

Mate! We, 'ave got @Gromett looking after our sorry A***s, this fellas an Axe handle across the shoulders, chews old rubber boots, and spits tractor tyres, shaves with an angle grinder, and wrestles Crocs in his spare time, mate! any spotty Russki habitant of the Darkside he eviscerates wiv a soup spoon, and mate!! won't even mention @Tootles & @movan our Amazonial funsteress, no way will she give out her last Rollo to any hacker!

 

[MC 55 FUN]

Or is http and https two different things?

https://en.wikipedia.org/wiki/HTTPS

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

https only secures the connection between the server and your computer. https is designed for two things. To encrypt the connection between the server and the users computer/table/phone and to authenticate that the site you are connecting to is who they say they are. It does nothing to improve the security of the server at all. You can install https on a windows 98SE web server with 1,000's of security holes and the server will get hacked in seconds. If however you have a secured server then SSL brings very little to the party with regards to security for non sensitive data.

@Mr Pogle If we were taking payments over the site or handling any information that is of a sensitive nature the server would have been running https from the very beginning.

As it is there are many competing concerns when running https. The big one is mixed content warnings. On this forum you can link images from remote locations. If these are not running https and we were then you would get an ! exclamation mark in your browser and warnings about mixed content. This can also happen for user footers if they include images from remote http locations.

This would cause an overload of complaints and concerns from people thinking we had been hacked. That all said though I have had some chats with jim about https and it is on the cards for a future update.

Switching on https for a site that you fully control the content for is trivial for me, however for a site with user generated content that is stored remotely it is not a simple task. We can do things like local caching proxies but there is overhead to this and also other concerns.

SSL for this site is not critical and if a man in the middle attack is targetting you, then you have more serious concerns I think. Man in the middle attack are rare at the network level and tend to be end point based (except for wifi attacks obviously). We do constantly monitor for unauthorised accesses to the server so a MITM attack at our end would be noticed.

As for passwords. Ideally you should be using a different password for each login.

 

[Gromett]

Mate! We, 'ave got @Gromett looking after our sorry A***s, this fellas an Axe handle across the shoulders, chews old rubber boots, and spits tractor tyres, shaves with an angle grinder, and wrestles Crocs in his spare time, mate! any spotty Russki habitant of the Darkside he eviscerates wiv a soup spoon, and mate!! won't even mention @Tootles & @movan our Amazonial funsteress, no way will she give out her last Rollo to any hacker!

I am guessing that wasn't referring to me. If so I have to correct the record, I am a short, chubby, geeky type who's most energetic activity is standing up to walk to the toilet and the heaviest weight I lift is a close call between a pint of beer and a hard drive..

Scrap that I do lift my 18 litre thetford cassette down to ground level but it has wheels so I don't think it counts

 

[Riverbankannie]

@Mr Pogle

^{_{Subscribers  do not see these advertisements}}

 

[Mr Pogle]

Thank you everybody for your kind welcome messages.
I have been out this evening and come back to lots of replies, which proves that this is an active forum.

Gromet's reply is good and gets to the heart of the issue I intended to raise. This was not intended to trigger a detailed IT discussion about protocols.
I have not used forums much in the past and I certainly have no personal experience of administering them. So offence intended to Jim & co.

My expectation was simply to be presented with https when filling out my registration details, not for the entire forum. There is rather a lot of personal information on the registration form and I would consider it good practice, not to mention reassuring for new people, to have this information encrypted for upload. I was close to backing out, which would have been a shame. It was only the fact that I had been mellowed by some glasses of Mrs Pogle's bilberry wine that I signed up.

 

[big map]

Hi and welcome. Lovin' your avatar.

 

[wigster]

^{_{Subscribers  do not see these advertisements}}

 

[treetops1]

T