Nsof
Daedalian Member
Posted: Sun Sep 02, 2012 11:25 pm Post subject: 1

prevents anyone* from eavesdropping on what we post and message each other.
Obviously this doesn't prevent anyone from scraping the site for content, but the private messages are secure (and scraping is not easy).
* excluding major superpowers' intelligence agencies.
It can be a self-signed certificate to cut the cost to zero; however, there are some caveats. The biggest is that the first time one tries to enter the site using https one gets an ugly browser warning.
We should keep the regular http access.
The login page should definitely be protected somehow; otherwise someone at the coffee shop is going to sniff our pw.
Thoughts?
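One way to build exactly what this post proposes (keep plain HTTP for reading, move the pages that carry credentials onto HTTPS, accept a self-signed certificate) is to terminate TLS at the web server in front of phpBB, so nothing in the phpBB code base is touched. The configuration below is an added example and is not the forum's actual setup; it assumes nginx with PHP-FPM, and the host name, install path, socket and certificate paths are placeholders. The first server block is the weak starting point (everything in the clear); the two blocks after it are the corrected form.

```nginx
# --- Weak setting: the whole forum, login form included, over plain HTTP ---
server {
    listen 80;
    server_name forum.example.test;          # placeholder host name
    root /var/www/phpbb;                     # assumed phpBB install path
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock; # assumed PHP-FPM socket
    }
}

# --- Corrected: HTTP stays for reading; credential pages go to HTTPS ---
server {
    listen 80;
    server_name forum.example.test;
    root /var/www/phpbb;
    index index.php;

    # ucp.php serves phpBB's login, registration and password-change forms.
    # Redirecting the GET for the form means the browser fetches the form
    # from the HTTPS server and submits it there.  This regex location must
    # come before the generic \.php$ one: nginx uses the first regex match.
    location ~ ^/ucp\.php {
        return 301 https://$host$request_uri;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}

server {
    listen 443 ssl;
    server_name forum.example.test;
    root /var/www/phpbb;
    index index.php;

    # A self-signed pair (cost zero, as the post says) encrypts the wire just
    # as well as a purchased certificate.  The price is the browser warning on
    # first visit, and that a browser which has learned to click through the
    # warning cannot tell this certificate from one an attacker substitutes.
    ssl_certificate     /etc/nginx/ssl/forum.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/forum.key;

    # Deliberately no Strict-Transport-Security header: HSTS would make
    # browsers refuse the plain-HTTP pages the thread wants to keep.

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Two limits of this design are worth knowing before choosing it. First, a login box embedded in a page served over HTTP (phpBB's default index page shows one when you are logged out) submits before the redirect is reached, so its form action must point at the https:// URL or those pages must be redirected as well. Second, protecting only the login page protects only the password: once logged in, the session cookie is sent with every plain-HTTP request and can be captured and replayed by the same coffee-shop listener. That is consistent with the thread's argument that the reused password is the valuable item, but it is the trade-off of keeping regular http access.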
Jedo the Jedi
Paragon in Training
Posted: Mon Sep 03, 2012 2:40 am Post subject: 2

Are you keeping top-secret stuff on here that you think a random person will want? I personally can't see why anybody would want to hack my account on the GL other than to show they can.
_________________
Paragon Tally: 19 mafia, 3 SKs (1 twice), 1 cultist, numerous chat scum...and counting.
Nsof
Daedalian Member
Posted: Mon Sep 03, 2012 4:52 am Post subject: 3

I don't keep any super secret stuff here, and I tend to agree that no one will want to hack our GL account. However,
in many cases people use the same pw over and over. If somebody fishes your GL pw while you are signing in to the GL, then they might know something about your other pws.
A PW should never be sent in cleartext.
All security agencies have systems that monitor internet traffic (hosted at your ISP). They sieve out traffic that looks interesting. https makes it much harder to do that.
Why not do it?
_________________
Will sell this place for beer
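What "someone at the coffee shop is going to sniff our pw" (post 1) and "should never be sent in cleartext" (post 3) look like in practice, as an added example that is not from either post and not phpBB code: a small parser that takes a raw client-to-server HTTP stream, the kind a passive listener on shared Wi-Fi records, and pulls out form fields that look like secrets. The capture is constructed; the host name and credentials are made up, and `ucp.php?mode=login` is phpBB's login target. Nothing here requires breaking into anything; over plain HTTP the bytes are simply readable. Over HTTPS the same listener sees only TLS records, and this parser finds nothing.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: what a passive listener on a shared network records when
# a logged-out user reads a topic and then submits the forum's login form over
# plain HTTP.  Host name and credentials are made up; ucp.php?mode=login is
# the phpBB login target.
CAPTURED_STREAM = (
    b"GET /forum/viewtopic.php?t=123 HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"\r\n"
    b"POST /forum/ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 58\r\n"
    b"\r\n"
    b"username=nsof&password=hunter2%21&autologin=on&login=Login"
)

# Field names that usually carry a secret; the match is case-insensitive.
SECRET_FIELD = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def parse_http_requests(stream: bytes) -> list[dict]:
    """Split a raw client-to-server HTTP/1.1 byte stream into requests.

    Bodies are delimited by Content-Length only; chunked uploads are not
    handled, which is fine for login forms.  A truncated final request is
    dropped rather than guessed at.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        head = stream[pos:head_end].decode("iso-8859-1")
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        requests.append({"method": method, "target": target,
                         "headers": headers, "body": body})
        pos = body_start + length
    return requests


def find_credentials(requests: list[dict]) -> list[dict]:
    """Return every secret-looking form field that travelled in the clear."""
    found = []
    for req in requests:
        ctype = req["headers"].get("content-type", "")
        if req["method"] != "POST" or not ctype.startswith(
                "application/x-www-form-urlencoded"):
            continue
        fields = parse_qs(req["body"].decode("iso-8859-1"),
                          keep_blank_values=True)
        for name, values in fields.items():
            if SECRET_FIELD.search(name):
                found.append({
                    "host": req["headers"].get("host", ""),
                    "path": urlsplit(req["target"]).path,
                    "user": fields.get("username", [""])[0],
                    "field": name,
                    "value": values[0],
                })
    return found


if __name__ == "__main__":
    for hit in find_credentials(parse_http_requests(CAPTURED_STREAM)):
        print(f"{hit['host']}{hit['path']}: {hit['user']} / "
              f"{hit['field']}={hit['value']}")
```

Run as a script it prints the forum host, the login path, the user name and the decoded password from the sample capture. The same logic is what a defender would point at a mirror port to find which internal applications still send credentials in the clear.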
Neo
Daedalian Member
Posted: Mon Sep 03, 2012 6:47 am Post subject: 4

Yeah. So, how do I do that?
_________________
Ad Astra
The Ragin' South Asian
Head Poncho
Posted: Mon Sep 03, 2012 9:35 am Post subject: 5

This is a real problem for the GL since 87% of users' passwords are "RSAissogreat".
Zag
Unintentionally offensive old coot
Posted: Mon Sep 03, 2012 2:27 pm Post subject: 6

In general, I would highly recommend that you don't use the same password for free sites that you use for, say, your bank account. In fact, I have only 2 passwords that I use a lot, with exactly that distinction. So, if you manage to hack my GL account, you'll also be able to get into my Facebook account and probably a dozen others, but nothing that would be worth your time.
Jedo the Jedi
Paragon in Training
Posted: Mon Sep 03, 2012 2:49 pm Post subject: 7

Zag wrote:
> In general, I would highly recommend that you don't use the same password for free sites that you use for, say, your bank account. In fact, I have only 2 passwords that I use a lot, with exactly that distinction. So, if you manage to hack my GL account, you'll also be able to get into my Facebook account and probably a dozen others, but nothing that would be worth your time.

My thoughts exactly.
If it isn't hard to implement and maintain though, I don't see any reason not to do it if somebody wants it. I personally don't see any good reason for it though.
_________________
Paragon Tally: 19 mafia, 3 SKs (1 twice), 1 cultist, numerous chat scum...and counting.
groza528
No Place Like Home
Posted: Mon Sep 03, 2012 3:19 pm Post subject: 8

Zag wrote:
> So, if you manage to hack my GL account, you'll also be able to get into my Facebook account and probably a dozen others, but nothing that would be worth your time.

The problem there is that Facebook and other such sites contain a lot of personal information that can still be used in unethical ways. If I get into your Facebook account, can I track down your cousin? Bam, mother's maiden name.
Granted, most hackers and identity thieves probably won't take the effort to dig through your contacts, but that's because there are much simpler ways that I don't really know about.
One way the experts have suggested to combat this is to make the answers to your security questions fictional. The downside is that you have that many more things to remember. The upside is that access to your Facebook account is never going to help me guess that your online banking site thinks your mother's maiden name is "Squarepants."
Jack_Ian
Big Endian
Posted: Mon Sep 03, 2012 4:50 pm Post subject: 9

I keep password regions, each with its own password and each with a different security level.
My PayPal, banking etc. passwords are long and complex.
My password here is very simple and the same as my mail account for this site.
My personal email has a higher level of security, though not as high as my PayPal A/C.
IMO supporting https for a public forum is like putting a time-lock on your kid's tricycle.
It's a lot of added complexity, with the potential for the introduction of problems, while adding very little real benefit: it secures something which should not be worth stealing in the first place.
Nsof
Daedalian Member
Posted: Mon Sep 03, 2012 10:10 pm Post subject: 10

Quote:
> but nothing that would be worth your time

There are more ways to take advantage of user FB data other than the secret verification question. For example: where you live and when you are out on vacation.
I wouldn't want my FB data (as meager as it is - ~20 likes and ~10 replies ever) to be in someone else's hands. It's less because of the break-in issue and more about the privacy invasion.
I admit I am more concerned about my online privacy than most people I know. The idea of someone sniffing my passwords and data in general is not very appealing to me.
Mostly my email and social networks receive the same strength level as that of my bank. My bank pw is not very complex – it's just complex enough to make brute force useless.
All of that is irrelevant if someone can just see the pw.

Quote:
> IMO supporting https for a public forum is like putting a time-lock on your kid's tricycle.

First iteration, I went to Wikipedia to see what a time-lock is.
Second iteration, I tried to figure out how anyone can use a time-lock to lock a bicycle.
The third iteration actually made sense. (It's me - the analogy is nice.)

Quote:
> A lot of added complexity with the potential for the introduction of problems while adding very little real benefit securing something which should not be worth stealing in the first place.

Not sure what you mean by complexity, but I'll try to rephrase; please correct me where I got it wrong: on one side there are work/effort and disadvantages, on the other the advantages.
If I got this right then:
- Having some technical background, I don't think the work is very complex (I have done something similar/related in the past).
- Disadvantages, in this case the potential introduction of problems, are a bit hard to evaluate. The only way I can respond to "introduction of problems" is "a lot can be avoided and the rest dealt with".
- Advantages: already mentioned.
Anyhow, I can only speak for the advantage I see.
I don't do the work.
I am ready to suffer the consequences of issues until they are resolved, but that is something I think most of our users should not have to go through, given the very small advantage most people on this thread see in this.
(Too bad this one cannot be solved with just client-side work…)
_________________
Will sell this place for beer
The Potter
Feat of Clay
Posted: Tue Sep 04, 2012 12:48 am Post subject: 11

The GL is maintained voluntarily by our members, over countless hours. If you are able and willing to make the switch with minimal impact to the members, it is possible to give you the necessary permissions, provided the people who currently hold the keys feel that it is right.
I personally recommend using an easy password and not associating your email. People don't use the email link much these days because of the messaging system. The ramifications of having your account hacked should be very minimal.
The old board used to have passwords that were visible to site administrators. Now that was low security!
Jack_Ian
Big Endian
Posted: Tue Sep 04, 2012 8:16 am Post subject: 12

To make things worse, it's not just the effort required to add in support for https, it's the effort to support it and add it back in for every new release of phpBB.
The solution is not to make the GL secure, but to place your valuable objects in a secure place. If you are in the habit of using the same password everywhere, then how do you deal with online shopping that forces you to register? Will you trust those too just because they support https?