level of encryption ?

lfid · 12-26-2015, 03:53 PM

re a foxnews item - seems technically correct
By Kim Komando Published December 26, 2015 The Kim Komando Show
http://www.foxnews.com/tech/2015/12/...ml?intcmp=hpff

includes
"Mozilla, the developer of the Firefox browser, is even making plans to stop supporting unencrypted websites entirely."

I think the url showing in header is not browser dependent

anyway - after site login the current url here has no https header - any plans to upgrade to full site encryption ?

ex current page is
http://forum.lugerforum.com/newthrea...ewthread&f=131

thanks !
Bill

John D. · 12-26-2015, 04:01 PM

I would never use a password and login while using a free public wifi. That is very old news.

As for putting the onus on unsecure browsers using an private network with a login using WPA/WPA2 with TKIP/AES encryption - that's would be the problem of the website admins "because"? Exactly? You want us to encrypt the data over circuits we don't control?

Tell me how that works - even if I throw out an encrypted data stream oven an unsecured network - and to what level of encryption would make you feel "safe"...

And we should all be worried about this because you share personal bank/credit card/SSN/financial data on this site?

No you don't.

John D.

mrerick · 12-26-2015, 04:29 PM

I assume that the Fox article was discussing the use of SSL over HTTP. That is public key cryptography for all the session communications. It prevents things like passwords being sent from the browser to the server in the clear.

Lugerforum is being served over the standard port ":80" in the clear HTTP protocol.

No server responds when you try and access it through the secured SSL port ":443" HTTPS encrypted protocol.

Example:

https://lugerforum.com

Assuming he hasn't done it, in order to support SSL encrypted sessions, the server that John runs vBulletin the BBS software on will have to get it's own security certificate, and start supporting SSL.

There is a discussion over at the vBulletin site, but it's not a trivial change:

http://www.vbulletin.com/forum/forum...https-question

It would also probably involve migrating to a newer version of vBulletin and the underlying PHP platform that fixed some issues...

https://www.vbulletin.org/forum/showthread.php?t=274711

So...

I run a server out of my home that is SSL enabled, and that forces SSL usage. It uses a self signed certificate (which is free - but which causes problems since it doesn't trace to a certificate authority). The services I run are designed to require SSL (https://) which takes much of the work out of configuring things.

The issue for Lugerforum must boil down to how much the admins can put into upgrading vBulletin and then configuring and testing the platform for SSL. That is a bit of work!

Marc

John D. · 12-26-2015, 04:47 PM

Since running, hosting and administering websites since 1998 - I can put it up into the https port - but, as I said - to what end - exactly?

You want to self-sign the cert? Great - it does nothing is is rejected by most modern browsers - as an FYI as it doesn't have the lookup from the SSL Authority.

Frankly - I still want to know exactly what folks are trying to hide on this site to warrant an encrypted and secure data-stream?

John D.

mrerick · 12-26-2015, 05:10 PM

The only thing that I can imagine is a problem is the password/userid combo. So, user hijack and spoof would be the issue. Just make sure that your password/userid combo here is unique and not used on other sites...

Yes - the problem with self-sign is that the browsers reject them (requiring user override). For a personal site, not an issue. For a public one, unacceptable. Thus, additional expense if you do it.

Thus, I'm happy with things as they are here unless the browser people do something to stop supporting port :80 in the clear HTTP...

Marc

John D. · 12-26-2015, 05:14 PM

Again - password and user combo - from the OP on a public & shared wifi is always an issue. Always has been for the last nearly 20 years....

As well - yep - I know I'm right about the self-signed, but thanks for the confirmation - as I run a few mail servers and cloud systems for clients and do secure those datastreams - so, I'm pretty sure about all that

Best to you,

John D.

12-26-2015, 03:53 PM	#1
lfid Lifer Lifetime Forum Patron Join Date: Sep 2006 Location: Wichita, KS USA Posts: 453 Thanks: 573 Thanked 96 Times in 53 Posts	level of encryption ? re a foxnews item - seems technically correct By Kim Komando Published December 26, 2015 The Kim Komando Show http://www.foxnews.com/tech/2015/12/...ml?intcmp=hpff includes "Mozilla, the developer of the Firefox browser, is even making plans to stop supporting unencrypted websites entirely." I think the url showing in header is not browser dependent anyway - after site login the current url here has no https header - any plans to upgrade to full site encryption ? ex current page is http://forum.lugerforum.com/newthrea...ewthread&f=131 thanks ! Bill

12-26-2015, 04:29 PM	#3
mrerick Super Moderator - Patron LugerForum Life Patron Join Date: Dec 2009 Location: Eastern North Carolina, USA Posts: 3,900 Thanks: 1,370 Thanked 3,094 Times in 1,503 Posts	I assume that the Fox article was discussing the use of SSL over HTTP. That is public key cryptography for all the session communications. It prevents things like passwords being sent from the browser to the server in the clear. Lugerforum is being served over the standard port ":80" in the clear HTTP protocol. No server responds when you try and access it through the secured SSL port ":443" HTTPS encrypted protocol. Example: https://lugerforum.com Assuming he hasn't done it, in order to support SSL encrypted sessions, the server that John runs vBulletin the BBS software on will have to get it's own security certificate, and start supporting SSL. There is a discussion over at the vBulletin site, but it's not a trivial change: http://www.vbulletin.com/forum/forum...https-question It would also probably involve migrating to a newer version of vBulletin and the underlying PHP platform that fixed some issues... https://www.vbulletin.org/forum/showthread.php?t=274711 So... I run a server out of my home that is SSL enabled, and that forces SSL usage. It uses a self signed certificate (which is free - but which causes problems since it doesn't trace to a certificate authority). The services I run are designed to require SSL (https://) which takes much of the work out of configuring things. The issue for Lugerforum must boil down to how much the admins can put into upgrading vBulletin and then configuring and testing the platform for SSL. That is a bit of work! Marc __________________ Igitur si vis pacem, para bellum - - Therefore if you want peace, prepare for war.

12-26-2015, 05:10 PM	#5
mrerick Super Moderator - Patron LugerForum Life Patron Join Date: Dec 2009 Location: Eastern North Carolina, USA Posts: 3,900 Thanks: 1,370 Thanked 3,094 Times in 1,503 Posts	The only thing that I can imagine is a problem is the password/userid combo. So, user hijack and spoof would be the issue. Just make sure that your password/userid combo here is unique and not used on other sites... Yes - the problem with self-sign is that the browsers reject them (requiring user override). For a personal site, not an issue. For a public one, unacceptable. Thus, additional expense if you do it. Thus, I'm happy with things as they are here unless the browser people do something to stop supporting port :80 in the clear HTTP... Marc __________________ Igitur si vis pacem, para bellum - - Therefore if you want peace, prepare for war.

12-26-2015, 04:01 PM	#2
John D. Administrator & Site Owner LugerForum Patron Join Date: Jun 2002 Location: A Little NE of Somewhere... Posts: 2,651 Thanks: 471 Thanked 513 Times in 127 Posts	I would never use a password and login while using a free public wifi. That is very old news. As for putting the onus on unsecure browsers using an private network with a login using WPA/WPA2 with TKIP/AES encryption - that's would be the problem of the website admins "because"? Exactly? You want us to encrypt the data over circuits we don't control? Tell me how that works - even if I throw out an encrypted data stream oven an unsecured network - and to what level of encryption would make you feel "safe"... And we should all be worried about this because you share personal bank/credit card/SSN/financial data on this site? No you don't. John D.

12-26-2015, 04:47 PM	#4
John D. Administrator & Site Owner LugerForum Patron Join Date: Jun 2002 Location: A Little NE of Somewhere... Posts: 2,651 Thanks: 471 Thanked 513 Times in 127 Posts	Since running, hosting and administering websites since 1998 - I can put it up into the https port - but, as I said - to what end - exactly? You want to self-sign the cert? Great - it does nothing is is rejected by most modern browsers - as an FYI as it doesn't have the lookup from the SSL Authority. Frankly - I still want to know exactly what folks are trying to hide on this site to warrant an encrypted and secure data-stream? John D.

12-26-2015, 05:14 PM	#6
John D. Administrator & Site Owner LugerForum Patron Join Date: Jun 2002 Location: A Little NE of Somewhere... Posts: 2,651 Thanks: 471 Thanked 513 Times in 127 Posts	Again - password and user combo - from the OP on a public & shared wifi is always an issue. Always has been for the last nearly 20 years.... As well - yep - I know I'm right about the self-signed, but thanks for the confirmation - as I run a few mail servers and cloud systems for clients and do secure those datastreams - so, I'm pretty sure about all that Best to you, John D.