topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday December 13, 2024, 3:17 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Securing the DC website with HTTPS  (Read 7282 times)

davcom

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 26
    • View Profile
    • Donate to Member
Securing the DC website with HTTPS
« on: March 26, 2017, 08:23 AM »
Starting with Firefox 51, users were shown a grey padlock with a red strike-through, to indicate that the (DonationCoder) website they were visiting was not secure (passwords are transmitted insecurely and subject to MITM sniffing).
From Firefox 52, there's now a dropdown box on the user login field that shows in plain language that "This connection is not secure. Logins entered here could be compromised."

I understand that there is a little more work to do to set up a site with SSL but in this day and age it is becoming more and more of a concern that the criminal element are getting more pervasive and taking username/password pairs from unprotected sites and using them on the more important sites.
It's also a fact of life that in order to make our (online) lives as simple as possible we tend to reuse that favourite password or login combo on several different sites which increases our chances of one day really getting pwned by some low-life.

I'm prompted to write and ask about this on the very day that Pwned ( https://haveibeenpwned.com/ ) sent me an email advising my login at Evony was pwned in a breach in 2016 (took their time telling me but sometimes that data is not immediately available). Haven't played that game for a number of years and frankly have no idea what password I used but it serves as a reminder not to be too complacent about security.

My question is : (not if but) when will DC get an SSL Certificate to encrypt the login information and protect this data ??

Using a site such as Let's Encrypt ( https://letsencrypt.org/ ) which became active April 2016, provides an automated service to obtain free SSL Certificates (and which I can vouch for works well as it's part of our setting up Test environments on various Cloud Servers)

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Securing the DC website with HTTPS
« Reply #1 on: March 26, 2017, 09:17 AM »
Ruddy heck. What are we going to do about this?

19_448x557_F00BDE49.png

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Securing the DC website with HTTPS
« Reply #2 on: March 26, 2017, 09:29 AM »
users were shown a grey padlock with a red strike-through, to indicate that the (DonationCoder) website they were visiting was not secure (passwords are transmitted insecurely and subject to MITM sniffing).

Make sure you open up https://www.donationcoder.com

We offer both http and https (secure) connection options.

The https one shows all copacetic green padlock to me.

davcom

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 26
    • View Profile
    • Donate to Member
Re: Securing the DC website with HTTPS
« Reply #3 on: March 26, 2017, 09:42 AM »
 :-[ My bad that I didn't even try to type the "s" and change it to https.
Hadn't used the link before on Twitter and they're spitting out the URL as plain old http.
Thanks mouser.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Securing the DC website with HTTPS
« Reply #4 on: March 26, 2017, 09:45 AM »
No problem -- a lot of sites automatically redirect everyone to https these days -- we may do that eventually but for now you have to remember to open https if you want the secure way in.