SSL

To keep abreast of site changes, or to post a question, idea or suggestion for the website.

Moderators: Keith B, Charles L. Cotton, carlson1

Topic author
tbrown
Senior Member
Posts: 1541
Joined: Thu Mar 17, 2011 4:47 pm

SSL

Postby tbrown » Sun Mar 12, 2017 7:24 pm

Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
sent to you from my safe space in the hill country

Charles L. Cotton
Site Admin
Posts: 16501
Joined: Wed Dec 22, 2004 9:31 pm
Location: Friendswood, TX

Re: SSL

Postby Charles L. Cotton » Sun Mar 12, 2017 7:28 pm

tbrown wrote:Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.

There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.

Chas.

Topic author
tbrown
Senior Member
Posts: 1541
Joined: Thu Mar 17, 2011 4:47 pm

Re: SSL

Postby tbrown » Sun Mar 12, 2017 7:30 pm

Thank you for the quick reply. I recently got the warning about username/password not being secure. I'll add an exception for the site.
sent to you from my safe space in the hill country


skeathley
Member
Posts: 140
Joined: Tue Feb 11, 2014 8:29 am
Location: McKinney, TX

Re: SSL

Postby skeathley » Sat Apr 15, 2017 10:27 pm

In the web industry (from which I am retired), it is considered a best practice to use a secure connection for all login pages, as someone with a network sniffer could get passwords, log in, and leave a lot of spam messages with links. Not a danger, but hours of time to delete, change credentials, etc.

In addition, many SEO professionals believe that Google gives more weight to sites using a certificate, which improves their rankings.

If you accidentally use https to address a website that does not use a certificate, you will actually hit the server default certificate, which is self-signed. That encryption is valid, but since the Authority is invalid, you will get a security warning.

It is now considered a smart practice to secure all pages on all sites with a certificate, just to avoid all the problems, and potentially improve search engine rankings.

S
Texas LTC Instructor / RSO
Viet Nam Veteran: 25th Infantry, Cu Chi
https://mckinneyfirearmstraining.com


uthornsfan
Senior Member
Posts: 381
Joined: Sun Jan 30, 2011 11:13 pm
Location: Austin, TX

Re: SSL

Postby uthornsfan » Sat Apr 15, 2017 11:29 pm

Chas,

It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL, those passwords can get intercepted in plain text.

The industry is moving toward every site needing/requiring SSL.

tx mountaineer
Member
Posts: 50
Joined: Fri Jan 29, 2010 10:52 pm
Location: Clear Lake

Re: SSL

Postby tx mountaineer » Sun Apr 16, 2017 7:35 am

Charles L. Cotton wrote:
tbrown wrote:Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.

There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.

Chas.


:iagree:


cyphur
Senior Member
Posts: 1306
Joined: Fri Jun 23, 2006 10:02 am
Location: Flower Mound, Tx

Re: SSL

Postby cyphur » Fri Apr 28, 2017 10:50 am

No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
"All that is necessary for the triumph of evil is that good men do nothing." ~ Edmund Burke
"Despite what your momma told you, violence does solve problems." - Ryan Job, SEAL Team 3
"Only the dead have seen the end of war."

ScottDLS
Senior Member
Posts: 3860
Joined: Sun Jun 26, 2005 1:04 am
Location: DFW Area, TX

Re: SSL

Postby ScottDLS » Fri Apr 28, 2017 10:57 am

:iagree:

+1.

I understand why SSL is a pain, but for that effort there are benefits. On the other hand, I'm not complaining as I'm not the one going to the trouble of hosting a really good forum. And I really like the emojis.
4/13/1996 Completed CHL Class, 4/16/1996 Fingerprints, Affidavits, and Application Mailed, 10/4/1996 Received CHL, renewed 1998, 2002, 2006, 2011, 2016...). "ATF... Uhhh...heh...heh....Alcohol, tobacco, and GUNS!! Cool!!!!"

allisji
Senior Member
Posts: 732
Joined: Fri Sep 25, 2015 10:44 am
Location: Seabrook

Re: SSL

Postby allisji » Fri Apr 28, 2017 11:01 am

cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.


just changed my password to a totally unique one. hopefully I can remember it next time I want to log on.

:tiphat:
LTC since 2015
I have contacted my state rep Dennis Paul about co-sponsoring HB560.


cyphur
Senior Member
Posts: 1306
Joined: Fri Jun 23, 2006 10:02 am
Location: Flower Mound, Tx

Re: SSL

Postby cyphur » Fri Apr 28, 2017 11:16 am

allisji wrote:
cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.


just changed my password to a totally unique one. hopefully I can remember it next time I want to log on.

:tiphat:


Look into a password manager like LastPass. Problem solved.
"All that is necessary for the triumph of evil is that good men do nothing." ~ Edmund Burke
"Despite what your momma told you, violence does solve problems." - Ryan Job, SEAL Team 3
"Only the dead have seen the end of war."

The Annoyed Man
Senior Member
Posts: 22672
Joined: Wed Jan 16, 2008 12:59 pm
Location: Grapevine, Texas

Re: SSL

Postby The Annoyed Man » Fri Apr 28, 2017 12:27 pm

cyphur wrote:
allisji wrote:
cyphur wrote:No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.


just changed my password to a totally unique one. hopefully I can remember it next time I want to log on.

:tiphat:


Look into a password manager like LastPass. Problem solved.

Love LastPass.
"Give me Liberty, or I'll get up and get it myself."—Hookalakah Meshobbab
"I don't carry because of the odds, I carry because of the stakes."—The Annoyed Boy
"Id aegre et in omnibus semper."—Quod Homo Aegre


strogg
Member
Posts: 80
Joined: Wed Mar 29, 2017 1:51 pm
Location: DFW (Denton County)

Re: SSL

Postby strogg » Tue May 02, 2017 12:39 am

I'm a RoboForm man myself. It's seemingly more secure because it's not as popular, but it doesn't support 2FA.

I vote that the admins enable SSL on this website. Granted I'm good enough to use a unique super random password for this site, not everyone does. Regardless, cost shouldn't be considered an issue thanks to https://letsencrypt.org/


casp625
Senior Member
Posts: 671
Joined: Sun Jan 04, 2015 9:24 pm

Re: SSL

Postby casp625 » Tue May 02, 2017 12:41 am

uthornsfan wrote:Chas,

It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL, those passwords can get intercepted in plain text.

The industry is moving toward every site needing/requiring SSL.

I ran Wireshark just to see what was going on. Logged into TexasCHLForum and sure enough, there was my password in plain text. Now the password I use here is completely unique and never used anywhere else.


skeathley
Member
Posts: 140
Joined: Tue Feb 11, 2014 8:29 am
Location: McKinney, TX

Re: SSL

Postby skeathley » Tue May 02, 2017 7:18 am

Enabling SSL is not as simple as clicking a button. There are several steps, and it requires a dedicated IP, which may not be part of their hosting deal. The forum probably uses an IP shared with dozens of other websites. Also, if every graphic is not addressed by https, browsers will throw "mixed content" errors.

S
Texas LTC Instructor / RSO
Viet Nam Veteran: 25th Infantry, Cu Chi
https://mckinneyfirearmstraining.com
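
An added example (not part of any post in this thread, and not the forum's own code): a small Python audit for the two page-level problems raised above, a password field that is served or submitted over plain HTTP, and `http://` subresources on an HTTPS page that cause "mixed content" errors. The `audit` function, the finding labels and the `forum.example` sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers typically block "active" mixed content and warn on "passive" content.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []            # (kind, absolute URL) tuples
        self.form_action = page_url   # a missing action submits to the page URL

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # Exposed if the form is served OR submitted over plain HTTP.
            if "http" in (self.page_scheme, urlsplit(self.form_action).scheme):
                self.findings.append(("insecure-password-form", self.form_action))
        elif tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return                    # of <link> tags, only stylesheets are checked
        if self.page_scheme != "https":
            return                    # mixed content only exists on an HTTPS page
        for kind, pairs in (("mixed-active", ACTIVE), ("mixed-passive", PASSIVE)):
            for t, attr in pairs:
                if t == tag and a.get(attr):
                    url = urljoin(self.page_url, a[attr])  # resolves relative and //host
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = self.page_url

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; forum.example and cdn.example are placeholders.
SAMPLE_HTML = """<link rel="stylesheet" href="http://forum.example/styles/main.css">
<script src="/js/forum.js"></script>
<img src="http://forum.example/images/smilies/iagree.gif"><img src="//cdn.example/logo.png">
<form action="http://forum.example/ucp.php?mode=login" method="post">
<input type="text" name="username"><input type="password" name="password"></form>"""
```

Calling `audit("https://forum.example/index.php", SAMPLE_HTML)` returns one finding per hard-coded `http://` stylesheet or image plus the login form; relative and protocol-relative URLs inherit the page's scheme and are not flagged.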

Charles L. Cotton
Site Admin
Posts: 16501
Joined: Wed Dec 22, 2004 9:31 pm
Location: Friendswood, TX

Re: SSL

Postby Charles L. Cotton » Tue May 02, 2017 5:31 pm

I'll check with our web host about an SSL.

Chas.

