
HTTPS

Discussion in 'Forum Problems & Issues' started by amplifiedhermit, Mar 28, 2016.

  1. amplifiedhermit

    amplifiedhermit Tele-Meister

    488
    Jan 5, 2015
    Western US
    Is it possible to connect to TDPRI using HTTPS? Every other website I log into uses SSL, if not for the whole site, at least on the login page. Correct me if I'm wrong, but it looks like everything here is being transmitted in the clear, which would leave people's sessions open to being hijacked- especially on open wi-fi- as well as other potential security issues.
     
  2. dankilling

    dankilling Tele-Afflicted

    Oct 28, 2014
    Lehigh Valley, PA
    It really should have an SSL login.
     
  3. TDPRI

    TDPRI Administrator Staff Member

    Mar 2, 2003
    TDPRILAND
    Admin Post
    Could you please tell me why you think we need SSL security here?

    Is it because of all the sensitive data we hold? We don't have any. Is it because we have personal information on all of our members? We don't have any of that info either. No names. No addresses. No account numbers. We are not selling anything and for the special once a year Fundraiser donations we use a 100% SSL secured off-site shopping cart that is 100% hosted by Intuit Payment Systems. None of the data from those transactions is available to us and never touches our servers. The Ad Free accounts that we offer and any other premium account subscriptions are 100% handled by SSL security at PayPal and we have no access to that information either.

    Yes, people's sessions here - questions about Telecasters, what wood sounds best and lies made up about the poster above you are all open and subject to being hijacked. It's fine if that somehow worries you. It does not worry us.

    I'm not saying that we'll never go SSL security for the TDPRI. But at this time there are far too many technical and monetary reasons not to - and not any reasons to add a secure socket layer here.
     
  4. amplifiedhermit

    amplifiedhermit Tele-Meister

    488
    Jan 5, 2015
    Western US
    Session hijacking may not be a major concern here, though it does happen. A bigger problem is that since a lot of people unfortunately use the same username and password on different sites, plaintext TDPRI login info can be intercepted and used to break into other accounts that do hold personal information like someone's email, facebook, their bank, etc.

    Even though that's not technically your problem, I would hope you care about it since a lot of TDPRI users are older folks who are likely unaware of the dangers of reusing passwords. But in either case, there are problems just within the realm of TDPRI too. Compromised accounts from known users can upload malicious images, post spam, or put up links to malware infected websites, among other things. And if an admin account gets compromised, the damage can be a lot worse.

    Most of these problems can be prevented by at least having HTTPS on login and account pages, if running it all the time is an issue for some reason.
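What the two posts above describe, as an added example that is not part of the thread: a passive observer on the same open Wi-Fi reading a forum login sent over plain HTTP, plus a check for the cookie attribute that matters once a site secures only its login page. The captured request, host, paths, cookie name and credentials below are constructed assumptions for illustration, not traffic from TDPRI.

```python
"""Added example (not from the TDPRI thread).

Shows (1) what an eavesdropper recovers from a plaintext HTTP login and
(2) why an HTTPS login page alone is not enough: the session cookie must be
marked Secure or the browser still sends it on any http:// link to the site.
The capture and all names in it are constructed for this example."""
from urllib.parse import parse_qs

# Constructed capture of a login POST as a sniffer on the wire would see it.
# Host, cookie name and credentials are made up.
CAPTURED_REQUEST = (
    b"POST /login/login HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: xf_session=abc123sessiontoken\r\n"
    b"Content-Length: 53\r\n"
    b"\r\n"
    b"login=amplifiedhermit&password=Tele%211952&remember=1"
)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "headers": headers, "body": body.decode("latin-1")}


def sniffed_credentials(raw: bytes) -> dict:
    """Return what a passive observer learns from one plaintext login request:
    the form credentials (reusable against other sites if the user reuses
    passwords) and any session cookie (reusable to hijack this session)."""
    req = parse_http_request(raw)
    # parse_qs percent-decodes, so the password comes back as typed.
    form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    cookies = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {
        "username": form.get("login"),
        "password": form.get("password"),
        "session_cookies": cookies,
    }


def audit_set_cookie(header_value: str) -> list:
    """Return the attributes a session cookie is missing for HTTPS-only login.

    Without 'Secure' the browser sends the cookie over plain HTTP as well, so
    securing only the login page leaves the session hijackable on open Wi-Fi;
    without 'HttpOnly' injected script can read it."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    print("eavesdropper sees:", sniffed_credentials(CAPTURED_REQUEST))
    print("cookie audit:", audit_set_cookie("xf_session=abc123; Path=/"))
```

The first function is the whole attack: no cracking is involved because the password is on the wire as typed, which is the point about reuse across sites. The second function is the check to run against the site's own Set-Cookie header after moving the login page to HTTPS; if it reports Secure missing, the session is still exposed on every plain http:// page view.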
     
  5. dankilling

    dankilling Tele-Afflicted

    Oct 28, 2014
    Lehigh Valley, PA
    Agreed with amplifiedhermit - session hijacking is the biggest concern. There are too many instances where someone is redirected to a malware site and their personal computer is infected because they visited a 'trusted' site. Minimizing the chance of that happening really is the responsibility of the site owner, and SSL logins go a long way to help.

    Also, adding an SSL login isn't a huge deal. My day job is managing large web farms, and SSL logins are SOP for all user data touchpoints regardless of the nature of the data. It's to protect the users from themselves, because in all honesty, users use the same passwords everywhere. Running it all the time creates overhead, sure, but the login session should at the very least be protected.

    Also, if you ever intend on allowing third party logins from places like Google, Facebook, etc.... it would pretty much be required at that point.
     
  6. TDPRI

    TDPRI Administrator Staff Member

    Mar 2, 2003
    TDPRILAND
    Admin Post
    All of our passwords are encrypted (bcrypt) and salted - it's not uncrackable but it would take serious efforts to break. Yes, when transmitted they would be sniffable. However, keep in mind that these passwords protect nothing of value. Hence there is no reason to spend the time, money and effort to capture them.

    Yes, "some" people use the same passwords across all websites. But there is also nothing to link the accounts here to the real person - there is no personal info contained in the account. So, there's no way to connect "amplifiedhermit" to John Doe of Elmyra, New York - let alone your personal info such as address and SSN. Again, so the risk is minuscule that someone would waste the time and money necessary to capture an anonymous forum password.

    We've looked at HTTPS and once some technological barriers are cleared we may change to it. Some other forums have done so. But it's not as simple as buying a certificate and making the switch.
     
  7. metastable

    metastable TDPRI Member

    64
    Jul 17, 2012
    Is there any progress on this? With the advent of Let's Encrypt the barrier to encryption is very low https://letsencrypt.org/
     