Separate names with a comma.
Discussion in 'Forum Problems & Issues' started by mfguitar, Dec 31, 2018.
Any reason why the site has not been updated with SSL?
Don't mention this, last time I did in a thread some users threw a hissy fit about how it's not needed. Even though I work in web development I chose not to engage in the argument.
A proper SSL certificate is a tiny expense and the site should be running one.
Don't know why I even bothered. How can an extra layer of security be a bad thing these days? Over at The Amp Garage, they have Let's Encrypt SSL and it's FREE. Huh?
But SSL - "It's expensive and unnecessary, unless you have a store!" Yeah, right.
I wish I knew. I would only guess maybe it's the cost, or maybe the site owners don't see a need for it. TDU has a point that it's not expensive really.
While I agree with TDU that an SSL cert is a small expense worth some peace of mind maybe, I suspect the reason a web forum decides not to use SSL is for the same reason many web forums haven't used SSL for a long time: all it does is protect your login credentials from being viewed and stolen. So let's suppose your username and password were stolen by someone: 1) how did this happen? 2) What is the result? 3) How does SSL prevent this?
Ever since Google's Chrome browser started flagging sites that don't have SSL in July of 2018, lots of people think they shouldn't visit sites that don't use SSL. I never used to see people demanding SSL on TDPRI until Chrome started doing that. On the one hand, I can see how this tactic to promote "SSL Everywhere" is a good idea, but OTOH, even SSL is not foolproof, and highlighting it in this way (by flagging every site that doesn't use SSL) is a bit misleading because having a picture of a little green lock in the URL does not always mean a website is "secure."
After the length of time the server migration took, I'm a firm believer in "if it ain't broke, doon't fix it". I also can't imagine using Chrome as a browser and worrying about security.
Here's another way of looking at layers of security: I have a shed with a lawnmower, a rake, shovel and other assorted tools in it. There is a padlock on the shed. Should I also point a security camera at the shed? It would be added security, and cameras are cheap and easy to install now.
There's obviously no right or wrong way to answer that question.
Now I own and operate a storage facility with 100 customers. Cameras seem like a good idea now, as well as a pin pad access gate system. Should I also require a fingerprint scanner at the gate as a two-factor authentication, to prevent someone from using a stolen pin?
Without a guard on duty somebody might steal the gate...
"It seemed a bit daft, me having to guard him when he's a guard."
SSL would be nice for login other than that it’s pointless.
Depending on the hosting provider installing an SSL can be a real PITA. The verification step can be surprisingly difficult.
Google must make money off certificates somehow. It’s promotion of SSL is a little misleading to the general public.
Run Forrest RUN
SSL is an interesting topic lately. I do think the way it's being advertised and even "marketed" to some extent makes the average user think it is the end all, be all to security. As @ScribbleSomething mentioned, it would protect the logins. I do think it's silly that browsers are requiring it now for all pages, although I do also understand that it would be hard to determine "on the fly" what pages would benefit and what wouldn't.
The most important part of this, related to the forum, is that it wouldn't do anything for the spam attacks/post.
I'm not really sure what exactly this is about. I'm using exclusively https and I am accessing the site, therefore the site must support TLS (SSLv3 was killed off 2014). When I right-click the page in Firefox and look at Security-tab, see this:
As per two separate SSL tests, the site supports TLSv1.2 only, for example:
Something's funky. Pictures from imgur don't seem to work for me... here's the certificate picture I was trying to attach:
Maybe also should be noted that no browser has supported SSL by default since 2014 either, only TLS. If you for some reason still do need SSL, you have to specifically enable it in the browser settings.
No, I do not get any complaints from Chrome.
According to your screenshot, it's still called an SSL certificate, and many certificate providers are called SSL - something or other. Even though it's technically now TLS. Probably best to keep it simple and not nitpick. SSL= in common usage, like you can call a Dyson a Hoover
Interesting. That looks like maybe for Domain Validation?
I think people want to see the green lock in the URL, implying the Extended Validation.
Nah, I think it's more that it doesn't auto-redirect if you just go to "tdpri.com" without manually putting in the https.
This is true. I don't agree with calling TLS SSL even if technically TLS is only a new name to SSL. Simply because SSL was dead and buried over four years ago.
That might be. But I don't think that's possible as some elements on the page do use http. These include the logo image preload, the banner ads and a few others. I'm fairly certain those alone are sufficient that Firefox shows yellow lock with explanation "Parts of this page are not secure (for example images)".
But every relevant link I can find (i.e. links inside TDPRI itself to forums etc.) are precluded with https://.
Quickly checked this. My Chrome does, Firefox doesn't. Which is interesting as I'm using "HTTPS Everywhere" addon. But I see that more of a browser issue than a site issue. Let's see after I restart Firefox...
Weird... when I look at the certificate details in both Chrome and Firefox, it shows that the certificate was issued by Bitdefender, not cPanel, and the certification path also points to my local antivirus program, Bitdefender, which I assume is trying to stand in for a cert authority or something.
Yap. Not even after clearing all TDPRI-related history, cookies etc. and restarting Firefox. If I simply enter "tdpri.com" to the address bar, I get to http://. I do have to manually enter https://. Same with Edge. I think Chrome behaves the same way - it probably redirects me to https:// cuz that's what I've always used. So that does seem to be a site issue, was I managing the site I'd redirect all http requests to https. At minimum non-encrypted login should not be allowed (didn't check if it is).
However the problem isn't really that the site doesn't support security. With all due respect it's more that people don't exactly understand web security; and I'm not saying I do @corliss1 is right, marketing machinery is (in addition to keeping the obsolete term SSL alive ) trying to make TLS something it definitely is not.