SSL

Discussion in 'Forum Problems & Issues' started by mfguitar, Dec 31, 2018.

  1. mfguitar

    mfguitar Tele-Holic

    Age:
    59
    Posts:
    778
    Joined:
    Aug 12, 2008
    Location:
    Buffalo
    Any reason why the site has not been updated with SSL?
     
    Ekko and rogb like this.
  2. tdu

    tdu Friend of Leo's

    Posts:
    3,764
    Joined:
    Jan 4, 2005
    Location:
    Ontario, Canada
    Don't mention this, last time I did in a thread some users threw a hissy fit about how it's not needed. Even though I work in web development I chose not to engage in the argument.

    A proper SSL certificate is a tiny expense and the site should be running one.
     
  3. rogb

    rogb Tele-Afflicted

    Posts:
    1,062
    Joined:
    Jan 3, 2012
    Location:
    London, England
    Don't know why I even bothered. How can an extra layer of security be a bad thing these days? Over at The Amp Garage, they have Let's Encrypt SSL and it's FREE. Huh?
    But SSL - "It's expensive and unnecessary, unless you have a store!" Yeah, right.
     
    Modman68, Ekko and mfguitar like this.
  4. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    I wish I knew. I would only guess maybe it's the cost, or maybe the site owners don't see a need for it. TDU has a point that it's not expensive really.

    While I agree with TDU that an SSL cert is a small expense worth some peace of mind maybe, I suspect the reason a web forum decides not to use SSL is for the same reason many web forums haven't used SSL for a long time: all it does is protect your login credentials from being viewed and stolen. So let's suppose your username and password were stolen by someone: 1) how did this happen? 2) What is the result? 3) How does SSL prevent this?

    Ever since Google's Chrome browser started flagging sites that don't have SSL in July of 2018, lots of people think they shouldn't visit sites that don't use SSL. I never used to see people demanding SSL on TDPRI until Chrome started doing that. On the one hand, I can see how this tactic to promote "SSL Everywhere" is a good idea, but OTOH, even SSL is not foolproof, and highlighting it in this way (by flagging every site that doesn't use SSL) is a bit misleading because having a picture of a little green lock in the URL does not always mean a website is "secure."
     
    ScribbleSomething likes this.
  5. beagle

    beagle Friend of Leo's

    Age:
    60
    Posts:
    2,834
    Joined:
    Jul 20, 2010
    Location:
    Yorkshire
    After the length of time the server migration took, I'm a firm believer in "if it ain't broke, doon't fix it". I also can't imagine using Chrome as a browser and worrying about security.
     
    bgmacaw and BelairPlayer like this.
  6. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    Here's another way of looking at layers of security: I have a shed with a lawnmower, a rake, shovel and other assorted tools in it. There is a padlock on the shed. Should I also point a security camera at the shed? It would be added security, and cameras are cheap and easy to install now.

    There's obviously no right or wrong way to answer that question.

    Now I own and operate a storage facility with 100 customers. Cameras seem like a good idea now, as well as a pin pad access gate system. Should I also require a fingerprint scanner at the gate as a two-factor authentication, to prevent someone from using a stolen pin?
     
  7. beagle

    beagle Friend of Leo's

    Age:
    60
    Posts:
    2,834
    Joined:
    Jul 20, 2010
    Location:
    Yorkshire
    Without a guard on duty somebody might steal the gate...
     
    bgmacaw likes this.
  8. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    "It seemed a bit daft, me having to guard him when he's a guard."

    [​IMG]
     
    beagle likes this.
  9. ScribbleSomething

    ScribbleSomething Tele-Holic

    Posts:
    652
    Joined:
    Mar 12, 2016
    Location:
    San Antonio
    SSL would be nice for login other than that it’s pointless.

    Depending on the hosting provider installing an SSL can be a real PITA. The verification step can be surprisingly difficult.

    Google must make money off certificates somehow. It’s promotion of SSL is a little misleading to the general public.
     
    LocoTex, beagle and notmyusualuserid like this.
  10. rogb

    rogb Tele-Afflicted

    Posts:
    1,062
    Joined:
    Jan 3, 2012
    Location:
    London, England
    Run Forrest RUN:lol:
     
  11. corliss1

    corliss1 Friend of Leo's Platinum Supporter

    Posts:
    3,506
    Joined:
    Sep 13, 2008
    Location:
    Lansing, MI
    SSL is an interesting topic lately. I do think the way it's being advertised and even "marketed" to some extent makes the average user think it is the end all, be all to security. As @ScribbleSomething mentioned, it would protect the logins. I do think it's silly that browsers are requiring it now for all pages, although I do also understand that it would be hard to determine "on the fly" what pages would benefit and what wouldn't.

    The most important part of this, related to the forum, is that it wouldn't do anything for the spam attacks/post.
     
  12. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    :lol:
     
  13. Peregrino69

    Peregrino69 Tele-Afflicted

    Age:
    50
    Posts:
    1,349
    Joined:
    Dec 12, 2016
    Location:
    Amsterdam
    I'm not really sure what exactly this is about. I'm using exclusively https and I am accessing the site, therefore the site must support TLS (SSLv3 was killed off 2014). When I right-click the page in Firefox and look at Security-tab, see this:

    [​IMG]

    As per two separate SSL tests, the site supports TLSv1.2 only, for example:

    https://www.ssllabs.com/ssltest/analyze.html?d=tdpri.com


    EDIT

    Something's funky. Pictures from imgur don't seem to work for me... here's the certificate picture I was trying to attach:

    https://imgur.com/a/RGxoJCM
     
  14. Peregrino69

    Peregrino69 Tele-Afflicted

    Age:
    50
    Posts:
    1,349
    Joined:
    Dec 12, 2016
    Location:
    Amsterdam
    Maybe also should be noted that no browser has supported SSL by default since 2014 either, only TLS. If you for some reason still do need SSL, you have to specifically enable it in the browser settings.

    No, I do not get any complaints from Chrome.
     
  15. rogb

    rogb Tele-Afflicted

    Posts:
    1,062
    Joined:
    Jan 3, 2012
    Location:
    London, England
    According to your screenshot, it's still called an SSL certificate, and many certificate providers are called SSL - something or other. Even though it's technically now TLS. Probably best to keep it simple and not nitpick. SSL= in common usage, like you can call a Dyson a Hoover;)
     
  16. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    Interesting. That looks like maybe for Domain Validation?

    I think people want to see the green lock in the URL, implying the Extended Validation.
     
  17. corliss1

    corliss1 Friend of Leo's Platinum Supporter

    Posts:
    3,506
    Joined:
    Sep 13, 2008
    Location:
    Lansing, MI
    Nah, I think it's more that it doesn't auto-redirect if you just go to "tdpri.com" without manually putting in the https.
     
  18. Peregrino69

    Peregrino69 Tele-Afflicted

    Age:
    50
    Posts:
    1,349
    Joined:
    Dec 12, 2016
    Location:
    Amsterdam
    This is true. I don't agree with calling TLS SSL even if technically TLS is only a new name to SSL. Simply because SSL was dead and buried over four years ago.

    That might be. But I don't think that's possible as some elements on the page do use http. These include the logo image preload, the banner ads and a few others. I'm fairly certain those alone are sufficient that Firefox shows yellow lock with explanation "Parts of this page are not secure (for example images)".

    But every relevant link I can find (i.e. links inside TDPRI itself to forums etc.) are precluded with https://.

    Quickly checked this. My Chrome does, Firefox doesn't. Which is interesting as I'm using "HTTPS Everywhere" addon. But I see that more of a browser issue than a site issue. Let's see after I restart Firefox...
     
  19. SolidSteak

    SolidSteak Friend of Leo's

    Posts:
    2,930
    Joined:
    Apr 27, 2016
    Location:
    USA
    Weird... when I look at the certificate details in both Chrome and Firefox, it shows that the certificate was issued by Bitdefender, not cPanel, and the certification path also points to my local antivirus program, Bitdefender, which I assume is trying to stand in for a cert authority or something.
     
  20. Peregrino69

    Peregrino69 Tele-Afflicted

    Age:
    50
    Posts:
    1,349
    Joined:
    Dec 12, 2016
    Location:
    Amsterdam
    Yap. Not even after clearing all TDPRI-related history, cookies etc. and restarting Firefox. If I simply enter "tdpri.com" to the address bar, I get to http://. I do have to manually enter https://. Same with Edge. I think Chrome behaves the same way - it probably redirects me to https:// cuz that's what I've always used. So that does seem to be a site issue, was I managing the site I'd redirect all http requests to https. At minimum non-encrypted login should not be allowed (didn't check if it is).

    However the problem isn't really that the site doesn't support security. With all due respect it's more that people don't exactly understand web security; and I'm not saying I do :D @corliss1 is right, marketing machinery is (in addition to keeping the obsolete term SSL alive :p) trying to make TLS something it definitely is not.
     
IMPORTANT: Treat everyone here with respect, no matter how difficult!
No sex, drug, political, religion or hate discussion permitted here.


  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.