Website, does it need to be https ?

Notifications and info on forum or website work and issues
stuart.wilby
Posts: 58
Joined: Mon Dec 30, 2013 5:21 pm
Location: Wakefield

Website, does it need to be https ?

Post by stuart.wilby »

I’ve been on a cyber security course to wise up on my limited knowledge of online security. The guy running it is a retired police expert on cyber crime. The content revolves around passwords, and the need to change them regularly and not use the same one for everything. Try to use a password manager, which Google offer for free on Chrome. Be careful if the website you’re visiting is not secure; this is evident by the letter S missing from the http bit of the website, it should be https. Also, a secure site has a little padlock at the side of the web address in the bar at the top of the page. If you pay by credit card on a site, be very careful if these items are missing, maybe don’t use them. Finally, the AOMCC site is not yet secure. Is there a good reason for this or is it on the to-do list?
1948 4G Square.
Dave.Barkshire
Holder of a Silver Anorak
Posts: 866
Joined: Thu Feb 24, 2011 3:33 pm
Location: Exmoor UK & Lamma Island HK

Re: Website, does it need to be https ?

Post by Dave.Barkshire »

I doubt whether any payment systems are without SSL nowadays.

Also, websites like this where people discuss gearbox giblets don't really need SSL as there is nothing worth stealing.
TonyBaxter
Holder of a Waxed Cotton Anorak
Posts: 379
Joined: Mon Jan 20, 2014 9:03 am

Re: Website, does it need to be https ?

Post by TonyBaxter »

Dave.Barkshire wrote:
Also, websites like this where people discuss gearbox giblets don't really need SSL as there is nothing worth stealing.
I don't entirely agree. I was a member on a bike forum many years ago that got hacked by some smart Alec hacker (he reckoned he was a teenager, though some wondered if he was a disgruntled ex-member).
He got in and deleted pretty much everything on the site.
For fun.
Simon.Gardiner
Holder of a Golden Anorak
Posts: 1670
Joined: Tue Aug 02, 2011 11:37 pm
Location: South West (Bristol-ish)

Re: Website, does it need to be https ?

Post by Simon.Gardiner »

TonyBaxter wrote: ....He got in and deleted pretty much everything on the site.
I'd say that was an issue with the security of the admin area(s) rather than https. Also, there should probably be a regular site backup going on anyway to cater for equipment failures, among other things.

SG
Web admin (webmaster@arielownersmcc.com)

'55 Huntmaster, '56 VH, '51 VH, '62 Arrow, '80 R100RT, '00 Sprint ST (now with a new Arrow project, and just now those 4-stroke Ariel parts can't even make one running bike...)
Dave.Barkshire
Holder of a Silver Anorak
Posts: 866
Joined: Thu Feb 24, 2011 3:33 pm
Location: Exmoor UK & Lamma Island HK

Re: Website, does it need to be https ?

Post by Dave.Barkshire »

The forum is an 'out of the box' web application set up and administered by John Nash for free. It might be possible to host within SSL, but the app would need to be converted so that every embedded resource was also called with SSL too. There would be considerable cost to do this and I'm not sure anyone would be willing to donate the money and time.
harry.thompson
Posts: 17
Joined: Mon Apr 18, 2011 12:49 pm

Re: Website, does it need to be https ?

Post by harry.thompson »

Simon.Gardiner wrote: I'd say that was an issue with the security of the admin area(s) rather than https. Also, there should probably be a regular site backup going on anyway to cater for equipment failures, among other things.
SG
This is absolutely correct, Simon. HTTPS won't prevent the site being hacked and the site owner has to take other precautions against this.

For the benefit of others who think there is no requirement for HTTPS to be added, think again please. This is not about the site or its content.

The HTTPS and the site certificate that supports this are there to protect us and information we pass to and from the site. It is very important that this is set up correctly so you know you can trust that this is the "real" owners' forum and not a spoof site. At the moment you can't tell, so you might be caught by a MitM (Man in the Middle) attack which is designed to steal your info or land malware on your computer. You think you are on the real forum but in fact it may not be, or at least not for the first page that delivers the payload and compromises you before sending you on to the real site.

It happens more frequently than you think, and the fact that AV may not even detect the event means you may never know. They aren't just after the password you reuse here and everywhere else (banking sites), they are after selling your details on to others. Data is monetizable; your interest in motorcycles may just be what some lobby group needs to persuade a set of voters to make a bogus decision, as in Brexit and US election campaigns.

You think you are immune? Think again!

I have to say that risk here is low because there are no adverts and not a huge number of users to leverage, but the lack of a proper site certificate will attract low-level hackers who see an easy target. The forum people should sort this out because it's easy and it acts as a deterrent. Also, you will soon see newer releases of web browsers refusing to open sites like this.

Sorry guys, this is the second time in a row that I have posted about something which has nothing to do with an Ariel. I promise to stick to the main purpose next time!
admin
Holder of a Golden Anorak
Posts: 1199
Joined: Thu Feb 10, 2011 1:22 pm

Re: Website, does it need to be https ?

Post by admin »

Yes.
It is possible to move to a more "secure" system.
However, that wouldn't lessen our risk of hackers getting to our source code and subverting/corrupting it.
It has happened once in my tenure, and we tightened up a little (and also migrated off the Microsoft platform - which is at far greater risk) and perform more regular backups (the forum is backed up every day).

As Dave Barkshire pointed out, we don't utilise adverts, trackers or anything else here and the content is pretty mundane.

I tend to agree that newer browsers may well start to recognise us as "risky", which may well confuse members.