Website, does it need to be https ?
-
- Posts: 58
- Joined: Mon Dec 30, 2013 5:21 pm
- Location: Wakefield
- Contact:
Website, does it need to be https ?
I’ve been on a cyber security course to wise up on my limited knowledge of online security, the guy running it is a retired police expert on cyber crime, the content revolves around passwords, and the need to regularly change and don’t use the same one for everything, try to use a password manager which Google offer for free on Chrome, be careful if the website you’re visiting is not secure, this is evident by the letter S missing from the http bit of the website, it should be https, also a secure site has a little padlock at the side of the web address in the bar at the top of the page, if you pay by credit card on a site, be very careful if these items are missing, maybe don’t use them, finally, the AOMCC site is not yet secure, is there a good reason for this or is it on the to do list?
1948 4G Square.
-
- Holder of a Silver Anorak
- Posts: 879
- Joined: Thu Feb 24, 2011 3:33 pm
- Location: Exmoor UK & Lamma Island HK
- Contact:
Re: Website, does it need to be https ?
I doubt whether any payment systems are without SSL nowadays.
Also, websites like this where people discuss gearbox giblets don't really need SSL as there is nothing worth stealing.
Ariel Red Hunter VH1 1938
BSA L27 1927
Velocette MSS 1939
Velocette Velocette Venom Clubman 1959
AJS Model 20 1953
Moto Guzzi V7 Racer Mk2 (ABS
BMW G650 X-Country 2007
http://www.barkshire.co.uk/bikes
AOMCC Member 3400
-
- Holder of a Waxed Cotton Anorak
- Posts: 391
- Joined: Mon Jan 20, 2014 9:03 am
- Contact:
Re: Website, does it need to be https ?
Dave.Barkshire wrote: Also, websites like this where people discuss gearbox giblets don't really need SSL as there is nothing worth stealing.
I don't entirely agree, I was a member on a bike forum many years ago that got hacked by some smart Alec hacker (he reckoned he was a teenager though some wondered if he was a disgruntled ex-member).
He got in and deleted pretty much everything on the site.
For fun.
-
- Holder of a Golden Anorak
- Posts: 1788
- Joined: Tue Aug 02, 2011 11:37 pm
- Location: South West (Bristol-ish)
- Contact:
Re: Website, does it need to be https ?
TonyBaxter wrote: ....He got in and deleted pretty much everything on the site.
I'd say that was an issue with the security of the admin area(s) rather than https. Also, there should probably be a regular site backup going on anyway to cater for equipment failures, among other things.
SG
Web admin (webmaster@arielownersmcc.com)
'55 Huntmaster, '56 VH, ' 51 VH, '61 Arrow, '80 R100RT, '00 Sprint ST (hurrah, the 4-stroke Ariel parts have managed to make a running Huntmaster!)
-
- Holder of a Silver Anorak
- Posts: 879
- Joined: Thu Feb 24, 2011 3:33 pm
- Location: Exmoor UK & Lamma Island HK
- Contact:
Re: Website, does it need to be https ?
The forum is an 'out of the box' web application set up and administered by John Nash for free. It might be possible to host within SSL but the app would need to be converted so that every embedded resource was also called with SSL too; there would be considerable cost to do this and I'm not sure anyone would be willing to donate the money and time.
Ariel Red Hunter VH1 1938
BSA L27 1927
Velocette MSS 1939
Velocette Velocette Venom Clubman 1959
AJS Model 20 1953
Moto Guzzi V7 Racer Mk2 (ABS
BMW G650 X-Country 2007
http://www.barkshire.co.uk/bikes
AOMCC Member 3400
- harry.thompson
- Posts: 17
- Joined: Mon Apr 18, 2011 12:49 pm
- Contact:
Re: Website, does it need to be https ?
Simon.Gardiner wrote: I'd say that was an issue with the security of the admin area(s) rather than https. Also, there should probably be a regular site backup going on anyway to cater for equipment failures, among other things. SG
This is absolutely correct, Simon. HTTPS won't prevent the site being hacked and the site owner has to take other precautions against this.
For the benefit of others who think there is no requirement for HTTPS to be added, think again please. This is not about the site or its content.
The HTTPS and the site certificate that supports this are there to protect us and information we pass to and from the site. It is very important that this is set up correctly so you know you can trust that this is the "real" owners' forum and not a spoof site. At the moment you can't tell, so you might be caught by a MitM (Man in the Middle) attack which is designed to steal your info or land malware on your computer. You think you are on the real forum but in fact it may not be, or at least not for the first page that delivers the payload and compromises you before sending you on to the real site.
It happens more frequently than you think and the fact that AV may not even detect the event means you may never know. They aren't just after the password you reuse here and everywhere else (banking sites), they are after selling your details on to others. Data is monetizable; your interest in motorcycles may just be what some lobby group needs to persuade a set of voters to make a bogus decision as in Brexit and US election campaigns.
You think you are immune? Think again!
I have to say that risk here is low because there are no adverts and not a huge number of users to leverage but the lack of a proper site certificate will attract low level hackers who see an easy target. The forum people should sort this out because it's easy and it acts as a deterrent. Also, you will soon see newer releases of web browsers refusing to open sites like this.
Sorry guys, this is the second time in a row that I have posted about something which has nothing to do with an Ariel. I promise to stick to the main purpose next time!
Re: Website, does it need to be https ?
Yes.
It is possible to move to a more "secure" system.
However, that wouldn't lessen our risk of hackers getting to our source code and subverting/corrupting it.
It has happened once in my tenure, and we tightened up a little (and also migrated off the Microsoft platform - which is at far greater risk) and perform more regular backups (the forum is backed up every day).
As Dave Barkshire pointed out, we don't utilise adverts, trackers or anything else here and the content is pretty mundane.
I tend to agree that newer browsers may well start to recognise us as "risky", which may well confuse members.
Administrator
webmaster@arielownersmcc.com
-
- Holder of a Nylon Anorak
- Posts: 135
- Joined: Mon Jul 06, 2015 2:08 am
- Location: Auckland NZ
- Contact:
Re: Website, does it need to be https ?
Sorry but staying on HTTP instead of migrating to HTTPS is a no brainer I am afraid.
Both my home iMac and work Windows laptop present me with trust issues/Warnings for this site every time I log on.
I am told it is not even very expensive to move but I can’t claim any knowledge about the cost.
Preventing MIM attacks is a good step toward a secure site.
Since there is no ecommerce going on here with credit cards etc the only danger is someone corrupting or deleting the database of knowledge.
Gary Cullen
Forrest Hill
Auckland
Antipodes
1946 VB600 rigid Tele
1973 Honda CB350 owned since 1981.
1933 Austin 10
2008 Fraser Clubman (like lotus 7 only better )