Post by reinvestor on Apr 17, 2019 6:42:05 GMT
My iphone keeps alerting me to the fact that this site is not secure.
It hasn't done that until this week.
Has a certificate expired or has something changed?
Post by batchoy on Apr 17, 2019 9:01:11 GMT
It's an iOS change in a recent update that means Safari flags sites that use HTTP rather than HTTPS as not secure.
Post by reinvestor on Apr 17, 2019 9:16:41 GMT
Many thanks!
Post by nummo on Jul 25, 2019 7:45:27 GMT
Yeah happens in Chrome too for same reason.
Post by jontyab on Jul 25, 2019 11:19:32 GMT
> Yeah happens in Chrome too for same reason.

And rightly so! Fortunately Login and registration are HTTPS, I assume it's a ProBoards limitation that the forum itself is not. There's really little excuse otherwise.
Post by nummo on Jul 25, 2019 11:23:39 GMT
Yeah most stuff is HTTPS these days so the boards software requires an update!
Post by keitha on Jan 14, 2020 10:53:00 GMT
But if everything goes to HTTPS it becomes pointless
it feels to me that lines are getting blurred
HTTPS was for stuff that needed to be secure, HTTP for everything else
so HTTP could be a website with advertising for company X but you then go to the HTTPS site to buy.
It's a bit like .com
that was intended for multinational companies Microsoft, shell etc,
purely British companies should be .co.uk
but people assumed either .com was better or stood for company
Post by iRobot on Jan 14, 2020 11:11:39 GMT
> But if everything goes to HTTPS it becomes pointless
> it feels to me that lines are getting blurred
> HTTPS was for stuff that needed to be secure, HTTP for everything else
> so HTTP could be a website with advertising for company X but you then go to the HTTPS site to buy.
> It's a bit like .com
> that was intended for multinational companies Microsoft, shell etc,
> purely British companies should be .co.uk
> but people assumed either .com was better or stood for company

I'm typically of the opinion that improved security is generally a good thing, but happy to have explained to me why the inherent security improvements of HTTPS over HTTP aren't always worthwhile?
Post by michaelc on Jan 14, 2020 12:53:20 GMT
> > But if everything goes to HTTPS it becomes pointless
> > it feels to me that lines are getting blurred
> > HTTPS was for stuff that needed to be secure, HTTP for everything else
> > so HTTP could be a website with advertising for company X but you then go to the HTTPS site to buy.
> > It's a bit like .com
> > that was intended for multinational companies Microsoft, shell etc,
> > purely British companies should be .co.uk
> > but people assumed either .com was better or stood for company
>
> I'm typically of the opinion that improved security is generally a good thing, but happy to have explained to me why the inherent security improvements of HTTPS over HTTP aren't always worthwhile?

I'm sure some information security management type might provide a better summary but the only reasons I can think of are:
1/ For small hobby-like websites located at home, it could be some effort to add SSL to the website.
2/ Until recently, you needed to pay for an SSL certificate with main browser supported chain of trust. I say until recently because letsencrypt.org provides such certs for free now.
3/ In times gone past, perhaps the extra load of authentication and decryption of content might have been more significant on hardware resources than it is now. E.g. doing it on an old PC might have slowed it down and doing it on an old phone or laptop might have made the battery run out quicker.
4/ Historically, everything was HTTP but that was a _Very_ long time ago. Then for a period of maybe 20 years, many sites added HTTPS only for when providing your own credentials in order to obtain a session key. Then the session key would be passed in the clear - I think that's how ProBoards works but haven't analysed it so could be wrong.
5/ Do we need to encrypt our connection to BBC Weather?
6/ Harder for law enforcement to do their job
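The pattern in point 4 above (log in over HTTPS, then carry the session key in the clear) can be checked from the `Set-Cookie` headers of the login response. This is an added example, not part of the original post and not ProBoards code; the cookie names, values and the `forum.example` host are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers as an HTTPS login endpoint might return them.
LOGIN_SET_COOKIE = [
    "session=3f9c1a7e; Path=/; HttpOnly",   # session key, no Secure attribute
    "csrf=77aa01; Path=/; Secure",
    "theme=dark; Path=/",
]

def parse_cookies(set_cookie_headers):
    """Map cookie name -> Morsel for each Set-Cookie header value."""
    morsels = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsels.update(jar)
    return morsels

def attached_to(url, set_cookie_headers):
    """Names of the cookies a browser would send with a request for `url`.

    Only the Secure attribute is modelled: a cookie without it is sent over
    http:// as well as https://, so anyone on the network path can read it.
    """
    https = urlsplit(url).scheme == "https"
    return sorted(name for name, m in parse_cookies(set_cookie_headers).items()
                  if https or not m["secure"])

def exposed_session_cookies(set_cookie_headers, session_names=("session",)):
    """Session cookies that would cross the network unencrypted on an HTTP page."""
    sent = attached_to("http://forum.example/thread/1", set_cookie_headers)
    return [name for name in sent if name in session_names]

if __name__ == "__main__":
    print(attached_to("https://forum.example/login", LOGIN_SET_COOKIE))
    print(attached_to("http://forum.example/thread/1", LOGIN_SET_COOKIE))
    print(exposed_session_cookies(LOGIN_SET_COOKIE))
```

Serving every page over HTTPS and adding `Secure` to the session cookie empties the last list.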
Post by mrk on Jan 14, 2020 15:02:29 GMT
Post by mrk on Jan 14, 2020 15:06:31 GMT
> It's an iOS change in a recent update that means Safari flags sites that use HTTP rather than HTTPS as not secure.

I'm pretty sure I was able to use HTTPS on this site without that error though. Chrome says "This server could not prove that it is p2pindependentforum.com; its security certificate is from ssl919226.cloudflaressl.com." With Cloudflare you should get a certificate for your custom domain even on the free plan.
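The Chrome message quoted above is a hostname mismatch: the browser compares the requested host with the DNS names on the certificate and finds none that cover it. The following is an added example, not part of the original post; apart from `ssl919226.cloudflaressl.com`, the certificate names in it are constructed.

```python
# Constructed list of DNS names (subjectAltName) on the certificate the server
# presented. Only ssl919226.cloudflaressl.com is taken from the quoted message.
PRESENTED_CERT_NAMES = ["ssl919226.cloudflaressl.com", "*.example.net", "example.net"]

def name_matches(hostname, pattern):
    """Compare one certificate DNS name with the requested host.

    Matching is label by label and case-insensitive. A "*" is honoured only as
    the whole leftmost label, stands for exactly one label, and is refused
    directly above a top-level domain (so "*.net" never matches).
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def covers(hostname, cert_names):
    """True if any DNS name on the certificate covers the requested host."""
    return any(name_matches(hostname, name) for name in cert_names)

def verdict(hostname, cert_names):
    """Short explanation in the spirit of the browser's error text."""
    if covers(hostname, cert_names):
        return "ok"
    return f"cannot prove this is {hostname}; certificate names: {', '.join(cert_names)}"

if __name__ == "__main__":
    for host in ("p2pindependentforum.com", "www.example.net", "a.b.example.net"):
        print(host, "->", verdict(host, PRESENTED_CERT_NAMES))
```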
Post by iRobot on Jan 14, 2020 15:29:55 GMT
> > I'm typically of the opinion that improved security is generally a good thing, but happy to have explained to me why the inherent security improvements of HTTPS over HTTP aren't always worthwhile?
>
> I'm sure some information security management type might provide a better summary but the only reasons I can think of are:
> 1/ For small hobby-like websites located at home, it could be some effort to add SSL to the website.

For home websites adding SSL is just the sort of thing a geeky home hobbyist enjoys. For non-technical hobbyists, there are lord-knows how many free resources they can adopt to showcase their passions to the waiting world - Google Sites, WordPress, Wix to name but three.
Difficulty to one side, the question remains as to whether HTTPS (SSL & HTTP/2 etc) is advantageous over HTTP even to the home-hoster hobbyist.

> 2/ Until recently, you needed to pay for an SSL certificate with main browser supported chain of trust. I say until recently because letsencrypt.org provides such certs for free now.

Indeed, although letsencrypt is now >5 years old! Things may have moved on, but I recall that having one of their certs expiring every 90 days was a bit of a pita - or, more accurately, deploying an auto-renew facility was on some hosts.
An alternative free offering worthy of shortlisting is Cloudflare's Universal SSL and Origin CA features. 'Serious' websites are still likely to go for some kind of paid-for offering though.

> 3/ In times gone past, perhaps the extra load of authentication and decryption of content might have been more significant on hardware resources than it is now. E.g. doing it on an old PC might have slowed it down and doing it on an old phone or laptop might have made the battery run out quicker.

HTTPS - thanks to SSL facilitating HTTP/2 - is now quicker than HTTP with lower transit and compute overheads. No (mainstream) reasons not to go HTTPS from a performance perspective, in my opinion.

> 4/ Historically, everything was HTTP but that was a _Very_ long time ago. Then for a period of maybe 20 years, many sites added HTTPS only for when providing your own credentials in order to obtain a session key. Then the session key would be passed in the clear - I think that's how ProBoards works but haven't analysed it so could be wrong.

"Historically ...." Just about sums up ProBoards: 'Living in the past... ' - still shouldn't knock it if it's free, and at least it is secure at the point of signing in.

> 5/ Do we need to encrypt our connection to BBC Weather?

Technically? Maybe not. (Although see above re: performance increases inherent in HTTP/2 - not a bad thing for media rich sites.) But it's also a trust thing, not just an encryption thing.

> 6/ Harder for law enforcement to do their job

And harder for criminals to do their 'job'; a more secure web means there's less work for law enforcement to do.

Some thoughts / comments above - just an alternative view. With the exception of some edge cases - e.g. legacy kit / software - I'm still struggling to think of a situation in 2020 where HTTPS isn't more suitable than HTTP. (But don't take that to mean there isn't one!!)

Crossed with mrk - got distracted by ProBoards v6 lack-of-development thread (I'm being harsh)
Post by michaelc on Feb 11, 2020 23:44:20 GMT
... P.S.P.S. This website collects people's email addresses. Including email addresses of EU citizens. G ... D... P...R.... Is that the thing that has caused hundreds of thousands of websites to spend money in order to provide landing page pop-ups to visitors typically containing a large amount of small print that most people ignore? Did the architects of it envisage this to be possibly the biggest impact to most people's daily lives?