Thetownend.com

80% => Computer & Technology => Topic started by: BambooToTheFuture on Thursday, November 22, 2018, 15:09:04



Title: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 15:09:04
With many following suit from the advice of Chrome, Mozilla, et al, we are now on the brink of all websites leaning towards full HTTPS adoption.

It's no secret that Google have been promoting this since around four years ago, with a simple step; to influence website administrator behaviour - for the better. They are now at a point where Chrome72 release is targeted for January 2019 and an expectation of HTTPS page loads to be >85%.

Mozilla have stated they intend to deprecate HTTP eventually, while of course Microsoft and Apple do tend to be slower with browser security adoption but they do update less frequently than the former. However they are sure to enact similar changes too. In fact, I think I'm right in saying that Apple apps must be built using "App Transport Security" (ATS), in order to be accepted on the App Store. For those that aren't aware; ATS prohibits the use of plaintext HTTP - driving adoption of HTTPS.

Why HTTPS, some of you might ask? Well it's fairly simple - users that feel safe on the internet will interact longer. A safe browsing experience is good for everyone (well everyone except the attackers, DDoS Flooders, Hostile Pinners). HTTPS is fast and there are no excuses needed for not using SSL/TLS. Static sites need encryption too, which prevents a malicious 3rd party from tracking users or injecting adverts into your site.

While we trust and mostly know the admins of this forum, and we (the user) have our own responsibility not to enter/publish our own sensitive data, we can't be certain that all visitors to the site are genuine/trusting/honest. I'm also realistic about the TEF's position as being a highly targeted site too ;) Even so, this brings me to a question for the TEF;

Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

A final thought;
Any page not served over HTTPS today is insecure, by definition.

When you browse a non-HTTPS page, someone could inject whatever they want into it. Malware, flash exploits, cred sniffer, and more recently a cryptocurrency miner. Even if you don't submit any private information to the server, an attacker can still make a standard website or blog dangerous, purely because they can do what they want with the traffic.

*Please don't kill me, I think it's a rather sensible query in this day and age with us all still learning. If anything, your insight can help us to learn much more. Thanks, BNS


Title: Re: TEF HTTPS Adoption
Post by: The Artist Formerly Known as Audrey on Thursday, November 22, 2018, 15:27:39
I have no idea what you are talking about


Title: Re: TEF HTTPS Adoption
Post by: horlock07 on Thursday, November 22, 2018, 15:32:48
This must be what you all feel like when I start talking about planning........


Title: Re: TEF HTTPS Adoption
Post by: Flashheart on Thursday, November 22, 2018, 15:36:06
I know what he's talking about, but that's Barry's thang.


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 15:36:10
This must be what you all feel like when I start talking about planning........

Sorry  ::)


Title: Re: TEF HTTPS Adoption
Post by: Batch on Thursday, November 22, 2018, 15:37:19
I think we should risk injection attacks.

And not only  because my (not)tapatalk app didn't seem to like https.



Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 15:37:40
I know what he's talking about, but that's Barry's thang.

I thought as much, FH.


Title: Re: TEF HTTPS Adoption
Post by: Wobbly Bob on Thursday, November 22, 2018, 15:44:06
The volume of bollocks talked on here should be enough to deter most malicious intent.

But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  :)


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 16:16:29
The volume of bollocks talked on here should be enough to deter most malicious intent.

But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  :)

I know, I know.  ;D

It is important though. Even if many would disregard.


Title: Re: TEF HTTPS Adoption
Post by: suttonred on Thursday, November 22, 2018, 18:27:51
Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts ;)


Title: Re: TEF HTTPS Adoption
Post by: Quagmire on Thursday, November 22, 2018, 18:43:35

But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  :)
Bamboo? With a lot of words? Surely not.  ;)


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 19:01:09
Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts ;)

True on confusion but it's not our intelligence they'd be after  :)


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 19:02:17
Bamboo? With a lot of words? Surely not.  ;)

I have a whey with curds  ;D


Title: Re: TEF HTTPS Adoption
Post by: Barry Scott on Thursday, November 22, 2018, 20:38:01
Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

In all likelihood no.

I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.

HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.

I might one day, but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 21:19:43
In all likelihood no.

I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.

HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.

I might one day but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.

Hacking and penetration (oo-er) will always happen but HTTPS does help to prevent attacks over HTTP. You don't need sensitive information being transferred for someone to do what they like with your traffic, HTTP allows that and freely.

It might be a case of having to though as adoption nears full scale. Why would you be against something securing the site further? Also why no certificate update, they're easy enough to obtain?

I'm not having a go btw, I'm just curious as to why? My only concern is that you seem happy for the site traffic to be diverted anywhere and for any use?

Each to their own. I just thought it was an important matter and the users of the site should be aware. You might not care but you have a duty of care to the users of the site, as a minimum. People scarily don't know enough about this stuff yet are using it every day. On a further note, we could all be being backdoored and not be aware of it.


Title: Re: TEF HTTPS Adoption
Post by: Barry Scott on Thursday, November 22, 2018, 22:31:42
It might be a case of having to though as adoption nears full scale. Why would you be against something securing the site further? Also why no certificate update, they're easy enough to obtain?

I'll cross the bridge of having to do when I come to it. If it ever becomes a necessary requirement to use the internet, then I'll see. It won't prevent the issues I'm concerned with as we stand. I'm not against it, I just can't be bothered.

I'm not having a go btw, I'm just curious as to why? My only concern is that you seem happy for the site traffic to be diverted anywhere and for any use?

I know you're not having a go, I'm not either. It's a friendly discussion and it's all good. :)

Please see bold part of reply above as to why.

And if site traffic is being diverted elsewhere then I'll worry about it when that happens. The scenario you describe will either be a hack server-side, or on a user's computer. HTTPS wouldn't prevent either.

Each to their own. I just thought it was an important matter and the users of the site should be aware.

No worries.

You might not care but you have a duty of care to the users of the site, as a minimum.

Nope. People are capable of looking after themselves. I don't need to protect them from the internet boogieman. I have many websites, all of which have survived without SSL for a long time. The same as I have several that get hacked regularly, but for the most part those hacks are completely and utterly inert and none have any effect on users at all.

People scarily don't know enough about this stuff yet are using it every day. On a further note, we could all be being backdoored and not be aware of it.

People don't. But it's nowhere near as bad as you make out. And the majority of people "being backdoored" from websites are people visiting websites they shouldn't and people with little to no knowledge of computers coupled with going bareback. This isn't 15 years ago when no one had firewalls or antivirus and downloaded screensavers and all manner of crap.

Besides, "being backdoored" wouldn't be stopped by SSL, it'd hopefully be stopped by securing your own computer though.

All the SSL is doing is encrypting the passageway between the user and the server. It doesn't stop the server getting hacked. It doesn't stop the user getting a virus. It doesn't stop the user getting fucked by a hacked site or server. It just means it fucks you while encrypted.


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Thursday, November 22, 2018, 23:57:29
Appreciate the time taken to reply in fair detail Barry. Something that seems lost in communication these days is an ability to talk at length (yes some may call it rambling) but it is appreciated.

I'll admit, I don't know everything on the matter but I do know two penetration testers and have had discussions at length about "cyber security" with them. I wasn't trying to scaremonger anyone though. I'm aware that there are more resistant systems in place now, than there was before but these kind of things are better to be talked about.

I agree we shouldn't have to hand hold anyone but such as the net is, many competent adults are left unsecured. Don't get me started on some business "cyber security" protocols, as some are pretty much non-existent. I could tell you a story about a tester sat in the CEO's (of a very large company) email inbox and countless others' personal info, based purely on a password policy of "CAP-one word-number". I won't though because I'll only bore the crap out of you and anyone else reading.

Thanks again.


Title: Re: TEF HTTPS Adoption
Post by: jayohaitchenn on Friday, November 23, 2018, 09:31:26
Finger on the pulse as always Bamboo.

I raised this with Barry over 2 years ago in the mods forum and we decided then we couldn't be fucked.


Title: Re: TEF HTTPS Adoption
Post by: horlock07 on Friday, November 23, 2018, 09:49:30
I don't want to be backdoored......


Title: Re: TEF HTTPS Adoption
Post by: The Artist Formerly Known as Audrey on Friday, November 23, 2018, 09:50:31
Don’t take on so


https://m.youtube.com/watch?v=ch_NuUgvb7s


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Friday, November 23, 2018, 14:20:56
Finger on the pulse as always Bamboo.

I raised this with Barry over 2 years ago in the mods forum and we decided then we couldn't be fucked.

Cheers Jayo  ;)

I wasn't aware of the "mods forum". To be honest though, always worth a revisit as many casual internet users aren't aware of this kind of stuff. Even if the implementation has been public for over 4 years.

My last question would be; If you can't be fucked to adopt HTTPS then why have over 85% of sites, to date (static included) been fucked to bother?

Thanks again my good mate :)


Title: Re: TEF HTTPS Adoption
Post by: Simon Pieman on Friday, November 23, 2018, 16:18:54
There is probably a lot more for Barry to upgrade and implement than simply a few clicks of a button. For one, the TEF's software would need to be upgraded (which may not be a bad thing) but I seem to recall previous upgrades didn't go very smoothly. What we need to remember is that Barry ensures this forum is hosted and maintained all on his own. Other admin/mods just keep the front end tidy (in theory).

Posts may get intercepted in theory, though it would be pretty bizarre if anyone wanted to do that as they are published for all to see anyway i.e. nobody in their right mind would post their credit card details here.

In terms of passwords, all passwords stored in the server are hashed and they are also hashed on the client side at entry so no plain text is sent between the two.

Those are the reasons why it got left last time.
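
The kind of login described in the post above, sketched as an added example that is not from the thread, the forum or SMF: a generic challenge-response hash with both the browser and server side shown. The scheme, the function names and the sample account are assumptions made for illustration.

```javascript
// Added example (not forum or SMF code): client-side password hashing bound
// to a per-session server challenge. Account and password are constructed.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Server side: keeps a hash derived from the password, never the password.
function makeServer() {
  const users = new Map();      // username -> stored verifier
  const challenges = new Map(); // username -> outstanding one-time challenge
  return {
    register(user, password) {
      users.set(user, sha256(user + ":" + password));
    },
    issueChallenge(user) {
      const c = randomBytes(16).toString("hex");
      challenges.set(user, c);
      return c;
    },
    verify(user, response) {
      const c = challenges.get(user);
      challenges.delete(user); // one-time use: an old response is not accepted again
      if (!c || !users.has(user)) return false;
      const expected = Buffer.from(sha256(users.get(user) + c), "hex");
      const got = Buffer.from(String(response), "hex");
      return got.length === expected.length && timingSafeEqual(got, expected);
    },
  };
}

// Browser side: the value the login form submits in place of the password.
function clientResponse(user, password, challenge) {
  return sha256(sha256(user + ":" + password) + challenge);
}

// One login, then the same submitted value presented against a later challenge.
function demo() {
  const server = makeServer();
  server.register("alice", "correct horse");
  const c1 = server.issueChallenge("alice");
  const r1 = clientResponse("alice", "correct horse", c1);
  const firstLogin = server.verify("alice", r1);
  server.issueChallenge("alice");              // new session, new challenge
  const reusedLater = server.verify("alice", r1);
  return { firstLogin, reusedLater, sentPlainText: r1.includes("correct horse") };
}
```

The challenge keeps both the password and any reusable login value off the wire. It does nothing for the integrity of the page, the session cookie issued after login, or the hashing script itself when that script is delivered over plain HTTP, which is the part only TLS covers.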


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Friday, November 23, 2018, 16:27:19
There is probably a lot more for Barry to upgrade and implement than simply a few clicks of a button. For one, the TEF's software would need to be upgraded (which may not be a bad thing) but I seem to recall previous upgrades didn't go very smoothly. What we need to remember is that Barry ensures this forum is hosted and maintained all on his own. Other admin/mods just keep the front end tidy (in theory).

Posts may get intercepted in theory, though it would be pretty bizarre if anyone wanted to do that as they are published for all to see anyway i.e. nobody in their right mind would post their credit card details here.

In terms of passwords, all passwords stored in the server are hashed and they are also hashed on the client side at entry so no plain text is sent between the two.

Those are the reasons why it got left last time.

Yeah, I appreciate Barry maintains and hosts the TEF by himself. We should all be grateful for that. No question.

RE: Credit card details etc. Of course it would be incredibly naive to post on the main forum but what about those kind of details in Private Messages?  :hmmm:

Ok, that gives a bit more clarity on the password side of things, appreciate that.

Thanks Simon.


Title: Re: TEF HTTPS Adoption
Post by: pauld on Friday, November 23, 2018, 23:30:22
RE: Credit card details etc. Of course it would be incredibly naive to post on the main forum but what about those kind of details in Private Messages?  :hmmm:
If anyone's stupid enough to post their credit card info in a PM, they need urgent protection and they should immediately post me the details of all their credit cards and bank accounts so I can ensure they are properly protected. I will look after their money for them - I will take great care of it and take it on little trips round the shops.


Title: Re: TEF HTTPS Adoption
Post by: BambooToTheFuture on Saturday, November 24, 2018, 01:39:10
If anyone's stupid enough to post their credit card info in a PM, they need urgent protection and they should immediately post me the details of all their credit cards and bank accounts so I can ensure they are properly protected. I will look after their money for them - I will take great care of it and take it on little trips round the shops.

You say that but... :hmmm: