Author Topic: TEF HTTPS Adoption  (Read 2056 times)
bamboonoshop


« on: Thursday, November 22, 2018, 15:09:04 »

With many following suit from the advice of Chrome, Mozilla, et al, we are now on the brink of all websites leaning towards full HTTPS adoption.

It's no secret that Google have been promoting this since around four years ago, with a simple step; to influence website administrator behaviour - for the better. They are now at a point where Chrome 72 release is targeted for January 2019 and an expectation of HTTPS page loads to be >85%.

Mozilla have stated they intend to deprecate HTTP eventually, while of course Microsoft and Apple do tend to be slower with browser security adoption but they do update less frequently than the former. However they are sure to enact similar changes too. In fact, I think I'm right in saying that Apple apps must be built using "App Transport Security" (ATS), in order to be accepted on the App Store. For those that aren't aware; ATS prohibits the use of plaintext HTTP - driving adoption of HTTPS.

Why HTTPS, some of you might ask? Well it's fairly simple - users that feel safe on the internet will interact longer. A safe browsing experience is good for everyone (well everyone except the attackers, DDoS Flooders, Hostile Pinners). HTTPS is fast and there are no excuses needed for not using SSL/TLS. Static sites need encryption too, which prevents a malicious 3rd party from tracking users or injecting adverts into your site.

While we trust and mostly know the admins of this forum, and we (the user) have our own responsibility not to enter/publish our own sensitive data, we can't be certain that all visitors to the site are genuine/trusting/honest. I'm also realistic about the TEF's position as being a highly targeted site too Wink Even so, this brings me to a question for the TEF;

Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

A final thought;
Any page not served over HTTPS today is insecure, by definition.

When you browse a non-HTTPS page, someone could inject whatever they want into it. Malware, flash exploits, cred sniffer, and more recently a cryptocurrency miner. Even if you don't submit any private information to the server, an attacker can still make a standard website or blog dangerous, purely because they can do what they want with the traffic.

*Please don't kill me, I think it's a rather sensible query in this day and age with us all still learning. If anything, your insight can help us to learn much more. Thanks, BNS
« Last Edit: Thursday, November 22, 2018, 15:34:24 by bamboonoshoe »

COYR WAPBRAWA COYR
The Artist Formerly Known as Audrey


« Reply #1 on: Thursday, November 22, 2018, 15:27:39 »

I have no idea what you are talking about

horlock07
« Reply #2 on: Thursday, November 22, 2018, 15:32:48 »

This must be what you all feel like when I start talking about planning........

Flashheart
« Reply #3 on: Thursday, November 22, 2018, 15:36:06 »

I know what he's talking about, but that's Barry's thang.

I like it firm and fruity.

bamboonoshop
« Reply #4 on: Thursday, November 22, 2018, 15:36:10 »

> This must be what you all feel like when I start talking about planning........

Sorry  Roll Eyes

Batch
Thingie
« Reply #5 on: Thursday, November 22, 2018, 15:37:19 »

I think we should risk injection attacks.

And not only  because my (not)tapatalk app didn't seem to like https.

bamboonoshop
« Reply #6 on: Thursday, November 22, 2018, 15:37:40 »

> I know what he's talking about, but that's Barry's thang.

I thought as much, FH.

Wobbly Bob
« Reply #7 on: Thursday, November 22, 2018, 15:44:06 »

The volume of bollocks talked on here should be enough to deter most malicious intent.

But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  Smiley

Now you give me everything.

bamboonoshop
« Reply #8 on: Thursday, November 22, 2018, 16:16:29 »

> The volume of bollocks talked on here should be enough to deter most malicious intent.
>
> But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  Smiley

I know, I know.  Grin

It is important though. Even if many would disregard.

suttonred
« Reply #9 on: Thursday, November 22, 2018, 18:27:51 »

Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts Wink

Quagmire
« Reply #10 on: Thursday, November 22, 2018, 18:43:35 »


> But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  Smiley

Bamboo? With a lot of words? Surely not.  Wink

bamboonoshop
« Reply #11 on: Thursday, November 22, 2018, 19:01:09 »

> Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts Wink

True on confusion but it's not our intelligence they'd be after  Smiley

bamboonoshop
« Reply #12 on: Thursday, November 22, 2018, 19:02:17 »

> Bamboo? With a lot of words? Surely not.  Wink

I have a whey with curds  Grin

Barry Scott




« Reply #13 on: Thursday, November 22, 2018, 20:38:01 »

> Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

In all likelihood no.

I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.

HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.

I might one day, but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.

bamboonoshop
« Reply #14 on: Thursday, November 22, 2018, 21:19:43 »

> In all likelihood no.
>
> I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.
>
> HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.
>
> I might one day but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.

Hacking and penetration (oo-er) will always happen but HTTPS does help to prevent attacks over HTTP. You don't need sensitive information being transferred for someone to do what they like with your traffic, HTTP allows that and freely.

It might be a case of having to though as adoption nears full scale. Why would you be against something securing the site further? Also why no certificate update, they're easy enough to obtain?

I'm not having a go btw, I'm just curious as to why? My only concern is that you seem happy for the site traffic to be diverted anywhere and for any use?

Each to their own. I just thought it was an important matter and the users of the site should be aware. You might not care but you have a duty of care to the users of the site, as a minimum. People scarily don't know enough about this stuff yet are using it every day. On a further note, we could all be being backdoored and not be aware of it.