Author Topic: TEF HTTPS Adoption  (Read 8981 times)
BambooToTheFuture

« on: Thursday, November 22, 2018, 15:09:04 »

With many following suit from the advice of Chrome, Mozilla, et al, we are now on the brink of all websites leaning towards full HTTPS adoption.

It's no secret that Google have been promoting this since around four years ago, with a simple step; to influence website administrator behaviour - for the better. They are now at a point where the Chrome 72 release is targeted for January 2019 and an expectation of HTTPS page loads to be >85%.

Mozilla have stated they intend to deprecate HTTP eventually, while of course Microsoft and Apple do tend to be slower with browser security adoption but they do update less frequently than the former. However they are sure to enact similar changes too. In fact, I think I'm right in saying that Apple apps must be built using "App Transport Security" (ATS), in order to be accepted on the App Store. For those that aren't aware; ATS prohibits the use of plaintext HTTP - driving adoption of HTTPS.

Why HTTPS, some of you might ask? Well it's fairly simple - users that feel safe on the internet will interact longer. A safe browsing experience is good for everyone (well everyone except the attackers, DDoS Flooders, Hostile Pinners). HTTPS is fast and there are no excuses needed for not using SSL/TLS. Static sites need encryption too, which prevents a malicious 3rd party from tracking users or injecting adverts into your site.

While we trust and mostly know the admins of this forum, and we (the user) have our own responsibility not to enter/publish our own sensitive data, we can't be certain that all visitors to the site are genuine/trusting/honest. I'm also realistic about the TEF's position as being a highly targeted site too Wink Even so, this brings me to a question for the TEF;

Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

A final thought;
Any page not served over HTTPS today is insecure, by definition.

When you browse a non-HTTPS page, someone could inject whatever they want into it. Malware, flash exploits, cred sniffer, and more recently a cryptocurrency miner. Even if you don't submit any private information to the server, an attacker can still make a standard website or blog dangerous, purely because they can do what they want with the traffic.

*Please don't kill me, I think it's a rather sensible query in this day and age with us all still learning. If anything, your insight can help us to learn much more. Thanks, BNS
« Last Edit: Thursday, November 22, 2018, 15:34:24 by bamboonoshoe »


'Incessant Nonsense'

______________________________________________________________

'I'm gonna tell you the secret.
There's a threat, you end it and you don't feel ashamed about enjoying it.
You smell the gunpowder and you see the blood, you know what that means?
It means you're alive. You've won.
You take the heads so that you don't ever forget.'
The Artist Formerly Known as Audrey

« Reply #1 on: Thursday, November 22, 2018, 15:27:39 »

I have no idea what you are talking about

horlock07
« Reply #2 on: Thursday, November 22, 2018, 15:32:48 »

This must be what you all feel like when I start talking about planning........

Flashheart
« Reply #3 on: Thursday, November 22, 2018, 15:36:06 »

I know what he's talking about, but that's Barry's thang.

BambooToTheFuture
« Reply #4 on: Thursday, November 22, 2018, 15:36:10 »

> This must be what you all feel like when I start talking about planning........

Sorry  Roll Eyes

Batch
« Reply #5 on: Thursday, November 22, 2018, 15:37:19 »

I think we should risk injection attacks.

And not only  because my (not)tapatalk app didn't seem to like https.

BambooToTheFuture
« Reply #6 on: Thursday, November 22, 2018, 15:37:40 »

> I know what he's talking about, but that's Barry's thang.

I thought as much, FH.

Wobbly Bob
« Reply #7 on: Thursday, November 22, 2018, 15:44:06 »

The volume of bollocks talked on here should be enough to deter most malicious intent.

But yeah, can see where Bamboo is coming from,  albeit with a lot of words to get there.  Smiley

Why don't you knock it off with them negative waves? Why don't you dig how beautiful it is out here? Why don't you say something righteous and hopeful for a change?
Crap!

BambooToTheFuture
« Reply #8 on: Thursday, November 22, 2018, 16:16:29 »

> The volume of bollocks talked on here should be enough to deter most malicious intent.
>
> But yeah, can see where Bamboo is coming from, albeit with a lot of words to get there.  Smiley

I know, I know.  Grin

It is important though. Even if many would disregard.

suttonred
« Reply #9 on: Thursday, November 22, 2018, 18:27:51 »

Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts Wink

Quagmire
« Reply #10 on: Thursday, November 22, 2018, 18:43:35 »


> But yeah, can see where Bamboo is coming from, albeit with a lot of words to get there.  Smiley

Bamboo? With a lot of words? Surely not.  Wink

BambooToTheFuture
« Reply #11 on: Thursday, November 22, 2018, 19:01:09 »

> Plain http doesn't really bother me as there are no payments etc on here, and it's an extra cost to consider. Anyway any malicious hackers on here would soon get confused and bugger off, they certainly wouldn't be gaining insight or intelligence for their efforts Wink

True on confusion but it's not our intelligence they'd be after  Smiley

BambooToTheFuture
« Reply #12 on: Thursday, November 22, 2018, 19:02:17 »

> Bamboo? With a lot of words? Surely not.  Wink

I have a whey with curds  Grin

Barry Scott
« Reply #13 on: Thursday, November 22, 2018, 20:38:01 »

> Will the TEF Lead Admins be updating (via SMF) their certificates and adopting HTTPS?*

In all likelihood no.

I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.

HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.

I might one day, but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.

BambooToTheFuture
« Reply #14 on: Thursday, November 22, 2018, 21:19:43 »

> In all likelihood no.
>
> I'm perhaps quite arrogant/complacent about the whole thing, but fuck it. I suppose in short, I just don't care.
>
> HTTPS is only encrypting data transfer between clients and the server. It won't stop hacking, injection attacks or SMF vulnerabilities. And as nothing sensitive is being transferred, there's no real reason to bother imao.
>
> I might one day but the server is secure enough (famous last words) to take the only abuse I'm really concerned with.

Hacking and penetration (oo-er) will always happen but HTTPS does help to prevent attacks over HTTP. You don't need sensitive information being transferred for someone to do what they like with your traffic, HTTP allows that and freely.

It might be a case of having to though as adoption nears full scale. Why would you be against something securing the site further? Also why no certificate update, they're easy enough to obtain?

I'm not having a go btw, I'm just curious as to why? My only concern is that you seem happy for the site traffic to be diverted anywhere and for any use?

Each to their own. I just thought it was an important matter and the users of the site should be aware. You might not care but you have a duty of care to the users of the site, as a minimum. People scarily don't know enough about this stuff yet are using it every day. On a further note, we could all be being backdoored and not be aware of it.