Question Website not secure warning

5 years 4 months ago #1 by XaltatunOfAcheron
  • My browser gives a big, red "Website not secure" warning while logging on. I presume you're aware of it, since it's been a significant topic of discussion in the biz for a while, and it's only going to get worse as the browser manufacturers keep turning the screws on logon security.

    Can this be fixed?
    5 years 4 months ago #2 by Anne
  • I notice that we're not using https. Not sure what that means, or what the owners have to do about a login not secure warning, that isn't showing to me. Then again not using https may obviate that while leaving things unsecure.
    5 years 4 months ago #3 by Sir Lee
  • I asked about that a while ago, when Firefox started giving a small warning. I read a while ago that Chrome would start complaining about it pretty soon, and I guess that's what you have seen. In a nutshell, what the browsers are complaining about is that the site asks for a password but does not implement HTTPS (or, in some other sites, does not implement it properly).
    Kristin is aware of it, but doing HTTPS properly is not just a matter of flipping a switch in the server options. Among other things, it requires a digital certificate. There are ways to get one for free, such as Let's Encrypt!, but those have a few shortcomings, such as requiring frequent renewals.
    The short answer is... Kristin is looking into it, but until recently it was a lower-priority job. Now that Chrome is giving big red warnings, it probably will jump a few places up on the to-do list.

    Don't call me "Shirley." You will surely make me surly.
    5 years 4 months ago #4 by Kristin Darken
  • Yes, this is 100% about using http instead of https. Switching over is not 'simple' or 'cheap' despite the insistence of internet 'resources' claiming that everyone should just 'do' it. Here's the thing... the ONLY thing that needs to be secure in any way shape or form on this site is personal account data. Our using http instead of https means that your account data isn't as secure as it could be. However, I can count on a couple hands how many users of this site have actually put in their real names, and ANY address or phone data in their profiles. Yes, there are a few ... but no one is asked for SSN, credit cards, or anything that might make them vulnerable. The data someone might get from IP tracing you might be more detail accurate than what is in most people's account profile.

    So... ya... switching to https is not a huge priority. Especially if that priority is going to cost us several hundred dollars a year for time and certificate costs (either paying a couple hundred for a certificate and spending the time to set it up once a year or getting a free certificate and spending the time four times a year or more to set up to use the free certificate). If the process becomes simpler and/or cheaper? Its priority will rise. If someone points out more critical reasons for us to be secure than just 'everyone else is doing it'... its priority will rise.

    Fate guard you and grant you a Light to brighten your Way.
    5 years 4 months ago #5 by Sir Lee
  • The real security problem here is password reuse. It doesn't matter that nobody uses their real name here and that there's not much to be stolen... the problem is that there's an e-mail account associated to each user, and lots of people have only the one e-mail account and use the same password for everything.
    So, if this site is hacked, whoever does it can get a juicy list of e-mail/password pairs to try elsewhere.

    For the site itself, the problem is the warnings. They might scare away potential visitors.

    Don't call me "Shirley." You will surely make me surly.
    5 years 4 months ago #6 by Anne
  • Personally, I use a separate e-mail account for my writing. I try to isolate it as much as possible from my rwl. I complain a lot about passwords but I'm fanatical about using separate ones for every site I visit! I also have at least 4 e-mail addys that I use for various purposes.
    5 years 4 months ago #7 by Sir Lee
  • That's a sensible way to do things. Myself, I have not only separate accounts for "real life" and TG-fiction usage, I also have a separate "real life" e-mail for... well, junk. Mostly sites that I want to have a connection to, but tend to stuff my mailbox with wanted things. E-commerce sites, for the most part. This account I keep out of my phone, so I don't get spammed all day long.

    Oh, and I use a password manager/generator. My typical password looks somewhat like this: %DH(%¨DVS$GHK(TFVgfjxoui -- a different one for each account and service.

    Don't call me "Shirley." You will surely make me surly.
    5 years 4 months ago #8 by Anne
  • That is pretty much what I do as well. I have a couple that I use for 'gaming', that is, I use them for online games. Then I have one that I use for writing. It should be noted that I do write and post at SOL and make no bones about it here. However, that has in the past attracted at least one somewhat scary stalker. I got about thirty messages one year from someone who thought just because I wrote about something I might want to live it out... No thanks, there are lots of things that are even hot buttons when read about that I have no intention of ever being any part of. 'Erotic' 'spanking' for example is fun to read about, not something I want to do (either giving or receiving) and that is just one example. I'm not at all confused about my gender, I just happen to appreciate both males and females as partners, but really feel that no one would ever want me in a healthy way.
    5 years 4 months ago #9 by Mister D
  • There is one friend that was running his own mail-server.

    This was for a forum/domain where he was the admin.

    One of the experiments that he ran, was to create a new email address for every mailing-list/web-service/online-vendor/etc, that he signed up for.

    The emails were specific to that vendor. The example that he showed me was for the supermarket brand called Tesco's. The email that he used was Tesco_Spam @ domain.

    He then used this like plumber's blue dye. This is a method for leak tracing. Drop some blue dye in the water tank, let the taps run, and when the water coming out of the tap turns blue, take a UV light, and follow the pipes to see where the leaks are originating.

    When he checked each individual email inbox, he could see exactly where they were selling their mailing lists. Even the services where they said that they would not sell them.

    I don't remember if he ever published the stats that he got, but he was using this as a method for reducing his attack surfaces for ID theft.


    Measure Twice
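
The per-vendor address technique described in post #9, as an added example that is not part of any post in this thread: it scans a mailbox for tracer aliases that received mail from a sender domain other than the one the alias was issued to. The alias registry, the `.example` domains and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: tracer alias (local part) -> sender domains it was issued to.
ISSUED = {
    "tesco_spam": {"tesco.example"},
    "forum_signup": {"forum.example"},
}

# Constructed sample messages, not real mail.
SAMPLE_MAIL = [
    "From: offers@tesco.example\nTo: Tesco_Spam@domain.example\nSubject: Deals\n\nhi",
    "From: news@mail.tesco.example\nTo: Tesco_Spam@domain.example\nSubject: News\n\nhi",
    "From: Prize Draw <win@prizes.example>\nTo: tesco_spam@domain.example\nSubject: Won\n\nhi",
    "From: admin@forum.example\nTo: forum_signup@domain.example\nSubject: Welcome\n\nhi",
    "From: loans@quickcash.example\nTo: Tesco_Spam@domain.example\nSubject: Cash\n\nhi",
    "From: friend@people.example\nTo: personal@domain.example\nSubject: Lunch\n\nhi",
]


def domain_matches(sender_domain, allowed):
    """True if the sender is an allowed domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def find_leaks(raw_messages, issued=ISSUED):
    """Return {alias: set of unexpected sender domains} for tracer aliases.

    The From header is trivially forged, so a match proves nothing. A mismatch on
    an alias given to exactly one vendor shows the address left that vendor
    (sold, shared or breached). Vendors that send through a third-party mailer
    need that mailer's domain added to their allowed set to avoid false positives.
    """
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, to_addr = parseaddr(msg.get("To", ""))
        _, from_addr = parseaddr(msg.get("From", ""))
        alias = to_addr.rpartition("@")[0].lower()
        sender_domain = from_addr.rpartition("@")[2].lower()
        if alias not in issued:
            continue  # not a tracer address, ignore
        if not sender_domain or not domain_matches(sender_domain, issued[alias]):
            leaks.setdefault(alias, set()).add(sender_domain or "(no sender)")
    return leaks


if __name__ == "__main__":
    for alias, domains in find_leaks(SAMPLE_MAIL).items():
        print(alias, "received mail from unexpected senders:", sorted(domains))
```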