https: security for the forums is expired

Status
Not open for further replies.

tortuga

Greetings forum mods, the security certificate for the forums is expired. When I go to https://forums.mikeholt.com I get an error like:
This server could not prove that it is forums.mikeholt.com; its security certificate expired 218 days ago. This may be caused by a misconfiguration or an attacker intercepting your connection. .....
I use a free service called https://letsencrypt.org/ to secure webservers that would probably take care of the issue.
 
I just type in forums.mikeholt.com I don't use any https or anything else.

I have it bookmarked on the bar but that is the address- never had an issue with it.
 
Yeah it used to be a big deal but now in 2017 it does not really take much CPU power to encrypt web traffic and it is more secure and it's a free service.
 
The bottom line is that when on this forum your traffic is not encrypted. Anyone nefarious sitting in a coffee shop could steal your login info if you're there on public WiFi.
 
:eek:hmy::eek:hmy::eek:hmy::eek:hmy:
well, let's see. everyone logs in, yes? well guess what, your logins are pretty much clear text on the wire, so anyone sniffing the traffic has your credentials.

the avg joe in starbucky's won't know how to do this.

md5 in jscript is useless ;), hence why a TLS layer using ECDH cipher is the way to go.

so the moral of this story is, use HTTPS for at least the login! the cert expired in Jan 2017

and yes, the cracker found my password!

 
My (latest) version of Firefox gives you warnings when it encounters a non-https login. I find that very few boards have secure logins, only those that were recently updated to the latest software.

And on the subject of logging in- why do I have to continually log in while I navigate the site?

-Hal
 
Did you check "Remember me on this site" or similar when you logged in? That should set an identity cookie in your browser that will remove the need to log in unless that cookie expires or gets cleared.
Some browser settings will inhibit those persistent cookies, causing you to have to keep logging in.
 
how many of you use a password that is also used elsewhere?
hackers are not after your PMs from this site, but having your password and knowing your location (profile) is valuable info ;)

just make sure the password you use here is very different than any other online password you have, and that all your online passwords are different.

but as i noted, the login submission should be done via https. there's no good reason not to.
 
If you log in using the http URL then someone drops a link to an https URL and you click it, you are logged out under https...but still logged in under http.

What needs to be done to fix this would be something like:
1) $5/yr quick ssl on ssls.com
2) write a line in .htaccess that forces https on any request (this covers any old http link dropped, google indexed link, etc = all page loads)
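
An added example, not part of the original post, of what step 2 could look like in Apache. It assumes mod_rewrite is enabled, a valid certificate is already installed, and TLS terminates on this server so that %{HTTPS} is accurate; the hostname is the one given in the thread.

```apache
# .htaccess in the site root (added example; assumes mod_rewrite is available)
RewriteEngine On

# Any request that arrived over plain HTTP is redirected to HTTPS.
# The target host is written out instead of using %{HTTP_HOST}, so the
# redirect cannot be steered by a client-supplied Host header.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://forums.mikeholt.com%{REQUEST_URI} [R=301,L]

# On HTTPS responses only, tell the browser to use HTTPS for future visits,
# so old http:// bookmarks and links no longer touch the plain-HTTP site.
# Needs mod_headers and Apache 2.4.10+ for the expr= condition.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
</IfModule>
```

With the redirect in place every page load lands on one scheme, so the session cookie is no longer split between an http and an https login state.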
 
with a small compute you may not want to chew up resources for TLS for all pages, you only need the form submit code to use "https", etc. the content of MH Forums (less profile pages) does not need TLS.
 
I guess I'm not quite following what you're saying, I read your earlier post, but that was a bit over my head to be honest :)

I get what you're saying about the login being secure, but what I'm saying is that if you log in via an https link, and then after you are logged in you just go and change that link to http, that actually will log you out.

So unless I'm mistaken (absolutely possible!) you can't login under a secure connection and then stay logged in under an insecure one.

I'm not sure if I've noticed a speed difference between running a forum on http vs https, but then again, I never really thought to test it. I've just always run https for good measure since many APIs are starting to require it anymore (affects the ability to use some addons/plugins/mods)
 
^ this above also was my experience when a site with a cert didn't force it, meaning you could load pages under http or https with no warnings. So you could flip back & forth.

If a site doesn't have a cert, I suppose you could try to do this, but my attempts to do so here (on chrome) failed - it would not allow me to log in with https in the address bar...
 
a common browser extension is available to force secure connections
wherever possible. strongly suggested.

https://www.eff.org/https-everywhere

that, a VPN, and something like 1Password, to manage a
unique password for everyplace you visit, without storing
those passwords in the browser, is about as secure as
you can get without a ton of inconvenience.

as for protecting your privacy at the browser level, there
are a number of browser plugins to help with this, the first
being the choice of browser.

i've long been a fan of chrome, for its speed, but am changing
over to firefox for the increased security.
 