Suggestion: please make the forum accessible via HTTPS.
I was about to register with my email address but realized it would be transmitted over the Internet in plaintext. Obviously I'd like to share it only with this website. I had to use a disposable email as a temporary workaround.
Cheers.
Post
Sun Feb 19, 2017 11:47 am
#2
Re: HTTPS access
Thanks, temporary13. I'll make a post on the mod board and get back to you on it.
Have a question? Send me a PM! || I have a Patreon page up for REKT now!
Post
Sun Feb 19, 2017 11:58 am
#3
Re: HTTPS access
One does not simply use a "useful" email address for gaming forums.
Post
Sun Feb 19, 2017 11:59 am
#4
Re: HTTPS access
Even worse, our passwords are sent in the clear as well. No good when checking the forums at the airport or from random Internet cafés.
old-fashioned
Post
Sun Feb 19, 2017 12:00 pm
#5
Re: HTTPS access
That's why I have my own internet connection in my pocket all the time.
Post
Sun Feb 19, 2017 12:02 pm
#6
Re: HTTPS access
> temporary13 wrote:
> Suggestion: please make the forum accessible via HTTPS.
> I was about to register with my email address but realized it would be transmitted over the Internet in plaintext. Obviously I'd like to share it only with this website. I had to use a disposable email as a temporary workaround.
> Cheers.

Why would one care about email being transmitted in plaintext? Infinitely less chance to be intercepted than the site is to be broken and have the email DB stolen.
Because this is PHPBB, and about as weak as a 3-year-old girl.
On top of that, why would you worry about your email address getting known?
Bajillions of spambots are out there already trying every possible combination. If you have an MX record pointing at your domain, which is the only reason one might consider actually "securing" their email address, then you are bound to get thousands of spam mails a month.
Believe me, it's far better to not really worry about your mail address being found, and instead install a good spam filter. Security through obscurity is only useful if you have other layers of security in place.
<Cuisinart8> apparently without the demon driving him around Silver has the intelligence of a botched lobotomy patient ~ Mar 04 2020
console.log(`What's all ${this} ${Date.now()}`);
Post
Sun Feb 19, 2017 12:55 pm
#7
Re: HTTPS access
> Silverware wrote:
> ...Security through obscurity is only useful if you have other layers of security in place.

I would not consider "security by obscurity" a layer of security at all, nor is it particularly useful.
SSL encryption is not security by obscurity, it is the first line of defence for any web application. Running without it is like letting anyone with enough interest to take a copy of your key before locking yourself in at home. You can't really complain about weak locks when they eventually decide to let themselves in to loot the place.
Post
Sun Feb 19, 2017 1:03 pm
#8
Re: HTTPS access
But citing "I don't want people to know my email" is strongly implying security by (non known email address) obscurity.
Post
Sun Feb 19, 2017 1:51 pm
#9
Re: HTTPS access
> Cornflakes_91 wrote:
> But citing "i dont want people to know my email" is strongly implying security by (non known email address) obscurity.

Keeping private stuff private does not imply security by obscurity. No, it only implies that people shouldn't get to our account email addresses, or any other private stuff like, say...our passwords, and that is not an unreasonable requirement. How we solve that requirement is another thing. The OP suggests that encryption might be a way to accomplish that. Combined with non-buggy, tight software, it is quite possible to protect our accounts.
Actually, as it is today it's in fact security by obscurity. It's not even that obscure, because the site runs on well-known software. If people know where to look and decide to go intercepting traffic to the site, the secrets are traveling the wires in clear view. I think the site is only fairly secure today because it is a small niche site with not a lot of attention.
Now, I would argue the value of encryption on this site given the kinds of secrets held here. I consider my email address "public" so yes, I agree that securing the site just to protect my email address is a wasted effort. If anyone should hack my account, there really isn't much to steal here. Still, as a software engineer I cringe every time I see login screens served over unencrypted connections. If Josh can afford the SSL certificate, then he should do it, it will make the site more secure. Heck, it will even give the site better SEO ranking.
...on second thought, that would bring more attention to the site, the hackers will roll in in waves!
Post
Sun Feb 19, 2017 3:05 pm
#10
Re: HTTPS access
> plillevold wrote:
>> Cornflakes_91 wrote:
>> But citing "i dont want people to know my email" is strongly implying security by (non known email address) obscurity.
>
> Keeping private stuff private does not imply security by obscurity. No, it only implies that people shouldn't get to our account email addresses, or any other private stuff like, say...our passwords, and that is not an unreasonable requirement. How we solve that requirement is another thing. The OP suggests that encryption might be a way to accomplish that. Combined with non-buggy, tight software, it is quite possible to protect our accounts.
> Actually, as it is today it's in fact security by obscurity. It's not even that obscure, because the site runs on well-known software. If people know where to look and decide to go intercepting traffic to the site, the secrets are traveling the wires in clear view. I think the site is only fairly secure today because it is a small niche site with not a lot of attention.
> Now, I would argue the value of encryption on this site given the kinds of secrets held here. I consider my email address "public" so yes, I agree that securing the site just to protect my email address is a wasted effort. If anyone should hack my account, there really isn't much to steal here. Still, as a software engineer I cringe every time I see login screens served over unencrypted connections. If Josh can afford the SSL certificate, then he should do it, it will make the site more secure. Heck, it will even give the site better SEO ranking.
> ...on second thought, that would bring more attention to the site, the hackers will roll in in waves!

The idea of so-called "Privacy" is obscurity through obscurity. Simply not knowing a detail about a person is hiding their details from a casual glance, and that's it.
With a few basic details the amount of data I can acquire about a person is simply staggering, at least to those who cling to an outdated notion of privacy. While I do agree that the argument "you have nothing to hide thus have nothing to fear" is a stupid argument, I do agree with the idea that you can't really do shit about being private in the modern era.
Best you can do is be secure, and for that you want to keep separate, unique, complex (for computers) passwords, change them frequently, and don't store them in any form.
Along with a password, someone should use a second-factor auth, such as a Priv/Pub key pair, and/or an Auth token.
You also need to have a secured server that you are connecting to. Regardless how paranoid you are, I can get a wealth of information by watching from the host you are connecting to.
However yes I do agree that Josh should put SSL encryption on, for the SEO ranking. You can get high-quality free SSL signed certs through Let's Encrypt (https://letsencrypt.org/), which is what I have picked up for my own server. Works really well.
Post
Sun Feb 19, 2017 3:17 pm
#11
Re: HTTPS access
> plillevold wrote:
> Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
I don't really get the concern over the email for comparison, but whatever, at least that's data with some relevance.
Post
Sun Feb 19, 2017 3:30 pm
#12
Re: HTTPS access
> Mordakai wrote:
>> plillevold wrote:
>> Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés
>
> Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
> I don't really get the concern over the email for comparison, but whatever, at least that's data with some relevance.

You would be surprised, the most paranoid of Linux geeks I have met, still reuses his password in the wrong places. This is a dickhead who thinks tor is good... (Tor is evil)
Post
Sun Feb 19, 2017 4:36 pm
#13
Re: HTTPS access
> Mordakai wrote:
>> plillevold wrote:
>> Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés
>
> Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
> .

Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we do not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires an SSL secured server at the receiving end.
Post
Sun Feb 19, 2017 4:54 pm
#14
Re: HTTPS access
> plillevold wrote:
> Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires a SSL secured server in the receiving end.

Depends, can your credit card only be used to access gaming discussions with no connection to your money? Comparison isn't really valid.
My point wasn't that keeping passwords secret is pointless, but that the importance of a secure password is no greater than the importance of the thing(s) it can access. If that's your credit card pin, sure, that's bad. Your LT account? Less so.
None of this is saying I wouldn't prefer it be secure, I just wouldn't classify it as a big deal.
Post
Sun Feb 19, 2017 5:52 pm
#15
Re: HTTPS access
> plillevold wrote:
>> Mordakai wrote:
>>> plillevold wrote:
>>> Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés
>>
>> Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
>> .
>
> Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires a SSL secured server in the receiving end.

This is the correct point.
And one of the two valid points made for SSL encryption on here.
Passwords and SEO Ranking :V