Suggestion: please make the forum accessible via HTTPS.

I was about to register with my email address but realized it would be transmitted over the Internet in plaintext. Obviously I'd like to share it only with this website. I had to use a disposable email as a temporary workaround.

Cheers.

Thanks, temporary13. I'll make a post on the mod board and get back to you on it.

One does not simply use a "useful" email address for gaming forums.

Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Thats why i have my own internet connection in my pocket all the time

temporary13 wrote:Suggestion: please make the forum accessible via HTTPS.

I was about to register with my email address but realized it would be transmitted over the Internet in plaintext. Obviously I'd like to share it only with this website. I had to use a disposable email as a temporary workaround.

Cheers.

Why would one care about email being transmitted in plaintext, infinitely less chance to be intercepted than the site is to be broken and have the email DB stolen.
Because this is PHPBB, and about as weak as a 3 year old girl.

On top of that, why would you worry about your email address getting known?
Bajillions of spambots are out there already trying every possible combination, if you have an MX record pointing at your domain, which is the only reason one might consider actually "securing" their email address, then you are bound to get thousands of spam mails a month.

Believe me, it's far better to not really worry about your mail address being found, and instead install a good spam filter. Security through obscurity is only useful if you have other layers of security in place.

Silverware wrote:...Security through obscurity is only useful if you have other layers of security in place.

I would not consider "security by obscurity" a layer of security at all, nor is it particularly useful.
SSL encryption is not security by obscurity, it is the first line of defence for any web application. Running without it is like letting anyone with enough interest to take a copy of your key before locking yourself in at home. You can't really complain about weak locks when they eventually decide to let themselves in to loot the place.

But citing "i dont want people to know my email" is strongly implying security by (non known email address) obscurity.

Cornflakes_91 wrote:But citing "i dont want people to know my email" is strongly implying security by (non known email address) obscurity.

Keeping private stuff private, does not imply security by obscurity. No, it only implies that people shouldn't get to our account email addresses, or any other private stuff like, say...our passwords, and that is not an unreasonable requirement. How we solve that requirement is another thing. The OP suggest that encryption might be a way to accomplish that. Combined with non-buggy, tight software, it is quite possible to protect our accounts.

Actually, as it is today it's in fact security by obscurity. It's not even that obscure, because the site runs on well-known software. If people know where to look and decide to go intercepting traffic to the site, the secrets are traveling the wires in clear view. I think the site is only fairly secure today because it is a small niche site with not a lot of attention.

Now, I would argue the value of encryption on this site given the kinds of secrets held here. I consider my email address "public" so yes, I agree that securing the site just to protect my email address is a wasted effort. If anyone should hack my account, there really isn't much to steal here. Still, as a software engineer I cringe everytime I see login screens served over unencrypted connections. If Josh can afford the SSL certificate, then he should do it, it will make the site more secure. Heck, it will even give the site better SEO ranking

...on second thought, that would bring more attention to the site the hackers will roll in in waves!

plillevold wrote:

Cornflakes_91 wrote:But citing "i dont want people to know my email" is strongly implying security by (non known email address) obscurity.

Keeping private stuff private, does not imply security by obscurity. No, it only implies that people shouldn't get to our account email addresses, or any other private stuff like, say...our passwords, and that is not an unreasonable requirement. How we solve that requirement is another thing. The OP suggest that encryption might be a way to accomplish that. Combined with non-buggy, tight software, it is quite possible to protect our accounts.

Actually, as it is today it's in fact security by obscurity. It's not even that obscure, because the site runs on well-known software. If people know where to look and decide to go intercepting traffic to the site, the secrets are traveling the wires in clear view. I think the site is only fairly secure today because it is a small niche site with not a lot of attention.

Now, I would argue the value of encryption on this site given the kinds of secrets held here. I consider my email address "public" so yes, I agree that securing the site just to protect my email address is a wasted effort. If anyone should hack my account, there really isn't much to steal here. Still, as a software engineer I cringe everytime I see login screens served over unencrypted connections. If Josh can afford the SSL certificate, then he should do it, it will make the site more secure. Heck, it will even give the site better SEO ranking

...on second thought, that would bring more attention to the site the hackers will roll in in waves!

The idea of so-called "Privacy" is obscurity through obscurity. Simply not knowing a detail about a person is hiding their details from a casual glance, and that's it.
With a few basic details the amount of data I can acquire about a person is simply staggering, at least to those who cling to an outdated notion of privacy. While I do agree that the argument "you have nothing to hide thus have nothing to fear" is a stupid argument, I do agree with the idea that you cant really do shit about being private in the modern era.

Best you can do is be secure, and for that you want to keep separate, unique, complex (for computers) passwords, change them frequently, and dont store them in any form.
Along with a password, someone should use a second-factor auth, such as a Priv/Pub key pair, and/or an Auth token.

You also need to have a secured server that you are connecting to, regardless how paranoid you are, I can get a wealth of information by watching from the host you are connecting to.

However yes I do agree that Josh should put SSL encryption on, for the SEO ranking. You can get high-quality free SSL signed certs through Let's Encrypt, (https://letsencrypt.org/), which is what I have picked up for my own server. Works really well.

plillevold wrote:Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.

I don't really get the concern over the email for comparison, but whatever, at least that's data with some relevance.

Mordakai wrote:

plillevold wrote:Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.

I don't really get the concern over the email for comparison, but whatever, at least that's data with some relevance.

You would be surprised, the most paranoid of Linux geeks I have met, still reuses his password in the wrong places. This is a dickhead who thinks tor is good... (Tor is evil)

Mordakai wrote:

plillevold wrote:Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
.

Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires a SSL secured server in the receiving end.

plillevold wrote: Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires a SSL secured server in the receiving end.

Depends, can your credit card only be used to access gaming discussions with no connection to your money? Comparison isn't really valid.

My point wasn't the keeping passwords secret is pointless, but that the importance of a secure password is no greater than the importance of the thing(s) it can access. If that's your credit card pin, sure, that's bad. Your LT account? Less so.

None of this is saying I wouldn't prefer it be secure, I just wouldn't classify it as a big deal.

plillevold wrote:

Mordakai wrote:

plillevold wrote:Even worse, our passwords are sent in the clear as well. No good when checking the forums on the airport or from random Internet cafés

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
.

Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point with pin codes and passwords if we not at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires a SSL secured server in the receiving end.

This is the correct point.
And one of the two valid points made for SSL encryption on here.

Passwords and SEO Ranking :V