Request: HTTPS encryption for website as default

Post by Nonononoki » Fri Oct 26, 2018 9:30 am

EDIT: I just noticed that there is an encrypted version. Most users (including me) probably don't use the https version of this website because it's not the default one. Login and Registering pages can still be accessed without encryption.

I think it is in the best interest of all users that this website should be properly encrypted. It's extremely risky when everyone can see my password in the login and register page. Certificates are now free via Let's Encrypt.

Re: Request: HTTPS encryption for website as default

Post by Erroneous » Mon Oct 29, 2018 3:29 pm

While I don't disagree it would be a useful tool to always have when it comes to safety, security, and privacy, I just feel there are a lot of misconceptions being thrown out there that were fed to you or that you may be attempting to feed to everyone because you have seen others do so on other communities you frequent.

Nonononoki wrote: I think it is in the best interest of all users that this website should be properly encrypted.


Are you aware how encryption works? Do you know the history and purpose of this type of encryption (SSL certificate)? The internet isn't something new, it's been around for decades and has evolved and continues to evolve. The HTTPS protocol was originally exclusive for sites that required a user to input credit card information into a form that submitted that information from client to server. This is or was the only time people would have noticed their URL redirected from HTTP to HTTPS when they used online banking or online shopping. And it was there where this level of encryption was beneficial, but nothing new. You and the rest of the internet mostly used unsecured websites all this time, or at least what the internet thinks of what SSL certification encryption does. But what about all the other encryptions your client and our servers offer unrelated to HTTPS protocols? Such as your password hash type? That in itself is an encryption, in this case we use MD5 encryption to mask passwords stored in the SQL database with the rest of your account information. What about the encryption on your router? Are you using WEP, WPA or WPA2? Do you know what they mean? What the pros and cons of which to use? That there is a difference in level of security each offers? We live in an age of "internet of things", are you aware if your Google Home, Amazon Alexa, Amazon Firestick, Google Chromecast, Nest Thermostat, etc. is secured? Hackers who know the port number of these devices can get around your router and firewall if these individual devices themselves aren't secured.

I mean face it, if real hackers wanted to get into your at-home network or this website, they probably could. Especially via a vulnerability through some device you haven't considered or through a software update a developer/engineer unintentionally created. But I doubt there'd be much demand to attack a site's accounts for a video game series that died in 2005.

Nonononoki wrote: It's extremely risky when everyone can see my password in the login and register page.


Your password visibility to everyone has not changed from the time 15 years ago when HTTP was the norm to today with the scare that every site must use HTTPS. It is hashed and salted, to normal eyes these look like a string of random alphanumeric characters compared to what your password actually is. Still, I do agree with you that an extra level of security is always a good thing, when handled and protected by a group or service you can trust.

Nonononoki wrote: Certificates are now free via Let's Encrypt.


Only to sites they support; it's not free or available everywhere, there are restrictions. And the server host company of this site is not on their compatibility list.
https://community.letsencrypt.org/t/web ... crypt/6920

Even still, it all comes down to who to trust to handle your encryption and security. And each company has various levels of security, it's not just a simple blanket level that covers everything. With that comes varied price levels offering number of certificates, uptime (higher price tiers offer 100% whereas lower price don't), DDoS attack mitigation/prioritization, types of certifications (image/file uploads may require another), price in general (can we afford it and what frequency will they charge us).

Nonononoki wrote: EDIT: I just noticed that there is an encrypted version. Most users (including me) probably don't use the https version of this website because it's not the default one. Login and Registering pages can still be accessed without encryption.


Luckily, as of this month since HTTPS logins are a hot button this year, the web host company for this site has instilled a basic level SSL certificate self-hosted by them. Except however with this and other changes they implemented to the server/service without GhaleonOne's consent (and rising annual fees) we technically do have HTTPS logins available, it just needs further configuration on our end to fully support.

While Let's Encrypt is not available for this site as outlined in their support page, there are other free alternatives such as Cloudflare. At some point many of you may have seen this site especially on larger company or service websites when they get DDoS attacked.

There are many things to consider when looking into safety and security, most of the time it comes down to money. Paying for domain names, webspace, websoftware licenses, SSL certificates; and rising fees for these services. Can we afford it? Where does the money come from? Is there a budget to maintain it for years to come?

I hope this has expanded your mind on the subject. I meant in no way to challenge or attack you but to help you understand all variables involved that the site owner has or will have to consider when implementing changes as the internet grows. G1 has been a proud owner and fan of this community since 2002, and a lot of things have changed dramatically in the last 16 years of this message board's life. Let's see what the future holds.
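
A check for the gap raised in this thread (login and registration pages reachable without encryption, and HTTPS needing further configuration before it is the default), as an added example that is not part of either post: it audits recorded HTTP responses for a redirect to HTTPS, an HSTS header, and the Secure cookie flag. The host `forum.example`, the paths, the cookie values and the finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample responses: (url, status, [(header, value), ...]); all values are made up.
SAMPLES = [
    ("http://forum.example/login", 200, [("Set-Cookie", "sid=constructed; HttpOnly")]),
    ("http://forum.example/register", 301, [("Location", "https://forum.example/register")]),
    ("https://forum.example/login", 200, [("Set-Cookie", "sid=constructed; HttpOnly")]),
    ("https://forum.example/", 200,
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "sid=constructed; Secure; HttpOnly")]),
]

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, 0 if absent or invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def cookie_is_secure(set_cookie):
    """True if the Set-Cookie value carries the Secure attribute."""
    return "secure" in [p.strip().lower() for p in set_cookie.split(";")[1:]]

def audit(url, status, headers):
    """Return finding labels (hypothetical names) for one recorded response."""
    get = lambda name: [v for k, v in headers if k.lower() == name]
    cookies, findings = get("set-cookie"), []
    if urlsplit(url).scheme == "http":
        location = (get("location") or [""])[0]
        # A relative Location keeps the client on http, so it does not count.
        if not (status in REDIRECTS and urlsplit(location).scheme == "https"):
            findings.append("no-https-redirect")
        if cookies:
            findings.append("cookie-over-http")
    else:
        if hsts_max_age((get("strict-transport-security") or [""])[0]) <= 0:
            findings.append("no-hsts")
        if any(not cookie_is_secure(c) for c in cookies):
            findings.append("cookie-not-secure")
    return findings

def run():
    """Audit every constructed sample and map each URL to its findings."""
    return {url: audit(url, status, headers) for url, status, headers in SAMPLES}
```

An empty list means the response passed every check; a plain-HTTP login page that answers 200 is the case the first post describes.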

