Why no secure connection? (SSL)
I was wondering, why is there no secured SSL-connection available for forumotion.com?
Currently when I log in to your forum, my password is sent to your server totally unencrypted and ready for any eavesdropper or intermediate party to read.
This is especially critical when using shared networks such as schools, companies and public WiFi hotspots. If there are no plans for supporting SSL then I'd at least expect a warning that says your credentials are sent unencrypted over the Internet, so users can be made aware of this and decide not to log in when they are on an untrusted network.
Roob4rb- New Member
- Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
Re: Why no secure connection? (SSL)
Using public networks is always a security issue and not recommended unless it's absolutely secured.
Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means.
However I'm quite positive that this would be a good thing to do.
Then again, not everyone is aware of the ssl: protocol, or even what http: means.
Re: Why no secure connection? (SSL)
Ultron's Vision wrote: "Using public networks is always a security issue and not recommended unless it's absolutely secured."
There is no 'absolutely secured' network, but HTTPS - just like any other encrypted protocol - was designed to send sensitive information over untrusted networks.
Quote: "Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means."
I'm not aware of such software, do you have any references to articles about this? There are no such current exploits known for SSLv2/SSLv3/TLS with proper ciphers, or the entire Internet would be a big chaos of information leakage.
Quote: "However I'm quite positive that this would be a good thing to do. Then again, not everyone is aware of the ssl: protocol, or even what http: means."
It should just be default for a login form, and preferably for the entire site. Redirects from http to https are not rocket science and I'm sure that FM staff has thought about this, just wondering why it currently isn't in place.
Roob4rb- New Member
- Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
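Added example (not part of the original thread, and not Forumotion's code): a small Python check for the condition discussed in the posts above, a login form whose password would travel over plain HTTP. The host forum.example and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collects each <form> and whether it holds an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.forms = []      # finished forms as (action, has_password)
        self._open = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(tuple(self._open))
            self._open = None

def audit_login_forms(page_url, html):
    """Return findings for password forms exposed to plaintext HTTP."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    if scanner._open is not None:            # form never closed in the markup
        scanner.forms.append(tuple(scanner._open))
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # empty action posts back to the page
        if urlsplit(target).scheme != "https":
            findings.append(("plaintext-submit", target))
        elif urlsplit(page_url).scheme != "https":
            # HTTPS target, but the page carrying the form is unauthenticated
            findings.append(("form-served-over-http", target))
    return findings

# Constructed sample pages (hypothetical host forum.example)
HTTP_PAGE = '<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>'
MIXED_PAGE = '<form action="https://forum.example/login" method="post"><input type="PASSWORD" name="p"></form>'
SEARCH_PAGE = '<form action="/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    print(audit_login_forms("http://forum.example/", HTTP_PAGE))
    print(audit_login_forms("http://forum.example/", MIXED_PAGE))
    print(audit_login_forms("https://forum.example/", HTTP_PAGE))
```

An empty result for a page means every password form on it is both served and submitted over HTTPS.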
Re: Why no secure connection? (SSL)
I'm not talking about fetching the key directly out of the SSL-encrypted data, I'm talking about a physical being behind a screen that is using software to gain access to the PC transmitting the data over SSL.
Re: Why no secure connection? (SSL)
Use this one - https://help.forumotion.com/t124548-password-stored-unencrypted#829371
Topic Locked
After rereading both topics, this one will be reopened.
Re: Why no secure connection? (SSL)
Well, you can suggest it if you want an SSL connection. There is no answer to why there is no SSL connection.
Edit: To add to this, an SSL connection is required when a website has many online transactions. I don't see a reason for Forumotion to have an SSL connection. Maybe it would be justified if Forumotion was a paid host.
Here I found a suggestion for the same.
https://help.forumotion.com/t90345-ssl-https-on-login?highlight=https
Sanket- ForumGuru
- Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai
Re: Why no secure connection? (SSL)
Quote: "an SSL connection is required when a website has many online transactions"
That's not true, an SSL connection is required when sensitive information is sent to/from the server, such as login credentials.
When I now login to forumotion.com, my password is sent unencrypted in plaintext over the internet to your server. Anybody capturing that data could see the password of any user, including your own staff account credentials.
Roob4rb- New Member
- Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
Re: Why no secure connection? (SSL)
Read my edited post above.
I did not say SSL was only used when there are only transactions involved. Take the example of Facebook or Gmail, which are big websites with billions of users; they can afford to have the same. For a free forum, it's not really justified.
Show me an example of a free forum with this, then maybe I would vote yes in that suggestion.
Sanket- ForumGuru
- Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai
Re: Why no secure connection? (SSL)
Sanket wrote: "Read my edited post above. I did not say SSL was only used when there are only transactions involved. Take the example of Facebook or Gmail, which are big websites with billions of users; they can afford to have the same. For a free forum, it's not really justified."
A simple SSL-certificate costs about 5-10 euros per year, this is about the same you'd pay for a domain name.
If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service.
Quote: "Show me an example of a free forum with this, then maybe I would vote yes in that suggestion."
I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existent?
Last edited by Sanket on June 11th 2013, 3:22 pm; edited 1 time in total (Reason for editing : Removed Bold)
Roob4rb- New Member
- Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
Re: Why no secure connection? (SSL)
So you have a suggestion section to provide the inputs on how much a SSL connection costs. This is a support section, where we answer to problems that are faced on the forum. This is a suggestion & not a problem.
Do you have anymore questions?
Please don't use bold or color. Please keep to the default text. This is reserved for the staff for moderation.
Quote: "If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service."
Expensive, yes that's what I said.
Last edited by Sanket on June 11th 2013, 3:27 pm; edited 1 time in total
Sanket- ForumGuru
- Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai
Re: Why no secure connection? (SSL)
Roob4rb wrote:
I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existent?
Roob4rb with all due respect.
Who cares. You are rambling on like a mad man. I had told you the other day, when you were talking about almost the same thing, that you can create a post in the suggestions section.
Forumotion has been like this since the beginning, along with many other hosts and services, paid or free, on the web. I mean, I am not trying to sound bitter, but this is becoming very annoying and have been getting complaints for potential flaming. I do not see it going that far and am trying to be as fair as I can.
All I can tell you once again is that if you feel that uncomfortable about how Forumotion or any other service sends information over the web, then do not use that service. And by all means, please do feel free to suggest this in the suggestions section. I mean, I really do not know what you expect us to do here. This is something that etoxic, the owner of Forumotion, would have to change. We have no control over this here.
For what it's worth, we have answered all we can on this matter.
kirk- Forumaster
- Posts : 11037
Reputation : 653
Language : English,Vulcan,Klingon, Romulan,& Gorn
Re: Why no secure connection? (SSL)
It is actually an issue with the current implementation of the forum, namely that my password is sent unencrypted over the internet!
If you need consultation of how to order/implement/configure this on your server then I'd gladly help, this is what I do for a living. But please don't be so difficult about a security measure that costs a few bucks per year and provides your entire userbase with much more added security.
(Also, could you please stop with micromanaging what I do with formatting, links, etc. This is highly anti-productive. I'm trying to help you by bringing serious security issues to your attention, and all you do is try to find rules that are broken or policy that does not match what I'm typing.)
Roob4rb- New Member
- Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
Re: Why no secure connection? (SSL)
So I understand the whole point of this. Sorry, but there is nothing more we could do other than pointing you in the right direction, since you are trying to solicit your services here.
Thread is Locked.
Sanket- ForumGuru
- Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai