PhysicsForums and SSL, HTTPS

  • Thread starter: Crake
Hey there,

I noticed recently that PhysicsForums doesn't use HTTPS, not even in the login/registration pages. I find it to be a major flaw and something that should be addressed to protect the privacy/security of PF members.

Is there a reason for not using HTTPS? Or perhaps it's coming in the next updates?
 
Changing only part of the site to https is not going to change much.

Greg wants to upgrade the forum; unfortunately, it is not clear which engine to choose. As long as it is not clear, the next version of PF is in limbo.
 
The NSA/CSS already has all of your personal information on file.
 
Facebook and Google use HTTPS URLs, so it's definitely a good idea.
 
jedishrfu said:
Facebook and Google use HTTPS URLs, so it's definitely a good idea.
I. Just. Can't. Resist:

jhae2.718 said:
The NSA/CSS already has all of your personal information on file.
 
Getting serious, that this site does not use HTTPS means your password should be different from that used on more secure systems, and from other unsecured systems as well. It never hurts to be too paranoid when it comes to computer security.

Even with a supposedly secured site, it's a good idea to read the sad saga of Mat Honan: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/.
 
The sad thing is that what happened to Mat Honan can happen to any of us no matter what we do. HTTPS makes it more difficult to hack and co-opt a site. Beyond that, there are other things that may need to be fixed to make PF more secure.

Also, in Mat's case and in others, there was a human element of social engineering that completed the hack.
 
Borek said:
Changing only part of the site to https is not going to change much.

Greg wants to upgrade the forum; unfortunately, it is not clear which engine to choose. As long as it is not clear, the next version of PF is in limbo.

Well, changing only part of the site to HTTPS (the login part) might/will protect a user's password. I bet some people here use the same password for several sites. One guy with Wireshark and ...
 
  • #10
D H said:
Getting serious, that this site does not use HTTPS means your password should be different from that used on more secure systems, and from other unsecured systems as well. It never hurts to be too paranoid when it comes to computer security.

Even with a supposedly secured site, it's a good idea to read the sad saga of Mat Honan: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/.

That's a big story! 4 pages... Thanks for the light though, didn't know about it.
 
  • #11
D H said:
Getting serious, that this site does not use HTTPS means your password should be different from that used on more secure systems, and from other unsecured systems as well. It never hurts to be too paranoid when it comes to computer security.

Going one further, you should use a different password for each site you have an account on.
 
  • #12
jhae2.718 said:
Going one further, you should use a different password for each site you have an account on.

Yes. That is true. Sites should, however, have an HTTPS version, one that supports forward secrecy.
 
