
HTTPS not working properly on here

retro-pc_user

Veteran Member
Joined
Oct 13, 2017
Messages
692
Location
SE Michigan, USA
Don't know if this is a known bug or not, but, the HTTPS for this site isn't working whatsoever.

Here's what it looks like:
 

Attachment: VCFed-HTTPS.jpg

SomeGuy

Veteran Member
Joined
Jan 2, 2013
Messages
4,143
Location
Marietta, GA
HTTPS is an evil blight on the internet designed to intentionally lock out older clients, further forcing everyone into upgrading software and hardware.

Since this forum is about vintage computing, locking out such users would be the wrong thing to do.

- Posted from Windows 95.
 

commodorejohn

Veteran Member
Joined
Jul 6, 2010
Messages
3,135
Location
California, USA
HTTPS is an evil blight on the internet designed to intentionally lock out older clients, further forcing everyone into upgrading software and hardware.

Since this forum is about vintage computing, locking out such users would be the wrong thing to do.

- Posted from Windows 95.
^ What he said.
 

mbbrutman

Associate Cat Herder
Staff member
Joined
May 3, 2003
Messages
6,236
HTTPS is not implemented here. Anything you see today is an accident ...

However, it is on the todo list and I expect it will be implemented soon. It will be optional, not required - you will still be able to use HTTP. (Or at least that is the plan.)

Remember, you are transmitting your userid and password via cookies every time you load a page here when you are signed in. I hope you are using a unique password for this site, even if we do implement HTTPS.
 

mbbrutman

Associate Cat Herder
Staff member
Joined
May 3, 2003
Messages
6,236
Staying logged in means that you are basically sending a cookie that indicates you are logged in each time you load a page. That cookie is enough to let you make posts under your identity. So while not as bad as sending a password, it's still pretty bad - somebody can impersonate you with just the cookie.

Any machine that sees that request packet can see the cookie. That includes your ISP and anybody sniffing packets if you are using an open WiFi hotspot. Even if you just load a page from this forum while "logged in" without sending the password, you have just given somebody what they need to impersonate you. Sending a password is slightly worse, unless you reuse passwords across multiple forums - then you are really playing with fire.

The short story is that ranting about HTTPS seems to be uninformed. We're not going to break old machines and browsers. But we will encourage people to do their normal activities here using SSL to minimize the risk. And everybody should understand what the risk is and mitigate it properly.
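
Added example, not part of the original thread or the forum's own code: a Python audit of `Set-Cookie` headers showing which cookies a browser would still attach to plain `http://` requests when HTTPS is optional, which is the exposure described in the post above. The cookie names and values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers; names and values are hypothetical.
SAMPLE_HEADERS = [
    "forum_session=3f9a1c; Path=/; HttpOnly",
    "forum_user=692%2Cdeadbeef; Path=/; Max-Age=2592000; HttpOnly",
    "forum_csrf=a1b2c3; Path=/; Secure",
    "forum_session_tls=77aa10; Path=/; Secure; HttpOnly",
]

def parse_set_cookie(header):
    """Return (name, morsel) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel

def sent_over(scheme, morsel):
    """Browser rule: a cookie marked Secure is never attached to http:// requests."""
    return scheme == "https" or not morsel["secure"]

def audit(headers):
    """Report, per cookie, how exposed it is to anyone who can observe HTTP traffic."""
    report = {}
    for header in headers:
        name, morsel = parse_set_cookie(header)
        report[name] = {
            "cleartext": sent_over("http", morsel),
            "script_readable": not morsel["httponly"],
            "persistent": bool(morsel["max-age"] or morsel["expires"]),
        }
    return report

def exposed_cookies(headers):
    """Names of cookies that still travel in cleartext while HTTPS is only optional."""
    return sorted(n for n, r in audit(headers).items() if r["cleartext"])

if __name__ == "__main__":
    for name, result in audit(SAMPLE_HEADERS).items():
        print(name, result)
    print("sent on http://:", exposed_cookies(SAMPLE_HEADERS))
```

A login cookie without the `Secure` attribute is sent on every HTTP page load even if the user originally signed in over HTTPS, so enabling HTTPS alone does not remove the exposure.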
 

glitch

Veteran Member
Joined
Feb 1, 2010
Messages
4,964
Location
Central VA
There are indeed "SSL Strip" proxies; with proper firewall configuration, you can even make them transparent.
 

CP/M User

Veteran Member
Joined
May 2, 2003
Messages
2,980
Location
Back of Burke (Guday!), Australia
Staying logged in means that you are basically sending a cookie that indicates you are logged in each time you load a page. That cookie is enough to let you make posts under your identity. So while not as bad as sending a password, it's still pretty bad - somebody can impersonate you with just the cookie.

Any machine that sees that request packet can see the cookie. That includes your ISP and anybody sniffing packets if you are using an open WiFi hotspot. Even if you just load a page from this forum while "logged in" without sending the password, you have just given somebody what they need to impersonate you. Sending a password is slightly worse, unless you reuse passwords across multiple forums - then you are really playing with fire.

The short story is that ranting about HTTPS seems to be uninformed. We're not going to break old machines and browsers. But we will encourage people to do their normal activities here using SSL to minimize the risk. And everybody should understand what the risk is and mitigate it properly.

That's disturbing news. I have got a WiFi Device, though I keep it disabled.
 

eeguru

Veteran Member
Joined
Mar 14, 2011
Messages
1,618
Location
Atlanta, GA, USA
The short story is that ranting about HTTPS seems to be uninformed. We're not going to break old machines and browsers. But we will encourage people to do their normal activities here using SSL to minimize the risk. And everybody should understand what the risk is and mitigate it properly.

My password is 'mikebizsexyazhel'. Is that secure?
 

mbbrutman

Associate Cat Herder
Staff member
Joined
May 3, 2003
Messages
6,236
I can see that we should be looking into other types of security too ... ;-)
 

pearce_jj

Veteran Member
Joined
May 14, 2010
Messages
2,746
Location
UK
There are indeed "SSL Strip" proxies; with proper firewall configuration, you can even make them transparent.

Most corporates do this and re-sign with a self-signed certificate. IMHO TLS should be somehow evolved to prevent this.
 