HTTPS access to aerowinx.com

Started by Jeroen Hoppenbrouwers, Tue, 4 Apr 2017 23:58

Jeroen Hoppenbrouwers

Hardy,

You may want to inquire at your service provider what a TLS ("HTTPS") certificate would cost. Some web browsers (such as Mozilla Firefox) are now complaining that you don't use HTTPS on the login page. It isn't a requirement yet (you can skip the warnings) but it will eventually become "not done".

Typically such a certificate costs $20 or so per year and getting it to work typically is an hour's work if you have a manual of your web server at hand if you do it for the first time.


Hoppie

Mark

I now fully automate my TLS certificates for free (yes! free!) using:
https://letsencrypt.org/

Hardy - what web server are you using? There are scripts/daemons for all the popular ones that automate the TLS certificate very easily.

In all honesty, it's not the 'free' part that matters, it's the ease of use/installation that LetsEncrypt provides.

Edit: I see you're using Apache... easy guide here:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Hardy Heinlin

Do you guys think a hacker would want to read someone's forum password to get access to the forum?

It's much easier to register a new forum account. The register page is public. Everyone can do it who can answer the anti-spam question.

Jeroen Hoppenbrouwers

It's not about security, this particular issue. It's about the Aerowinx web site being increasingly branded as INSECURE!!!!1!!! GET OUT OF HERE!!! by web browsers that are possibly a bit too eager to drive the world to encryption.


Hoppie

Jeroen Hoppenbrouwers

Quote from: Hardy Heinlin on Wed, 5 Apr 2017 20:36
> Do you guys think a hacker would want to read someone's forum password to get access to the forum?

No -- he would use the same password to try to get into, say, PayPal. Too many people still use the same login/password basically everywhere. That in itself is not "your" problem, of course.


Hoppie

asboyd

It is not the browser that is the problem, Hoppie, it is the paranoid servers within the web that blacklist forums without HTTPS to help boost income for providers (and it is the providers themselves that blacklist those sites without certificates, talk about self-serving marketing).... :)
Mycockpit.org has been blacklisted as corrupt/hacked, but only with older browsers such as Firefox and Opera... Edge and IE still see them as OK (gee wonder why???).....

Cheers,
Alex Boyd... Sydney, Australia

Jeroen Hoppenbrouwers

This particular problem is not a blacklisting one. It's asking for login/password over HTTP.

http://www.pcworld.com/article/3161778/software/chrome-firefox-start-warning-users-when-websites-use-insecure-http-logins.html

I'm not pro or con; just seeing whether "the world" forces us to do something to not stand out too much.


Hoppie