Enabling HTTPS ?

[warriorcookie]

Quote:

Originally Posted by Coasting

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.

While this sucks big time, to be clear, https would NOT have prevented this. This was a database dump.

[warriorcookie]

Just wanted to clarify, as my previous responses where typed on a touch screen from an airplane...

Do I think https should be employed: whenever possible, yes! But does this mean you can rest easy that your user names, passwords, birthdates, email address and everything else is safe on this forum and any other: absolutely not!

The reality is that maybe a few of the forums will spend the money and upgrade to https, but the vast majority simply cannot or will not, and it only marginally improves one aspect of the many security vulnerabilities that these forums face. The only thing you can rely on is yourself to follow the latest good security practices when it comes to what info you keep online and how you choose usernames and passwords and how often you change them. My information has been stolen once before, but they only got access to a limited amount of information and there was zero overlap with any other website be it banking info or other.

[Myka]

Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it.

[warriorcookie]

Quote:

Originally Posted by Myka

Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it.

Yup, that's the way I do it. Keep the info you enter in your profile limited and use a different password for everything. Repeating the email or username is fine.

There's lots of password managers out there. You need to make sure whichever you go with is secure. If it becomes compromised then they have everything. After looking into several, Lastpass was the one I settled on.

[SoloSK71]

Wow, I can't believe the contrast in staff response between here and Reef Central to my question. Myka and Titus, you guys have gained a ton of respect in my books.

Charles

[Samw]

oh interesting. I didn't realize Canreef had been running this long without HTTPS enabled.

Without HTTPS, our login ids and passwords and everything else are sent to the webserver in plain text for anyone between the network endpoints to read with a packet sniffer. Of course, the users most at risk are the ones that use the same id/email and passwords on other websites. That's how many people get hacked.

There are free certificates now such as letsencrypt. I haven't personally used them myself but it looks popular.

Taking a quick scan at some aquarium forums, reef2reef, reefcentral, bcaquaria, plantedtank, etc are all using HTTPS.

[titus]

Hello

The plan is to migrate to Discourse and a lot of code was written to automate generation and rotation using Let's Encrypt, and no I'm not using certbot but written our own custom one. The UAT version was deployed on https://uat.canreef.com. You can see the cert expired on 20 Nov 2022. That's not the issue but the following.

My original plan was to have the following:
https://www.canreef.com/discussion for the discussion forums
https://www.canreef.com/<other stuff> for other stuff

And so I setup an NGINX reverse proxy to do this but there were some issues with Discuss supporting this. That was back in Oct and then I ran into a rabbit hole and then stopped.

I could have gone with the following:
https://www.canreef.com for discussion forum
https://other.canreef.com for other stuff

However doing it this way means we need different DNS alias entries for each incremental feature I want to add. It is not insurmountable as I setup our own DNS server with code as well but it's extra step and I really didn't like the idea of how the DNS look.

Given how far we have gotten I'd rather just finish the work proper.

Titus