
HTTPS Mode

Status
Not open for further replies.

Jon855

I am uncertain if this has been asked before.

I do not know if this is cost-prohibitive or not. Would [H] consider enforcing HTTPS at all times once a user had logged in instead of the login portion?

I am sure some members may be concerned about "NSA" and others. However, I am not concerned about that - it's just nearly common sense: if one logs into an account, why wouldn't the entire communication be encrypted from/to the server/client?

I can see that the forum is basically a public facing site where all minus Genmay are exposed to the general public.

I don't know - thought I'd just toss that out there and see what exactly comes out of it.

Thanks :)
 
Private messages can be read by admins and some mods I believe. And if you are sending confidential info via PM I think you need some lessons in internet security.

Why does HardForum need good security practices? If Kyle is getting ready to buy PayPal, then maybe he should learn. But I doubt he is. When you buy GenMay you get HTTPS, and on all needed sections of the site. Having HTTPS everywhere on a forum is kinda stupid and a waste of time.
 
1) I know that admins/mods can read PMs if needed. I was just merely pointing out that if it's not encrypted at the time when a PM is being sent, then what is stopping others from intercepting that message, regardless of whether it's confidential information or not. People share a bunch of conf info on here every day - perhaps nothing serious, but for the sake of argument, addresses and some such things like that. I do have a good security practice.

2) Perhaps it's stupid and a waste of time, which is why I just floated the question here. Some sites have reverted to using HTTPS full-time. I just asked because clearly [H] has SSL certification and why not use it all of the time unless the bandwidth cost or another factor plays into it.

Just merely a curious question more than anything. No need to be so defensive but you do make good points there.
 
HTTPS requires cryptographic functions. I don't know what the hardware makeup for the forums is, but having to add that additional load for 4-5k members may make things more difficult.

Sites that enforce HTTPS have a real need to protect users due to the potential damage that may be incurred if data is obtained and used maliciously (i.e. Facebook identities are real people, PayPal handles people's money) and have spent a substantial amount of money to upgrade their infrastructure to handle the additional workload of performing those cryptography functions. Given the nature of the content and number of active users on this forum, it would be far more beneficial to attack the database directly than to watch the data streaming in and out.
 
It'd be a great idea if it didn't bog down the servers & eat up a ton of bandwidth. I think that it wouldn't be hard for Kyle & crew to implement it for PMs only if needed.
 
I'd like to add my support for HTTPS. Some ISPs are injecting their own ads into pages. This would prevent that or at least make it that much harder.
 
IMO any site that has any sort of logins should have HTTPS. Certs are like 10 bucks a year for the lowest ones. There really is no excuse NOT to use HTTPS.
 
I think when you log in there should be HTTPS. That's it. And I think that's already in place.
 