The links in "Reply to thread" emails are all plain http so Firefox doesn't know that I'm logged in when I click them. It's no big deal but it would be an improvement if those links were https. Thanks!
There's also the small detail that the site isn't available via HTTPS... Fix your firefox.
It gets only a B rating from SSL Labs so it's not perfect but it is available via https
https://www.ssllabs.com/ssltest/anal...reetriders.com
Bah, chrome's insistence of hiding parts of the url plus giving it a Not Secure status made me think it was forcing a non-ssl connection.
Let's say you log into an https website. All the data sent back and forth is secure from being snooped on or spoofed. One of the items that you got back from that website was a cookie so you don't need to provide your login credentials for every single page that you try to view. That cookie identifies you to the website so it will let you in and let you post as aldend123. Now say someone tricks you into going back to that website using an http url, perhaps by sending you an email message with links in it. Your cookie is now sent "in the clear" which is a security risk. Anyone who can see that cookie can become aldend123. So most modern browsers will refuse to send cookies that they got using https over a cleartext connection. It's clearly NBD for a website where people yak about motorcycles, guns, and Donald Trump, but it's a good idea to get in the habit of using https as much as possible because it's substantially more secure than http.
https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie
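The cookie rule described in the post above, as an added example that is not part of the original thread: the Python standard library's cookie jar applies the same policy as a browser, so we can ask it which Cookie header it would attach to an https link versus a plain-http link to the same forum, without opening any connection. The host name is borrowed from the thread; the cookie name and value are constructed for the example.

```python
"""Added example (not from the thread): why a Secure cookie obtained over https
is withheld from a plain-http request to the same host.

No network traffic is generated; we only ask http.cookiejar which Cookie
header it *would* attach to each request. Host, cookie name and value are
assumptions made up for the example.
"""
import http.cookiejar
import urllib.request
from typing import Optional

HOST = "www.nestreetriders.com"  # assumed host, taken from the thread


def make_session_cookie(secure: bool) -> http.cookiejar.Cookie:
    """Build a session cookie like the one a forum login would set.

    secure=True corresponds to the Secure attribute of a Set-Cookie header.
    """
    return http.cookiejar.Cookie(
        version=0, name="forum_session", value="constructed-session-id",
        port=None, port_specified=False,
        domain=HOST, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_header_for(url: str, secure: bool) -> Optional[str]:
    """Return the Cookie header the jar would send to `url`, or None if withheld.

    DefaultCookiePolicy.return_ok_secure implements the browser rule: a cookie
    flagged Secure is only attached to requests whose scheme is https.
    """
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie(secure))
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # mutates req; does not open a connection
    return req.get_header("Cookie")


def demo() -> dict:
    """The three cases the thread discusses: https link, http link with a
    Secure cookie (the broken notification-email case), http link with a
    cookie that was never marked Secure (sent in the clear)."""
    base = "://" + HOST + "/forum/showthread.php?t=1"
    return {
        "https link, Secure cookie": cookie_header_for("https" + base, secure=True),
        "http link, Secure cookie": cookie_header_for("http" + base, secure=True),
        "http link, non-Secure cookie": cookie_header_for("http" + base, secure=False),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:30} -> {header}")
```

The middle case is exactly the thread's symptom: the cookie exists, the browser simply declines to send it on the http link, so the site sees an anonymous visitor. The third case shows the alternative the site would have if it dropped the Secure flag: the session identifier travels in cleartext.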
HTTPS is definitely enabled but we don't force it because then all of the non-secure content ever posted (hotlinked images, etc.) throws up warnings in most modern browsers because it's mixed-security content. Right now the reason Chrome says it's insecure on HTTPS is that all of the internal images and shit (smileys, post icons, background images) are all http. That part changes if I turn on HTTPS site-wide but then we still have the external content problem.
I can't make the URLs in the notification emails HTTPS without doing so site-wide. It's been quite a while since I gave any serious consideration to forcing HTTPS on this site, maybe it's time to do so again.
-Josh || Forum Rules || Stop. Think. Post.
I just logged out, navigated to HTTPS url, logged in, then switched to HTTP and it still works fine. Am I missing something? I know the browsers have gotten super obnoxious with trying to intentionally blur the lines. I'll defer to admin for whether the site is configured to use a secure cookie as authentication, but I'm not sure it is. Or it's cached locally from my login.
Can't you put a rewrite rule on the webserver to transpose HTTP URLs to HTTPS? Although I guess it'd need to be more narrowly restricted to embedded content. And might end up breaking stuff that doesn't offer HTTPS.
Meh, what for? Placating people who just finished a Sec+ class? Although I thought some of the search engines were using it as part of their SEO ranking.
nedirtriders.com
I see the problem now. I'm guessing my local auth expired. When I go to the HTTP page, it does not think I'm logged in. Flip over to HTTPS and I'm logged in.
nedirtriders.com
To make the web safer, albeit in a small way. I gotta say, when I made what seems like a very obvious suggestion given that it's 2020 I didn't anticipate that I'd get snarked on by not one but two people who clearly don't understand how the web works.
Next time I think of some way to make the site safer I'll just save the hassle and STFU instead.
It does not make the web safer in any way. It just placates people who see a lock and think all is good. Given I can get certs for damn near anything without any shred of evidence that I actually have control of said element, it's a false sense of trust. ...add in the fun of Apple deciding to do an end run around standards bodies and just declaring certs longer than one year will de facto be untrusted, meh.
The good news is that the email that notified me of Kurlon's "HTTPS isn't perfect so it sucks and I hate it" rant used "https://" links so I can post this without having to log in. That makes the site more convenient to use and is much appreciated.
Thank you Frankenstein!
Sorry, I interpreted "It does not make the web safer in any way" as "it sucks". My bad.
But honestly, if I need an informed opinion on whether HTTPS is useful or not, I don't think I'll turn to the guy who told me "There's also the small detail that the site isn't available via HTTPS... Fix your firefox."
That and if I remember right, this site did not offer HTTPS at all until very recently. I want to say within the past year.
It's just like so many other people in cybersec who demand all security with no consideration for risk/trade-offs/layered approach etc, and then act like 'people just don't care about security at all' when they get any dissension.
The original point that email links are HTTP and they won't work if you logged in via HTTPS is still valid though. Ends up being essentially a bug, regardless of the security implications.
nedirtriders.com
+1 vote for removing http and forcing mixed content. port 80 should not be used except for 301 redirect
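The server-side half of what the last few posts ask for (port 80 used only for a 301 to https, the login cookie issued with the Secure flag, and notification-email links always built from the https base), as an added example that is not part of the thread or of the forum's own software. It is a plain WSGI application using only the standard library; the host name and paths are assumptions borrowed from the thread, and `X-Forwarded-Proto` handling is included because forums are commonly fronted by a TLS-terminating proxy.

```python
"""Added example (not from the thread or the forum software): force https at
the edge and stop the session cookie from ever travelling over http.

- Any request arriving over plain http gets a 301 to the same path on https.
- The login cookie carries Secure and HttpOnly, so a browser will not send it
  over http even when handed an http link.
- Notification-email links are built from the https base URL, never http.

Host and paths are assumptions taken from the thread.
"""
import urllib.parse
from http import cookies
from typing import Callable, Dict, Iterable, Tuple

CANONICAL_HOST = "www.nestreetriders.com"  # assumed


def canonical_link(path: str, query: str = "") -> str:
    """Absolute https URL for e-mail notifications; never http."""
    return urllib.parse.urlunsplit(("https", CANONICAL_HOST, path, query, ""))


def wants_redirect(environ: dict) -> bool:
    """True if the request came in over plain http.

    Behind a TLS-terminating proxy the original scheme arrives in
    X-Forwarded-Proto; only trust that header if your proxy sets it.
    """
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return scheme.lower() != "https"


def login_cookie(session_id: str) -> str:
    """Set-Cookie value for the session: Secure, HttpOnly, SameSite=Lax."""
    jar = cookies.SimpleCookie()
    jar["forum_session"] = session_id
    morsel = jar["forum_session"]
    morsel["secure"] = True      # browser withholds it from http requests
    morsel["httponly"] = True    # not readable from page scripts
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Minimal WSGI app: redirect http, set a Secure cookie on login."""
    if wants_redirect(environ):
        target = canonical_link(environ.get("PATH_INFO", "/"), environ.get("QUERY_STRING", ""))
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    if environ.get("PATH_INFO") == "/forum/login.php" and environ.get("REQUEST_METHOD") == "POST":
        # Session id is constructed; a real app would generate and store one.
        headers = [("Content-Type", "text/plain"),
                   ("Set-Cookie", login_cookie("constructed-session-id"))]
        start_response("200 OK", headers)
        return [b"logged in"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def make_environ(scheme: str, path: str, query: str = "", method: str = "GET",
                 forwarded_proto: str = None) -> dict:
    """Constructed WSGI environ for exercising `app` without a server."""
    env = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": query,
           "REQUEST_METHOD": method, "HTTP_HOST": CANONICAL_HOST,
           "SERVER_NAME": CANONICAL_HOST}
    if forwarded_proto:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


def call(environ: dict) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke `app` and collect (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    print(call(make_environ("http", "/forum/showthread.php", "t=123")))
    print(call(make_environ("https", "/forum/login.php", method="POST")))
    print(canonical_link("/forum/showthread.php", "t=123"))
```

Two caveats a practitioner would want: the redirect only fixes first-party links, so the hotlinked-image mixed-content problem from earlier in the thread is a separate job (serving or proxying those images over https, or accepting the warning), and if the proxy in front of the app does not set `X-Forwarded-Proto`, leave that branch out or every request will look like plain http and loop.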