SSL

To keep abreast of site changes, or to post a question, idea or suggestion for the website.

Moderators: carlson1, Keith B, Charles L. Cotton


Topic author
tbrown
Senior Member
Posts in topic: 2
Posts: 1685
Joined: Thu Mar 17, 2011 4:47 pm

SSL

#1

Post by tbrown »

Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
sent to you from my safe space in the hill country

Charles L. Cotton
Site Admin
Posts in topic: 3
Posts: 17787
Joined: Wed Dec 22, 2004 9:31 pm
Location: Friendswood, TX

Re: SSL

#2

Post by Charles L. Cotton »

tbrown wrote: Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.

Chas.

Topic author
tbrown
Senior Member
Posts in topic: 2
Posts: 1685
Joined: Thu Mar 17, 2011 4:47 pm

Re: SSL

#3

Post by tbrown »

Thank you for the quick reply. I recently got the warning about username/password not being secure. I'll add an exception for the site.
sent to you from my safe space in the hill country

skeathley
Senior Member
Posts in topic: 2
Posts: 328
Joined: Tue Feb 11, 2014 8:29 am
Location: McKinney, TX

Re: SSL

#4

Post by skeathley »

In the web industry (from which I am retired), it is considered a best practice to use a secure connection for all login pages, as someone with a network sniffer could get passwords, log in, and leave a lot of spam messages with links. Not a danger, but hours of time to delete, change credentials, etc.

In addition, many SEO professionals believe that Google gives more weight to sites using a certificate, which improves their rankings.

If you accidentally use https to address a website that does not use a certificate, you will actually hit the server default certificate, which is self-signed. That encryption is valid, but since the Authority is invalid, you will get a security warning.

It is now considered a smart practice to secure all pages on all sites with a certificate, just to avoid all the problems, and potentially improve search engine rankings.

S
Texas LTC Instructor / RSO / SSC
Viet Nam Veteran: 25th Infantry, Cu Chi
https://mckinneyfirearmstraining.com

uthornsfan
Senior Member
Posts in topic: 1
Posts: 490
Joined: Sun Jan 30, 2011 11:13 pm
Location: Austin, TX

Re: SSL

#5

Post by uthornsfan »

Chas,

It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL those passwords can get intercepted in plain text.

The industry is moving toward every site needing/requiring SSL.

tx mountaineer
Member
Posts in topic: 1
Posts: 50
Joined: Fri Jan 29, 2010 10:52 pm
Location: Clear Lake

Re: SSL

#6

Post by tx mountaineer »

Charles L. Cotton wrote:
tbrown wrote: Does anybody else have trouble using the https version of the forum? It tells me the certificate is invalid.
There is no SSL on the Forum since it doesn't take data. If you are using the latest Firefox, it has what Mozilla calls a "feature," that is actually a pain! I just deactivated mine last Friday.

Chas.
:iagree:

cyphur
Senior Member
Posts in topic: 2
Posts: 1334
Joined: Fri Jun 23, 2006 10:02 am
Location: DFW, Tx

Re: SSL

#7

Post by cyphur »

No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.

ScottDLS
Senior Member
Posts in topic: 1
Posts: 5052
Joined: Sun Jun 26, 2005 1:04 am
Location: DFW Area, TX

Re: SSL

#8

Post by ScottDLS »

:iagree:

+1.

I understand why SSL is a pain, but for that effort there are benefits. On the other hand, I'm not complaining as I'm not the one going to the trouble of hosting a really good forum. And I really like the emojis.
4/13/1996 Completed CHL Class, 4/16/1996 Fingerprints, Affidavits, and Application Mailed, 10/4/1996 Received CHL, renewed 1998, 2002, 2006, 2011, 2016...). "ATF... Uhhh...heh...heh....Alcohol, tobacco, and GUNS!! Cool!!!!"

allisji
Senior Member
Posts in topic: 1
Posts: 969
Joined: Fri Sep 25, 2015 10:44 am
Location: Seabrook

Re: SSL

#9

Post by allisji »

cyphur wrote: No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

:tiphat:
LTC since 2015
I have contacted my state legislators urging support of Constitutional Carry Legislation HB 1927

cyphur
Senior Member
Posts in topic: 2
Posts: 1334
Joined: Fri Jun 23, 2006 10:02 am
Location: DFW, Tx

Re: SSL

#10

Post by cyphur »

allisji wrote:
cyphur wrote: No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

:tiphat:
Look into a password manager like LastPass. Problem solved.

The Annoyed Man
Senior Member
Posts in topic: 2
Posts: 26789
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: SSL

#11

Post by The Annoyed Man »

cyphur wrote:
allisji wrote:
cyphur wrote: No cert also means there is no way to ensure you are where you think you are. It is not hard to spoof a website like this and inject a bad link via an XSS attack. Every login page should be secured with SSL. Most users do not use unique credentials for each website, which means their credentials are in jeopardy every time they log in.

Certs are good. As long as they aren't from Symantec or any of their sub-CAs.
Just changed my password to a totally unique one. Hopefully I can remember it next time I want to log on.

:tiphat:
Look into a password manager like LastPass. Problem solved.
Love LastPass.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT

strogg
Senior Member
Posts in topic: 1
Posts: 912
Joined: Wed Mar 29, 2017 1:51 pm
Location: DFW (Denton County)

Re: SSL

#12

Post by strogg »

I'm a RoboForm man myself. It's seemingly more secure because it's not as popular, but it doesn't support 2FA.

I vote that the admins enable SSL on this website. Granted I'm good enough to use a unique super random password for this site, not everyone does. Regardless, cost shouldn't be considered an issue thanks to https://letsencrypt.org/

casp625
Senior Member
Posts in topic: 1
Posts: 671
Joined: Sun Jan 04, 2015 9:24 pm

Re: SSL

#13

Post by casp625 »

uthornsfan wrote: Chas,

It is fairly important that the site uses SSL. If anyone sends their password and the site doesn't default to SSL those passwords can get intercepted in plain text.

The industry is moving toward every site needing/requiring SSL.
I ran Wireshark just to see what was going on. Logged into TexasCHLForum and sure enough, there was my password in plain text. Now the password I use here is completely unique and never used anywhere else.

skeathley
Senior Member
Posts in topic: 2
Posts: 328
Joined: Tue Feb 11, 2014 8:29 am
Location: McKinney, TX

Re: SSL

#14

Post by skeathley »

Enabling SSL is not as simple as clicking a button. There are several steps, and it requires a dedicated IP, which may not be part of their hosting deal. The forum probably uses an IP shared with dozens of other websites. Also, if every graphic is not addressed by https, browsers will throw "mixed content" errors.

S
Texas LTC Instructor / RSO / SSC
Viet Nam Veteran: 25th Infantry, Cu Chi
https://mckinneyfirearmstraining.com
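
An added example, not part of the thread and not the forum's own code: a small Python audit for the two issues raised in posts #13 and #14, a login form that submits a password over plain http and hard-coded http:// subresources that would raise mixed-content warnings once the page is served over https. The sample HTML, the `login.php` path and the `forum.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute pulls a subresource into the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "source": "src", "embed": "src", "link": "href"}

class HttpsReadinessAudit(HTMLParser):
    """Collects cleartext password forms and hard-coded http:// subresources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None     # resolved action of the form being parsed
        self.cleartext_logins = []  # form targets that receive a password over http
        self.mixed_content = []     # (tag, url) pairs pinned to http

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action
            if target and urlparse(target).scheme == "http" \
                    and target not in self.cleartext_logins:
                self.cleartext_logins.append(target)
        elif tag in SUBRESOURCE_ATTRS:
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                return  # canonical/alternate links are not loaded as subresources
            raw = a.get(SUBRESOURCE_ATTRS[tag]) or ""
            # Relative and protocol-relative URLs follow the page; only an
            # absolute http:// URL stays insecure after the switch to https.
            if urlparse(raw).scheme.lower() == "http":
                self.mixed_content.append((tag, raw))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit_page(html, page_url):
    """Return (cleartext_logins, mixed_content) for one page as served at page_url."""
    audit = HttpsReadinessAudit(page_url)
    audit.feed(html)
    return audit.cleartext_logins, audit.mixed_content

# Constructed sample page, not taken from any real site.
SAMPLE = """<form action="./login.php" method="post">
<input type="text" name="username"><input type="password" name="password"></form>
<img src="http://forum.example/images/logo.gif"><img src="./images/smile.gif">
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="http://forum.example/styles/main.css">"""
```

Running `audit_page` with the page's current http URL shows the login exposure; running it with the https URL shows what is left to fix after the certificate is installed.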

Charles L. Cotton
Site Admin
Posts in topic: 3
Posts: 17787
Joined: Wed Dec 22, 2004 9:31 pm
Location: Friendswood, TX

Re: SSL

#15

Post by Charles L. Cotton »

I'll check with our web host about an SSL.

Chas.