Why is the Murga Forum not https ?

For discussions about security.
purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Why is the Murga Forum not https ?

#1 Post by purple379 »

I think the subject line explains what I am curious about

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

What can I say? It's just not.

It's up to John Murga. I do think the login process may be encrypted, or protected from eavesdropping in some way.

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: Why is the Murga Forum not https ?

#3 Post by Moose On The Loose »

purple379 wrote: I think the subject line explains what I am curious about
I don't think there is any real need for HTTPS.
This comment can be read by anyone who cares to so there is no good reason to make it secure.

It looks to me, looking at the page source, that the password travels unprotected. Thus it is not good to use the same password as elsewhere.

There is a trick that uses JavaScript to make a password effectively encrypted. Not even that is being done.

The trick for those who care is:
Each time the form is sent, it comes with a hashing key.
The keys don't repeat.
The JavaScript applies the hash before submitting the form.
The receiving site knows how to undo the hash but this is kept secret.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: Why is the Murga Forum not https ?

#4 Post by belham2 »

Moose On The Loose wrote:
purple379 wrote: I think the subject line explains what I am curious about
I don't think there is any real need for HTTPS.

Hey Moose,

I think you're missing the forest for the trees :wink: No one I know on murga cares one bit about comments, or passwords, or their account. The big worry is the literally thousands of scripts, .gz files and such that are populated throughout the murga site and are hosted on the same server the forum is. We all download the things, and they are far more populous than people who upload their stuff to secure download sites. I'm fairly sure, no, I'm positive, John isn't spending the coin to have separate servers--especially a data-hardened server (which is where all that stuff should be residing, but it is not). Still to this day, people will say "oh, that's what md5 sums and such are for..." nope, not even close by a country mile. That stuff is about file integrity, and nothing to do with security. The fact of the matter is, many downloads from this forum could be getting re-directed and the receiver would never know. That's what https guards against, and it is the main reason this conversation should be discussed more. It also guards against getting spoofed when logging in and out of murga, like having crap deposited on your rig/computer.

Problem is, like I said, the coin is not going to be spent for it to happen. Plus, everyone thinks a little bit like the hapless blokes at Equifax: it couldn't possibly happen here, in Murga land. Just no way..... :roll:

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#5 Post by Flash »

As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#6 Post by Mike Walsh »

Flash wrote: As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)
^^^ +1!! Touché.....


Mike. :wink:

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#7 Post by belham2 »

Flash wrote: As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)

Any possibility you could open a dialog with John and:

1) see if he'd be willing to have the forum moved to "https" (if he doesn't want to be bothered with it, we need to know that ahead of time), and;

2) if he is willing, can he ask and get a figure put on how much he'd want? It's not a question of costs, as if murga and associated sites were mine, I'd have had them up on https early "last" year at no cost. This is about whether John wants it done and will take the steps and planning and commit to the changes being done. If he has to actually hire someone, then ask him to put it out there and come up with a $$$$ figure they would charge him to move everything to "https". Then convey this information to us here.


I have had a few sites at businesses moved over the past few years to "https"; the cost is the hours involved in doing it and testing it. Thus John's gotta want to do it and be committed to it. Getting a new SSL certificate (cost is about ~$15) is the first thing required, and then that's it. Structuring things on the host side, converting all (not just some but all) links on the website to https, setting up 301 redirects, etc, etc, and then slowly testing it all. But, imho, it is way more than worth it. There's no excuse for any site NOT to be https nowadays..and this includes the murga family. Google (and others) are rightfully highlighting and publicly scolding site operators who are dragging their heels on this. Eventually, any http site should be banned by all world search providers and all browsers should block them too. There's a reason: https is not 100% foolproof, but it is the best thing in over a decade to have happened for general use of the Internet. People can argue about this till they're blue in the face; they simply don't know what they're talking about if they say https is not worth it.

Let us know, Flash, what you find out.
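
The "set up 301 redirects" step from the post above, as an added example of the server configuration it amounts to. This is not the Murga forum's actual configuration and the forum's web server software is not stated in the thread; the example assumes nginx, a hypothetical hostname forum.example, and certificate paths of the kind a Let's Encrypt client produces.

```nginx
# Added example (not the forum's real config). Hostname and certificate
# paths are placeholders; adjust root/index to the actual forum install.

# Plain-HTTP listener: answer every request with a permanent redirect so
# old http:// links, bookmarks and search-engine results all land on the
# https:// copy of the same URL. Nothing is served over port 80 any more.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example www.forum.example;
    return 301 https://forum.example$request_uri;
}

# TLS listener: the only place pages, scripts and .gz downloads are served.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name forum.example;

    ssl_certificate     /etc/letsencrypt/live/forum.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Enable only after every page and download link has been verified over
    # https: this tells browsers to stop using http for this host at all,
    # and is hard to take back once it has been sent with a long max-age.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/forum;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The redirect alone does not finish the job the post describes: any absolute http:// links left in templates, posts or attachment URLs will still make browsers flag the page as mixed content, so the "convert all links" and "slowly test it all" steps come before, not after, turning on the commented-out HSTS header.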

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: Why is the Murga Forum not https ?

#8 Post by Moose On The Loose »

belham2 wrote:
Moose On The Loose wrote:
purple379 wrote: I think the subject line explains what I am curious about
I don't think there is any real need for HTTPS.

Hey Moose,

I think you're missing the forest for the trees :wink: No one I know on murga cares one bit about comments, or passwords, or their account. The big worry is the literally thousands of scripts, .gz files
So long as passwords are encrypted and not given away, nobody can pretend to be me. This way you would never see a script claimed to be from me that didn't really come from me. This also applies to my random babbling but security on that matters less.
