Inclusion of HTTPS support during log in

zeomal

Inclusion of HTTPS support during log in

Post by zeomal »

Is it possible to include HTTPS support, just for signing into the forum?
Forgive me if this is not possible.
(Or if it's just plain rude - I do not mean it so.)

With the recent NSA snooping revelations, and increasing number of privacy issues, I think it would be a great thing if support for a secure log-in page could be made. The rest of the forum, that wouldn't be required, because it's already publicly visible. However, I would prefer that somebody intercepting my (or anybody's, for that matter) connections finds it very difficult to find out my password, because not everybody uses different passwords for different sites  ;D.
Last edited by zeomal on Fri Jan 17, 2014 4:18 pm, edited 1 time in total.
ciaobaby

Re: Inclusion of HTTPS support during log in

Post by ciaobaby »

First of all you have to believe that the 'leaked' information about the "No Such Agency" monitoring capability is actually true or even remotely accurate. It wouldn't be the first instance of such "revelations" being total exaggeration 'leaked' by the agencies themselves to promote the level of paranoia in people who already believe the entire World is out to get them, just to see who jumps the highest in a bid to avoid being 'detected', and in doing so 'raise their head above the parapet'. Thus their guilty conscience exposes them far quicker than ANY kind of covert surveillance would do.
zeomal

Re: Inclusion of HTTPS support during log in

Post by zeomal »

Uh huh.
[quote="ciaobaby"]
First of all you have to believe that the 'leaked' information about the "No Such Agency" monitoring capability is actually true or even remotely accurate. It wouldn't be the first instance of such "revelations" being total exaggeration 'leaked' by the agencies themselves to promote the level of paranoia in people who already believe the entire World is out to get them, just to see who jumps the highest in a bid to avoid being 'detected', and in doing so 'raise their head above the parapet'. Thus their guilty conscience exposes them far quicker than ANY kind of covert surveillance would do.
[/quote]

With all due respect, I suppose that the whole of the people who run the Electronic Frontier Foundation and other related groups are part of the agencies' plan to exaggerate the mass surveillance issue? And The Guardian, with all other supporting newspapers from over 50 countries, too, I suppose? Let's also not forget the leaders of a large number of countries who are possibly pretending to be pi**ed? Who can forget the highly respected Free Software Foundation? And what about the kingpin of it all, honorable Edward Snowden, who basically sacrificed what could have been a fruitful, happy and peaceful life to expose the so called mass surveillance?

Sorry for the outburst, but I had to say something!

I'd still like to see HTTPS support for the log in. I merely gave the "No Such Agency" as just another reason to support such a feature. Adding that would increase security of one's account.
That's all. Period.
ciaobaby

Re: Inclusion of HTTPS support during log in

Post by ciaobaby »

[quote="zeomal"]
part of the agencies' plan to exaggerate the mass surveillance issue? And The Guardian, with all other supporting newspapers from over 50 countries, too
[/quote]

Albeit unwittingly, yes.

The media simply jump on the idea then make it even more sensational.

Mark Twain - “If you don't read the newspaper, you're uninformed. If you read the newspaper, you're mis-informed.”

William Randolph Hearst is reputed to have said - "Good news doesn't sell newspapers"

Mark Twain (again) - “Never let the truth get in the way of a good story.”  <<< most journalists subscribe to that one.

EVERYBODY loves a good conspiracy theory, and just because it is published far and wide and gains popular support does NOT make it fact.


And on the other hand ... If you have nothing to hide ... why even care???
zeomal

Re: Inclusion of HTTPS support during log in

Post by zeomal »

I don't have anything to hide. But I don't have anything I'd feel like showing anybody either. Also, refer to this article: https://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/

In another situation, I wouldn't want somebody else posting something entirely different or highly inappropriate just because they were easily able to obtain my password because there wasn't a secure way to login, would I?
Last edited by zeomal on Sat Jan 18, 2014 2:41 am, edited 1 time in total.
ciaobaby

Re: Inclusion of HTTPS support during log in

Post by ciaobaby »

To 'sniff' out your login details an attacker has to intercept communication at YOUR end of the network, which is virtually impossible on a 'wired' connection, and extremely difficult for wireless unless you have your router running as an 'open' or 'unlocked/unsecured' access point, and in all honesty what makes you think that you are even 'important' enough for anybody to even bother? In the grand scheme of things You or I are insignificant, there are FAR more 'high profile' targets to 'crack' who will give the 'crackers' the publicity they think they deserve.

On the NSA.
Spreading F.U.D. (Fear, Uncertainty and Doubt) among the masses is what makes these agencies thrive, and the furore that follows such 'leaks' proves to them they MUST be doing the 'right thing', because anybody who joins in the ensuing clamour is obviously hiding something.
zeomal

Re: Inclusion of HTTPS support during log in

Post by zeomal »

Ah! Fine...
sledgehammer_999
Administrator
Posts: 2443
Joined: Sun Jan 23, 2011 1:17 pm

Re: Inclusion of HTTPS support during log in

Post by sledgehammer_999 »

Just to chip in since the forum maintainer hasn't said anything yet. SSL authentication would be good, but SSL certificates cost money. Unless we use a self-signed certificate, which by itself is fine, but modern browsers treat self-signed certificates as really bad. They usually display a special warning page which scares inexperienced users.
sledgehammer_999

Re: Inclusion of HTTPS support during log in

Post by sledgehammer_999 »

Also ssl only for signing is that good. Because in the rest of the session you send to the site a special string which is unique and is used to authenticate (in very very simple words). This string can be stolen by a third party and be used to impersonate. However, this can be done only for the current session (until you log out or the cookie expires) and for this forum. So even if you use the same username/password with other sites this string will not work for the other sites.
zeomal

Re: Inclusion of HTTPS support during log in

Post by zeomal »

Okay!
I understand (at least I think I do  :) ).
Last edited by zeomal on Mon Jan 20, 2014 4:17 pm, edited 1 time in total.
sledgehammer_999

Re: Inclusion of HTTPS support during log in

Post by sledgehammer_999 »

[quote="sledgehammer_999"]
Also ssl only for signing isn't that good. Because in the rest of the session you send to the site a special string which is unique and is used to authenticate (in very very simple words). This string can be stolen by a third party and be used to impersonate. However, this can be done only for the current session (until you log out or the cookie expires) and for this forum. So even if you use the same username/password with other sites this string will not work for the other sites.
[/quote]

fixed typo
TheMachine

Re: Inclusion of HTTPS support during log in

Post by TheMachine »

Anyone can get a free SSL cert here: https://www.startssl.com/?app=1 The CA is recognized as valid by all major browsers.

But that shouldn't be necessary at all - I see the forum is behind CloudFlare, unless you're using their free service they also offer free full-site SSL with a CloudFlare-issued cert, so it's just a matter of turning it on. While you're in there you might as well enable some other goodies like IPv6 and SPDY.

For bonus points add an HSTS header so browsers will know to only connect via SSL to the forum and get it into Chrome and Firefox's pre-loaded HSTS list - see http://dev.chromium.org/sts and https://blog.mozilla.org/security/2012/ ... ding-hsts/
Last edited by TheMachine on Tue Jan 21, 2014 6:25 am, edited 1 time in total.
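
Added example (not part of any post in this thread, and not the forum's code): a small Python audit of response headers that ties together two points made above, that a session cookie issued without the Secure attribute still travels over plain HTTP after an HTTPS-only login, and that an HSTS header only counts when delivered over HTTPS. The cookie name `sid` and the sample headers are constructed for illustration.

```python
def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, other_directives)."""
    max_age, flags = None, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        else:
            flags.add(name.strip().lower())
    return max_age, flags


def cookie_attrs(set_cookie):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *rest = set_cookie.split(";")
    attrs = {a.partition("=")[0].strip().lower() for a in rest}
    return first.partition("=")[0].strip(), attrs


def audit(scheme, headers):
    """List transport-security findings for one response (headers: (name, value) pairs)."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        # Browsers ignore an HSTS header received over plain HTTP (RFC 6797).
        findings.append("response sent over plain HTTP")
    elif not hsts or not parse_hsts(hsts[0])[0]:
        findings.append("no usable HSTS policy (missing header or max-age of 0)")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure: sent on http:// requests too")
    return findings


# Constructed sample responses (not captured from the forum).
LOGIN_ONLY_TLS = ("https", [("Set-Cookie", "sid=3f9a; Path=/; HttpOnly")])
FULL_SITE_TLS = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=3f9a; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, (scheme, hdrs) in [("login-only", LOGIN_ONLY_TLS), ("full-site", FULL_SITE_TLS)]:
        print(label, audit(scheme, hdrs) or "ok")
```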