(RESOLVED) Will it ever be implemented? HTTPS
Discussion
Order66 said:
Prizam said:
feef said:
Even the AWS management account has two factor auth these days tho.
Yes...IF you set it up / turn it on.
DanL said:
Prizam said:
Next year, when GDPR comes in... it will cost them 4% of all revenue across the haymarket group. No if's no buts! Instant fine.
Assuming you're right (I don't know what GDPR is) then that's the motivation to address it from a business perspective. It also tells you they've got a touch under 12 months to get around to it...
Becomes enforceable 25 May 2018.
Usget said:
Hadn't realised this was still rumbling on, so I'm checking into the thread for updates.
The messages from James Drake really shock me to be honest. Any IT PM knows that "I don't know" simply isn't an answer. If you don't know, why not? If the Devs won't give you a fixed-by date, why not? What's the blocker? Who can help to resolve it?
If I went into a stakeholder meeting and delivered those updates, I'd be verbally torn a new one.
The bit you're missing is that you're not a stakeholder. In the big picture you're the product, not the customer, and "I don't know" could just as easily be code for "I don't see why I should tell you", or "it's not my responsibility"...
DanL said:
Usget said:
Hadn't realised this was still rumbling on, so I'm checking into the thread for updates.
The messages from James Drake really shock me to be honest. Any IT PM knows that "I don't know" simply isn't an answer. If you don't know, why not? If the Devs won't give you a fixed-by date, why not? What's the blocker? Who can help to resolve it?
If I went into a stakeholder meeting and delivered those updates, I'd be verbally torn a new one.
The bit you're missing is that you're not a stakeholder. In the big picture you're the product, not the customer, and "I don't know" could just as easily be code for "I don't see why I should tell you", or "it's not my responsibility"...
This entire https scenario is beyond a joke now.
It wasn't that long ago that it was possible to look at the cookies this site used and gain login access to the mods forum.
At the very least the PH login page should have been done years ago. It really isn't that difficult - buy a certificate, deploy the keys and redirect http login to https.
My only conclusion is that the 'developers' being churned out of colleges and universities these days don't have a fvcking clue about the underlying transport mechanisms (in fact you only have to look at the sheer volume of html/js that is delivered by many sites these days to fathom that one out - nobody seems to be coding for transport efficiency these days).
I'm gob smacked that Haymarket either won't fund up a few £K to get someone in on contract who could likely fix this in a few days, or take up the offers of help from long standing members within the forums who do this stuff for a living, but still seem to bury their heads pretending it is not an issue.
Stunning incompetence.
Twenty years ago I had a Thawte certified https server running in my bedroom on a 1Mb ADSL line.
FFS - Haymarket - just get it sorted.
(I'm also open to comment about what is stored (un)hashed in the PH forum users DB - MD5 anyone or plain-text?)
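The steps listed above (certificate in place, redirect the http login to https) expressed as a small Python WSGI middleware, added here as an illustration; this is not PistonHeads' or Haymarket's code, and the cookie name `phsession`, the `login_app` handler and the `run` driver are constructed for the example. It goes one step further than the redirect: once on HTTPS it sends an HSTS header so the browser stops making plain-HTTP requests to the site at all, and it marks the session cookie Secure and HttpOnly, which is what stops the cookie-exposure problem mentioned earlier in the post.

```python
from urllib.parse import quote

# Added example (hypothetical), not code from the site under discussion.
# Plain-HTTP requests are redirected to the same URL over https://; HTTPS
# responses get an HSTS header and the session cookie is set with
# Secure + HttpOnly so browsers never send it in the clear.

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_redirect_location(environ):
    """Build the https:// URL for the request described by a WSGI environ."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def secure_cookie(name, value):
    """Set-Cookie value that browsers will only send over TLS and that page JS cannot read."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


class ForceHttps:
    """WSGI middleware: redirect http -> https, add HSTS on https responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Redirect the login *page* so the form is served, and therefore
            # submitted, over TLS. Anything already POSTed over plain HTTP
            # was on the wire in clear before we ever saw it.
            start_response("301 Moved Permanently",
                           [("Location", https_redirect_location(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def login_app(environ, start_response):
    """Constructed stand-in for the real login handler (cookie name is made up)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", secure_cookie("phsession", "opaque-id"))])
    return [b"logged in"]


def run(environ):
    """Drive the middleware without a server; returns (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(ForceHttps(login_app)(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Constructed requests: one over plain HTTP, one over HTTPS.
    print(run({"HTTP_HOST": "www.example.com", "PATH_INFO": "/login",
               "QUERY_STRING": "", "wsgi.url_scheme": "http"})[:2])
    print(run({"HTTP_HOST": "www.example.com", "PATH_INFO": "/login",
               "QUERY_STRING": "", "wsgi.url_scheme": "https"})[:2])
```

The redirect only protects the next request; the point of the HSTS header is that after the first HTTPS visit the browser rewrites any `http://` link to the site itself, so a user typing the bare hostname on airport Wi-Fi never makes the plaintext request in the first place.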
Just followed in from the thread in the Lounge.
Lack of SSL is really poor form - the spooks vacuum up ALL internet traffic by default and extract out useful plain text information such as these passwords, as they know they can re-use them elsewhere.
https://en.wikipedia.org/wiki/XKeyscore
eliot said:
Just followed in from the thread in the Lounge.
Lack of SSL is really poor form - the spooks vacuum up ALL internet traffic by default and extract out useful plain text information such as these passwords, as they know they can re-use them elsewhere.
https://en.wikipedia.org/wiki/XKeyscore
SSL won't stop them if they really want your password(s) unfortunately https://blog.cryptographyengineering.com/2013/12/0...
If three letter agencies want your stuff they're going to get it. I'd be far more concerned about the folks here who check Pistonheads on free Wi-Fi whilst waiting in the airport or McDonalds and who aren't all that IT savvy so use the same password on their email as they do PH.
Sniff the PH username and password and you can see the persons profile.
See the persons profile and you have their email.
If you are reusing passwords and don't have 2FA enabled on your email, game over.
0000 said:
TheExcession said:
(I'm also open to comment about what is stored (un)hashed in the PH forum users DB - MD5 anyone or plain-text?)
My money's on plaintext.
Let's face it, if they won't discuss it, it's not bcrypt.
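The three storage options the thread speculates about (plaintext, unsalted MD5, bcrypt) differ in what an attacker gets from a leaked users table. The following is an added example, not code from the site under discussion: it uses scrypt from the Python standard library as the slow, salted hash in place of bcrypt (same class of construction, no third-party package needed), and the stored record format `scrypt$<salt hex>$<hash hex>` is constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (hypothetical), not the forum's code. Contrasts the unsalted
# fast hash the thread fears with a salted, memory-hard KDF.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # cost parameters; raise N as hardware allows
DKLEN = 32


def store_md5(password):
    """The bad way: fast and unsalted. Two users with the same password get the
    same record, and one precomputed dictionary cracks the whole table."""
    return hashlib.md5(password.encode()).hexdigest()


def store_scrypt(password):
    """Per-user random salt plus a memory-hard KDF: each guess costs real work
    per user, and the same password stored twice yields two unrelated records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_scrypt(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # compare_digest: no early exit, so response time leaks nothing about the stored hash
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(password):
    """(md5 records identical, scrypt records identical) for two users sharing a password."""
    return (store_md5(password) == store_md5(password),
            store_scrypt(password) == store_scrypt(password))


if __name__ == "__main__":
    # Constructed sample: the same weak password stored both ways.
    print("md5:   ", store_md5("password"))
    rec = store_scrypt("password")
    print("scrypt:", rec)
    print("verify ok:", verify_scrypt("password", rec), "wrong:", verify_scrypt("Password", rec))
    print("collisions (md5, scrypt):", same_password_collides("password"))
```

If the table leaks, the MD5 column falls to a lookup table at the speed of the attacker's GPU; the scrypt column forces them to spend the full cost per guess per user, which is why the thread treats "it's not bcrypt" as the bad outcome.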