(RESOLVED) Will it ever be implemented? HTTPS



thebraketester

14,256 posts

139 months

Monday 23rd January 2017
I did download Wireshark actually... but I do not have the brain power to work its magic. Nor do I have the desire to actually get people's passwords.

GreigM

6,732 posts

250 months

Monday 23rd January 2017
thebraketester said:
As I have suggested before.

Someone attack the weakness in the system and PM me my password and I will personally drive to Haymarket and discuss it with them face to face.
It's not that simple to target an individual. It would be fairly simple to packet sniff some pistonheads logins at a big meeting of users (say a car meet, or "carfest", or the British GP), but to pick you out individually would need a bit more effort - social engineering/physical colocation etc but can be done. Perhaps someone should camp out in the McDonalds closest to the PH techie offices - I'd imagine within minutes you'd have some sort of admin login biggrin

GreigM

6,732 posts

250 months

Monday 23rd January 2017
thebraketester said:
I did download Wireshark actually... but I do not have the brain power to work its magic. Nor do I have the desire to actually get people's passwords.
However it proves the point - within 30 seconds you've found the software to do this - now take it to a PH meet at a coffee shop and you'll have all your mates' passwords in minutes.

dmsims

6,541 posts

268 months

Monday 23rd January 2017
GreigM said:
However it proves the point - within 30 seconds you've found the software to do this - now take it to a PH meet at a coffee shop and you'll have all your mates' passwords in minutes.
(Maybe) don't even need to do that

Last time I looked the SQL db would accept a connection from any IP

All that jazz

7,632 posts

147 months

Tuesday 24th January 2017
eek

Funk

26,303 posts

210 months

Tuesday 24th January 2017
To be frank, it's fking shocking. And even more so that it seems to be at the bottom of their priority list to sort.

james_gt3rs

4,816 posts

192 months

Tuesday 24th January 2017
All that jazz said:
eek
hehe Yeah.

feef

5,206 posts

184 months

Tuesday 24th January 2017
dmsims said:
GreigM said:
However it proves the point - within 30 seconds you've found the software to do this - now take it to a PH meet at a coffee shop and you'll have all your mates' passwords in minutes.
(Maybe) don't even need to do that

Last time I looked the SQL db would accept a connection from any IP
This is of more interest to me than packet sniffing (as I'm a DBA)

GreigM

6,732 posts

250 months

Tuesday 24th January 2017
feef said:
This is of more interest to me than packet sniffing (as I'm a DBA)
Yes, definitely a bigger issue in terms of overall architecture (although equally as quickly solved) - but seeing as this thread is about the lack of https it is valid to keep picking the packet sniffing scab until they at least put a plaster on it.

feef

5,206 posts

184 months

Tuesday 24th January 2017
GreigM said:
feef said:
This is of more interest to me than packet sniffing (as I'm a DBA)
Yes, definitely a bigger issue in terms of overall architecture (although equally as quickly solved) - but seeing as this thread is about the lack of https it is valid to keep picking the packet sniffing scab until they at least put a plaster on it.
Although a quick port scan of the main hosts that I'm aware of shows that the usual MySQL or SQL Server ports are refusing connections

...so back to packet sniffing and HTTPS

James Drake

2,670 posts

118 months

PH TEAM

Tuesday 24th January 2017
All that jazz said:
I'm disappointed that JAMES DRAKE, HEAD OF PISTONHEADS COMMUNITY has not responded and assured the community that HAYMARKET takes the members' privacy, security and personal data very seriously and assure us that https will be in place by the end of this month as stated by his colleague.
Unfortunately life is full of disappointment. I'm personally disappointed about a lot of stuff, although we can agree on the fact that HTTPS should have been prioritised and should have been implemented ages and ages ago. Sadly I'm also disappointed that I have neither the power, knowledge or influence to have made it happen sooner.

themanwithnoname said:
Is that the same James Drake who has, on a few occasions, replied to all on emails without using BCC?

More than once.

In one mail thread.

Just saying.

ETA: Then blames the intern.
Nope, that was Ollie, our former Community and Marketing Manager.

If you're really bored you can read the thread here: http://www.pistonheads.com/gassing/topic.asp?h=0&a...


Dan_1981 said:
It does interest me. I think the lack of response is typical of PH these days.

Oh and I still don't think Racing Pete works at PH anymore.....
I actually agree. I'd love to have been able to respond and give you news of any sort on this matter, but the simple fact is that I don't really have any. I have genuinely been chasing for an update but there just isn't one. Maybe it is a misjudgement on my part, but I assumed that posting yet another update to say "I don't know when this is going to be done" wouldn't go down well.

And FYI Pete no longer works on PH, but is in a more senior Haymarket position with one eye on PH.

All that jazz said:
Be that as it may, but when the Head of the Community actively avoids the topic yet can be seen posting on nearly every other feedback topic, sometimes these measures are needed. Perhaps by shining the spotlight on them and giving them a virtual 'kick up the arse' it will prompt them to actually find out what's happening about it rather than simply ignoring the topic and praying that we all get bored and forget about it (not gonna happen!). Oh and passing the buck with "not my department" isn't going to wash either.
I'm not avoiding it, I've been reading it every day and sharing it regularly with the development folks in order to try and give them a "virtual kick up the arse" as you put it. Regardless of what you think you know, saying that it is not my department isn't passing the buck, it is simply a fact.

So, for the avoidance of doubt here is an update.

I have no news on the implementation date of HTTPS. All I know is that the Development team are working on this now. They have not given a completion date. As soon as I have any news the very first thing I'll do is share it with all of you.

AndrewEH1

4,917 posts

154 months

Tuesday 24th January 2017
It's probably better to give some sort of update rather than remain silent.

James Drake said:
I'm not avoiding it, I've been reading it every day and sharing it regularly with the development folks in order to try and give them a "virtual kick up the arse" as you put it. Regardless of what you think you know, saying that it is not my department isn't passing the buck, it is simply a fact.
Perhaps an actual non-virtual kick up the arse would be more effective? Why hasn't this been escalated upwards and the development team been given an order from higher management to fix or clear their desks? Or are there that many other IT/development issues they are already working on?

I'm not trying to teach you how to suck eggs but I'd be making their life difficult until it was fixed if this was happening where I work.

Edited by AndrewEH1 on Tuesday 24th January 12:02

All that jazz

7,632 posts

147 months

Tuesday 24th January 2017
James Drake said:
I have no news on the implementation date of HTTPS. All I know is that the Development team are working on this now. They have not given a completion date. As soon as I have any news the very first thing I'll do is share it with all of you.
So would it be fair to say that if they are working on this "now" as you claim, it will be implemented by the end of this week? From what I have gathered from other techie members, its implementation is a fairly straightforward process so a whole week would be ample time for even the most useless techie?

Who is the head developer now that RacingPete has (apparently) gone?

SonicShadow

2,452 posts

155 months

Tuesday 24th January 2017
So we've gone from a January deadline to no ETA? Excellent. rolleyes

All that jazz

7,632 posts

147 months

Tuesday 24th January 2017
SonicShadow said:
So we've gone from a January deadline to no ETA? Excellent. rolleyes
Agreed. What happened to the January deadline stated by RacingPete?

rscott

14,779 posts

192 months

Tuesday 24th January 2017
All that jazz said:
James Drake said:
I have no news on the implementation date of HTTPS. All I know is that the Development team are working on this now. They have not given a completion date. As soon as I have any news the very first thing I'll do is share it with all of you.
So would it be fair to say that if they are working on this "now" as you claim, it will be implemented by the end of this week? From what I have gathered from other techie members, its implementation is a fairly straightforward process so a whole week would be ample time for even the most useless techie?

Who is the head developer now that RacingPete has (apparently) gone?
Without knowing the inner details of how current content is created (hardcoded URLs, etc) it's not possible for someone to definitively state what's involved in changing the entire site to use https. Saying that as someone who has spent the past month working on migrating a bunch of barely maintained legacy sites written in anything from classic ASP to Java to PHP over to https...

That's not to say they couldn't have prioritised migrating the login page over, which would address the most urgent security concerns..

SonicShadow

2,452 posts

155 months

Tuesday 24th January 2017
It was incredibly short sighted to not address the HTTPS issue when they redesigned the login page recently.

Perhaps that should be the new header slogan.

Pistonheads
Incredibly short sighted™

James Drake

2,670 posts

118 months

PH TEAM

Tuesday 24th January 2017
AndrewEH1 said:
I'm not trying to teach you how to suck eggs but I'd be making their life difficult until it was fixed if this was happening where I work.
Whilst I wouldn't say that we made their lives difficult (not sure how that would have helped anything) we were regularly reminding them and followed the proper chain to escalate the situation.

All that jazz said:
So would it be fair to say that if they are working on this "now" as you claim, it will be implemented by the end of this week? From what I have gathered from other techie members, its implementation is a fairly straightforward process so a whole week would be ample time for even the most useless techie?
You can say whatever you like, but I have absolutely no idea how long it will take and nor have the development team given any indication of a completion date. I thought I made this pretty clear in my last post when I said this:

James Drake said:
So, for the avoidance of doubt here is an update. I have no news on the implementation date of HTTPS. All I know is that the Development team are working on this now. They have not given a completion date. As soon as I have any news the very first thing I'll do is share it with all of you.
Regarding how straightforward the implementation is, I have absolutely no idea. Also, I'd suggest that gathering information on Web Development from a motoring forum is perhaps an inefficient way to educate yourself on the subject to a degree that you feel that you can draw conclusions like this.

All that jazz said:
Agreed. What happened to the January deadline stated by RacingPete?
Maybe they'll still hit it? Maybe they won't hit it? Maybe Pete was mistaken? I thought I'd answered this when I said this:

James Drake said:
....I have no news on the implementation date of HTTPS........ As soon as I have any news the very first thing I'll do is share it..... etc etc etc
And as for this comment:

rscott said:
Without knowing the inner details of how current content is created (hardcoded URLs, etc) it's not possible for someone to definitively state what's involved in changing the entire site to use https. Saying that as someone who has spent the past month working on migrating a bunch of barely maintained legacy sites written in anything from classic ASP to Java to PHP over to https...

That's not to say they couldn't have prioritised migrating the login page over, which would address the most urgent security concerns..
How dare you tarnish this forum with such a considered and reasonable post!

SonicShadow said:
It was incredibly short sighted to not address the HTTPS issue when they redesigned the login page recently.
Perhaps, although I imagine that it is far more likely that there was either a technical and / or business reason for not doing so.



SonicShadow

2,452 posts

155 months

Tuesday 24th January 2017
James Drake said:
Perhaps, although I imagine that it is far more likely that there was either a technical and / or business reason for not doing so.
Fair enough, I mean it's not like you've had years to sort this out or anything!

0000

13,812 posts

192 months

Tuesday 24th January 2017
If there's something the development team are struggling with, perhaps they could ask for help here?

rscott said:
Without knowing the inner details of how current content is created (hardcoded URLs, etc) it's not possible for someone to definitively state what's involved in changing the entire site to use https.
It doesn't really matter what the detail is. Even if they're hardcoded URLs everywhere that's trivial to fix. They could even just do the login page first.
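
The posts by rscott and 0000 above both turn on hardcoded URLs and on moving the login page first. As an added example (not part of the thread and not the site's own code), this audit of one template separates the three cases that decide the migration effort: subresources hardcoded to `http://` that would become mixed content, plain links, and password forms that post in cleartext or inherit the page's scheme. The names `HttpsAudit`, `audit` and `SAMPLE`, and the `example.invalid` host, are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action", "data"}  # attributes that fetch or submit

class HttpsAudit(HTMLParser):
    """Flag markup that blocks or weakens an HTTP -> HTTPS migration."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, line, detail)
        self._form = None    # [line, action, has_password] for the open <form>

    def handle_starttag(self, tag, attrs):
        line, a = self.getpos()[0], dict(attrs)
        if tag == "form":
            self._form = [line, a.get("action") or "", False]
            return           # forms are judged at </form>, once inputs are known
        if tag == "input" and (a.get("type") or "").lower() == "password" and self._form:
            self._form[2] = True
        for name in a.keys() & URL_ATTRS:
            url = a[name] or ""
            if urlsplit(url).scheme == "http":
                # <a href> only navigates; other tags load content into the page
                kind = "link" if tag == "a" else "mixed-content"
                self.findings.append((kind, line, f"<{tag} {name}={url!r}>"))

    def handle_endtag(self, tag):
        if tag != "form" or not self._form:
            return
        line, action, has_pw = self._form
        self._form = None
        scheme = urlsplit(action).scheme
        if has_pw and scheme == "http":
            self.findings.append(("cleartext-login", line, f"password posted to {action!r}"))
        elif has_pw and scheme == "":
            self.findings.append(("login-inherits-scheme", line, f"relative action {action!r}"))

def audit(source):
    parser = HttpsAudit()
    parser.feed(source)
    parser.close()
    return sorted(parser.findings, key=lambda f: f[1])

# Constructed sample template; example.invalid is a placeholder host.
SAMPLE = """<html><head>
<script src="http://www.example.invalid/js/site.js"></script>
<link rel="stylesheet" href="//static.example.invalid/site.css">
</head><body><a href="http://www.example.invalid/forum/">Forum</a>
<form method="post" action="http://www.example.invalid/login">
<input type="text" name="user"><input type="password" name="pw"></form></body></html>"""
```

A `login-inherits-scheme` finding means the form is only as safe as the page that serves it, so the login page itself has to be delivered over HTTPS, not just its POST target.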