(RESOLVED) Will it ever be implemented? HTTPS


AndrewEH1

4,917 posts

154 months

Wednesday 25th January 2017
Tonsko said:
Well, if you use the 'What's New' button, it will have been on the front page for a week or so anyway!
The problem is 90% of the population has no idea what https is and why http is so poor in comparison so this thread is probably ignored by most. I'm thinking "PistonHeads forum not secure - change your passwords"

SonicShadow

2,452 posts

155 months

Wednesday 25th January 2017
GreigM said:
Yep, I got one as well. The irony being the post I had deleted specifically warned people not to do it on a public network.

A note for whoever did the deletion - what we were discussing is not illegal in any way so long as you are doing it on your own wifi (as my deleted post highlighted). This smacks of a cover up rather than deal with the issue being discussed.
Not surprising they deleted a practical demonstration of their incompetence.

bitchstewie

51,548 posts

211 months

Wednesday 25th January 2017
James Drake said:
I'm not quite sure how you can say the communication is either non-existent or defensive. Whilst we've been inconsistent with replying, we have been involved in this thread since it started. Any lack of replies is - as I've already said - purely down to a lack of information to share. And as for being defensive, you can't have read what I've said.
Going off the way you've apparently removed posts on how to use WireShark I think you've kind of proved my point tbh, at least on the defensive piece.

This thread is a masterclass on how not to deal with an issue and how to stuff up how you communicate and connect with your customers - though I appreciate the Haymarket view might be that we're not customers we're the product.

PoleDriver

28,651 posts

195 months

Wednesday 25th January 2017
GreigM said:
Yep, I got one as well. The irony being the post I had deleted specifically warned people not to do it on a public network.

A note for whoever did the deletion - what we were discussing is not illegal in any way so long as you are doing it on your own wifi (as my deleted post highlighted). This smacks of a cover up rather than deal with the issue being discussed.
Not playing the Devil's advocate here but, despite the caveat you attached, the link you gave in your post would enable people to do something illegal and they may not have known about the software before! (It does work BTW wink)

And yes, HM's laid-back attitude about this is not giving us any confidence in their desires to rectify the problem!

Vaud

50,665 posts

156 months

Wednesday 25th January 2017
dudleybloke said:
Does Tarzan know about this problem?
Try his son?



As executive chairman he may want to know (in layman terms, no techie terms) that Pistonheads has a material risk for:

  • Having user details compromised at scale and the legal & reputation ramifications that it would entail
  • Risk a significant compliance fine from the regulator for ongoing use of Phonesafe in the way they are using it
That these points have been raised repeatedly by a caring community of loyal and caring Pistonheads without any meaningful management response, and that he may wish, given his role and responsibilities to the board, to refer it to the Audit and Risk Committee for review (which will be headed by a non-executive director) to ensure that both the issues are understood (they may, ultimately, wish to accept the risks) and that the right review/management controls are in place.

Should anyone wish to do this, then I suggest keeping it short, polite and with the material points outlined in such a way that an exec can understand the risks to the business rather than the technical aspects.

thebraketester

14,261 posts

139 months

Wednesday 25th January 2017
I've just sent Haymarket an email

GreigM

6,732 posts

250 months

Wednesday 25th January 2017
PoleDriver said:
Not playing the Devil's advocate here but, despite the caveat you attached, the link you gave in your post would enable people to do something illegal and they may not have known about the software before! (It does work BTW wink)

And yes, HM's laid-back attitude about this is not giving us any confidence in their desires to rectify the problem!
I didn't provide any links.

Also being devil's advocate. Driving a car at >70mph is illegal on the roads, but not on tracks. The act itself is not illegal so long as you do it in the appropriate environment.

People who want to do bad stuff on the internet already know how to do this - it is very basic. This thread was more about educating the non-malicious users of this site about quite how insecure it is.

DanL

6,233 posts

266 months

Wednesday 25th January 2017
I'm going to start by saying I'm nothing to do with PH... smile Having done that, I'm going to state my assumptions why this hasn't happened.

HTTPS simply isn't going to be a priority for them, and for two obvious reasons:
1. Lack of HTTPS clearly doesn't limit the forums' popularity, and it's not going to stop new members signing up.
How many members really care about HTTPS for log in? I'm betting close to zero when expressed as a percentage, because most non-IT people don't have a clue what it means. They think of it as being for when you're ordering stuff on line, not logging on to something.

2. Having it isn't going to generate any new revenue.
Put yourself in the position of a product manager - you have an asset that's generating revenue, and you have a limited number of developer days to tinker with the asset. Your directive from above is to increase profitability of the asset, which is best done by getting new members - you'll have some assumption that a certain percentage of users will spend money with you, plus more users should equal more advertising revenue in general, so more members = more money.

You can either make adverts better / slicker / easier to place, improve the look and feel of the site, etc. or fiddle around doing something technical that a handful of geeks (no offence!) have complained about. I hate to break it to you, but I wouldn't be implementing HTTPS as a priority either. Maybe I'd want to do so when Google do flag sites as unsafe if they don't use it, but until then where's the motivation compared to the other stuff?

As for forum members asking for the names of developers, etc. and demanding that heads roll - frankly that's none of your business, and the idea that someone on a forum should have any insight into the business or input into how it's run is laughable. You're not even a paying customer! I'll bet someone's going to say they paid to advertise their car or something, but honestly - we don't individually contribute enough to the bottom line to be important.

So, be realistic - you care about this. It's important to you. You might even be right. However, unless it's a super quick configuration change with the existing hardware and software they have (and I'll bet it isn't or they'd have just done it by now) it's not going to happen any time soon.

AndrewEH1

4,917 posts

154 months

Wednesday 25th January 2017

WinstonWolf

72,857 posts

240 months

Wednesday 25th January 2017
thebraketester said:



Well... there is a very easy way to sort it out.... seriously you guys are a joke.
YOU CANNOT BE SERIOUS. Oh, they are...

thebraketester

14,261 posts

139 months

Wednesday 25th January 2017
AndrewEH1 said:
Shots fired....

bitchstewie

51,548 posts

211 months

Wednesday 25th January 2017
AndrewEH1 said:
You didn't post that did you? Someone must have found out your password.

AndrewEH1

4,917 posts

154 months

Wednesday 25th January 2017
bhstewie said:
You didn't post that did you? Someone must have found out your password.
biggrin

Prizam

2,346 posts

142 months

Wednesday 25th January 2017
WinstonWolf said:
thebraketester said:



Well... there is a very easy way to sort it out.... seriously you guys are a joke.
YOU CANNOT BE SERIOUS. Oh, they are...
I had this one too.

What's the betting that if I sniffed enough passwords, one of them would be the same as the Haymarket AWS account. I could then get in and fix the problem for them.



Prizam

2,346 posts

142 months

Wednesday 25th January 2017
DanL said:
I'm going to start by saying I'm nothing to do with PH... smile Having done that, I'm going to state my assumptions why this hasn't happened.

HTTPS simply isn't going to be a priority for them, and for two obvious reasons:
1. Lack of HTTPS clearly doesn't limit the forums' popularity, and it's not going to stop new members signing up.
How many members really care about HTTPS for log in? I'm betting close to zero when expressed as a percentage, because most non-IT people don't have a clue what it means. They think of it as being for when you're ordering stuff on line, not logging on to something.

2. Having it isn't going to generate any new revenue.
Put yourself in the position of a product manager - you have an asset that's generating revenue, and you have a limited number of developer days to tinker with the asset. Your directive from above is to increase profitability of the asset, which is best done by getting new members - you'll have some assumption that a certain percentage of users will spend money with you, plus more users should equal more advertising revenue in general, so more members = more money.

You can either make adverts better / slicker / easier to place, improve the look and feel of the site, etc. or fiddle around doing something technical that a handful of geeks (no offence!) have complained about. I hate to break it to you, but I wouldn't be implementing HTTPS as a priority either. Maybe I'd want to do so when Google do flag sites as unsafe if they don't use it, but until then where's the motivation compared to the other stuff?

As for forum members asking for the names of developers, etc. and demanding that heads roll - frankly that's none of your business, and the idea that someone on a forum should have any insight into the business or input into how it's run is laughable. You're not even a paying customer! I'll bet someone's going to say they paid to advertise their car or something, but honestly - we don't individually contribute enough to the bottom line to be important.

So, be realistic - you care about this. It's important to you. You might even be right. However, unless it's a super quick configuration change with the existing hardware and software they have (and I'll bet it isn't or they'd have just done it by now) it's not going to happen any time soon.
Next year, when GDPR comes in... it will cost them 4% of all revenue across the Haymarket group. No ifs, no buts! Instant fine.

feef

5,206 posts

184 months

Wednesday 25th January 2017
Prizam said:
WinstonWolf said:
thebraketester said:



Well... there is a very easy way to sort it out.... seriously you guys are a joke.
YOU CANNOT BE SERIOUS. Oh, they are...
I had this one too.

What's the betting that if I sniffed enough passwords, one of them would be the same as the Haymarket AWS account. I could then get in and fix the problem for them.
Even the AWS management account has two factor auth these days tho.

Prizam

2,346 posts

142 months

Wednesday 25th January 2017
feef said:
Even the AWS management account has two factor auth these days tho.
Yes... IF you set it up / turn it on.

Order66

6,732 posts

250 months

Wednesday 25th January 2017
Prizam said:
feef said:
Even the AWS management account has two factor auth these days tho.
Yes... IF you set it up / turn it on.
I think that is overkill - two factor auth gets on my tits. I can accept it for my bank and other stuff where money is involved, but for PH it would be too much hassle. Just basic https would be fine thanks. Whenever I need to look at my vodafone bill it does my head in that I need to piss about getting a text code from them.

DanL

6,233 posts

266 months

Wednesday 25th January 2017
Prizam said:
Next year, when GDPR comes in... it will cost them 4% of all revenue across the Haymarket group. No ifs, no buts! Instant fine.
Assuming you're right (I don't know what GDPR is) then that's the motivation to address it from a business perspective. It also tells you they've got a touch under 12 months to get around to it...

Usget

5,426 posts

212 months

Wednesday 25th January 2017
Hadn't realised this was still rumbling on, so I'm checking into the thread for updates.

The messages from James Drake really shock me to be honest. Any IT PM knows that "I don't know" simply isn't an answer. If you don't know, why not? If the Devs won't give you a fixed-by date, why not? What's the blocker? Who can help to resolve it?

If I went into a stakeholder meeting and delivered those updates, I'd be verbally torn a new one.