(RESOLVED) Will it ever be implemented? HTTPS



hornetrider

63,161 posts

205 months

Wednesday 30th November 2016
Tankrizzo said:
Daft though really, the ads are all iframed in so I get that they have to have these HTTPS first before the main site else they'll hit the insecure content warning (iframes, yuk!)

But surely any ad company worth its salt can serve both secure and insecure channels? As a test, I just took 5 of the ads from the main site and requested the same ad under HTTPS specifically - each ad is served absolutely fine.

Surely this is trivial to switch over if you're using a centralised ad system? Then you just change IIS or your load balancer to use a HTTPS cert and force all bookmarked insecure requests to bounce to HTTPS, job done.
I suspect this is all Greek to the PH Crew

Prizam

2,335 posts

141 months

Wednesday 30th November 2016
These guys https://letsencrypt.org/ do certificates for free and are having a big drive to get the internet 100% HTTPS.

They are backed by the big browsers who also want 100% HTTPS. Soon (probably mid to late next year), any logins that are not HTTPS will throw up all sorts of warnings in browsers and, rightly so, discourage users from logging on or passing any credential insecurely.


This is not a new thing, has been a project on the go now for years, and should not come as any surprise.


I would cordially suggest that your January implementation does not slip. This really is not a complex site.

SonicShadow

2,452 posts

154 months

Wednesday 30th November 2016
Commenting so I remember to check in 1 year's time when this still hasn't been sorted.

Tankrizzo

7,269 posts

193 months

Wednesday 30th November 2016
anonymous said:
[redacted]
It'd be better to load the entire form standalone over HTTPS wouldn't it? Surely I could set up my own hotspot in a free wifi area and modify the form action to whatever I want, as it's loaded over HTTP.

But yes it would be a start frown
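
Added example, not part of any post in this thread: a small audit for the two problems raised above, a login form whose page is itself loaded over HTTP (so its markup and form action can be rewritten in transit) and HTTP iframes that trigger the insecure-content warning on an HTTPS page. The host names and sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginPageAudit(HTMLParser):
    """Flag login forms and embedded frames that travel over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlparse(page_url).scheme == "https"
        self.form_action = None  # resolved action of the <form> being parsed
        self.findings = []

    def _flag(self, kind, url):
        if (kind, url) not in self.findings:
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if not self.page_secure:
                # The markup itself can be rewritten in transit, so an
                # https:// action on this form protects nothing.
                self._flag("login-form-on-http-page", self.page_url)
            target = self.form_action or self.page_url
            if urlparse(target).scheme != "https":
                self._flag("credentials-posted-over-http", target)
        elif tag in ("iframe", "script") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if self.page_secure and urlparse(src).scheme == "http":
                self._flag("mixed-content", src)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, html):
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample pages (forum.example and ads.example are placeholders).
HTTP_LOGIN = '<form action="https://forum.example/auth"><input type="password" name="p"></form>'
HTTPS_LOGIN = ('<iframe src="http://ads.example/slot1"></iframe>'
               '<form action="/auth"><input type="password" name="p"></form>')
```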

GreigM

6,728 posts

249 months

Friday 2nd December 2016
Come on PH - absolutely inexcusable in this day and age to not have this sorted in 3 minutes flat. If it is proving to be a technical issue you need to pay the money for better techies.

VEA

4,785 posts

201 months

Friday 2nd December 2016
GreigM said:
Come on PH - absolutely inexcusable in this day and age to not have this sorted in 3 minutes flat. If it is proving to be a technical issue you need to pay the money for better techies.
Laughable isn't it.

crmcatee

5,694 posts

227 months

Friday 2nd December 2016
Anyone else get the impression that the 'development team' are currently searching on google 'how to implement https' followed shortly by extensive use of cut and paste.

I personally get the impression that support for the forum is on a wing and prayer - since it's not ad related directly no-one at Haymarket gives a damn. No-one seems to be able to respond dynamically; perhaps support has been outsourced to India and requests for fixes are put in a queue; who knows?

HTTPS is a doddle to install but they're currently blaming the ad team for what I don't know apart from not doing any verification on the ads they serve so people get pissed off and install ad blockers; I'd say that they were compulsory for surfing PH but that's just me.

Stop finger pointing and get it done.

bitchstewie

51,207 posts

210 months

Friday 2nd December 2016
I think it's a bit naughty to knock the dev team but whoever is supposed to be in charge of communicating with customers does need to take a bit of a look at things.

crmcatee

5,694 posts

227 months

Friday 2nd December 2016
bhstewie said:
I think it's a bit naughty to knock the dev team but whoever is supposed to be in charge of communicating with customers does need to take a bit of a look at things.
It is, you're right - but then again - PH isn't listening, perhaps the development team should also push it upwards. No disrespect to Jack but he's just the latest messenger.

I would be interested to see the list of items that PH members suggested many months ago as improvements/developments to the site against which ones had actually been completed.

Prizam

2,335 posts

141 months

Friday 16th December 2016
Bumpity Bump so you don't forget..

https://medium.servertastic.com/google-confirm-chr...


If you like, I could start capturing user login details and posting them here for you?

lewisco

380 posts

119 months

Friday 16th December 2016
This should be a no-brainer these days with Let's Encrypt.

thebraketester

14,227 posts

138 months

Friday 16th December 2016
Prizam said:
Bumpity Bump so you don't forget..

https://medium.servertastic.com/google-confirm-chr...


If you like, I could start capturing user login details and posting them here for you?
Well.... that might just get them to listen.

SonicShadow

2,452 posts

154 months

Sunday 18th December 2016
Prizam said:
Bumpity Bump so you don't forget..

https://medium.servertastic.com/google-confirm-chr...


If you like, I could start capturing user login details and posting them here for you?
If you can snag a PH staff member login they might listen!

All that jazz

7,632 posts

146 months

Tuesday 20th December 2016
RacingPete said:
It hit a bottle neck on ad serving which is currently being resolved with a January deadline.
11 days to go Pete. Can't wait! clap

768

13,680 posts

96 months

Tuesday 20th December 2016
Yeah, right. hehe

feef

5,206 posts

183 months

Tuesday 20th December 2016
Took me an afternoon to secure one of my sites over https.

I'm sure the issue is the ad revenue.

Seems a common theme, that advertising revenue is more important than user security

All that jazz

7,632 posts

146 months

Tuesday 20th December 2016
Pete will not let us down. He is da man and promised that it will be in place before January lands. yes

sunbeam alpine

6,945 posts

188 months

Tuesday 20th December 2016
Is it a big problem? The login/password combination I use is only for here and the e-mail address linked to it is only used for this site.


feef

5,206 posts

183 months

Tuesday 20th December 2016
sunbeam alpine said:
Is it a big problem? The login/password combination I use is only for here and the e-mail address linked to it is only used for this site.
It could allow established and legitimate accounts to be used to create scam adverts, for example.
Not to mention that many folk still follow the rather bad practice of using the same username and password for multiple sites.

Tonsko

6,299 posts

215 months

Tuesday 20th December 2016
sunbeam alpine said:
Is it a big problem? The login/password combination I use is only for here and the e-mail address linked to it is only used for this site.
Well, if it was HTTPS, it's not just about encryption. There is the 'non-repudiation' aspect of it. By that I mean, I have discovered at least one fake Pistonheads-looking login page hosted on WordPress blogs around the world (was a Brazilian photographer's blog) that have been hacked. When the user enters the username/password it stashes those credentials in a plain text file and redirects the user to the correct PH site. The user thinks they maybe mis-typed their password. This file is there ready for the malicious attacker to harvest at their leisure with no password cracking needed. If PH was running HTTPS, it would be clear to the user that the site was fake, as the login page would not hold the same certificate as PH and thus the user would be told that the site wasn't genuine, and maybe stop another route of credential theft.

Edited by Tonsko on Tuesday 20th December 11:23