SSL certificate?; Security is a must these days
Topic Started: Jan 18 2018, 07:17 AM (845 Views)
Bry.
Member
For the next update to the ZetaBoards platform, there is one thing that it should really make use of in the days of the modern web... an SSL certificate or in simpler terms, something to make it more secure at least. Every time I'm on any ZetaBoards forum, Firefox (and Chrome) would complain that the connection to the server is not secure and that sensitive information (such as passwords and emails) could be compromised. I know that Comodo and Let's Encrypt can offer SSL certificates for free but I don't know for sure if this forum software can take to them, or something else for that matter.

I think that with technology and the internet rapidly evolving as we know it, we really need this when all other forum softwares have it too (heck, even Tapatalk has that too). I mean, what's going to happen if one day, someone gets their forum hacked or suffers a DoS attack? Just a thought, and I'm hoping it becomes a reality soon enough.
 
sugarpuff
Member
Good idea. :up:

Another thing that would be good is an auto img resizer. So in the acp there is an option to tick a box, so that any images posted are auto resized to stop the board stretching. Would be handy instead of having to add a code.
 
Helena
M is for Mod

The change to https for logins is in the works, as there is pressure on everyone because of the browser warnings to comply with this internet move. The warnings create the perception that ZetaBoards logins have somehow now become insecure. However, nothing has actually changed to make your login less secure.

Password security is still dependent upon creating a good password and having a good and unique password for the email account attached to your admin accounts.
 
Bry.
Member
Okay, good to know. Hope this will be rolled out soon enough :)

So now, we're all spared of the unnecessary paranoia then :P
 
Helena
M is for Mod

Indeed. It's a manufactured crisis. It is important for logins on banking sites, for instance, to have the https encryption for user confidence, but not as important for message board communities. Nonetheless, the change is in process of being implemented.
 
Brobst
Member
sugarpuff
Jan 18 2018, 11:29 AM
Another thing that would be good is an auto img resizer. So in the acp there is an option to tick a box, so that any images posted are auto resized to stop the board stretching. Would be handy instead of having to add a code.
This. A thousand times, THIS. :D I feel like I spend way too much time daily resizing photos that are gigantic.
 
Tony
If found, please report missing.

Helena
Jan 18 2018, 02:03 PM
Indeed. It's a manufactured crisis. It is important for logins on banking sites, for instance, to have the https encryption for user confidence, but not as important for message board communities. Nonetheless, the change is in process of being implemented.
To further this, Sir Tim himself has issues with https. He regretted it, and preferred they rolled the whole thing into http. https does not make anything more secure. You as the user need to be diligent with what information you give / use / insert, and where.

This is a good quick read: https://www.w3.org/DesignIssues/Security-NotTheS.html

Browser companies have taken to pushing end users to believe the little green padlock makes everything safe and warm, when in fact it does the opposite. Don't log in to your bank on an open network (school, work, cafe, coffee shop, roaming the streets, etc.), https or not (data can be decrypted by people willing to put the effort in (criminals, identity thieves, etc.)). Data at both ends (the user and the server) is the most at risk, even with https.

If you are using https, you need to understand why. Just because the s is there, it doesn't mean the appropriate level of encryption is. Free SSL certificates (Let's Encrypt and others) are domain validated certificates. This only shows that the individual with the certificate 'owns' the domain (thus making them ideal for phishing.) DV certificates 'offer' the basic encryption of data, because it is built into https. They do nothing for securing anything else.

The use of encryption on forums and weblogs etc. is moot, given that the majority of the data you send is publicly viewable (access restrictions notwithstanding.)

Side note for anyone with a good eye, before you point it out: I set https on my weblog due to logged errors, with the way my .htaccess is set up. The same content is provided on both http and https, and comments are public. There is also no way to log in (custom bloggeh for the win!11!1.)

- - -

As an aside, for anyone relying on https everywhere add-ons, you need to be aware that the switch to https is not automagic™. Only sites on a whitelist will try a secure connection first. This becomes dangerous when users stop diligently checking the address bar, and just assume everything is okay, or the website they connected to doesn't have a secure connection.
 
Pete B
Member
Tony
Jan 18 2018, 04:56 PM
To further this, Sir Tim himself has issues with https. He regretted it, and preferred they rolled the whole thing into http. https does not make anything more secure.
I read the article. It seems more like he's disagreeing with the way encryption was introduced, not that encryption itself is useless.

Quote:
 
Don't log in to your bank on an open network (school, work, cafe, coffee shop, roaming the streets, etc.), https or not (data can be decrypted by people willing to put the effort in (criminals, identity thieves, etc.)). Data at both ends (the user and the server) is the most at risk, even with https.

If the https is useless then surely the open network you're on is the least of your worries?

Quote:
 
The use of encryption on forums and weblogs etc. is moot, given that the majority of the data you send is publicly viewable (access restrictions notwithstanding.)

Eh, I disagree. To log into a ZB you must submit your email address and password in the clear. Best practice is to use a separate password for all your accounts; how many people actually do that? You've just exposed your email-password combination to the world.

Another example could be your birthday. On ZB you can set your birthday to be private on your profile, but you do need to enter the full date for age verification purposes. When you do that update, you've sent your full birthday over the internet, in the clear.

... oh and since ZB introduced Cloudflare, God knows how your data is being routed ...
 