AT needs https

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Seriously. If I log in while connected to a public network, someone else there could get my password. Even if I don't enter my password, they could intercept the cookie and the stored session ID.
 

Lithium381

Lifer
May 12, 2001
12,452
2
0
I would love HTTPS! As it is, when I'm in public places or at work I connect via VPN so they can't see my shenanigans! Especially in P&N!
 

mikeymikec

Lifer
May 19, 2011
21,079
16,303
136
To protect our cleartext passwords.

I wonder if the servers could handle the load, though.

The most likely threat to password security (apart from picking poor passwords) is how the passwords are stored on the server, not how they're transmitted.

Aside from that, this is a forum, not an e-commerce site or an on-line banking site or an e-mail facility. Anyone sharing passwords between this site and any of the types I just mentioned is a complete and utter idiot. So if someone managed to compromise the server's password list, the forum users' responses should be, "oh dear, I'll have to change my password when they've sorted the problem. Isn't life such a drag".

I can think of a number of problems that this site has, and if I maintained the server(s), offering SSL access to the forums would have a priority of "wouldn't that be nice" and "maybe I'll get around to that right around half past never". There's so many more worthwhile things that ought to or have to be done and offering SSL access doesn't really do anything worthwhile.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
To protect our cleartext passwords.

I wonder if the servers could handle the load, though.
Passwords aren't transmitted in the clear. They're encrypted before they're even sent off (and then encrypted again).
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Passwords aren't transmitted in the clear. They're encrypted before they're even sent off (and then encrypted again).

Doesn't matter. Snoops can just capture the whole cookie and keep the login state.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Doesn't matter. Snoops can just capture the whole cookie and keep the login state.
Yeah, the cookies can be captured, I didn't say otherwise. The comment was about the password; passwords are never passed in the clear in vB.
 

Red Squirrel

No Lifer
May 24, 2003
70,642
13,821
126
www.anyf.ca
HTTPS would be super easy to implement, but I've seen plenty of other things that are easy to implement either not get done, or take 5 years to do, so I would not hold my breath. :p
 

Vic Vega

Diamond Member
Sep 24, 2010
4,535
4
0
It's hard to believe that a "technical" website which writes IT "articles" (storage, servers, etc) they expect us to take seriously would lack this basic standard in 2013. I would think that would be an embarrassment for the owners.
 

lxskllr

No Lifer
Nov 30, 2004
60,165
10,626
126
Everything should be encrypted. It's good policy, and if nothing else, it helps hide truly sensitive data in a field of noise.
 

mikeymikec

Lifer
May 19, 2011
21,079
16,303
136
It's hard to believe that a "technical" website which writes IT "articles" (storage, servers, etc) they expect us to take seriously would lack this basic standard in 2013. I would think that would be an embarrassment for the owners.

Adding workload (admin time as well as system resources) to provide a pointless service would be the only embarrassing element I can see here.

Everything should be encrypted. It's good policy, and if nothing else, it helps hide truly sensitive data in a field of noise.

I think that if someone was eavesdropping, the fact that packets are heading towards a forum site would be enough clue that there isn't anything interesting going on. Though I suppose that someone could use the private messaging system to communicate non-forum-related (and interesting to the eavesdropper) content, but surely once you establish that, it's easier to go to the people who run the site to enquire about a particular IP address rather than spend time eavesdropping (or penetrate the end user's PC). Either going for the client or the server renders SSL pointless.
 

Red Squirrel

No Lifer
May 24, 2003
70,642
13,821
126
www.anyf.ca
It's hard to believe that a "technical" website which writes IT "articles" (storage, servers, etc) they expect us to take seriously would lack this basic standard in 2013. I would think that would be an embarrassment for the owners.

Yeah and let's not forget the weekly "maintenance" LOL. WTF kind of tech site has to go down for half a day? I wonder how much ad revenue has been lost because of all the downtime this place gets.

As for adding workload... LOL. We're talking about a couple hours of work here.
 

lxskllr

No Lifer
Nov 30, 2004
60,165
10,626
126
I think that if someone was eavesdropping, the fact that packets are heading towards a forum site would be enough clue that there isn't anything interesting going on.

Or maybe there is something interesting. Perhaps I'm sending a pm, or maybe I'm using an onsite chatbox. Perhaps that chatbox is pseudo-anonymous. Maybe the whole thing is open, but I don't want real world people of any kind to know my online identity.

There's many reasons to encrypt data. Some are important, and some are trivial, but it's just good practice and policy to encrypt everything.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Passwords aren't transmitted in the clear. They're encrypted before they're even sent off (and then encrypted again).

Only if you have JavaScript enabled, and even then they aren't encrypted at all; they are simply hashed. Having the hashed password is as good as having the plaintext password if all they want is to gain access to this account.
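
The point argued in the posts above, as an added example that is not part of the original thread: a toy login model showing that a client-side hash sent over plain HTTP is itself the credential, that a per-login nonce only stops reuse of the login message, and that the session cookie remains reusable either way. The class names, the use of SHA-256 and the sample password are assumptions made for illustration and do not reproduce the forum software's actual scheme.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample value

def client_hash(password):
    """What the login form's script sends in place of the typed password."""
    return hashlib.sha256(password.encode()).hexdigest()

def respond(nonce, password):
    """Client answer to a server challenge: HMAC over the nonce, keyed by the hash."""
    return hmac.new(client_hash(password).encode(), nonce.encode(), "sha256").hexdigest()

class StaticHashServer:
    """Accepts the client-side hash directly, so the hash is the credential."""
    def __init__(self, password):
        self.stored = client_hash(password)
        self.sessions = set()
    def login(self, submitted):
        if not hmac.compare_digest(submitted, self.stored):
            return None
        sid = secrets.token_hex(16)          # session ID handed back as a cookie
        self.sessions.add(sid)
        return sid
    def is_logged_in(self, cookie):
        return cookie in self.sessions

class ChallengeServer(StaticHashServer):
    """Binds each login to a single-use nonce, so a recorded login message expires."""
    nonce = None
    def challenge(self):
        self.nonce = secrets.token_hex(16)
        return self.nonce
    def login(self, response):
        nonce, self.nonce = self.nonce, None  # consume the nonce
        if nonce is None:
            return None
        expected = hmac.new(self.stored.encode(), nonce.encode(), "sha256").hexdigest()
        return super().login(self.stored) if hmac.compare_digest(response, expected) else None

def replay_results():
    """Return (static hash reusable?, nonce response reusable?, cookie reusable?)."""
    static = StaticHashServer(PASSWORD)
    seen = client_hash(PASSWORD)              # value visible on an unencrypted link
    static.login(seen)                        # the owner's login
    static_reuse = static.login(seen) is not None
    chal = ChallengeServer(PASSWORD)
    seen = respond(chal.challenge(), PASSWORD)
    cookie = chal.login(seen)                 # the owner's login
    chal.challenge()                          # a later login gets a fresh nonce
    nonce_reuse = chal.login(seen) is not None
    return static_reuse, nonce_reuse, chal.is_logged_in(cookie)
```

Neither login scheme changes the third result; only encrypting the whole connection keeps the cookie off the wire.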
 

mikeymikec

Lifer
May 19, 2011
21,079
16,303
136
Or maybe there is something interesting. Perhaps I'm sending a pm, or maybe I'm using an onsite chatbox. Perhaps that chatbox is pseudo-anonymous. Maybe the whole thing is open, but I don't want real world people of any kind to know my online identity.

There's many reasons to encrypt data. Some are important, and some are trivial, but it's just good practice and policy to encrypt everything.

I edited my previous post a couple of minutes before you posted, so I've addressed part of what you've said already. As for encrypting everything, when there are enough clues in the packet source and destination information that have to remain unencrypted, "everything" isn't really possible, and IMHO from an eavesdropper POV (insert the usual state-type suspects here depending on your country), those are the important bits. As I said before, if the eavesdropper is more interested after that, then she should go after the source or the target of the data.

There are other organisations (apart from government types) that would possibly be inclined to eavesdrop. The criminal element gets by well enough with easy tricks so eavesdropping largely isn't necessary. The traffic they would really like to get their hands on is the currently encrypted traffic, so they would be looking for a way to break the encryption (again, attacking the user or target end is probably easier than looking for a way to break SSL encryption). Media tactics that I'm aware of have been similar to criminal tactics (the easy ways are often the best).
 

lxskllr

No Lifer
Nov 30, 2004
60,165
10,626
126
...and IMHO from an eavesdropper POV (insert the usual state-type suspects here depending on your country), those are the important bits. As I said before, if the eavesdropper is more interested after that, then she should go after the source or the target of the data.

It doesn't have to be as grandiose as a nation state, or organized crime attack. It might just be a 1337 haxxor in a coffee shop sniffing credentials. Some sites use email as a user name, and combined with a password, that potentially gives you a lot of data for more than that site. You can argue what people should and shouldn't do regarding password strength, and reusing passwords all day long, but that won't stop people from doing the Wrong Thing®. Encrypting traffic helps protect people from themselves at little cost.
 

Vic Vega

Diamond Member
Sep 24, 2010
4,535
4
0
Adding workload (admin time as well as system resources) to provide a pointless service would be the only embarrassing element I can see here.

Well, no one here has accused you of being worth listening to. Your post shows a fundamental lack of understanding.