Account login Security change - Page 3 - Escape Trailer Owners Community

Old 01-05-2017, 09:55 AM   #21
Senior Member
 
Join Date: Jun 2014
Location: San Antonio, Texas
Trailer: 2015 19 "Past Tents", 2015 F150 Ecoboost
Posts: 5,828
Quote, originally posted by Defenestrator:
Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.
Well, not easier, since the key infrastructure would require some expansion. But, using HTTPS across the entire web would definitely be more secure.

Many attacks on the web consist of simply bulk monitoring and collection of unencrypted web traffic, and then later analysis for exploitation. An encrypted web means the bulk traffic collection would become irrelevant.
__________________
"You can't buy happiness, but you can buy an RV. And that is pretty close."
rbryan4 is offline   Reply With Quote
Old 01-05-2017, 04:38 PM   #22
Junior Member
 
Join Date: Sep 2016
Location: Redwood City, California
Trailer: 2017 Escape 19 (future)
Posts: 18
I'm very aware of what HTTPS requires (and does not require) on the server side - that's why I mentioned it seems like it would be easier. Cloudflare is already set up to handle SSL for *.escapeforum.org and all the Social Knowledge boards combined wouldn't put a noticeable amount of load on their infrastructure. On the vBulletin side, it seems like less work to just switch everything to https instead of doing custom work to have only some pages encrypted.
Defenestrator is offline   Reply With Quote
Old 01-05-2017, 05:16 PM   #23
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 7,782
Quote, originally posted by Brian B-P:
... the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.
The login challenge page is secured now, too.

The User CP page and some of the pages under it are now secure, but still the Edit Email & Password page (in which you enter your current and new passwords and e-mail addresses) is not secure (at least by default... see below). Like some others, I don't understand the piecemeal approach, but I assume that the administrators will take care of this one, too... and hopefully systematically review content under the User CP.

Amusingly, if you manually enter the transport in the URL (that is, type "HTTPS://" in front of "/www.escapeforum.org/forums/profile.php?do=editpassword") you can get the site to start providing this page (and presumably others) securely. Of course it would not be reasonable to expect users to manually trigger secure transport of individual pages.
Brian B-P is online now   Reply With Quote
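
An added example, not part of any post in this thread: one way to find the gap described in post #23, where a sensitive page is available over HTTPS but still served in the clear by default. The host `forum.example`, the page list other than `profile.php?do=editpassword`, the marker list and the recorded responses are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Assumed markers for pages that carry credentials or account data.
SENSITIVE = ("login", "usercp", "register", "do=editpassword")

# Constructed observations (not captured from any real site): the response to a
# plain http:// request for each page, taken without following redirects.
OBSERVED = [
    {"url": "http://forum.example/forums/login.php", "status": 301,
     "headers": {"Location": "https://forum.example/forums/login.php"}},
    {"url": "http://forum.example/forums/usercp.php", "status": 302,
     "headers": {"location": "https://forum.example/forums/usercp.php"}},
    {"url": "http://forum.example/forums/profile.php?do=editpassword",
     "status": 200, "headers": {}},
    {"url": "http://forum.example/forums/register.php", "status": 302,
     "headers": {"Location": "/forums/register.php?s=1"}},
    {"url": "http://forum.example/forums/index.php", "status": 200, "headers": {}},
]

def classify(rec):
    """Verdict for one plain-http request made without following redirects."""
    headers = {k.lower(): v for k, v in rec["headers"].items()}
    if rec["status"] in REDIRECTS and "location" in headers:
        # Resolve relative Location values against the requested URL first.
        target = urlsplit(urljoin(rec["url"], headers["location"]))
        return "upgraded" if target.scheme == "https" else "redirect-not-https"
    if 200 <= rec["status"] < 300:
        return "served-in-clear"
    return "other"

def is_sensitive(url):
    parts = urlsplit(url)
    haystack = (parts.path + "?" + parts.query).lower()
    return any(marker in haystack for marker in SENSITIVE)

def audit(records):
    """Return the sensitive URLs that the server left on plain http."""
    return [r["url"] for r in records
            if is_sensitive(r["url"]) and classify(r) != "upgraded"]

if __name__ == "__main__":
    for url in audit(OBSERVED):
        print("not upgraded to https:", url)
```
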
All times are GMT -5. The time now is 07:53 PM.


Powered by vBulletin® Version 3.8.8 Beta 4