Account login Security change

Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.
Well, not easier, since the key infrastructure would require some expansion. But, using HTTPS across the entire web would definitely be more secure.

Many attacks on the web consist of simply bulk monitoring and collection of unencrypted web traffic, and then later analysis for exploitation. An encrypted web means the bulk traffic collection would become irrelevant.
 
I'm very aware of what HTTPS requires (and does not require) on the server side - that's why I mentioned it seems like it would be easier. Cloudflare is already set up to handle SSL for *.escapeforum.org and all the Social Knowledge boards combined wouldn't put a noticeable amount of load on their infrastructure. On the vBulletin side, it seems like less work to just switch everything to https instead of doing custom work to have only some pages encrypted.
 
... the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.
The login challenge page is secured now, too.

The User CP page and some of the pages under it are now secure, but still the Edit Email & Password page (in which you enter your current and new passwords and e-mail addresses) is not secure (at least by default... see below). Like some others, I don't understand the piecemeal approach, but I assume that the administrators will take care of this one, too... and hopefully systematically review content under the User CP.

Amusingly, if you manually enter the transport in the URL (that is, type "HTTPS://" in front of "/www.escapeforum.org/forums/profile.php?do=editpassword") you can get the site to start providing this page (and presumably others) securely. Of course it would not be reasonable to expect users to manually trigger secure transport of individual pages.
 
