Started by prissi, November 22, 2015, 07:39:52 PM
Quote from: prissi on November 22, 2015, 07:39:52 PM
Currently https:/forum.simutrans.com leads to a non-https, interesting entry page (probably the 404 for this server?)
Quote from: Ters on November 22, 2015, 08:47:14 PM
I'm also a bit surprised that they give out certificates for free and so easily, when it was my understanding that proving that one really is who one says is very complicated in order to be trustworthy. If this really is trustworthy, every other CA should be out of business in an instance.
Quote from: Isaac.Eiland-Hall on November 22, 2015, 09:31:22 PM
When https was first rolled out, it was envisioned for rare events - a credit card purchase, for example. But these days, we've realized that any site that requires a password should use it. The philosophy is that this latter usage is more important - that it doesn't so much matter who the server is, but rather to provide a secure connection. Also, it's not a good way of preventing attacks on the web - that certificate authorities don't have the resources or methods to keep track of who is illegitimate.
Quote from: prissi on November 22, 2015, 10:50:37 PM
The script needs root access, because in order to get the automatic certificate, it must access the web server settings, save files in /etc (the certificate key), and (most important) to automatically prove you control the server for the free (because automatic) certificate you have to show a specific file with a specific message to the server of the CA.
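The "specific file with a specific message" prissi describes is the ACME HTTP-01 challenge (RFC 8555, section 8.3). The Python below is an added illustration, not code from this thread or from any ACME client: it simulates both the CA and the client side, with a dict standing in for the web server's document root and a constructed placeholder account key, so it runs offline.

```python
import base64
import hashlib
import json
import secrets

# Simulated ACME HTTP-01 flow. The CA hands out a random token; the client must
# publish token.<thumbprint of its account key> at a well-known HTTP path; the CA
# fetches it and compares. Only whoever holds the account key used to request the
# certificate can produce the right file, which is what "proves control".


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y") if k in jwk}
    canon = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())


def ca_issue_challenge() -> str:
    """CA side: a fresh random token the client must publish."""
    return b64url(secrets.token_bytes(32))


def client_respond(webroot: dict, token: str, account_jwk: dict) -> str:
    """Client side: write the key authorization under /.well-known/acme-challenge/."""
    key_auth = f"{token}.{jwk_thumbprint(account_jwk)}"
    webroot[f"/.well-known/acme-challenge/{token}"] = key_auth
    return key_auth


def ca_validate(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the path over plain HTTP and compare in constant time."""
    body = fetch(f"/.well-known/acme-challenge/{token}")
    expected = f"{token}.{jwk_thumbprint(account_jwk)}"
    return body is not None and secrets.compare_digest(body.strip(), expected)


def run_demo(honest: bool = True) -> bool:
    """Return True when the CA accepts the published file. Keys are constructed placeholders."""
    requester = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    someone_else = dict(requester, x="other-x")
    webroot: dict = {}
    token = ca_issue_challenge()
    # If someone without the requester's account key writes the file, it will not match.
    client_respond(webroot, token, requester if honest else someone_else)
    return ca_validate(webroot.get, token, requester)
```

The validation fetch happens over plain HTTP on port 80, which is why the challenge file must be reachable on the web root the server actually serves.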
Quote from: Ters on November 23, 2015, 06:26:13 AM
If all you need is to encrypt the communication without caring who is on the other side, you can just use self-signed certificates. However, without confirmation that the other side isn't someone else, encryption is pointless.
Quote from: prissi on November 22, 2015, 10:50:37 PM
About the beta static: You do not have to wait (at least according to the magazine), you can just download the software from git directly. (Means of course that there must be git on the server.)
Quote from: DrSuperGood on November 22, 2015, 09:37:55 PM
Does one need such security? Yes your Simutrans account might be compromised, the hackers might do... Uhhh... Post naughty messages with it! As far as I am aware this site is and should not be dealing with very sensitive information, the kind of information that requires decent security. I would advise enabling https for people who want to feel secure, but beyond that no further actions with http still used. Maybe put up a banner if people use http recommending the "more secure" https protocol but more than that really is not needed. The worst case scenario would probably be the compromise of an admin account giving advertisement robots a free run at the site until the server owners manually override the account. This would be solved with https since the admins and mods should know of that and be using it over the then "obsolete" http.
Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
And self-signed certificates pop up a warning in the browser that scares people.
Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
And encryption is not pointless: http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/
Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
Many users reuse passwords across multiple sites. It's quite possible that someone might reuse a banking password that got captured and used. Your worst case scenario is most definitely not the worst case scenario by any means. I frankly don't feel like trying to write up a real worst case scenario, but there are lots of personal details in the database that would not do well to be exposed. And never mind someone logging in as admin and putting ads or making posts, but how about deleting all of the forum? And nobody has suggested the forcible use of https, nor will it be done; at least certainly not in the foreseeable future.