HTTPS

[runfrodorun]

Quote:

Originally Posted by Ultramaroon

Meh. Don't use this password for anything else and don't post anything you don't want the whole world to see.

Problem solved.

There's more you can do without HTTPS than just steal info. HTTPS guarantees that only the server can decrypt the message to it, and only the particular client can decrypt the message from the server. Without that guarantee, then anyone can intercept messages coming back from the server to you and modify them and you would not know.

So for example, I just met up with somebody from the forums last night. It could have been a gang that fed me a false location and phone number by intercepting my request to the server to load the message that he gave me and modified it before it was displayed on my screen, and then stabbed me and took my car after meeting up somewhere. Extreme example, but there are creative people that could probably find a successful way to take advantage of members.

Historically there have been many, many creative abuses of sites that do not use HTTPS and they vary vastly beyond stealing passwords.

[Skeneypoo]

VPNs and Password Managers for the win. I don't have any duplicate passwords, it's beautiful.

That said, I agree. Should be HTTPS.

[Ultramaroon]

Quote:

Originally Posted by runfrodorun

Historically there have been many, many creative abuses of sites that do not use HTTPS and they vary vastly beyond stealing passwords.

It's always the damn Russians.

[Gunman]

fwiw I use the https everywhere plugin, and ssl on my own NAS.

I agree, anything with a password should use https.

[KR-S]

I actually had this same concern a year ago when this was brought up on the thread concerning the hack on JB Autosport's network.

I ran Wireshark (on a private network of course - NEVER on a public network) to see if I could sniff my password from the packets. Interestingly, what I found was that the password was still somehow encrypted. Maybe this was due to other factors I wasn't aware about, but I was pretty surprised.

I think HTTPS is a good idea, but with that said, a lot of people don't really see this as an issue since for them, it's just a forum account with no personal information. As long as people aren't reusing passwords, they should be fine.

[kb3dow]

Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then its running purely on user posts to forums.

[finch1750]

Quote:

Originally Posted by kb3dow

Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then its running purely on user posts to forums.

There are like 2 active mods left, but really if it is that large a concern a PM to the admin and main mod @ichitaka05 would probably go farther then a thread that may not get checked (until now that I tagged a mod)

[ichitaka05]

Quote:

Originally Posted by finch1750

There are like 2 active mods left, but really if it is that large a concern a PM to the admin and main mod @ichitaka05 would probably go farther then a thread that may not get checked (until now that I tagged a mod)

Yeah... sadly, I don’t have much power over this part. Admin Hachiroku or other admin FT-HS do those kind of things.

[Tcoat]

Quote:

Originally Posted by kb3dow

Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then its running purely on user posts to forums.

And the person hiding behind a new user name instead of using their normal one is worried about it? Paranoid much?

[kb3dow]

Quote:

Originally Posted by Tcoat

And the person hiding behind a new user name instead of using their normal one is worried about it? Paranoid much?

Well everyone here has a pseudonym so you dont have to be sarcastic about me hiding behind a new user name. When I login using firefox it warns the password is not encrypted, and https does not work. I agree that there is nothing confidential here and I don't use common passwords on different sites - so it is not a show stopper

[Tcoat]

Quote:

Originally Posted by kb3dow

Well everyone here has a pseudonym so you dont have to be sarcastic about me hiding behind a new user name. When I login using firefox it warns the password is not encrypted, and https does not work. I agree that there is nothing confidential here and I don't use common passwords on different sites - so it is not a show stopper

The point is that the rest of us have only one.

[ScoobsMcGee]

To be fair, a poorly managed HTTPS site doesn't offer that much more security than plain text, while increasing the complexity. SSL or TLSv1.0 encryption isn't too difficult to attack given the proper circumstances. Unless Hachi or FT-HS go all-in on properly locking down and maintaining the site, simply getting a cert and enabling HTTPS is setting things up to break once that cert expires. Not much else.