Discussion in 'Feedback & Help' started by Scottishgifts4u, Oct 22, 2017.
....that the UK business Forums website would be prefixed by https by this time
Just saying like...
For starters, logins and password changes are being made over plain HTTP.
And as a website operator, UKBF has a responsibility to send their users' credentials securely over the internet rather than in plain text for anybody to view. I'm sure a more tech savvy person such as yourself doesn't use the same credentials at multiple websites but you might be surprised just how many people do!
Mike is absolutely right!
Where is UKBF sending users' credentials?
It's not a forum's job to protect people from their own stupidity / ignorance / lack of basic technical nous / complete disregard for common sense.
Yes... to their servers, via every other device the connection hops through.
I disagree, I think UKBF have a moral obligation to protect their users' data. In fact what you're saying goes against the general consensus when running a website.
Ask anybody in security, or even any good developer, how to deal with passwords - the bare minimum is you send over an encrypted connection and one-way hash at rest.
I'm curious, do you think it would be alright if you found out UKBF passwords were being stored in plain text too?
I think you overestimate the average understanding of these things, people aren't stupid they just aren't aware of the consequences of using the same password in multiple places. Not everybody can be educated in security but UKBF's developers/sysadmins should be, they're the professionals and have a responsibility to protect UKBF's user data. It's their job after all, it's what they're being paid for.
I've owned and run large forums. All major forum software stores passwords in encrypted form, not plain text.
But if UKBF stored passwords in plain text I'd continue to use UKBF if satisfied with the level of risk to me represented by any breach.
Forum operators don't transmit plain text passwords anywhere. Users transmit them. And it's time users got a bit more clued up about security. We aren't helping them by wrapping them in cotton wool.
Right, there's a reason those passwords are hashed before being stored. The same reason why it's important to run your website over HTTPS. What good is hashing the password at rest if it's in plain view between the visitor and your server?
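The two halves of that post, a one-way hash at rest and an encrypted connection in transit, are easy to check in code. The block below is an added example and is not code from this thread or from UKBF: it stores and verifies a password with salted PBKDF2-HMAC-SHA256 (so a leaked database row does not reveal the password), and it parses a constructed login page to report whether any form containing a password field would submit over HTTPS. The host `forum.example`, the HTML sample and the iteration count are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing 'algo$iterations$salt$digest' string for storage.
    A fresh random salt means two users with the same password get different rows."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class _PasswordFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """For each password-carrying form, resolve its action against the page URL
    (a relative action inherits the page's scheme) and flag whether it is HTTPS."""
    finder = _PasswordFormFinder()
    finder.feed(html)
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        results.append({"action": target, "encrypted": urlparse(target).scheme == "https"})
    return results


# Constructed login page: the password form posts to a relative path, so on an
# http:// page the credentials travel in plain text; the search form is unrelated.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/login/login" method="post">
  <input type="text" name="login">
  <input type="password" name="password">
</form>
<form action="https://forum.example/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    row = hash_password("correct horse battery staple")
    print("stored row:", row)
    print("verify ok :", verify_password("correct horse battery staple", row))
    for result in audit_login_forms("http://forum.example/login", SAMPLE_LOGIN_PAGE):
        print(result)
```

Running the audit against the same page served as `https://forum.example/login` flips `encrypted` to true, which is exactly the fix being asked for in this thread: the form markup need not change, only the scheme the page is served over.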
That's a bit of a selfish attitude IMO. I'd be quite fine for UKBF to leak my password too but I think we speak for probably 25% of users here if that, and the average understanding of password security will be higher here at UKBF than most websites. The rest of the users are at risk of having accounts hijacked elsewhere if their UKBF password is leaked.
We don't really have a choice (if we want to use UKBF), connecting over HTTPS presents us with a '502 Bad gateway' error. I would choose to connect over HTTPS but UKBF doesn't currently make that possible, so it's HTTP or nothing.
Well somebody has to educate them. I think the best route is simply to encrypt all connections on behalf of users, but if UKBF are too stubborn to do that then perhaps they should put a massive warning on their sign up page "YOUR PASSWORD IS TRANSMITTED IN PLAIN TEXT. PLEASE CHOOSE A UNIQUE PASSWORD WHICH ISN'T USED ON OTHER WEBSITES.". If not that, then how else are users going to be educated in security?
I think there's a more basic question than "Why use HTTPS?" and that question is "Why NOT use HTTPS?" There is little to no downside and a lot of upside. I'm pretty sure UKBF have posted somewhere that they're in the process of upgrading to HTTPS, they're just taking their sweet time, so I have to assume they agree with the popular opinion on HTTPS.
I agree. Write an article or two maybe?
But the people who lack common sense don't read these articles. They need to feel the pain to learn the lesson.
Anybody who needs to be told that is beyond help.
I agree. It's not difficult to implement https. My point is that it's not the forum's job to protect people who have a major shortage of common sense.
If you're interested in educating them then ... don't protect them or they'll never learn! A cheaper, easier and more helpful option is to show a notice to every user (just once) that they have to click to dismiss. The notice can tell them simply that it's stupid to use the same pw in multiple locations ... so go and bloody change it now!
I can see where you're coming from. And to support your point of view, nobody knows what's happening with their password once the HTTPS connection is terminated. The password could be stored in plain text, an attacker could be sat on the server intercepting POST parameters, the CloudFlare<->origin connection could be plain HTTP, etc.
I suppose it's a joint responsibility - both the website operator and website users should be following best security practices. However I think the key point is that the website operator should be a professional in this area, it's their job to know this stuff, and therefore it reflects more poorly on them when basic security isn't followed.
I do think this stuff should be taught during school ICT lessons - using password managers and two-factor authentication.
No argument there. But it's not the operator's "responsibility". If you don't like how they run their site, you take your "business" elsewhere.
It's increasingly the case that people are not taking even basic responsibility for their actions. Everything is always somebody else's fault. We as a society are increasingly screwing these people up further with our well meaning attempts to protect them from their own stupidity. I, for one, am not in favour.
Don't talk to me about ICT in schools - it's complete and utter boll*cks. I coached my 12 y/o to do the GCSE Computing (considered more difficult than ICT). We covered the entire syllabus in a few weeks between Feb and June and he passed the exam with an A*. So I'm very familiar with the Computing syllabus. There's nothing there about how to configure a router, install a printer driver, run an anti-virus scan. Nothing useful! In fact, they actually teach you a lot of wrong stuff and groom you to give data away, to get exploited by large corporates, to not stay secure! It's amazing. I had to double teach him stuff - "this is the real answer and ... here is the bullsh*t you need to put on your answer paper to get marks. "
It's not much better at A level I can tell you. The Cambridge exam board modified their Computer Science A level syllabus for 2017. There's just one single modification in the syllabus - they now require students to know what malware is. That's pretty much it! Seriously. Right up to last year you could get an A* at A level without knowing what malware means! (Syllabus - modification is on page 36)
Nah, we can't trust schools to teach IT. In fact, schools should be banned from teaching anything to do with IT, they are that useless!
Could say schools should be banned from teaching at all - but that would be another thread.
Despite IT departments trying to coach their staff about security, despite sites that warn people to have unique passwords, despite so called secure two stage login requiring mobile phone codes, people still often choose to go their own way.
I do not mind making money on it, really I do not.
The same mistakes being made this year as 20 years ago even by some of those who have fallen victim to viruses, hacks, identity fraud and loss of computers.
30 million plus working people in this country, way too many ignore security when it comes to computers. Yet are let loose with computers.
Will these same people lock their vehicles? Yes. Will they lock their front door of the house? Yes.
Will they ignore computer security? Way too often.
I'm sure that UKBF loses traffic already because of the lack of HTTPS. Isn't that a prime reason for Sift to 'take the responsibility' and implement HTTPS? It's a business site that, presumably, makes money. Discouraging visitors who may make good fodder for the advertisers doesn't exactly show a clear understanding of ROI.
I don't think they do.
Agreed, of course they don't. HTTPS quite rightly is a big thing for those 'in the know', those people that take security on the web seriously. But for the rest of the general population, they probably don't even know what HTTP is (nevermind HTTPS). For most people, as long as Google answers their query or they can get to the website they want, they don't care and don't want to care.
And as for the scaremongering about how Google will flag sites as 'not secure' in the search bar, lots of people will be blind to that too. I've got a reasonably large portfolio of domains, all of which have a landing page with a 'This domain is for sale' statement and a contact form. The amount of messages I get through the contact forms trying to order stuff from the domains previous use is unbelievable. There's a real blindness that seems to kick in when using the internet.
Lol - it's not just when using the internet.
Used to have a warehouse unit, pallets of boxes all over the back and shelving of items at the front.
We had people coming in asking if we did cars - as in servicing and repair. Very much not looking like a garage and they'd come in the front door, look at the shelving and boxes then ask.
Amused me - they had to pass a garage to come to our front door. An obvious, big doors open, ramps visible, cars driving in and out few thousand square foot garage.
It wasn't until this was brought up in another thread a few months ago that I even thought to look if the site was https or not. I'm using Edge right now and the address bar begins: ukbusinessformuns.co.uk - no http or www anything.