You would have thought...

Discussion in 'Feedback & Help' started by Scottishgifts4u, Oct 22, 2017.

  1. Scottishgifts4u

    Scottishgifts4u UKBF Newcomer Free Member

    16 3
    ....that the UK business Forums website would be prefixed by https by this time ;)

    Just saying like...
     
    Posted: Oct 22, 2017 By: Scottishgifts4u Member since: Jul 6, 2017
    #1
  2. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    Why https?
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #2
  3. Mike Hayes

    Mike Hayes UKBF Enthusiast Full Member

    794 189
    For starters, logins and password changes are being made over plain HTTP.
     
    Posted: Oct 22, 2017 By: Mike Hayes Member since: Jan 7, 2016
    #3
  4. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    And?
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #4
  5. Mike Hayes

    Mike Hayes UKBF Enthusiast Full Member

    794 189
    And as a website operator, UKBF has a responsibility to send their users' credentials securely over the internet rather than in plain text for anybody to view. I'm sure a more tech-savvy person such as yourself doesn't use the same credentials at multiple websites, but you might be surprised just how many people do!
     
    Posted: Oct 22, 2017 By: Mike Hayes Member since: Jan 7, 2016
    #5
  6. Enterweb

    Enterweb UKBF Newcomer Free Member

    2 1
    Mike is absolutely right! :cool:
     
    Posted: Oct 22, 2017 By: Enterweb Member since: Oct 22, 2017
    #6
  7. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    Where is UKBF sending users' credentials?

    It's not a forum's job to protect people from their own stupidity / ignorance / lack of basic technical nous / complete disregard for common sense.
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #7
  8. Mike Hayes

    Mike Hayes UKBF Enthusiast Full Member

    794 189
    Yes... to their servers, via every other device the connection hops through.

    I disagree, I think UKBF have a moral obligation to protect their users' data. In fact what you're saying goes against the general consensus when running a website.

    Ask anybody in security, or even any good developer, how to deal with passwords - the bare minimum is you send over an encrypted connection and one-way hash at rest.

    I'm curious, do you think it would be alright if you found out UKBF passwords were being stored in plain text too?

    I think you overestimate the average understanding of these things, people aren't stupid they just aren't aware of the consequences of using the same password in multiple places. Not everybody can be educated in security but UKBF's developers/sysadmins should be, they're the professionals and have a responsibility to protect UKBF's user data. It's their job after all, it's what they're being paid for.
     
    Last edited: Oct 22, 2017
    Posted: Oct 22, 2017 By: Mike Hayes Member since: Jan 7, 2016
    #8
  9. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    I've owned and run large forums. All major forum software stores passwords in encrypted form, not plain text.

    But if UKBF stored passwords in plain text I'd continue to use UKBF if satisfied with the level of risk to me represented by any breach.

    Forum operators don't transmit plain text passwords anywhere. Users transmit them. And it's time users got a bit more clued up about security. We aren't helping them by wrapping them in cotton wool.
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #9
  10. Mike Hayes

    Mike Hayes UKBF Enthusiast Full Member

    794 189
    Right, there's a reason those passwords are hashed before being stored. The same reason why it's important to run your website over HTTPS. What good is hashing the password at rest if it's in plain view between the visitor and your server?

    That's a bit of a selfish attitude IMO. I'd be quite fine for UKBF to leak my password too but I think we speak for probably 25% of users here if that, and the average understanding of password security will be higher here at UKBF than most websites. The rest of the users are at risk of having accounts hijacked elsewhere if their UKBF password is leaked.

    We don't really have a choice (if we want to use UKBF), connecting over HTTPS presents us with a '502 Bad gateway' error. I would choose to connect over HTTPS but UKBF doesn't currently make that possible, so it's HTTP or nothing.

    Well somebody has to educate them. I think the best route is simply to encrypt all connections on behalf of users, but if UKBF are too stubborn to do that then perhaps they should put a massive warning on their sign up page "YOUR PASSWORD IS TRANSMITTED IN PLAIN TEXT. PLEASE CHOOSE A UNIQUE PASSWORD WHICH ISN'T USED ON OTHER WEBSITES.". If not that, then how else are users going to be educated in security?

    I think there's a more basic question than "Why use HTTPS?" and that question is "Why NOT use HTTPS?" There is little to no downside and a lot of upside. I'm pretty sure UKBF have posted somewhere that they're in the process of upgrading to HTTPS, they're just taking their sweet time, so I have to assume they agree with the popular opinion on HTTPS.
     
    Posted: Oct 22, 2017 By: Mike Hayes Member since: Jan 7, 2016
    #10
  11. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    I agree. Write an article or two maybe?

    But the people who lack common sense don't read these articles. They need to feel the pain to learn the lesson.

    Anybody who needs to be told that is beyond help.

    I agree. It's not difficult to implement https. My point is that it's not the forum's job to protect people who have a major shortage of common sense.

    If you're interested in educating them then ... don't protect them or they'll never learn! A cheaper, easier and more helpful option is to show a notice to every user (just once) that they have to click to dismiss. The notice can tell them simply that it's stupid to use the same pw in multiple locations ... so go and bloody change it now!
     
    Last edited: Oct 22, 2017
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #11
  12. Mike Hayes

    Mike Hayes UKBF Enthusiast Full Member

    794 189
    I can see where you're coming from. And to support your point of view, nobody knows what's happening with their password once the HTTPS connection is terminated. The password could be stored in plain text, an attacker could be sat on the server intercepting POST parameters, the CloudFlare<->origin connection could be plain HTTP, etc.

    I suppose it's a joint responsibility - both the website operator and website users should be following best security practices. However, I think the key point is that the website operator should be a professional in this area; it's their job to know this stuff, and therefore it reflects more poorly on them when basic security isn't followed.

    I do think this stuff should be taught during school ICT lessons - using password managers and two-factor authentication.
     
    Posted: Oct 22, 2017 By: Mike Hayes Member since: Jan 7, 2016
    #12
  13. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    No argument there. But it's not the operator's "responsibility". If you don't like how they run their site, you take your "business" elsewhere.

    It's increasingly the case that people are not taking even basic responsibility for their actions. Everything is always somebody else's fault. We as a society are increasingly screwing these people up further with our well meaning attempts to protect them from their own stupidity. I, for one, am not in favour.

    Don't talk to me about ICT in schools - it's complete and utter boll*cks. I coached my 12 y/o to do the GCSE Computing (considered more difficult than ICT). We covered the entire syllabus in a few weeks between Feb and June and he passed the exam with an A*. So I'm very familiar with the Computing syllabus. There's nothing there about how to configure a router, install a printer driver, run an anti-virus scan. Nothing useful! In fact, they actually teach you a lot of wrong stuff and groom you to give data away, to get exploited by large corporates, to not stay secure! It's amazing. I had to double teach him stuff - "this is the real answer and ... here is the bullsh*t you need to put on your answer paper to get marks. "

    It's not much better at A level, I can tell you. The Cambridge exam board modified their Computer Science A level syllabus for 2017. There's just one single modification in the syllabus - they now require students to know what malware is. That's pretty much it! Seriously. Right up to last year you could get an A* at A level without knowing what malware means! (Syllabus - modification is on page 36)

    Nah, we can't trust schools to teach IT. In fact, schools should be banned from teaching anything to do with IT, they are that useless!
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #13
  14. Mr D

    Mr D UKBF Legend Free Member

    9,759 1,018
    Could say schools should be banned from teaching at all - but that would be another thread.

    Despite IT departments trying to coach their staff about security, despite sites that warn people to have unique passwords, despite so-called secure two-stage login requiring mobile phone codes, people still often choose to go their own way.

    I do not mind making money on it, really I do not.
    The same mistakes are being made this year as 20 years ago, even by some of those who have fallen victim to viruses, hacks, identity fraud and loss of computers.

    30 million plus working people in this country, way too many ignore security when it comes to computers. Yet are let loose with computers.
    Will these same people lock their vehicles? Yes. Will they lock their front door of the house? Yes.
    Will they ignore computer security? Way too often.
     
    Posted: Oct 22, 2017 By: Mr D Member since: Feb 12, 2017
    #14
  15. ffox

    ffox UKBF Regular Free Member

    1,125 193
    And

    I'm sure that UKBF loses traffic already because of the lack of HTTPS. Isn't that a prime reason for Sift to 'take the responsibility' and implement HTTPS? It's a business site that, presumably, makes money. Discouraging visitors who may make good fodder for the advertisers doesn't exactly show a clear understanding of ROI.
     
    Posted: Oct 22, 2017 By: ffox Member since: Mar 11, 2004
    #15
  16. Clinton

    Clinton UKBF Big Shot Full Member

    3,469 1,138
    I don't think they do.
     
    Posted: Oct 22, 2017 By: Clinton Member since: Jan 17, 2010
    #16
  17. Scott@KarmaContent

    Scott@KarmaContent UKBF Enthusiast Full Member

    742 317
    Agreed, of course they don't. HTTPS quite rightly is a big thing for those 'in the know', those people that take security on the web seriously. But for the rest of the general population, they probably don't even know what HTTP is (nevermind HTTPS). For most people, as long as Google answers their query or they can get to the website they want, they don't care and don't want to care.
     
    Posted: Oct 22, 2017 By: Scott@KarmaContent Member since: Jun 24, 2014
    #17
  18. Scott@KarmaContent

    Scott@KarmaContent UKBF Enthusiast Full Member

    742 317
    And as for the scaremongering about how Google will flag sites as 'not secure' in the search bar, lots of people will be blind to that too. I've got a reasonably large portfolio of domains, all of which have a landing page with a 'This domain is for sale' statement and a contact form. The number of messages I get through the contact forms trying to order stuff from the domains' previous use is unbelievable. There's a real blindness that seems to kick in when using the internet.
     
    Posted: Oct 22, 2017 By: Scott@KarmaContent Member since: Jun 24, 2014
    #18
  19. Mr D

    Mr D UKBF Legend Free Member

    9,759 1,018
    Lol - it's not just when using the internet.
    Used to have a warehouse unit, pallets of boxes all over the back and shelving of items at the front.
    We had people coming in asking if we did cars - as in servicing and repair. Very much not looking like a garage and they'd come in the front door, look at the shelving and boxes then ask.
    Amused me - they had to pass a garage to come to our front door. An obvious few-thousand-square-foot garage: big doors open, ramps visible, cars driving in and out.
     
    Posted: Oct 22, 2017 By: Mr D Member since: Feb 12, 2017
    #19
  20. fisicx

    fisicx It's Major Clanger! Staff Member

    29,205 8,619
    It wasn't until this was brought up in another thread a few months ago that I even thought to look if the site was https or not. I'm using Edge right now and the address bar begins: ukbusinessformuns.co.uk - no http or www or anything.
     
    Posted: Oct 23, 2017 By: fisicx Member since: Sep 12, 2006
    #20