Why no https?

[YouTellMe]

Due to the nature of this site, personal and technical security are of the utmost priority. Given what we found out with the Snowden releases, is that the government IS reading traffic to webistes. So it shocks me to find that ECCIE has not enabled SSL everywhere. What this means for you non techies out there, is that anyone with a network sniffer between your browser and ECCIE's servers can see exactly what you are posting, as it is not encrypted. If ECCIE decides to turn on SSL, then all of that traffic is encrypted.

Givent he costs of SSL certs are so low, my basic question is WHY isn't ECCIE using it by default? Everyone one of our identities, conversations, etc are at risk.

[FoulRon]

Probably for the same reason they don't have a robots.txt file.

[Gotyour6]

Anyone can see what you are writing on here anyway.
It's a public forum.

Set up Privoxy or hamachi if you wear tinfoil

[PhantomofTheOpera]

Better yet, use TOR.

[DangedDragon]

You could also use a VPN connection to another part of the USA, so it appears your traffic is located in another area. Your traffic from your PC to the VPN server would be unreadable...

Cyberghost's free option works fairly well for most things.

[GneissGuy]

Quote:

Originally Posted by Gotyour6

Anyone can see what you are writing on here anyway.
It's a public forum.

Set up Privoxy or hamachi if you wear tinfoil

Without https, snoops can see your passwords, and any PM's you send. They can also see which posts you read. They can also see your IP address.

In this case, "snoops" includes

• Anyone within WiFi range if you're on a public hotspot, including hotels.
• Your ISP
• Anyone with access (legal or illegal) to the network at any one of the links in the internet between you and the website you're going to.
• Anyone with a bogus WiFi hotspot you connect to. These are getting common at places like restaurants, airports, etc.

[jframe2]

@ the OP- things are only at risk if you allow your Tech/Comm security to be lax.

What can anyone prove using information from a Fantasy site, with people using fake names, and writing fiction? Nothing! Now if your Security is lax, it may lead to other problems, but that is on you the Hobbiest.

HTTPS is absolutely justified and required in certain internet scenarios and transactions, but this does not have to be one of them.

Be more concerned with one's own local vulnerabilities on their own computer.

[ravishme]

The general thinking is that https should be the default everywhere, since people leak clues about themselves in lots of not-including-credit-card-number web activity that puts them at risk from criminals, et alia. All websites should really be using TLS all the time, especially considering the overhead isn't all that high and certificates can range from inexpensive to free (the latter in fairly restrictive cases, but still).

All sites using user/password credential SHOULD use HTTPS, period.

Using VPN or whatever alone isn't enough, security benefits enormously from having layers, since every layer tends to be somewhat permeable.

jframe2, you are seriously on the wrong end of things at the moment, since every one of your four sentences is essentially wrong.

* Things are always at risk, even if your security is robust
* Lots of things can be inferred about people from what people write, even if the idea is that security doesn't matter, which obviously isn't correct on Eccie.
* HTTPS is absolutely justified in almost all cases, there are few circumstances where it isn't, and Eccie isn't one of them.
* HTTPS protect against vulnerabilities of a certain class on the network, which has nothing to do with your own computer, and which isn't fully addressed by VPNs.

[guynmotion]

Quote:

Originally Posted by ravishme

The general thinking is that https should be the default everywhere, since people leak clues about themselves in lots of not-including-credit-card-number web activity that puts them at risk from criminals, et alia. All websites should really be using TLS all the time, especially considering the overhead isn't all that high and certificates can range from inexpensive to free (the latter in fairly restrictive cases, but still).

All sites using user/password credential SHOULD use HTTPS, period.

Using VPN or whatever alone isn't enough, security benefits enormously from having layers, since every layer tends to be somewhat permeable.

jframe2, you are seriously on the wrong end of things at the moment, since every one of your four sentences is essentially wrong.

* Things are always at risk, even if your security is robust
* Lots of things can be inferred about people from what people write, even if the idea is that security doesn't matter, which obviously isn't correct on Eccie.
* HTTPS is absolutely justified in almost all cases, there are few circumstances where it isn't, and Eccie isn't one of them.
* HTTPS protect against vulnerabilities of a certain class on the network, which has nothing to do with your own computer, and which isn't fully addressed by VPNs.

Right on. The login function alone warrants using HTTPS. I wish a site admin would chime in on this.

[want2c]

Quote:

Originally Posted by Gotyour6

Anyone can see what you are writing on here anyway.
It's a public forum.

Set up Privoxy or hamachi if you wear tinfoil

Https at sign in but Http for the rest of the site

[Aliased]

Quote:

Originally Posted by guynmotion

Right on. The login function alone warrants using HTTPS. I wish a site admin would chime in on this.

It's really beyond irresponsible at this point to not require this sensitive server to require a TLS connection. I mean the technology is only ~18 years old now, and it amounts to flipping a bit in most server applications. Why is this not being done? Are they looking for a competitor to fill this trivially-remedied security void?