HTTPS removed - passwords unsafe

Nes4life

I'd like to ask what is being done to add HTTPS back to the forum?

I understand there was an issue a while back but completely removing HTTPS means that anyone entering their password into the site on a public Wi-Fi or network is essentially broadcasting their login details to everyone on that network (packet sniffers are trivial to install and use). Think about that next time you're in Starbucks, at an airport or a train station!

I know this isn't a banking site but I'm sure there's a good number of people reusing a common password that would get you into their email account for example. If you're such a person please read: https://grynersec.com/choosing-secure-memorable-passwords/

This forum is awesome but let's make it secure. I've now made the announcement but it would've been a nice courtesy if someone on the admin team had done so when HTTPS was removed and left as a sticky warning at the top of the site (apologies if this was explained somewhere but I've missed it).

EDIT: Found the thread where I believe HTTPS was removed to resolve the issue. Let's get a proper fix in. http://www.ukvac.com/forum/security-warning-on-mozilla-mac_topic356801.html

Nes4life 2019-07-22 09:20:21
 
Feedback
2 (100%)
Credits
144CR
Or using Cloudflare would allow you to use HTTPS from client to Cloudflare (simply a change of nameservers and it's set up automatically, and no setup on the webserver), and would cache the static parts of the site on their CDN so might even make it a bit more snappy.
 
Feedback
2 (100%)
Credits
144CR
Leaving the site as HTTP doesn't just affect username/password plain text logins, it opens up other problems such as MITM attacks allowing public WiFi etc. to insert adverts, cryptominers, popups etc.
 

digweed

^^ this
 

funhouse

I see a new 'Secure Site' logo on the left bottom side of the front page but clicking for me goes to:

File Not Found

The requested URL /vulnerability-scanner-verification/www.ukvac.com was not found on this server.

Are we headed for HTTPS sometime soon?
 

Nes4life

Admins, it's now 2020. Please have someone spend an hour on this and turn HTTPS back on.
It's free (or cheap) to do and it's easy. I did it for a friend's site in under half an hour with just the free tools supplied by the domain host.

Bringing security and peace of mind to the 5000+ members of UKVac is well worth it.

 

LAZORIAN

+1 for this. It's only a matter of time before my workplace stop vac from running, then how am I gonna surf the forum while at work? Also, security is something to not compromise on I reckon.
 

DanP

Administrator
Staff member
Hi guys,

Look we know this needs doing. We will get round to it but currently our time is 100% taken with maintaining the site (which trust me is not trivial) and working on the migration to a new forum (which is a massive task). We all have real jobs and kids, we're not just sitting on our backsides ignoring you, we're working at our real jobs, fixing this site, ferrying kids around, etc. We'd love to be able to devote our time exclusively to this but that's just not feasible for now.

Please bear with us, we're doing the best we can and eod that's all we can do. We understand and share your concerns and we do appreciate you pointing any issues like this out.

Cheers,

Dan
 

L_____E_____T

Not to add undue pressure but the site today auto downloaded a .SWF file on Chrome for me that was deemed unsafe.

This was after a fresh wipe of Chrome, and happened once I signed in here. Windows 10 deemed it unsafe so I don't think this is a regular cookie.

But granted, I am not a web developer etc.

Very much understand the time constraints (I'm in the same boat myself) but I thought this looked new.

L_____E_____T 2020-02-11 12:45:46
 

Alpha1

Do the Shake and 'VAC
Staff member
SSL will come back once we've done the forum migration. Which is being worked on. For now if this is a concern use a unique password for VAC.
 

Eddhorse

I also get the SWF flash file download which I decline.
Not sure where that is coming from.

Either way keep up the great work on the site anyways guys :)
 

Eddhorse

Ah yes that's the one, makes sense.

The link is https://www.youtube.com/v/VKxcw4MGXxg

And the file downloading is "VKxcw4MGXxg.swf"

So the filename is similar. Needs to use the YouTube tags I guess instead of the iframe tag?
Eddhorse 2020-02-12 12:17:19
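
As an added example (not part of any post in this thread, and not the forum's own code), here is a small offline check for the two issues raised above: a password field that would be submitted over plain HTTP, and a legacy YouTube `/v/` embed like the one behind the `.swf` download. The `forum.example` URL and the sample HTML are constructed for illustration; the suggested replacement uses YouTube's `/embed/` iframe URL form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageAudit(HTMLParser):
    """Flags cleartext password forms and legacy YouTube /v/ (Flash) embeds."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form_action = None  # resolved action URL of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self._form_action or self.page_url
            # An HTTP page is unsafe even with an HTTPS action: the page itself
            # can be altered in transit before the user types anything.
            schemes = {urlparse(target).scheme, urlparse(self.page_url).scheme}
            if schemes != {"https"}:
                self.findings.append(("cleartext-password", target))
        elif tag in ("iframe", "embed", "object"):
            src = a.get("src") or a.get("data") or ""
            u = urlparse(urljoin(self.page_url, src))
            if u.hostname in ("www.youtube.com", "youtube.com") and u.path.startswith("/v/"):
                video_id = u.path[3:].split("/")[0]
                # Report the iframe-style URL that replaces the old Flash path.
                self.findings.append(
                    ("legacy-flash-embed", "https://www.youtube.com/embed/" + video_id))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page: a relative login form plus the embed URL quoted above.
SAMPLE_HTML = """
<form action="login.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<iframe src="https://www.youtube.com/v/VKxcw4MGXxg"></iframe>
"""

if __name__ == "__main__":
    for finding in audit("http://forum.example/forum/index.php", SAMPLE_HTML):
        print(finding)
```

Run against the same markup served from an `https://` page URL, only the embed finding remains, because the relative form action then resolves to HTTPS.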