HTTPS

Axi5

Hi All,

Any chance of us getting HTTPs here on PolyCount, I know there was a discussion of it before and that it was held off for a while but I've just had a not-so-friendly reminder of one of my accounts being compromised a few minutes ago. I'm trying to work out where this attack have come from, it's definitely not here, but I figured I'd re-spark the desire to get HTTPS working here so that no one faces a man-in-the-middle attack like I could potentially have just been a victim of.

Cheers

Eric Chadwick

Nope. No reason to set it up here.

We could get a certificate but we actually have nothing to transmit encrypted. There is zero point. Passwords you say? They are never sent in cleartext to begin with.

Also, HTTPS prevents caching things, which would suck for an image-heavy site.

If we were handling financial data, sure. But we're not.

Axi5

In that case what are the passwords sent in? The common consensus of security professionals seems to be: Send any credentials via an SSL encryption. I understand that Polycount is just a forum and it's hardly like logging into a bank account but as the following link will describe, password re-use and other factors could reduce security for this sites users: https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/

As for the caching issue, that's been resolved since 2010 on most modern browsers. This stackoverflow link has sources from the browser release notes themselves:
https://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https

This should also be worth a scroll through:
http://blog.httpwatch.com/2011/01/28/top-7-myths-about-https/

If you have more resources that I'm unaware of, please show me, otherwise I think it's worth investigating further.

Eric Chadwick

Why do you want it? Are you really using the same password for multiple sites?

Axi5

Eric Chadwick said:

Why do you want it? Are you really using the same password for multiple sites?

Not anymore, since earlier. I had a password that I reused only for sites I didn't care about being compromised. Decided that was still stupid so I stopped that too.

There's a few reasons:

1. It's just more secure for every user whether they're on or off this site, that's never a bad thing.
2.  Google's Search Engine punishes websites that don't have HTTPs Maybe you're happy with the current population though, I think it's fine but it could drop in future if it appears less and less on Google.
3. While polycount is primarily just a forum, some members do use this site to pick up freelance jobs and keep up their client image. Having their account compromised could leave them out of work for a short time or make them appear less reputable.

In regards to #3 I probably sound paranoid and I can understand that would be an easy standpoint to take against this, but then network security specialists exist for a reason.