Results 1 to 6 of 6
Like Tree5Likes
  • 4 Post By Andy
  • 1 Post By speleomike

Thread: Site security

  1. #1
    Junior Member
    Join Date
    May 2011

    Site security

    Gene Cafe Coffee Roaster $850 - Free Beans Free Freight
    Hi Andy,

    Could you please fix the log in security? For some reason the username / password fields aren't encrypted (your browser will tell you this when you go to log in), so passwords are potentially available to be discovered by third parties (i.e. bots) who are so inclined. Not so fussed about the forum login, but when it doubles as the beanbay login with personal details it's not ideal. Should be HTTPS, not HTTP.

    Couldn't find a more appropriate forum to post in.


  2. #2
    CoffeeSnobs Owner Andy's Avatar
    Join Date
    Mar 2004
    Blog Entries
    Yep, for 14 years the site has been HTTP and it was never a problem, now suddenly some browsers are having a hissy fit.

    The gotcha is that the forum software doesn't support HTTPS and if we enable it on the logon page it will just drop back to HTTP on the next click and your browser will sook again. A later version of the forum software does support HTTPS but it won't upgrade from this version. We are working on a custom upgrade but it's taking some time.

    Messy indeed.

    It's all a storm in a tea cup though. We don't keep any financial information and typically have only the same amount of information as your local phone book does. Your phone book listing is blasted all over the internet and delivered to everyone's door, at least ours is hidden behind a logon and the password is encrypted on our server.

    We have never held any interesting information. PayPal payments are HTTPS encrypted as are EFT bank payments.

    Username and email address are the only things in the forum.
    Username, real name, email address and postal address are the only things kept in BeanBay.

    I bet you share way more information in your Facebook/Linkedin/twitter/insert everything else here!

    Punchline is, I view it as very low risk, nothing interesting to see here and when we can change to SSL/HTTPS to stop browsers complaining we will.

    Besides, HTTPS is also insecure but it makes people feel better.

  3. #3
    Junior Member
    Join Date
    May 2011
    Thanks Andy, good to know you're working on it.

  4. #4
    Senior Member speleomike's Avatar
    Join Date
    Nov 2005
    Hi all

    The upgrade will be probably be required quite soon. Already from last October 2017 password fields in http are being marked as "insecure" and from July 2018 Chrome will mark all http only pages as insecure. Eventually Chrome, Firefox and the other browsers will prevent users entering passwords in http sites. The entire world is moving to https. The Forum software should support this, it should be a change to the web server only and a cert. However it not familiar with this Forum software and it may indeed have some problems as Andy suggested.

    The problem is that some users use a common password across sites. Even if CoffeeSnobs does not have anything of value some silly users will use the same password for a more important site. The other thing is that https will prevent content being modified between the server and the user thus limiting. Google will also lower rankings for non https sites.

    I run a dozen websites and have shifted several over to https using Lets Encrypt more than a year or so ago as I knew I'd have the same problem - browsers will warn users about http only sites.

    zeezaw likes this.

  5. #5
    Junior Member
    Join Date
    Apr 2016
    Wellington, NZ
    Quote Originally Posted by speleomike View Post
    The problem is that some users use a common password across sites.
    You can't protect against stupid.

  6. #6
    Senior Member
    Join Date
    Sep 2017
    Behmor Brazen - $249 - Free Freight
    If you have trouble remembering different pw's over different sites, get something like Dashlane which can keep everything together, create random pw for you, analyse your current autocomplete cache and give you feedback on how good they are, how often you use the same pw etc, etc (it is quite an eye opening experience how much information it can extract from your browser cache) from sites you haven't visited in years.

    It is free providing you don't want more convenient features (cloud based replication of pw's for all your devices)

    So if the bad guys get one of your pw's they don't have any leverage on any of your other sites which they will try (Apple, Amazon, Ebay, Gmail etc)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts