
Feedback Stratics not secure

DevilsOwn

not sure how long it's been this way, a week or more that I'm sure of, can you guys fix this, please?
notsecure.JPG
 

Nexus

Nothing has changed, except web browsers are now pushing out notifications of when a site doesn't use SSL. We are planning to switch to SSL soon, but even then any linked images from outside sources will cause it to say the same thing. It kind of leaves our hands tied, if we want to have it show secure we'll have to disable linking of external images, and links, something we're not really comfortable doing considering how much this is done.
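
The mixed-content behaviour described in the post above, as an added example that is not part of the original thread: a Node.js sketch that scans post HTML for sub-resources fetched over http://, which is what keeps an HTTPS page from showing as fully secure. The sample markup, host names and function names are constructed for illustration.

```javascript
// Added example; SAMPLE_POST is constructed markup, not taken from the forum.
// Tags that fetch a sub-resource. On an https:// page an http:// URL here is
// mixed content: "passive" (images, media) degrades the secure indicator,
// "active" (scripts, frames) is blocked by browsers.
const RESOURCE_TAGS = {
  img: { attr: "src", kind: "passive" },
  audio: { attr: "src", kind: "passive" },
  video: { attr: "src", kind: "passive" },
  script: { attr: "src", kind: "active" },
  iframe: { attr: "src", kind: "active" },
};

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const rule = RESOURCE_TAGS[tag];
    if (!rule) continue; // e.g. <a href>: navigation, not a sub-resource
    // Match the attribute as a whole word so data-src is not mistaken for src.
    const attrRe = new RegExp(
      "(?:^|\\s)" + rule.attr + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))", "i");
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    const url = (a[1] ?? a[2] ?? a[3]).trim();
    // https:// and protocol-relative (//host/...) URLs inherit the page's TLS.
    if (/^http:\/\//i.test(url)) findings.push({ tag, url, kind: rule.kind });
  }
  return findings;
}

// Summarise what the findings mean for the page's security indicator.
function indicatorFor(findings) {
  if (findings.some((f) => f.kind === "active")) return "active-mixed-content";
  return findings.length > 0 ? "passive-mixed-content" : "secure";
}

const SAMPLE_POST = `
<p>Look at my house!</p>
<img src="http://images.example.net/house.jpg">
<img src="https://cdn.example.org/ok.png" alt="fine">
<a href="http://forum.example.com/thread/1">old thread</a>
<IMG data-src="http://lazy.example.net/x.png" SRC='//cdn.example.org/rel.png'>
<script src="http://widgets.example.net/w.js"></script>
`;

console.log(findMixedContent(SAMPLE_POST), indicatorFor(findMixedContent(SAMPLE_POST)));
```
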
 

petemage

> not sure how long it's been this way, a week or more that I'm sure of, can you guys fix this, please?

It's just what the message reads. Your connection is sending your password in plaintext through the internet. So basically everybody along the path can read/steal it. That is not the biggest threat when you are at home, but rather when you use a third party network like your hotel's wifi, the airport's wifi, school or work computers or just some nerdy friend's wifi while visiting him. Like mentioned, it's easier at home, but still kids/husband/wife are free to get your password.

Adding SSL protects you from all of them. Thus browsers are pushing for it. It's a good thing. It's frankly easy to set up SSL nowadays and to protect your users on that front.

The real question you should ask yourself: What's my Stratics password worth? Do I use the same password somewhere else? (google, mail, skype, etc.). What's the impact if someone gets to know it? If they can only log in to your Stratics with it, I would say you don't have to worry at all :D
 

Nexus

> It's just what the message reads. Your connection is sending your password in plaintext through the internet. So basically everybody along the path can read/steal it. That is not the biggest threat when you are at home, but rather when you use a third party network like your hotel's wifi, the airport's wifi, school or work computers or just some nerdy friend's wifi while visiting him. Like mentioned, it's easier at home, but still kids/husband/wife are free to get your password.
>
> Adding SSL protects you from all of them. Thus browsers are pushing for it. It's a good thing. It's frankly easy to set up SSL nowadays and to protect your users on that front.
>
> The real question you should ask yourself: What's my Stratics password worth? Do I use the same password somewhere else? (google, mail, skype, etc.). What's the impact if someone gets to know it? If they can only log in to your Stratics with it, I would say you don't have to worry at all :D

If it makes you feel better, the Passwords are encrypted in the DB :p
 

DJAd

OMG my stratics password "might" be vulnerable. C'mon, is this really an issue!?
 

BrianFreud

Blame Google; they made the decision last fall to have Chrome be rather aggressive in the schedule for this - see for example "Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017" and "Google to slap warnings on non-HTTPS sites". At the time they decided to do it, a good part of the security community thought Google was being a bit too aggressive in scheduling/doing this, but Google decided to go ahead anyhow. (That's at least partially why you've seen so many sites switch to https since the fall.)
 

petemage

Blame Google for making the internet a safer place :D

I don't see why Stratics has such aversion to SSL, but I've been into that discussion once too often.
 

petemage

> If it makes you feel better, the Passwords are encrypted in the DB :p

Nah, I wouldn't be half as worried about you guys as I would be about those randos in Hotels or other semi-public networks ;)
 

Nexus

> Blame Google for making the internet a safer place :D
>
> I don't see why Stratics has such aversion to SSL, but I've been into that discussion once too often.

It's not really an aversion.... part of it is that every time it's been tried, posts similar to this pop up and false claims, rumors, or general paranoia crop up, and the result was that having SSL enabled was reversed. In this it is sort of the opposite: instead of getting a notice that "portions" of the site weren't secure when Stratics was running SSL, thanks to external links etc., now you get them because we're not running SSL.

Secondly, cost, which was a consideration in the past, as SSL certificates until recently weren't exactly cheap, and to keep overhead down it wasn't considered a priority since any type of financial transaction (Subs and Donations) goes through PayPal, which is secure. Not having one didn't pose any kind of limitations, but that is changing: Apple and Google are pushing SSL, and other browsers and companies are following suit. We do plan to switch over to SSL, and when we do, like it or not, people are going to have to accept it, even with the notice that portions might not be secure, still thanks to the external linked images etc.
 

petemage

> It's not really an aversion.... part of it is that every time it's been tried, posts similar to this pop up and false claims, rumors, or general paranoia crop up, and the result was that having SSL enabled was reversed. In this it is sort of the opposite: instead of getting a notice that "portions" of the site weren't secure when Stratics was running SSL, thanks to external links etc., now you get them because we're not running SSL.

But objectively there is a huge difference between "Sending all passwords/messages in cleartext over the network" and "getting an annoying little notification about external links not loading". I guess it comes down to what you really want. Do you want to do what you can to protect your users, or are you just trying to make them feel comfortable while they really are not? The argument you bring here is really "No matter what we do users will complain" while totally dismissing that there is a huge difference between the two cases you pointed out.

> Secondly, cost, which was a consideration in the past, as SSL certificates until recently weren't exactly cheap, and to keep overhead down it wasn't considered a priority since any type of financial transaction (Subs and Donations) goes through PayPal, which is secure. Not having one didn't pose any kind of limitations, but that is changing: Apple and Google are pushing SSL, and other browsers and companies are following suit. We do plan to switch over to SSL, and when we do, like it or not, people are going to have to accept it, even with the notice that portions might not be secure, still thanks to the external linked images etc.

I'm buying single site SSL for $100 a year, wildcard certificates for $200 a year. Since Let's Encrypt you even get single domain certificates for free, although I keep buying certificates when it comes to the things that earn my paycheck.

Not having one posed totally one limitation: Password transmitted in cleartext. But I feel like talking to a wall somehow when it comes to SSL, password security and Stratics.
 

petemage

> OMG my stratics password "might" be vulnerable. C'mon, is this really an issue!?

Only when you are on those sites of the internet where they use a single password for everything :p I hope you are not!
 

Tina Small

> We are planning to switch to SSL soon, but even then any linked images from outside sources will cause it to say the same thing.

Is there any new information yet on when you expect to switch to SSL?
 