Adirondack Forum  
Old 05-19-2018, 06:34 AM   #1
Kevin7
Member
 
Join Date: Jul 2015
Posts: 60
Forum Login Security Problem?

I'm getting a message that the login to the forum is not secure.
Is there a real problem here, and is it being addressed?
Old 05-19-2018, 07:32 AM   #2
Trail Boss
Member
 
 
Join Date: Nov 2010
Posts: 891
Not me.

What is generating the message you are seeing?

What browser are you using? Does it have any security-oriented plugins? Plugins of any kind? Anti-virus software?
__________________
Looking for views!
Old 05-19-2018, 10:12 AM   #3
DSettahr
ɹǝqɯǝɯ
 
 
Join Date: May 2007
Posts: 4,462
I've gotten similar messages on ADKHighPeaks when I've logged in in the past, but never here.
Old 05-19-2018, 11:09 AM   #4
Woodly
Member
 
Join Date: Jan 2018
Location: SNY
Posts: 146
I'm not getting one
Old 05-19-2018, 11:34 AM   #5
DSettahr
ɹǝqɯǝɯ
 
 
Join Date: May 2007
Posts: 4,462
Here's what I see when I log into ADKHighPeaks:



Clicking on "learn more" leads to this link: https://support.mozilla.org/en-US/kb...urce=inproduct

When I try to visit https://www.adkhighpeaks.com/forums/ I see this:



Clicking on "learn more" here leads to this: https://support.mozilla.org/en-US/kb...ot-secure-mean
Old 05-19-2018, 11:39 AM   #6
DSettahr
ɹǝqɯǝɯ
 
 
Join Date: May 2007
Posts: 4,462
I just checked, and I do actually get similar error messages for ADKForum also. I guess it's been a while since I logged out/logged back in here.
Old 05-19-2018, 01:48 PM   #7
Trail Boss
Member
 
 
Join Date: Nov 2010
Posts: 891
Maybe the browser is carping because neither site uses HTTPS (i.e. encrypted HTTP). Therefore the contents of all packets travel "in the clear" and can be intercepted and read (including passwords).

Up until now, most browsers indicate when you've connected to a site employing HTTPS by displaying some sort of symbol (such as a padlock) in the address bar.

Most sites have switched to using HTTPS so, in the near future, Google Chrome will operate the other way 'round, namely it'll indicate sites that don't use HTTPS ... like this one and ADKHighPeaks.

Perhaps Firefox is ahead of the curve and now actively preventing connection to sites still using HTTP?
__________________
Looking for views!
Old 05-19-2018, 05:38 PM   #8
Terasec
Member
 
 
Join Date: Oct 2016
Posts: 118
Quote:
Originally Posted by DSettahr View Post
Here's what I see when I log into ADKHighPeaks:



Clicking on "learn more" leads to this link: https://support.mozilla.org/en-US/kb...urce=inproduct

When I try to visit https://www.adkhighpeaks.com/forums/ I see this:



Clicking on "learn more" here leads to this: https://support.mozilla.org/en-US/kb...ot-secure-mean
That security message is usually from a lack of or expired security certificate.
Up to site admin to update certificates with browsers.

And how long is that password?
Old 05-19-2018, 06:34 PM   #9
Trail Boss
Member
 
 
Join Date: Nov 2010
Posts: 891
Quote:
Originally Posted by Terasec View Post
That security message is usually from a lack of or expired security certificate
Up to site admin to update certificates with browsers
If you have the two sites bookmarked, check the URLs. Both sites use HTTP, not HTTPS, therefore they don't require security certificates.

That'll probably have to change in the near future to avoid seeing worrisome icons and messages. Starting July 2018, Chrome will identify all non-HTTPS sites.
https://security.googleblog.com/2018...e-to-stay.html

Firefox started doing this earlier in the year.
https://www.pcworld.com/article/3161...tp-logins.html
__________________
Looking for views!
Old 05-19-2018, 07:12 PM   #10
wiiawiwb
Member
 
 
Join Date: Oct 2007
Posts: 587
Any reason ADKforum.com isn't using the latest and greatest protocol?
Old 05-19-2018, 07:29 PM   #11
Justin
Moving along
 
Join Date: May 2006
Posts: 6,055
Quote:
Originally Posted by wiiawiwb View Post
Any reason ADKforum.com isn't using the latest and greatest protocol?
It’s a bit outdated for sure, has been for several years now. After all these years sharing photos here is still a process & a bit of a pain in the ass, and I’m sure it is one of the reasons why many adkforum members prefer to share their photos & adventures on Facebook instead (myself included), where sharing photos with friends, family, and fellow Adirondack & outdoor enthusiasts is much easier & more enjoyable.
Old 05-19-2018, 07:43 PM   #12
peskypup
Member
 
 
Join Date: Nov 2012
Location: NJ / Brant Lake
Posts: 196
An SSL certificate (which would solve the issue) can cost $50+/year. There are some really cheap ones out there ($6/year from Comodo), but I've always been suspicious of how much security they provide and whether they'd get rid of the security alerts newer browsers show. When I've been buying them in the past, it's always been for business clients (and always someone else paying the bill) so we always get the more expensive, business-grade certificate.
Old 05-19-2018, 09:09 PM   #13
Trail Boss
Member
 
 
Join Date: Nov 2010
Posts: 891
Let's Encrypt is a Certificate Authority (CA) providing free certificates.
https://letsencrypt.org/

They expire quickly (90 days?) so (to avoid the administrative headache of repeated renewals) you use a bot to do them for you. https://certbot.eff.org/
__________________
Looking for views!
Old 05-20-2018, 03:16 AM   #14
Lonehiker
Member
 
Join Date: Jan 2011
Location: Dolgeville
Posts: 68
And why do people get redirected to the MyFileStore website on the first try attempting to access this site?

Last edited by Lonehiker; 05-21-2018 at 03:26 AM..
Old 05-20-2018, 05:55 AM   #15
debmonster
No Ramen Allowed
 
 
Join Date: Nov 2009
Location: New York, NY
Posts: 119
I've noticed that the MyFileShare website comes up the first time I try to connect every day. Seems like a different forum had the same problem: http://www.stromtrooper.com/rules-fo.../121913?page=1
Old 05-20-2018, 03:38 PM   #16
Kevin7
Member
 
Join Date: Jul 2015
Posts: 60
I'm using Firefox and get the same security warning message as DSettahr posted when logging into this forum.
Old 06-14-2018, 09:05 PM   #17
Harvey44
Member
 
 
Join Date: Jun 2006
Location: North River
Posts: 155
Google (who has basically forced this issue) has declared that you will be seeing these messages everywhere by Oct 1.

SSL was built to encrypt credit card info and until Google decided it was "necessary" for all about 2 years ago, it was only used in ecommerce applications.
__________________
NYSB: NYSkiBlog.com
Old 06-14-2018, 11:04 PM   #18
Trail Boss
Member
 
 
Join Date: Nov 2010
Posts: 891
It's no longer SSL (invented by Netscape) but TLS. Consider TLS 1.0 to be SSL 3.1, except not really (for one it's not backward compatible).

HTTP transmits/receives everything "in the clear". So when you log in to ADKForum (which still uses unencrypted HTTP), your username and password are visible within the communications stream. Intercepting the stream and reading it is all too easy.

HTTPS is the HTTP protocol running through an encrypted "tunnel" ... where the encryption technique is TLS. Everything you transmit/receive is encrypted (including username/password to a web-site). If you intercept the communications stream all you get is gobbledygook. Security is a valuable feature for any transaction, not just e-commerce.

Encryption is only half the story. It's not difficult to impersonate (spoof) a web-site that merely uses unencrypted HTTP. You may think you're browsing web-site X but it may have been spoofed and you're actually browsing web-site Y which is a malicious site (i.e. click its login button and ... you download ransomware or cryptocurrency mining software).

HTTPS requires the web-site to acquire a security certificate from a Certificate Authority. It's like having a passport which serves to properly identify you. This is a tremendous improvement because it makes it far more challenging to spoof a site that uses HTTPS. It reduces the risk of being spoofed and is a significant driver, over the last few years, to convert the web to using HTTPS.

In fact, so many sites have changed to using HTTPS that now it's no longer informative for a browser to identify the sites using it but, rather, to identify the sites NOT using it. It's the sites that still use plain vanilla HTTP that are the potential security risks. That's what Firefox does and what Chrome will do (alert you when a site isn't using HTTPS).
__________________
Looking for views!
Old 06-15-2018, 06:42 AM   #19
Harvey44
Member
 
 
Join Date: Jun 2006
Location: North River
Posts: 155
Quote:
Originally Posted by Trail Boss View Post
In fact, so many sites have changed to using HTTPS that now it's no longer informative for a browser to identify the sites using it but, rather, to identify the sites NOT using it. It's the sites that still use plain vanilla HTTP that are the potential security risks. That's what Firefox does and what Chrome will do (alert you when a site isn't using HTTPS).
That describes the change happening on 10/1. HTTPS will be fully accepted as normal, HTTP as substandard.
__________________
NYSB: NYSkiBlog.com