|
Post by Sassicat on Apr 28, 2017 11:39:08 GMT
Is there any way that the settings for this website can be altered to ensure a secure connection - so that we get the padlock symbol in the address bar?
This morning I used this site (http://communitytranslation.freeforums.net) with Firefox web browser and I was a bit surprised (and slightly alarmed) to be advised that the website is not secure and that information isn't encrypted, which is a concern as it means that passwords/email addresses etc. can be viewed in transit which might not be good for us (and compromise our email accounts etc.). The padlock isn't visible either if I use Safari web browser. However, if I go into my account to change my password, then the padlock does appear in the address bar, so it would appear that it's possible to make this website secure.
The reason I looked into it is that a friend wants to sign up, but he can't access the website, and I suspect this may be because his web browser won't let him connect to non-secure websites.
I've attached screen shots of the security messages I get when using Firefox, which hopefully gives more precise details and explains the situation fully.
Thanks for your help with this.
Sassi
|
|
|
Post by Camden Ferguson on Apr 28, 2017 12:16:45 GMT
My computer never alerted me to that; quizzical. If it's possible, we can see what we can do. Ultimately, that might be beyond us and be within Proboards itself.
|
|
|
Post by aria487 on Apr 28, 2017 14:26:58 GMT
I doubt it falls within these forums admins' powers, but it's worth a check from them in their own ProBoards panel. If it's not paid, I highly recommend it. (JoThelan)
One can always use a plugin like HTTPSEverywhere (for Chromium engine and for Firefox).
Comodo Dragon, one of the most strict and secure web browsers, has manual HTTPS enforcement, but still opens HTTP websites. I doubt there would be any browser that doesn't let you open HTTP websites just for that reason, at least not on PC. (Tor browser also opened HTTP last time I tried, though some years have passed!)
What browser is your friend using, on what system, and does he have a security software installed? Which?
|
|
|
Post by idle on Apr 28, 2017 14:37:14 GMT
I'm afraid that security around http and https and how browsers deal with them keeps changing quite fast these days and the situation is quite confusing. So everyone's experience might be different based on operating systems, browsers and their versions (most likely the newer the version of the browser, the more likely it is to complain). I'm not an expert though, I just have people around me who know more about it than I do.
|
|
|
Post by JoThelan on Apr 28, 2017 15:47:09 GMT
Hmm, that is really strange Sassicat. I have never had that issue with Proboards before. So I tried logging into the site on Firefox just now and didn't have any problems. In fact, https did show up in my URL bar. I'll do some research and see what I can find.
|
|
|
Post by JoThelan on Apr 28, 2017 19:24:13 GMT
Ok, I did some research and Proboards uses https for log in and registration. They are in the process of turning all pages to https this year. Most websites use https for pages that are transmitting information requiring security, so Proboards is pretty standard in that area. I'm not sure why you got an http page when logging in, since that is not in accordance with normal Proboards procedures. Sassicat
|
|
|
Post by Sassicat on Apr 29, 2017 8:49:16 GMT
Hi
Thanks so much for all your help and thoughts on this. Your answers have been very helpful.
1) Firstly can I explain that when I was using Firefox to login - I was alerted to the situation because beside the address bar, on the browser, there was an exclamation mark (see screen shot below).
2) Good to hear that Proboards are moving to https for all boards. I guess my concern is that when I'm logged in to this website, if my email address is visible to other users on this site, it will be visible in transit. (is this possible?) I'm a bit paranoid about security. 18 months ago our telephone provider (TalkTalk in the UK) was hacked 3 times in the same year - with various bits of our personal information being stolen - which has caused us all sorts of problems.
2) Thanks for highlighting the difference between http and https. When I sent my friend the web address I simply copied the address from my web browser's address bar and removed the letters at the end after the / (which usually works!). Because I was logged into the site the url ended up as: http://communitytranslation.freeforums.net rather than: https://communitytranslation.freeforums.net This may explain the reason my friend couldn't access the website - although if I log out and go to: http://communitytranslation.freeforums.net I get to the website with no problem and have the option to register and log in. I will ask him to try and sign up at: communitytranslation.freeforums.net and see if it makes a difference!
3) Apart from that I will have to ask further about why my friend couldn't access the website. I think his son set up his computer for him, as he's not very I.T. literate. He's probably using Windows, on a newish system. As a Mac user myself, I don't know very much about Windows to be able to advise.
Thanks once again for all your help - it's very much appreciated, and apologies for taking up so much of your time.
Sassi
|
|
|
Post by SussexSoleil on Apr 29, 2017 13:54:26 GMT
> I guess my concern is that when I'm logged in to this website, if my email address is visible to other users on this site, it will be visible in transit. (is this possible?) I'm a bit paranoid about security. 18 months ago our telephone provider (TalkTalk in the UK) was hacked 3 times in the same year - with various bits of our personal information being stolen - which has caused us all sorts of problems.
Good questions Sassicat. I was going to respond to all your questions, but JoThelan has given you the facts about ProBoards.
HTTPS implements an encrypted channel of communication between your client browser (Chrome/Firefox/IE/whatever) and the website server (freeforums.net). In less technical terms, all the data is made to look like garbage, as it is transmitted across the internet. Only the server can initiate such a connection, because it holds the private encryption key, necessary to decode the data you send. You cannot force it from your end.
Encryption is particularly important to mask passwords, which is why ProBoards has to use HTTPS for registration and sign on, otherwise anyone could capture your password, impersonate you and have access to all your information, even when it is not being transmitted. For any commercial activity it is also important to mask payment details in transit: credit cards, bank accounts, etc. Hence you should always look for the padlock icon before entering any such information on a merchant's webpage, although that is not the case here, as no money changes hands.
So you are correct, your email address is vulnerable on Communitytranslation. Although we have given details elsewhere (Email security) of how not to reveal your email address to other forum Members, the moderators can still see it, and if I was looking at your profile now, your email address would be transmitted in clear over the internet and could be seen by anyone with the necessary hardware/software.
If you are using SmartCAT, your email address can be seen by the admin(s) there too, although SmartCAT uses HTTPS throughout.
But for anyone concerned about email address security, the key is to treat all email addresses as disposable. You cannot trust anyone to keep your email address secure, from friends whose address books get hacked, to large corporations. I regularly receive loads of spam sent to the unique mail addresses I have set up for BMW, Toyota, Groupon ... and probably TalkTalk too, if I was a customer of theirs. Actually, getting all this spam is great for security, because when I see the same email come in for more than one address, I know that it is fraudulent and can delete it without even opening it. In fact, I have got a block of disposable email addresses set up especially for the moderators of this site - if any of you want one, just PM me.
To recap on an important security message: HTTPS only helps to protect data in transit. It does not mean your data is secure when it reaches the website. And frankly, I wouldn't trust my data on any free website (ProBoards, DuoLingo, Facebook ...), whether they use HTTPS or not. The fact is that you have no contract with the providers of the said websites, so you have no financial sanction over them for any damage they may cause you, other than the general duty of care they owe to any member of the public.
|
|
|
Post by aria487 on Apr 29, 2017 18:09:54 GMT
> ...2) Thanks for highlighting the difference between http and https. When I sent my friend the web address I simply copied the address from my web browser's address bar and removed the letters at the end after the / (which usually works!). Because I was logged into the site the url ended up as: http://communitytranslation.freeforums.net rather than: https://communitytranslation.freeforums.net This may explain the reason my friend couldn't access the website - although if I log out and go to: http://communitytranslation.freeforums.net I get to the website with no problem and have the option to register and log in. I will ask him to try and sign up at: communitytranslation.freeforums.net and see if it makes a difference!
> 3) Apart from that I will have to ask further about why my friend couldn't access the website. I think his son set up his computer for him, as he's not very I.T. literate. He's probably using Windows, on a newish system. As a Mac user myself, I don't know very much about Windows to be able to advise.
> Thanks once again for all your help - it's very much appreciated, and apologies for taking up so much of your time.
> Sassi
2- So ProBoards do have HTTPS for their specific forums, CT can also be loaded in HTTPS, I wasn't expecting the site to let you access HTTP when there's an encrypted connection. (Funny I mentioned Comodo earlier, this HTTPS license is verified by Comodo)
3- I'm highly suspicious of these configurations picking on HTTP. Maybe it's caused by badware and doesn't have anything to do with security?
> Only the server can initiate such a connection, because it holds the private encryption key, necessary to decode the data you send. You cannot force it from your end.
Can you help me understand the function of these HTTPS enforcement tools? Are these useless? I remember being skeptical of HTTPSEverywhere, but Comodo also has its own enforcement plugin.
|
|
|
Post by SussexSoleil on Apr 29, 2017 20:44:12 GMT
> > Only the server can initiate such a connection, because it holds the private encryption key, necessary to decode the data you send. You cannot force it from your end.
> Can you help me understand the function of these HTTPS enforcement tools? Are these useless? I remember being skeptical of HTTPSEverywhere, but Comodo also has its own enforcement plugin.
Skeptical? A snippet from the HTTPSEverywhere FAQ: "HTTPSEverywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can't create them if they don't already exist. If you use a site not supported by HTTPS Everywhere or a site that provides some information in an insecure way, HTTPS Everywhere can't provide additional protection for your use of that site."
This is basically the same message as you quoted me as saying above, just more specific to what HTTPSEverywhere can and cannot do. All that HTTPSEverywhere does is ensure that, where a website offers both http:// and https:// servers, the connection is made over the https:// link rather than accidentally picking up the unencrypted service. Since ProBoards does not yet offer an HTTPS connection for most parts of this website, it is not going to enhance anyone's security by using it. (At least I hope that is correct. I am not an industry expert in internet protocols, nor am I familiar with these add-on tools and plug-ins, mainly because I think they are about as effective as wearing garlic to ward off vampires and I wouldn't let them near my computer.)
|
|
|
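The behaviour described in the FAQ quoted above, as an added sketch that is not part of the thread and not HTTPS Everywhere's own code: a client-side upgrader can only rewrite http:// to https:// for hosts it already knows serve HTTPS, and leaves everything else in cleartext. The ruleset shape, host names and function names are hypothetical.

```javascript
// Added illustration: a simplified model of a client-side HTTPS upgrader.
// Ruleset shape, host names and function names are hypothetical (constructed).
const RULESETS = [
  // Hosts a ruleset maintainer has confirmed serve the same content over HTTPS.
  { host: "forum.example", includeSubdomains: true,
    exclusions: [/^\/legacy-uploads\//] },   // paths known to break over HTTPS
  { host: "shop.example", includeSubdomains: false, exclusions: [] },
];

// Match on an exact host or a dot-delimited suffix, so "notforum.example"
// never inherits the rules written for "forum.example".
function findRuleset(hostname) {
  return RULESETS.find(r =>
    hostname === r.host ||
    (r.includeSubdomains && hostname.endsWith("." + r.host))) || null;
}

// Decide what to load for a URL the user typed or clicked.
function upgradeUrl(input) {
  const keep = (url, reason) => ({ url, upgraded: false, reason });
  let u;
  try { u = new URL(input); } catch { return keep(input, "unparseable"); }
  if (u.protocol === "https:") return keep(u.href, "already-https");
  if (u.protocol !== "http:") return keep(u.href, "not-http");
  if (u.port !== "") return keep(u.href, "custom-port"); // no known HTTPS port
  const rs = findRuleset(u.hostname);
  // No rule means no evidence the server speaks HTTPS: nothing to activate.
  if (!rs) return keep(u.href, "no-ruleset");
  if (rs.exclusions.some(re => re.test(u.pathname))) return keep(u.href, "excluded");
  u.protocol = "https:";
  return { url: u.href, upgraded: true, reason: "ruleset-match" };
}

// Report which of a page's links would still travel in cleartext.
function cleartextLinks(urls) {
  return urls.map(upgradeUrl)
    .filter(r => r.url.startsWith("http://"))
    .map(r => `${r.url} (${r.reason})`);
}
```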
Post by aria487 on Apr 30, 2017 6:16:45 GMT
> > Can you help me understand the function of these HTTPS enforcement tools? Are these useless? I remember being skeptical of HTTPSEverywhere, but Comodo also has its own enforcement plugin.
> Skeptical? A snippet from the HTTPSEverywhere FAQ: "HTTPSEverywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can't create them if they don't already exist. If you use a site not supported by HTTPS Everywhere or a site that provides some information in an insecure way, HTTPS Everywhere can't provide additional protection for your use of that site."
> This is basically the same message as you quoted me as saying above, just more specific to what HTTPSEverywhere can and cannot do. All that HTTPSEverywhere does is ensure that, where a website offers both http:// and https:// servers, the connection is made over the https:// link rather than accidentally picking up the unencrypted service. Since ProBoards does not yet offer an HTTPS connection for most parts of this website, it is not going to enhance anyone's security by using it. (At least I hope that is correct. I am not an industry expert in internet protocols, nor am I familiar with these add-on tools and plug-ins, mainly because I think they are about as effective as wearing garlic to ward off vampires and I wouldn't let them near my computer.)
My memory tells me I'd already read such a thing (I can't remember clearly when or where), so, I agree and thank you for explaining! (And as you've quoted something I could find with a simple search, I feel like an idiot! It's just that I've been too caught up in things I didn't even try running a search before bothering you, sorry!) And I'd never hope garlic would work against vampires!
|
|
|
Post by Sassicat on May 2, 2017 15:31:42 GMT
Hi everyone
Thanks again for all your help, information and excellent explanations.
Just to update I've found out why my friend can't sign into Community Translation. I saw him today and because his grandchildren often use his computer, his internet provider account is set up so that it can't access any social media, or forums. So that explains that!
Ciao e grazie
|
|
|
Post by JoThelan on May 2, 2017 21:43:32 GMT
Ah, that's good to know! Is it possible for him to get his provider to make exceptions for specific sites? Sassicat
|
|