The Tea Room

TLS/SSL-Encryption

Started by Karim, Apr 04, 2019, 09:21:14 AM

Karim

I appreciate all the effort that went in this site and community.

While registering I couldn't help but notice that the registration form is transmitted in clear text (i.e. without encryption like TLS/SSL; that little lock in the browser is not shown). I felt uncomfortable because the password would have been transmitted in clear text too.
When I switched to https://fire-serpent.com I got a certificate warning, but otherwise it worked. This implies that the current certificate is not trusted (probably self-signed).
There are proper SSL-certificates available for free at https://letsencrypt.org.

If needed, I'd be more than happy to help to improve this.

Mystress

Yeah I am old school. Used to be SSL was only for banks and others who take financial info. That stuff is all handled by paypal or direct to me, so I did not consider it necessary.  At some point I pressed a wrong button on the WHM and those warnings started showing up, dunno how to turn them off. The membership management system itself, password robot is very secure and no-one has access to the member list but me.  The login info is typically only sent once, unless someone asks me to remind them. Kind of a needle in a haystack I think?

  The emails are unencrypted, because I just could not think of why anyone would go to the trouble of stealing that info, or what good it would do them. FST kinda flies under the radar in most respects. As those who have tried to recommend it to friends have discovered, it is kind of invisible to those it is not meant for.  Goddess has it handled.

  You are the first to ever comment on unencrypted emails being an issue. Could be others feel the same. We can take a poll.

  I have installed free certificates on a few of my sites, including this one, I thought? They tend to expire quickly and keeping up with that is just one more thing on an already overloaded plate. 

Karim

Good ol' times ;)
During registration the information is sent once, but during every other login the password is transmitted in cleartext too. Since most people have lousy password habits (i.e. using the same password over and over) there is some incentive to steal passwords generally: who knows if the password of some user here also works for his paypal account?
And now consider who can read the traffic: anybody whose public wifi we use, our internet provider, any carrier whose router the packets cross and some secret services.
Today in the technical community SSL is pretty much the default because of this.


As for emails being unencrypted, that's actually not what I meant by my first post.
The issue there is that the password is written in cleartext on the server. Today's best practice is to use salted hashes to store passwords.
In case people forget their passwords there would be the possibility of requesting a new one, instead of a retransmission of the password via mail.

I am aware that I am adding to your plate, but since I work in that field I felt the need to mention it. If you need help with technical issues like that, I'd be happy to help.


Mystress

Quote: The issue there is, that the password is written in cleartext on the server.

   No, I have seen the password file and the passwords are encrypted. Htaccess standard.

  A few years back I tried to update this site, to html5 and css3. I kept getting a nagging feeling it was wrong. Then I looked at my browser statistics and discovered a significant number of members are still using old old tech like iexplore8.  I really don't know how they manage... but then I am still using Eudora mail. If other students are concerned then I will ssl the thing. I would like a licence that covers my whole vps but I host a few sites of friends.


Quote: since I work in that field i felt the need to the mention it.

  So, your work makes you professionally paranoid and you are triggered to release that? :)

Karim

Technically speaking Htaccess provides authentication, that is, only users with the appropriate credentials can access the resource on the server. The passwords themselves however are readable by the server. I got a mail with my password in it after registration, so the server can access the password in cleartext.
Today's best practice concerning password storage involves using a one-way function (hash function) and storing only the hash of the password. In that case the server itself can't access the password, but can only verify that an input matches the stored hash by hashing the input (ideally a so-called salted hash is used to prevent attacks with precomputed hashes of known passwords).


Browser compatibility is a huge issue, I feel your pain.

Maybe there's some amount of  work-induced paranoia involved :)
Maybe also expectations about how things should be or the wish to help :)

Thank you for reacting so promptly.
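The two practices Karim describes in this thread (storing only a salted one-way hash instead of the password, and issuing a fresh reset token rather than mailing the password back) as a small added example. This is not code from the forum or its membership software; it uses only the Python standard library, and the iteration count, salt length and token lifetime are values chosen for the example, not the site's settings.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Example parameters (assumed, not from the site): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt. A real deployment should follow current cost guidance.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TOKEN_TTL = timedelta(hours=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.

    Only the hash is kept; the password itself is never written anywhere.
    A fresh random salt per user defeats precomputed-hash (rainbow table) lookups.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the login input with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, stored_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def issue_reset_token(now: Optional[datetime] = None) -> Tuple[str, dict]:
    """Create a one-time reset token.

    The plain token goes to the user (e.g. in a reset link); the server stores
    only its hash and an expiry, so a leaked database cannot be used to reset.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token, record


def redeem_reset_token(token: str, record: dict, now: Optional[datetime] = None) -> bool:
    """Accept the token only if it is unexpired and matches the stored hash."""
    if now is None:
        now = datetime.now(timezone.utc)
    if now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, record["token_hash"])


if __name__ == "__main__":
    # Constructed sample: register, log in, and walk through a reset.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("hunter2", stored))
    token, reset_record = issue_reset_token()
    print("reset accepted:", redeem_reset_token(token, reset_record))
```

The stored record contains the salt in the clear; that is fine, because the salt's job is only to make each user's hash unique, not to be secret. What must never be written to disk or into an e-mail is the password itself or the plain reset token.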

Mystress

  I appreciate your advice.

I just had to get to it in my own time. ADD focus management. Some days my brain refuses to be technical. I did set for all the domain emails to be encrypted a few months later.  Turned out to be quite simple.   

  I did not quite understand what you meant by this:


Quote: Since most people have lousy password habits (i.e. using the same password over and over) there is some incentive to steal passwords generally: who knows if the password of some user here also works for his paypal account?

Until google chrome popped up a warning one day about some of my passwords showing up in a pirated passwords list. Ah! the light comes on... 

However, none of the passwords were actually mine. They were all default passwords like those used to log in to test web software: testing, admin, etc. FST remains secure, Goddess has it handled.

Now even more secure, as you suggested. A server upgrade offers an automatic, free ssl cert system.  I am having it activated on all my accounts.
  No fees and no maintenance is the solution I needed. Goddess provides, yay!

Newer browsers were throwing warnings, it is bad PR. 

  The only reason I did not get you to help is a strict policy that only grads can help with backend stuff. No spoilers!
   Thanks again.