
Feedback Stratics not secure

Discussion in 'Stratics Help and Suggestions' started by DevilsOwn, Mar 8, 2017.

  1. DevilsOwn

    DevilsOwn Stratics Legend
    Governor Stratics Veteran Alumni Stratics Legend

    not sure how long it's been this way, a week or more that I'm sure of, can you guys fix this, please?
    notsecure.JPG
     
    Capt. Lucky likes this.
  2. nexus

    nexus Site Support
    Administrator Moderator Professional Stratics Veteran Wiki Moderator Stratics Legend

    Nothing has changed, except web browsers are now pushing out notifications of when a site doesn't use SSL. We are planning to switch to SSL soon, but even then any linked images from outside sources will cause it to say the same thing. It kind of leaves our hands tied, if we want to have it show secure we'll have to disable linking of external images, and links, something we're not really comfortable doing considering how much this is done.
     
  3. petemage

    petemage Sage

    It's just what the message reads. Your connection is sending your password in plaintext through the internet. So basically everybody along the path can read/steal it. That is not the biggest threat when you are at home, but rather when you use a third party network like your hotel's wifi, the airport's wifi, school or work computers or just some nerdy friend's wifi while visiting him. Like mentioned, it's easier at home, but still kids/husband/wife are free to get your password.

    Adding SSL protects you from all of them. Thus browsers are pushing for it. It's a good thing. It's frankly easy to set up SSL nowadays and to protect your users at that front.

    The real question you should ask yourself: What's my Stratics password worth? Do I use the same password somewhere else? (google, mail, skype, etc.). What's the impact if someone gets to know it? If they can only log in to your Stratics with it, I would say you don't have to worry at all :D
     
    #3 petemage, Mar 8, 2017
    Last edited: Mar 8, 2017
  4. nexus

    nexus Site Support
    Administrator Moderator Professional Stratics Veteran Wiki Moderator Stratics Legend

    If it makes you feel better, the Passwords are encrypted in the DB :p
     
  5. DJAd

    DJAd Stratics Legend
    Stratics Veteran

    OMG my Stratics password "might" be vulnerable. C'mon is this really an issue!?
     
  6. BrianFreud

    BrianFreud Lead Wiki Mod & Doer of Crazy Things
    Professional Wiki Editor Wiki Moderator Campaign Supporter

    Blame Google; they made the decision last fall to have Chrome be rather aggressive in the schedule for this - see for example "Chrome to Label Some HTTP Sites 'Not Secure' in 2017" and "Google to slap warnings on non-HTTPS sites". At the time they decided to do it, a good part of the security community thought Google was being a bit too aggressive in scheduling/doing this, but Google decided to go ahead anyhow. (That's at least partially why you've seen so many sites switch to https since the fall.)
     
  7. petemage

    petemage Sage

    Blame Google for making the internet a safer place :D

    I don't see why Stratics has such an aversion to SSL, but I've been into that discussion once too often.
     
  8. petemage

    petemage Sage

    Nah, I wouldn't be half as worried about you guys as I would be about those randos in hotels or other semi-public networks ;)
     
  9. nexus

    nexus Site Support
    Administrator Moderator Professional Stratics Veteran Wiki Moderator Stratics Legend

    It's not really an aversion... part of it is that every time it's been tried, posts similar to this pop up, and false claims, rumors, or general paranoia crop up, and the result was that having SSL enabled was reversed. This is sort of the opposite: instead of getting a notice that "portions" of the site weren't secure when Stratics was running SSL, thanks to external links etc., now you get them because we're not running SSL.

    Secondly, cost, which was a consideration in the past, as SSL certificates until recently weren't exactly cheap, and to keep overhead down it wasn't considered a priority since any type of financial transaction (subs and donations) goes through PayPal, which is secure. Not having one didn't pose any kind of limitations, but that is changing: Apple and Google are pushing SSL, and other browsers and companies are following suit. We do plan to switch over to SSL, and when we do, like it or not, people are going to have to accept it, even with the notice that portions might not be secure, thanks still to the externally linked images etc.
     
  10. petemage

    petemage Sage

    But objectively there is a huge difference between "Sending all passwords/messages in cleartext over the network" and "getting an annoying little notification about external links not loading". I guess it comes down to what you really want. Do you want to do what you can to protect your users, or are you just trying to make them feel comfortable while they really are not? The argument you bring here is really "No matter what we do users will complain" while totally dismissing that there is a huge difference between the two cases you pointed out.


    I'm buying single site SSL for $100 a year, wildcard certificates for $200 a year. Since LetsEncrypt you even get single domain certificates for free, although I keep buying certificates when it comes to the things that earn my paycheck.

    Not having one posed totally one limitation: Password transmitted in cleartext. But I feel like talking to a wall somehow when it comes to SSL, password security and Stratics.
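
An added example, not from the thread or from Stratics' own code: a small Python audit that checks one page for the two conditions contrasted in the post above, a password field that would be submitted without TLS, and `http://` sub-resources on an HTTPS page, split into passive content (images) and active content (scripts, iframes), which browsers treat differently. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Sub-resources browsers class as passive vs. active mixed content.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src"}


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.https = urlparse(page_url).scheme == "https"
        self.form_action = None
        self.cleartext_password_forms = []
        self.passive_mixed = []
        self.active_mixed = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page URL itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            # Flag the field if the page or the submit target lacks TLS.
            if not self.https or urlparse(target).scheme != "https":
                self.cleartext_password_forms.append(target)
        elif self.https:
            # Mixed content only exists on a page that is itself HTTPS.
            for table, bucket in ((PASSIVE, self.passive_mixed),
                                  (ACTIVE, self.active_mixed)):
                url = a.get(table.get(tag, ""))
                if url and urlparse(urljoin(self.page_url, url)).scheme == "http":
                    bucket.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    return {"cleartext_password_forms": p.cleartext_password_forms,
            "passive_mixed": p.passive_mixed, "active_mixed": p.active_mixed}


# Constructed sample page: a login form, two user-linked images, one script.
SAMPLE = """<form action="/login/login" method="post">
<input type="text" name="login"><input type="password" name="password"></form>
<img src="http://images.example.net/sig.jpg">
<img src="https://images.example.net/ok.png">
<script src="http://cdn.example.net/widget.js"></script>"""
```

Calling `audit("http://forum.example/index", SAMPLE)` reports the login form as cleartext, while the same page audited under `https://forum.example/index` reports no cleartext form and lists only the `http://` image and script.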
     
  11. petemage

    petemage Sage

    Only when you are on those sites of the internet where they use a single password for everything :p I hope you are not!
     
  12. Capt. Lucky

    Capt. Lucky Crazed Zealot

    Doh... just created a new thread
     
  13. Tina Small

    Tina Small Stratics Legend
    Stratics Veteran 4H

    Is there any new information yet on when you expect to switch to SSL?