Account login Security change

Janet H

Administrator
Staff member
I wanted to let you know that in the next day or so you may see a small change to the site login screen. This is being done as we add an extra layer of security to usernames and passwords. The login pages, registration page and pages where you might update your account login info will be behind an https url rather than the usual http url.

This change is being made to stay current with recommended security practices and not in response to any problem with the site or accounts.

HTTPS adds security in several ways: by verifying that the site is the one a server is supposed to be talking to and by preventing tampering by 3rd parties. It stops man-in-the-middle attacks, improving security for both the site and for those logging in.

This should not impact your usual browsing experience. You will still log in, still tick the remember me box, etc. The location of the login button has changed, however, and the page looks a bit different. :)
 

Err, this isn't technically true. If you can spoof the HTTPS certificate, then a MITM attack can still work. I know this is possible because Lightspeed Systems uses this technique to decrypt Google searches made by students in a multitude of schools around the globe (in order to monitor Google searches for key terms, e.g. things related to terrorism or suicide, etc.), since Google forces HTTPS connections during searches now.
 

Depends on how the cert is being verified.

Honestly tho, the entire site should be on HTTPS, not just the login page.
 

+1 agreed. Though if I had to guess, it's probably more expensive? lol. I'm not experienced with web hosting whatsoever, so I don't know if HTTPS or HTTP is more computationally or financially expensive to use.
 

Marginally more computationally expensive because it has to encrypt/decrypt, but it's negligible since it's a small amount of data.
 
I will have to avoid using the forum if it goes full SSL... Sorry, but I depend very heavily upon cached content and have made it a point to avoid websites that use HTTPS in places that it's just not needed.
 
Guess you didn't realize some people have limited bandwidth in this day and age? I only get 20GB a month max, and plenty of people still depend on dial-up because the monopolies everyone loves to support won't provide service to last-mile users. I tend to get a cache hit on squid of about 8GB/month, so that's 8GB/month that I don't get docked on my monthly quota. The more websites that go to HTTPS, the fewer that can be cached on my proxy. IMO, it's stupid to think every single thing must be a secure link, because it's not truly secure. Nice to have the logon as secure, but beyond that, it's pointless.
 

I would rather have SSL all throughout.
 