Unknown_User Posted October 25, 2015

In the latest version of Firefox (dev), an HTTP webpage with a login form will get a warning icon. I can connect to https://www.loverslab.com, so why not switch to HTTPS?

https://ma.ttias.be/firefox-nightly-starts-marking-login-forms-in-http-as-insecure/

dje34 Posted October 25, 2015

You have the right to ask, and you have the right to know. To be honest I don't think undercover FBI agents would like to see https here. Ok, enough kidding... Actually I don't think it is a priority for the mods and admins. And I agree it is unfortunate.

pinky6225 Posted October 25, 2015

It's explained why not in http://www.loverslab.com/topic/44613-full-ssl-https-support-for-the-entire-forum/

Unknown_User Posted October 25, 2015 Author

> It's explained why not in http://www.loverslab.com/topic/44613-full-ssl-https-support-for-the-entire-forum/

Ok, I read them, and here's what I thought:

1. Even if you're using HTTPS for the login page, an attacker *can* steal your session cookie to log in to your account, because it is not encrypted here.

2. > "SSL/TLS takes more CPU and memory resources, more network traffic"

   a. CPU usage will rise on server and client!? Seriously? Is this website running on a stone-age computer (e.g., DOS, Win95)? There's no major difference in CPU/memory usage. Also, you can host an HTTPS website on a tiny PC (256MB memory).

   b. "more network traffic" <--- "more", you say? I don't think so. (from my experience of networking)

   c. "since encrypted traffic is incompressible by definition" Sure, you shouldn't use compression in HTTPS (because of attack). But you can use CloudFlare to create a passive cache to reduce your network traffic (recommended).

3. > "and the certs cost money"

   Talking about the "cost" of buying an SSL certificate, don't worry. Search "Let's Encrypt". It's free. You don't have to buy a cert anymore.

4. An attacker can compromise files which a user is downloading, because it's not encrypted.

   Alice <----(send modified sexlab.rar) {Attacker} (true sexlab.rar)<-----LoversLab

===

SSL Report: loverslab.com
https://www.ssllabs.com/ssltest/analyze.html?d=loverslab.com&s=72.14.176.189&latest

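Point 1 of the post above (an HTTPS login page does not protect a session cookie that is later sent over plain HTTP) can be checked from the login response headers. This is an added example, not part of the original post or the forum's software; the cookie name `session_id` and all header values are constructed.

```python
# Added example: audit the headers of an HTTPS login response for settings
# that let the session cookie travel over plain HTTP afterwards.
# All header values below are constructed samples, not captured from any site.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_login_response(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS: browser may still request http:// pages")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, sent on plain HTTP requests")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    return findings

# Constructed: HTTPS used for the login page only, rest of the forum on HTTP.
MIXED_SITE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
]
# Constructed: whole site served over HTTPS.
FULL_HTTPS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("mixed", MIXED_SITE), ("full https", FULL_HTTPS)):
        print(label, audit_login_response(hdrs) or "ok")
```
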
pinky6225 Posted October 25, 2015

You'd probably have more luck starting with "Why HTTPS", since, as ashal points out in that thread, other than the potential of using the same login/pass on this site and another site where you enter important information, there is no important information here to protect.

The technical argument is interesting, but it doesn't answer the main question of why it's needed/not needed.

This topic is now archived and is closed to further replies.