2 replies to this topic

[resveratrol_guy]

What would it take to force this on everyone (which in 2015 is just common sense, as opposed to obnoxious)? This website is way too valuable and we simply have too much to lose if some hacker organization wants to take us for a ride. Frankly, with medical representations at stake, we should force 128-bit passwords, but I'd settle for just HTTPS.

 

If we're going to do this, then there are also the questions of TLS version and also security certificate maintenance, which is nonzero cost and requires some expertise. I'll leave that to the admins here to decide.

 

Edited by resveratrol_guy, 17 March 2015 - 12:31 AM.

[Antonio2014]

Well, we aren't managing a lot of money nor are we storing highly valuable research data. We also don't generally use real names here nor we store bank data. Probably we don't have that much to lose in case of attack nor are profitable to crackers.

[resveratrol_guy]

Well, we aren't managing a lot of money nor are we storing highly valuable research data. We also don't generally use real names here nor we store bank data. Probably we don't have that much to lose in case of attack nor are profitable to crackers.

 

I disagree. This is a society in some sense. Imagine what we would lose if Longecity suddenly disappeared, especially if backups were also destroyed, or equivalently, if it had not been backed up for a long time. And some people deface websites just to be jerks. Frankly, we're sitting ducks.

 

There are also more subtle and nefarious ways in which this could hurt us. Imagine, for example, if someone commandeered a popular user's account, and made them recommend toxic drugs or products. This would be a great way to earn money fraudulently, at the expense of our health and our members' reputations. As long as we're passing around unencrypted login credentials, we're exposed to this. It's just a matter of time.