• Log in with Facebook Log in with Twitter Log In with Google      Sign In    
  • Create Account
  LongeCity
              Advocacy & Research for Unlimited Lifespans

Photo
* * * * - 1 votes

Isn't it time for an upgrade to HTTPS?

https security

  • Please log in to reply
9 replies to this topic

#1 Sciencyst

  • Guest
  • 272 posts
  • 43
  • Location:The Claustrum

Posted 15 June 2017 - 07:00 AM


In the day and age of big brother, big data, and widespread kiddy-scripters, isn't it a good idea to switch to HTTPS? It used to be rather expensive, but a cert can be as cheap as free for desktop users.

Why does Longecity still use HTTP when it's insecure, and what can be done to change this?


  • Agree x 1

#2 Oakman

  • Location:CO

Posted 15 June 2017 - 03:03 PM

I'll bite. Just why does this site need HTTPS? Just because? Or is there information being posted that requires such security?


  • Good Point x 2
  • Disagree x 1

#3 hippocamelus

  • Guest
  • 3 posts
  • 4
  • Location:Canada

Posted 17 July 2017 - 11:04 PM

Every site benefits from HTTPS:

 

 - It prevents malicious content being injected into the regular content.  Hacked advertising networks have caused a lot of damage.

 - Google punishes unencrypted sites by lowering their search result ratings.

 - HTTP/2 allows faster page loads, and most browsers require https in order to use it

 - It's free and easy via https://letsencrypt.org *

 

For Longecity in particular:

 

 - Many people are posting about their personal health conditions.  In professional settings, the need for security and privacy of health-related data is already well-understood, and often legally mandated.

 - There are plenty of posts here about experimental treatments which could get the posters in trouble with local authorities, employers, or health insurance agencies if their activities were linked to their identities.

 

I've mostly moved away from Longecity and use Reddit now, because I'm waiting for them to fix this issue.  (I would prefer to use Longecity, but Reddit protects my privacy by providing https)

 

 

* Longecity engineers: would you like some outside help setting up letsencrypt.org certificates?


Edited by hippocamelus, 17 July 2017 - 11:10 PM.

  • Agree x 3
  • Good Point x 1

#4 Adamzski

  • Guest
  • 676 posts
  • 58
  • Location:South Korea

Posted 18 July 2017 - 06:45 AM

I can help its what I do 16-36hrs of the day and yeah just the risk of people in coffee shops getting their cleartext passwords captured is enough.

 

Not enough for me to stop using the site but I would not login over any public network. Who knows, people could just be collecting credentials for social engineering or even drug companies or some group could resurect long gone high post count members to spread disinformation.

 

Also just picked a single advertised version of a part of the hosting stack and it is EOL from Dec 2015. Maybe this site needs some kind of sups.


  • Informative x 1
  • Cheerful x 1

#5 caliban

  • Admin, Advisor, Director
  • 9,154 posts
  • 587
  • Location:UK

Posted 24 August 2017 - 11:43 PM

Not just criticism, but offers to help. Thanks! That makes all the difference.   

 

You are right that an SSL certificate was long overdue. We have often considered it in the past and then something else always took priority and we were worried that things might break. 

 

For now- fingers crossed- the implementation seems to have gone ok - login and donations should now work over https. 

Thanks to our great host at canaca.com for making this possible! 

 

We are still in trial mode - can I tap into the helpfulness above and ask that you please alert us to any errors you might spot?   

 


  • Cheerful x 1
  • like x 1

#6 hippocamelus

  • Guest
  • 3 posts
  • 4
  • Location:Canada

Posted 25 August 2017 - 12:40 AM

​Nice!  This is great!

​Forum pages seem to be already useable when I change URLs to be https: so that's nice,

 

You probably already know that the image paths and especially javascript source URLs need to be updated, in order to make the browser warnings go away.

​Your server's SSL settings need a couple of improvements, you can see are a bunch of recommendations here:

https://www.ssllabs....d=longecity.org

​^ Despite the negative rating on that page, this is honestly a great start!


Edited by hippocamelus, 25 August 2017 - 12:41 AM.

  • Informative x 2

#7 caliban

  • Admin, Advisor, Director
  • 9,154 posts
  • 587
  • Location:UK

Posted 25 August 2017 - 03:52 PM

Unfortunately, as the SSL changes percolate through the cache serious problems have emerged.

 

Although the issues revolve around "secure connections" there is no need to be concerned about site security, this is just a techinal problem.

 

It may help to clear your browser cache and cookies, but there will likely be further outages.

  

sorry for the inconvenience!   



#8 InvictusVivus

  • Guest
  • 4 posts
  • 2
  • Location:Bern

Posted 09 October 2017 - 06:12 AM

Hello to all!

Logging in over an insecure, eg, non-SSl connection, allows the theft of your password and user name by every computer that detail passes through, including but not limited to, your own ISP. Identity theft and impersonation is practised in fora as well as in other places.

I do hope that SSL in its latest secure implementation will be available for logins and posting here very soon.

Wishing a very good day to all   :)



#9 Ego

  • Guest
  • 4 posts
  • 2
  • Location:Austria

Posted 14 February 2018 - 03:17 PM

Hey,

Due to the fact that this thread already contains an ongoing discussion regarding the use of TLS based encryption on LongeCity, I thought I'd post the following in here.

There have already been a few good arguments thrown around for why this site should not just support, but actually enforce properly encrypted connections for all users. This is currently not the case though may actually be necessary in the coming months.

You see, Alphabet, one of the main backers behind Chromium, a project on which the majority of currently used internet browsers have been based, has announced that they would not continue to trust Symantec issued certificates after Symantec has on multiple occasions issued and handled certificates in a manner that some may ascribe to incompetence, while others have actually attributed it to intentional malice. Either way, because of this, it has been announced that by April 2018, websites using Symantec certificates, as well as those using certificates that utilize Symantec as their so called "root-of-trust", will be labeled as insecure via the to many familiar red warning site Chrome and other browsers throw up when visiting a site using a faulty certificate.

This would be the case for LongeCity, as it currently relies on a certificate by GeoTrust, ironically not to be trusted anymore by April.

Furthermore, Google, one of Alphabet subsidiaries, has stated way back in 2014, that enforcing TLS does indeed benefit a sites ranking on their search engine in a not insignificant way.

Adding to that, the Chromium Project already has been discussing their next step towards a fully encrypted net, openly discussing plans to mark any non encrypted site with a red warning label next to the URL in the future.

Now, this is an issue that, sooner or later, will have to be addressed in one form or another. And with the Chromium changes in April, there is a somewhat fixed deadline to address this.

That is why, as others have already done in this thread, I'd also recommend the usage of Let's Encrypt. It provides free, secure and compatible certificates, as well as an easy automated process for almost any web server via certbot. Essentially, it is a "set it and forget it" solution, configured within minutes.

Sources:

https://www.theregis...ate_apocalypse/

https://webmasters.g...ing-signal.html

https://www.chromium...p-as-non-secure

https://certbot.eff.org/

As others have done, I would also be willing to offer assistance, it so required.

Bye,

Ego



#10 caliban

  • Admin, Advisor, Director
  • 9,154 posts
  • 587
  • Location:UK

Posted 31 March 2018 - 09:33 PM

I think we FINALLY managed to solve this!!! 

 

A big "thank you!!" to our wonderful hosts at CANACA.com!

 

SSL should now be enabled across the site. 

 

There may still be issues arising, (and hardcoded links to update). 

 

If you notice anything broken or unusual, please let us know!   

 

Attached File  lcsecur.jpg   3.98KB   1 downloads







Also tagged with one or more of these keywords: https, security

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users