Re: http - how secure is it?
 

Then you need better software.
Alt names are not new, so restricting them to just one will always have been a ridiculous thing to do.

---------- Post added at 16:14 ---------- Previous post was at 16:09 ----------

Generally, very little, but then I havent said it anything about that.
My point has clearly been that its not always necessary, and browsers mislead people with their FUD & warnings.
Benefit wise, their is the obvious one of not having to deal with certificates, possibly speed on very old devices, other than that, not much really.

Re: http - how secure is it?
 

Thank you for the reply Mike.

So are you saying that there is a higher risk of browsing/downloading content from a site that does not use https?

---------- Post added at 17:44 ---------- Previous post was at 17:42 ----------

But you're saying is that it makes little difference to site users as to whether the site has https?

Re: http - how secure is it?
 

any site can be exploited which in turn could compromise your devices no matter what protocol it uses HTTP, HTTPS, FTP, NNTP and so on

Re: http - how secure is it?
 

My Tec * has gone back to uni, won't say what she said when it was happening on kespasky , put on work around ,as she could not see any information hold by cf that couldn't be found easily . * Doing a PhD in some that l have no idea what it intails by is about programming. She and some others are coming for Thanksgiving ,still not happy about going back and fore yet:angel:

But I just think its silly to block HTTP.. Its just scare mongering when we have been using HTTP all along and have been fine.....

This message on tapeheads speaks loudly of this

www.tapeheads.net/showthread.php?t=59798

Although he does have an SSL cert now but not many use it.

Re: http - how secure is it?
 

Generally, that would be the case. Technically, the site will be slower, but you probably wont notice.
The most issues you would get are if your browser is old(er) and cannot handle the later SSL (TLS) versions that are now in use.

Most sites (inc CF) now disable SSLv2, SSLv3, and TLS 1.0.
Indeed, most modern browsers dont support them now either.
TLS 1.1 & 1.2 are the most common (1.1 is old now, but most sites still support it).

TLS 1.3 is the latest version, but is still not supported by many sites.

We are perfectly aware of what you think.
Its not, and you're wrong, and pretty much everyone will move to using it.
Regardless of the FUD, and whether its always strictly necessary, there are no significant downsides to using it.

http hasnt been an option here since Jan 2018, and that wont ever change.

Re: http - how secure is it?
 

No, HTTPS does not mean the contents (or the coding/backend security) of the site is any more secure than a site without HTTPS, they are two separate things completely.

HTTPS means that the data sent between your browser & the website is encrypted so no one else can snoop on it or tamper with it before it gets to you.

I would be wary of completing any form on a site with just HTTP as anything you put in is sent back to the server in text exactly as you put on the form. HTTPS will encrypt this.

---------- Post added at 12:07 ---------- Previous post was at 11:54 ----------

What absolute nonsense, there is no scare mongering about HTTPS.
HTTP is in no way secure, everything is sent in plain text, whereas HTTPS encrypts data, it's as simple as that.

As for that post you link to on tapeheads, I really don't know what to say.
First goes on about "compromise of your computer" well if your computer is compromised, HTTPS will not help you!

"At Tapeheads, everything you send and everything you receive is handled in plain, unencrypted text." well yes, if you don't use HTTPS then everything is transmitted & received unencrypted.

"We don't run a secure connection to users because we don't need to" so why do they have HTTPS as well now, and why are they not redirecting HTTP to HTTPS?

"Enabling an https connection adds overhead and complexity that's just not of any benefit whatsoever to anyone." No it doesn't, get a certificate (can be got for free) add it to your hosting, and setup an HTTP to HTTPS redirect, and it's a benefit to everyone

"The only possible ramification of this is that if a user is subject to a man-in-the-middle exploit, their login might be compromised" So they don't care if your login details get stolen whilst logging in, great site! one to stay away from!

And finally "secure connections break this version of vBulletin" Um, so update your software, easy!

Re: http - how secure is it?
 

Thank you for your reply.

Basically, what you are saying, if I am correct, is that there is no increased risk by just downloading/streaming from a site which does not have https.

Re: http - how secure is it?
 

To Paul,
It takes a long time for big companies to update stuff especially in my arena. It's only the inbuilt CSR generation that's like that, we can use the underlying tools to put more names in. The issue though is the change to needing the main site name in the Alt DNS list


To Rillington
The risk is that the site may not be the one you think it is as part of HTTPS is authenticating the site as well as encrypting the data. True not many people carefully check certificates but you could.

Re: http - how secure is it?
 

HTTPS does not guarantee the contents of the site is safe, nor that the what they do with any data is safe, e.g. storing passwords as plain text.

I could go & create a site now, get a certificate and make sure it's only accessible via HTTPS, and fill it with "dodgy" downloads for you to get, which could then infect your PC.

This is where your anti-virus/anti-malware software & common sense comes into play.

The increased risk of an HTTP only site is that (with the right skills & willing) someone could see anything you put into a form, or see exactly what you are looking at & downloading. HTTPS prevents this as the communications between you & the website are encrypted.

But for any website at all, if you're concerned about downloading anything, simply don't, or search around & try to verify that it's safe.

Re: http - how secure is it?
 

It doesnt help when certificate issuers change things.

One of Lets Encrypt's intermediate certificates expires imminently, and thats causing some issues. :(

Re: http - how secure is it?
 

And this is why I would never put anything into a site which does not have https.

For me, the issue is whether there is any addition risk simply by visiting a site which does not have https because as soon as you visit any website you are downloading content, and from what you have indicated, there is no difference as all https does is encrypt data sent between user and site and vice versa to stop sone else from seeing what you are doing and what data is being transferred. Correct?

Re: http - how secure is it?
 

Bascically yes, the contents could be malicious though. Just because it uses HTTPS does not mean you are safe at all.

Re: http - how secure is it?
 

Thank you for the clarification.

Re: http - how secure is it?
 

and am i right that regardless of whether a site is 'secure' or 'not secure', you are downloading content onto your hard-drive just by visiting the site and there is no difference regarding safety if you choose to save the content you download rather than getting rid of it by clearing your browsing data.