
ssl certs? (2 weeks)

Hey,

Not to be a nerd, but FantasyFeeder does not protect our community with an SSL certificate.

What this means is that the government, your ISP, and any other actors with less benign intentions can see everything sent/received from this website. For instance: do not use your FF password anywhere else.

Just a heads up for the community. Your privacy could be at risk if you do not use a unique password for this site.

ssl certs? (2 weeks)

I understand your concerns, however that's not the case: the vast majority of the website is SSL protected. There are just two sections that we're still working on, videos and chat. Passwords are protected. Your browser should automatically be directed to use https in the relevant sections, but if not, just ensure you have https in the browser address bar.

ssl certs? (2 weeks)

Good to know Hiccupx! I already knew about the https:// but I guess I am nerdy and check these things!

Loving that, rather than this query being directed to the site owner or admin for them to clarify and reassure, a drama llama post needed to be made first.

Protect the community by spreading fear and uncertainty!!!! Not at all needed.

Big love for FF!!!

ssl certs? (2 weeks)

c00kie:
Protect the community by spreading fear and uncertainty!!!! Not at all needed.

Big love for FF!!!


Big love for FF here, too!!! Would not say something if I did not care for our community.

Agree that fear is not needed, but that people should know that they should treat their FF password as something inherently compromised if entered insecurely.

FWIW https redirect is not automatic for my Mac using either Firefox or Opera.

ssl certs? (2 weeks)

HTTPS doesn't appear to be the default on Android's stock browser either.

ssl certs? (2 weeks)

hiccupx:
I understand your concerns, however that's not the case: the vast majority of the website is SSL protected. There are just two sections that we're still working on, videos and chat. Passwords are protected. Your browser should automatically be directed to use https in the relevant sections, but if not, just ensure you have https in the browser address bar.


That's just it, though. There is an SSL certificate, but you have not rewritten your web server config rules to redirect all plain HTTP requests to HTTPS, which is making it almost pointless. Any regular request made does not default to HTTPS, so almost everyone is unprotected. Even if fantasyfeeder.com were in the HTTPS Everywhere add-on's list, you would still need to depend on everyone to have it installed. The only solution here is to force the redirect on all requests like all other sites have done.

We're not even getting into any other security problems like the hashing algorithm used for passwords, and I'm sure there are a lot of issues on a typical LAMP stack like this, but redirecting to HTTPS is a must.
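For reference, here is what the forced redirect the post above asks for looks like on the kind of Apache (LAMP) setup it mentions. This is an added example, not the site's actual config or anything posted in the thread; the hostname, document root and certificate paths are placeholders.

```apache
# Weak (before): the plain-HTTP host serves the full site, so a request
# typed as a bare domain (the browser default) is answered in clear text,
# including the login form and any session cookie, and is never upgraded.
#
# <VirtualHost *:80>
#     ServerName example.test            # placeholder hostname
#     DocumentRoot /var/www/site         # placeholder path
# </VirtualHost>

# Corrected: the :80 host does nothing except send the client to HTTPS.
<VirtualHost *:80>
    ServerName example.test
    # Redirect keeps the rest of the request path, so deep links still work.
    # A 301 also teaches the browser to go to https on later visits.
    Redirect permanent / https://example.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site.pem    # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/site.key

    # HSTS (needs mod_headers): browsers that have seen this header will
    # refuse plain http for this host for a year, closing the window where
    # the very first request still travels unencrypted before the redirect.
    # Only enable it once every section, the videos and chat mentioned
    # earlier in the thread included, is actually reachable over HTTPS,
    # because the header applies to the whole hostname, not just some paths.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

A quick way to confirm it works is to request the bare http:// URL and check that the response is a 301 whose Location header starts with https://.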