Please add SSL to the forum

Discuss new features and functions
Evan
Posts: 4
Joined: 29 Mar 2017

Post by Evan • 29 Mar 2017, 11:49

Hello,

Just registered to the forum and the browser warned me that the connection is not encrypted. Hence the passwords and login credentials are sent in plain form over the internet.

Please secure the server with SSL to minimize security breaches.

Thank you

therube
Posts: 70
Joined: 8 May 2006

Post by therube • 29 Mar 2017, 16:49

(Just to point out...

That [Firefox] warning is... eh.
A non-secure login has always been & will always be, insecure.
There is nothing new, changed, or unexpected in that respect.
It is only that now it is specifically being pointed out to [Mozilla] users.

And with that, supposedly there are no "performance" reasons not to use SSL, as SSL should in fact be faster, as its able to use speedy [SPDY].

And supposedly [& of this part I know nothing] one can get "free" certificates, self-signing, or some such...

So theoretically, these days, there should be no reason not to use SSL.)

User avatar
Zenju
Site Admin
Posts: 4123
Joined: 9 Dec 2007

Post by Zenju • 29 Mar 2017, 19:40

SSL certificates are a rip-off IMHO considering their gratuitous costs and are a yet another way to make easy money with practially zero effort for the providers. (I'm not talking about EV certificates, which require at least some effort, but then demand royal payment...) Self-signing won't help to get rid of Mozilla's warning, obviously, because there is no validation from a reputable authority. So essentially it's one more software tax to pay, similar to the de facto mandatory code signing.

Anyway, all of this is not your problem. I already own an SSL certificate for freefilesync.org, but it's just not being used currently. Perhaps it's time to activate it, if only for the forum.

User avatar
Plerry
Posts: 349
Joined: 22 Aug 2012

Post by Plerry • 30 Mar 2017, 10:22

Activating https would already do the trick of no longer having interceptable, unencrypted data traversing the Internet.
The purpose of the certificate (if any) if to assure the identity of the server being contacted.

The "problem" of using https but not having a (proper) certificate is that most modern browsers will still complain/warn about not being able to verify the identity of the server, and will discourage the user to continue.
Apparently this "scares" some users.

For the FreeFileSync site I personally don't care much about encryption. The information that is shared here is in my view not privacy sensitive. Obviously, I use unique user credentials for each and every site I subscribe to, so I even see little opportunity for harm if my FFS forum login-data would be intercepted.

User avatar
Zenju
Site Admin
Posts: 4123
Joined: 9 Dec 2007

Post by Zenju • 30 Mar 2017, 20:35

SSL is now active. Please let me know if something broke.

zerocool
Posts: 1
Joined: 4 Apr 2017

Post by zerocool • 04 Apr 2017, 03:00

I joined just to say that I'm impressed this happened so quickly.