Wetlook World Forum


Message # 79312.2.1.1.1.1.1.1

Subject: Note Re:site security

Date: Wed 11/12/19 00:27:26 GMT

Name: AnthonyX ca

Email: anthonyx@jowc.net

Website:

Getting some facts straight:

 

HTTPS means the site is using encryption (used to be SSL, but that's been deprecated in favor of TLS, but everyone still knows it as SSL, though inaccurately); the protocol suite involves key exchange which relies on a certificate to authenticate the host (protects against man-in-the-middle). Certificates are now cheap or free (depending on the CA you get them from).

 

WAMInStyle is using plain ol' HTTP, and that includes their customer login. Anyone able to intercept the communication would be able to see those credentials. The same goes for any other site not using HTTPS. That exposes customer passwords. You don't know how any given site stores passwords - best practice is to use techniques known as salting and hashing; this allows for verification, but there is no practical way to recover the original password from its salted hash. Unless a site is using such techniques to handle stored passwords, your password is not secure even if it is communicated over HTTPS.

 

WAMInStyle checkout pages are HTTPS because they are actually coming from the payment provider. You don't have to worry about your credit card number being compromised by WAMInStyle because they won't be able to see that information.

 

As for why the overall trend to HTTPS: it's about privacy over and above any security issues with respect to passwords and credit card / bank account numbers. All of the interactions between your computer and whatever sites you visit are open to interception. HTTPS ensures that those interactions are private - if intercepted, the communications exchanged cannot feasibly be decrypted. A third party may be able to determine which hosts you are connecting to, but not what pages you are looking at or what is on those pages.

In reply to Message (79312.2.1.1.1.1.1) Hello Re:Ahem ;-)

By Malvineous - mrnemesis@ntlworld.com gb Tue 10/12/19 23:01:57 GMT

Website:


I am surprised by how many sites don’t use HTTPS even when they handle logins. Sniffing the login details for any one of these could easily net you the credentials for something more interesting (especially if the username is an e-mail address). Session cookies can be stolen to let you enter an existing login session and take control of an account. Some sites even put the session token directly into the URL (and some people even defend this approach as sensible, while I strive to keep URLs as clean as possible and keep personal and session data out of them).

 

Most forums do have logins — this one is a rare exception.

 

Even informative sites like Wikipedia support logins — hobby sites like mine are an outdated notion (and so often, they look like they never left the 90s!) People now post their photos, videos, public discussion, private discussion, commentary and life experiences on public service websites instead of their own homepage or through e-mail. (This is a whole philosophical debate unto itself: should material be grouped by site according to subject or data format?)

 

I have no great philosophical problem with switching my site to HTTPS-only, but it does cause your browser history to clog up with “duplicate” URLs. I don’t know off-hand if there is a threat from the theft of analytics cookies that are widely used: the ones that now result in so many sites being openly hostile to visitors, sometimes to the extent that I simply walk away. Insult to injury …

 

As for sites with external payment processors: yes, HTTPS is more important on the payment processor site, but for a lay person who does not understand the technology, they have more peace of mind if their whole experience with that site is secure. Who knows what data is received from the payment processor into a session that can be entered by stealing the session cookie. (Even tying the session to an IP at the server end is no use if the thief is on Wi-Fi behind the same NAT gateway as you.)

 

That site talking about Google de-listing non-HTTPS sites looked pretty suspect to me (it stank of clickbait/nutter), and it certainly did not happen on the date reported. As far as I’m concerned, I’ll cross that bridge if my site really does stop being listed in search results.

In reply to Message (79312.2.1.1.1.1) Hello Re:Ahem ;-)

By MK - wamtec@comcast.net gb Tue 10/12/19 22:07:25 GMT

Website:


Thanks for the technical insights.....a salient point you mention is...

 

>I can see being HTTP-only being a problem in the commercial space, but this is a hobby site.

 

I would agree that SSL is needed for Banking and other sites which involve sensitive data.....but as you said, this forum is not a commercial site and is run as a hobby site, so why do the Browser companies attach a stigma and label this site as "Unsecure", when there is nothing at risk here.

 

In a zoo which has dangerous animals, the public need to know that the wild animals are caged and the public is protected. In a public park where they have non dangerous animals like ducks in the pond there is no need to post notices warning the public that they may be unsafe because there are ducks in a duck pond. So why do Google and other Browser  companies place the stigma label of "unsecure site" on low risk hobby sites such as this one. Stigmatizing sites as "unsecure" when there is no need for a higher level security on those sites....is merely a marketing tactic to discourage people from visiting those sites and to encourage people to patronize those sites that have SSL and will kiss the ring of those who run the domain companies.

 

Google is almost a monopoly these days....and if they came out with a scheme that says every website has to install a banner that says "I love Google" or else their site will be de-listed from their search engine....we would all have no choice but to comply.

 

As a lay person, it seems redundant to me that websites selling products are required to have SSL otherwise they get de-ranked or de-listed....when the payment systems they use all link to external payment systems on other servers that ARE secure. Why do we need SSL...because by law we are not allowed to maintain the customers private data on our server anyway.....because U.S. and EU regulations state that we are not allowed to have the customers data on our servers.....and only the banks and companies who do the cc processing are allowed to maintain customer data on their servers which are already secure (at least until the next time they get hacked...but that is their problem not ours).

 

In reply to Message (79312.2.1.1.1) Info Ahem ;-)

By Malvineous - mrnemesis@ntlworld.com gb Tue 10/12/19 21:12:14 GMT

Website:


With all due respect, that is not true.

 

SSL certificates range all the way from expensive down to free. SAN certificates (that cover two or more separate domains or hosts) are pricey, but a standard single-host domain validation certificate (that simply proves that you are on the site you think you are) is cheap. (The job of a certificate is really to ensure that you are on the site you think you are, which combines your trust in the operating system vendor and the integrity of your computer along with a reputable agency to affirm the reliability of the identity the site presents to you. Once you are past this stage, you then establish a secure connection. Self-signed certificates still give you a secure connection, but it could be to anyone anywhere.)

 

However, with an industry-standard Let’s Encrypt, the certificate is free and the renewal is automated, so if your hosting provider offers that (as mine does) it is simply a matter of ticking a box to enable HTTPS, and job done, no further cost. Whether Let’s Encrypt is a valid and trustworthy service could be a matter of debate, but it’s industry-standard and ticks the boxes as far as Google is concerned.

 

The more expensive certificates get you increased levels of organisational validation, where the certification authority validates that the certificate request itself was authorised to the genuine company. For many businesses, this is not necessary, but this service increases trust level in businesses likely to be impersonated, such as banks and merchant services. (These used to be the green bar certificates, but browsers have redesigned the way trust level is presented in recent years too many times to keep track of.)

 

I’ve been dealing with SSL certificates for years, and standard ones have always been cheap in all my dealings with them — I think the idea that they are expensive is either a misconception, or a reflection of years past.

 

Personally, my site runs non-HTTP mostly, because I don’t want to suggest that there is anything that eavesdroppers could take (I don’t even set cookies, and there is no tracking or analytics). However, HTTPS is active and in some circumstances I advertise links as HTTPS just to offer a bit of reassurance. Google still returns my site in search results despite it being non-HTTPS. It’s very specialist though, so I have no competitors to fight against; I can see being HTTP-only being a problem in the commercial space, but this is a hobby site.

In reply to Message (79312.2.1.1) Hello also...fyi...you are de-ranked from Google

By MK - wamtec@comcast.net gb Tue 10/12/19 20:03:04 GMT

Website:


FYI.....aside from Firefox and Chrome browsers who now punish those sites without an SSL (HTTP) certificate by calling those sites UNSECURE.....The Google search engine also punishes webmasters who do not have SSL by de-ranking and in some cases de-listing those sites from Google searches....see this article....

 

https://seo-hacker.com/google-adopt-https/

 

So this really is a racket.....you either buy an expensive SSL certificate for your site every year.....or else you disappear from Google searches.

 

This is more about generating fees for the Domain registration industry, than it is about security.

 

MK

In reply to Message (79312.2.1) Hello Re:My advice for such sights

By MK - wamtec@comcast.net gb Tue 10/12/19 19:48:48 GMT

Website:


Don't be concerned about this. There is nothing you can do about it on the customer side. It just means that the webmaster has not renewed his SSL certificate (HTTPS) so that is why it is coming up that way...because the site's SSL certificate has expired. Only the webmaster can fix that.  As Miguel said....this is not a problem because all sites with a payment processor link to an external payment server that is fully secure anyway.

 

FYI....this forum is no different.....it comes up on my browser as an unsecure site as well...because the SSL certificate has expired...

 

I think that SSL certificates are somewhat of a scam that is perpetrated on webmasters and is a means to gouge webmasters with more fees....because the annual fees to renew a SSL certificate are expensive.....and the browser industry punishes webmasters who do not pay those extra SSL fees by flagging their sites as "unsecure" in their browsers.

 

It's no different to the mafia  insisting you buy an expensive special badge for your store...and if you don't....then you are targeted for persecution.

 

As Miguel said...so long as the site connects to a secure server for payment processing....which all paysites do, then having an SSL cert on your main site seems superfluous to me....but then again...I am not a techie....this is just my lay person's opinion....i.e. SSL certs are a "racket" designed to generate extra bucks for the Domain registration companies.

 

 

 

In reply to Message (79312.2) Info My advice for such sights

By MiguelWarsaw - eu Tue 10/12/19 09:09:20 GMT

Website:


Just use a password you don’t use for anything else and such a username if needed. And you won’t have any problems. The payment server is secure.

In reply to Message (79312) None WAMInStyle

By JP - pjn967@hotmail.com uu Tue 10/12/19 03:43:05 GMT

Website:


I'm trying to join WAMInStyle but when I try to register I get an Insecure password warning, for both Firefox and Chrome. I tried to correct this by typing https:// in front of the URL but that did not work. Any thoughts about this?
