> Lumpy Burgertushie wrote: Thu Feb 02, 2017 10:08 pm
> It is still only securing information during transfer. What is the point of securing html and css when the browser requests it for a normal page load? Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?

Sure. Let's take a step back to information you already know and let me build on that.
robert
> Lumpy Burgertushie wrote: Thu Feb 02, 2017 10:08 pm
> Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?

Because if you are an admin and someone intercepts your login data or session cookies/data after you've logged in, that person now has your entire user database, private messages and so on.
> digitaltoast wrote: Thu Feb 02, 2017 10:28 pm
> if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on

This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block. Also I don't know how an administrator is able to access PMs - if you're referring to exporting the database then I have to say: good luck with one that easily eats 4 GiB in a backup file.
> Seibertron wrote: Fri Feb 03, 2017 8:18 am
> Now, if I can just figure out how to handle external images that users post in their topic replies so that the mixed content doesn't throw an error.

You might want to check here. Paul points to an extension created by phpBB for this issue.
> Techie-Micheal wrote: Thu Feb 02, 2017 10:22 pm
> [...] to see just how much faster HTTPS is compared to HTTP. The benefits far outweigh any reasons to not have HTTPS everywhere.

How about the server load compared between http and https?
The "cost" of encrypting that first connection is negligible - around 5ms (0.005 seconds) and around 1% increase in CPU.
> AmigoJack wrote: Fri Feb 03, 2017 8:01 am
> > digitaltoast wrote: Thu Feb 02, 2017 10:28 pm
> > if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on
> This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block.

Hmmm, I'm on flaky rural broadband and I get disconnected about 3 times a day; twice so far today, and I get completely different IP blocks 94.9.66.x and 94.12.191.x
Why? Straight to "database backup" in ACP, run a backup, select for download - should take a matter of minutes with a broadband connection.
yeah and have done for a while
> AmigoJack wrote: Fri Feb 03, 2017 8:01 am
> > digitaltoast wrote: Thu Feb 02, 2017 10:28 pm
> > if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on
> This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block.

In a typical MitM attack, they would be. The "coffee house attack" would have the attacker egress from the same internet connection as the victim, giving the attacker and the victim the same IP address.
Just reading an Android news article which includes their view that your site should keep an http version for old old tablets and PCs but have an https version for those who sneer at http:

> But we also need to be legacy compatible. We want someone with an old Android tablet or one they bought that doesn't have Google's software available to be able to visit using a browser that can't use certificates or might have difficulty rendering sites that have them. If you visit http://www.androidcentral.com (notice the use of http versus https) you'll see the info icon. You can click on that icon and it will tell you that your connection isn't secured.
>
> Many sites are this way, so be sure to update all your bookmarks to use the https address!
>
> Chrome isn't the only browser that helps make sure you're safe on the web. Microsoft, Mozilla, Apple and everyone else wants your experience to be the best it can be so you keep using their products. But Chrome gives plenty of details to help you know what's going on and we want to make sure you know how to find them.
Not only that: it'd be inconsistent. If you don't want to serve HTTP then don't listen to HTTP requests at all. That would be a better idea for websites whose only response is a redirect to a HTTPS location.
> Techie-Micheal wrote: Sat Feb 04, 2017 5:03 am
> The "coffee house attack" would have the attacker egress from the same internet connection as the victim

Yes, of course: HTTPS is a solution to a problem which should be avoided in the first place: using administrator credentials through a third party network. Given all the VPN and cloud usage I wonder if even a fraction of users understand that they're prone to this scenario as well.
> digitaltoast wrote: Fri Feb 03, 2017 2:19 pm
> should take a matter of minutes with a broadband connection.

Creating the backup is not bound to the broadband connection. And neither are PHP timeouts. Have you actually tried to do that on the given size, or are you just assuming?
The usability factor would be significantly reduced. There is nothing wrong from a security standpoint with having the redirect from HTTP to HTTPS. I, and many other security practitioners, encourage having that redirect.
Sorry, but I disagree. It's like having a phone number that people know and don't have to update or change any behavior to continue using the service.
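The redirect pattern debated in the posts above, as an added example that is not from any post in this thread: an nginx configuration (the hostname forum.example, certificate paths, web root and PHP-FPM socket are all placeholders) in which port 80 does nothing but redirect, so old http:// links keep working, while the application is served only over HTTPS and sends HSTS so that browsers which have visited once stop making the plaintext request at all.

```nginx
# Added example, not from the thread. forum.example and all paths are placeholders.

# Port 80 exists only to send visitors to HTTPS. Nothing is served here, so a
# stale http:// bookmark or inbound link still works, but no page, cookie or
# form ever travels in plaintext.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example;

    return 301 https://$host$request_uri;
}

# The application itself is reachable only here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name forum.example;

    ssl_certificate     /etc/ssl/forum.example/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/forum.example/privkey.pem;     # placeholder

    # HSTS: after one HTTPS visit the browser rewrites http:// to https://
    # locally, so the port-80 redirect is only ever used by first-time
    # visitors. Start with a short max-age and raise it once everything works.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/forum;      # placeholder
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

To confirm that port 80 answers with nothing but the redirect, `curl -sI http://forum.example/` should return a 301 whose only interesting header is `Location: https://forum.example/`, and `curl -sI https://forum.example/` should show the Strict-Transport-Security header.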
> AmigoJack wrote: Sun Feb 05, 2017 11:28 am
> > Techie-Micheal wrote: Sat Feb 04, 2017 5:03 am
> > The "coffee house attack" would have the attacker egress from the same internet connection as the victim
> Yes, of course: HTTPS is a solution to a problem which should be avoided in the first place: using administrator credentials through a third party network. Given all the VPN and cloud usage I wonder if even a fraction of users understand that they're prone to this scenario as well.

Let's back up. TLS serves two main roles: encryption in transit and integrity checking.

> an attacker can inject into the request stream as well as the response stream and manipulate the content that the browser is sending (and receiving)

Even if your website has completely static content, TLS provides the ability to prevent someone from injecting malicious or misleading content.