10-Feb-2014 8:52:01 PM
|
Is there any chance of getting SSL and secure passwords for the site?
|
11-Feb-2014 10:23:30 AM
|
+1
|
11-Feb-2014 10:27:46 AM
|
Why?
|
11-Feb-2014 10:40:44 AM
|
You can try sending Mike (the website developer) a PM or email if you want - he's the only person who would be able to answer that.
|
11-Feb-2014 12:35:33 PM
|
I'd guess not. Getting a cert worth using costs money and I can't imagine the advertising is covering the costs as is.
Then there's a bunch of overhead in managing the cert, etc.
Given how low value a chockstone login is, I can't see snooping being a real issue.
|
11-Feb-2014 1:35:57 PM
|
Bunch of reasons, most of which won't make a lot of sense unless you do IT security for a living. I guess the most accessible answer goes something like this.
Most people reuse the same passwords for a majority of things. They shouldn't, it's bad etc etc but they do. So in the interests of not feeding the "bad guys (tm)" any more valid passwords that will work across a variety of logins, it's best if we can prevent it. It's not hard to prevent it and almost any site worth the name these days does authentication via an encrypted mechanism for that reason.
Re the costs, somewhat valid, but personally I'd be happy to accept a chockstone self signed cert for the purpose. Yes it will pop up a security alert saying it's not a big Verisign / Thawte certificate that cost a lot of money but equally it will go some way to helping enhance the security.
Other concerns include traffic analysis and a bunch of other potential privacy issues which I admit are somewhat esoteric but still relevant.
|
11-Feb-2014 1:50:08 PM
|
Having worked support somewhere they thought a self signed cert would do, the volume of support requests involved is insane and unless you actually check the cert it doesn't prevent MITM. While it works for peeps that understand, for those that don't it makes them make life hell for the support staff.
In some other contexts (e.g. router to router certs inside an organisation or group thereof) I've actually argued for a local signing authority as we were better equipped to verify the requests than Verisign etc but was shouted down.
|
11-Feb-2014 2:00:26 PM
|
Given this site is effectively supported and maintained on a volunteer basis I would suggest it very unlikely that something like this would be feasible given the extra work requirement and financial cost.
|
11-Feb-2014 2:31:00 PM
|
What about a special Chockstone decoder ring. I'm not sure exactly how/if it'll work though I reckon it'd look stylish and be a great talking point while going shirtless at your local crag/drain. Men/women would want you and men/women would want to be you.
Be that as it may, and you new people take note, the first rule of Chocky is we don't talk about climbing! The second rule of Chockstone is we don't talk about climbing and the third rule of Chocky is something really important but I can't remember exactly what it was. I think it involved a stuffed buffalo and a pitching wedge but I can't be sure...
|
11-Feb-2014 3:51:16 PM
|
Sounds like the internet equivalent of numbly sport climbing . ...
Hey, we do all these weird things that are not really recommended, and we would like the system changed so we can just keep doing what we do rather than what we should do .....
Maybe you all should just have a chockstone specific password .....
|
11-Feb-2014 4:08:26 PM
|
On 11/02/2014 Macciza wrote:
>Sounds like the internet equivalent of numbly sport climbing . ...
Not at all, but seeing as that's your pet dead horse to flog, by all means draw the comparison.
>Hey, we do all these weird things that are not really recommended, and
>we would like the system changed so we can just keep doing what we do rather
>than what we should do .....
>
>Maybe you all should just have a chockstone specific password .....
Of course everyone should, but that's not the only concern here. Even if it was the only concern, it's a valid one and given how trivial it is to fix, i.e. enable ssl and put a self signed cert on it, it's not a reason not to do it.
To aj's point, he's right, having browser warnings about the cert does often confuse / cause problems, but it's better than nothing if finances are that tight / problematic.
|
11-Feb-2014 5:09:40 PM
|
On 11/02/2014 Macciza wrote:
>Sounds like the internet equivalent of numbly sport climbing . ...
>
Nah, Chockstone's technology is the internet equivalent of climbing on rigid stem Friends with home sewn slings.
This post is like your climbing partner gently suggesting that you can get C4s for a pretty good price these days, maybe you should have a look some time...?
|
11-Feb-2014 5:15:58 PM
|
On one hand, it's just Chockstone, no one cares unless someone hacks a prominent account to post out of character ethical opinions for laughs.
On the other hand, isn't my Chockstone password the same as the password I use for.... Brb changing password
|
11-Feb-2014 5:36:55 PM
|
Surely if you care, cough up the $70 or so (per year) that a certificate would cost and no doubt the admin would implement it.
Yes, and don't reuse your passwords, I use mSecure to manage my passwords.
|
12-Feb-2014 10:29:44 AM
|
On 11/02/2014 strerror wrote:
>Most people reuse the same passwords for a majority of things. They shouldn't,
>it's bad etc etc but they do. So in the interests of not feeding the "bad
>guys (tm)" any more valid passwords that will work across a variety of
>logins, it's best if we can prevent it. It's not hard to prevent it and
>almost any site worth the name these days does authentication via an encrypted
>mechanism for that reason.
In this day and age if you don't know about password fraud it's your own fault - definitely not the responsibility of an internet forum manager.
I've used the same 6 letter password for most forums & websites. I'm not bothered by being hacked - no one's outed me or admitted adultery or abused anyone on my behalf.
Anything worth keeping secure I change every 3 months or so and keep a copy in my desk drawer. If you want access to my bank details - break into my office... my desk is the one on the left when you walk past reception....
|
12-Feb-2014 10:45:13 AM
|
I have a few pages of passwords in my desk drawer too; 8 passwords a line, 80 lines to a page. Have fun.
|
13-Feb-2014 9:07:49 AM
|
Your passwords are encrypted, so even I can't tell what they are.
|
14-Feb-2014 2:06:54 PM
|
Encouraging the non-tech-savvy public to ignore security warnings for self-signed certificates is not a good idea.
For my money we should follow ODH's lead and just post the most offensive content we can - that way if our account gets hacked at least it can't get any worse ;)
|
14-Feb-2014 2:37:48 PM
|
On 14/02/2014 ambyeok wrote:
>(snip)
>For my money we should follow ODH's lead and just post the most offensive
>content we can - that way if our account gets hacked at least it can't
>get any worse ;)
I laughed at that!
Although it has a grain of truth, Chockstone is super-very-mild when compared to many other sites for offensive content...
Congratulations to the Site Moderators for keeping it that way!
If anyone ever hacks my login, then it may only get better?
Heh, heh, heh.
|
24-Feb-2014 10:14:49 AM
|
Turns out that if you're on an (unpatched) Apple device SSL is massively broken anyway: https://gotofail.com/
Whoops.
|