Website now HTTPS (SSL) only

troj

Tech Support
Staff member
I've just tweaked some knobs to make this site SSL only. The change should be pretty much transparent to you, unless you're like me and actually look to see if a site is SSL or not.

The reason for the change is that implementing SSL is just a good practice, in addition to newer versions of web browsers complaining loudly when you enter passwords on non-SSL sites.

If you encounter problems, let one of us know and I'll take a look.

You may now return to your regularly scheduled bullet-related programming.

-Kevin
 

fiver

Well-Known Member
bullet related?
I'm gonna be up all night trying to figure out what SSL means.
super speed lightning?
super sonic lead?
super stupid lawyers?
come on man work with me here.
 

troj

Tech Support
Staff member
To clarify a bit of what Brad said (he's close, but a bit off), SSL (Secure Sockets Layer) is a way of encrypting traffic between two systems - in this case, your browser and the server. It makes eavesdropping on what's being sent more difficult -- nothing is impossible (it's all but a given that the governments have the ability to break SSL encryption).

These days, it's considered a good practice to encrypt all Internet traffic. In addition, some browsers (and more will likely start to do so in the future) will complain if you use passwords on sites that aren't using encryption.

What this doesn't mean is that anything changed on the site itself. The data on the site isn't encrypted - if someone breaks into the site (egads, I don't need that nightmare), they can get whatever they want. The forum software does encrypt passwords, but with modern computers, a lot of passwords can be cracked pretty quickly via brute-force attacks if you have the password hashes (encrypted passwords). You all use a unique password on each site, right? (If the answer to that question was "No," you need to change your habits. :eek:)

Oh, and Brad's lucky - $30 for an SSL certificate that's good for two years is a pretty good deal. Not that long ago, certificates were $300 and up a year.

-Kevin
 

fiver

Well-Known Member
well I kind of understand it now.

I don't know why anyone would want my password.
if they really wanna make a post on a casting or reloading website they could just set up an account in like 5 minutes.
 

Brad

Benevolent Overlord and site owner
Staff member
What I don't like is the concept of not using the same password for multiple sites, making them difficult to figure out, but don't write them down.

Holy crap Kevin, I'm lucky to remember the 3 I need for work much less a password for sites I might visit every few months.
 

troj

Tech Support
Staff member
> well I kind of understand it now.
>
> I don't know why anyone would want my password.
> if they really wanna make a post on a casting or reloading website they could just set up an account in like 5 minutes.

They hope to collect information to use to worm their way into resources that matter more, such as financial systems. Many people reuse passwords.

> What I don't like is the concept of not using the same password for multiple sites, making them difficult to figure out, but don't write them down.
>
> Holy crap Kevin, I'm lucky to remember the 3 I need for work much less a password for sites I might visit every few months.

There's an app for that. I currently have over 200 different passwords; no way I can remember them. I have an app on my phone that encrypts them and requires a password to get into.

-Kevin
 

Rick

Moderator
Staff member
I do re-use passwords on some things such as forums like this one but never for such things as bank accounts. Each bank account has its own kinda long convoluted separate log in info that's never used anywhere else. In addition I change those passwords 2-3 times a year. Not trusting a dumb phone app with that info I write it down longhand and include the dates so I know the notes are the current info.

Now if I could just remember where the hell those notes are. :confused:
 

KeithB

Resident Half Fast Machinist
While I was working at a university they required you to change your password every three months. You could steal half the passwords simply by reading the post-it notes on the monitors as you walked past somebody's desk. You could crack a lot of the rest of them because people selected a simple password and just added a 1, 2, etc. after every change cycle. I could tell you how many quarters I worked at the university simply by the number I appended to my password.

Their biggest problem then wasn't people breaking into other people's accounts, it was malicious attacks via email attachments; for a while they banned traffic from certain free email hosts (hotmail was one I remember).

But now most of their system problems came from stupid, gullible but not malicious people. No matter how many times IT would tell folks that they would NEVER ask for their password or any personal information in an email I still get notices from IT about the newest phishing scams and how a certain number of users have fallen prey by responding to an email telling them their account was screwed up and IT needed their password and employee ID# to correct things.
 

troj

Tech Support
Staff member
> While I was working at a university they required you to change your password every three months. You could steal half the passwords simply by reading the post-it notes on the monitors as you walked past somebody's desk. You could crack a lot of the rest of them because people selected a simple password and just added a 1, 2, etc. after every change cycle. I could tell you how many quarters I worked at the university simply by the number I appended to my password.

There's a lot of current research that shows that making people change their passwords, especially frequently, leads to less security. Why? Because of exactly the examples you cite - patterns, passwords written down, etc.

There's a researcher who went to work for the FTC a couple years ago specifically with hope of turning around the FTC's advocation of frequent password changes. She has gained some traction on the topic.

-Kevin
 

fiver

Well-Known Member
what's funny is I don't pick my PIN numbers they send me a new one every time my debit card changes.
somehow it always ends up being something like 4801 for 4315 or 2235 and I still forget it from time to time then I end up standing at the gas pump trying to remember what gun my PIN number is.
 

KeithB

Resident Half Fast Machinist
Guns, computers, etc. - you can improve all the technology but not all the people.