https

Discussion in 'Support' started by Gast86, Oct 18, 2020.

  1. Gast86

    Gast86 Orc Soldier

  2. ParodyKnaveBob

    ParodyKnaveBob Thaumaturge

    In my experience, XenForo tends to accidentally log you out pretty regularly on https. It'd be nice if XF fixed that old bug, but I don't know these things anymore.
     
    Sir Veza likes this.
  3. If you log into some website you have to enter your credentials (username/mail-address and password usually). Then those credentials are sent to the server to check and to load the "internal" page. The thing with not-secured website communication is that your credentials are transmitted in plain text, so each and every router on the internet that is responsible for sending/forwarding your requests to the actual server can read your credentials. While most routers don't bother with this fact and just forward, in theory a whole lot of people (hackers), (intelligence) agencies (NSA, probably China through any used Huawei hardware, etc), and other groups (e.g. your ISP) could steal your credentials if the connection isn't secured.

    If the connection is established via https your browser ensures that the connection is indeed encrypted and therefore secured against eavesdropping (though, I can't guarantee that NSA or other agencies don't have a backdoor to this protocol). While a secured connection isn't necessary to log into some website, it definitely is advisable. Though, if no secured connection is available or - given ParodyKnaveBob's experience is still valid and I think I observed this at some point too - the connection isn't stable, you can still log in via a not-secured connection, you just have to keep in mind that ALL data can be stolen. So better:
    • NOT use your unique identifies (mail address, phone number) too often or they will eventually be part in large data collections (meaning more spam and more hacker attacks to your accounts)
    • NOT use passwords that you use for other services or your other accounts might get hacked easily (I mean if this forum account gets hacked who really cares, but if the same password secures your mail account and your mail account gets hacked, all of your other accounts that got registered with this mail address could subsequently be hacked, too. And if the same password secures your facebook account the situation isn't much better or do you want some hacker to post something on your facebook account)
    • especially NOT use your mail address and the password that secures your mail account in combination to log into some other unsecured service!!! If you did, definitely change your mail account's password (and every other password to services that used the same password)! This forum account can keep the password as it might have already been leaked, but at least your mail account should be as secure as possible
    • if possible, activate Multi-factor authentication (one-time passwords, FIDO, etc) so that even this account can't be abused by others. (but again, this forum isn't really essential, so you might just not do so for convenience reasons)
    • I don't know whether this might be the case, but eventually you shouldn't use 3rd-party logins on not-secured connections (e.g. your facebook credentials for some forum account or the like). Those 3rd-parties usually should ensure that their logins are secured whether or not the service you are actually connecting to is, but in theory it is up to the 3rd-party
    That you land on a not-secured forum page is due to the fact that the devs chose to link the http-version on their home page (probably because of said unstable https-connections).
     
    Last edited: Nov 6, 2020

Share This Page