Large Scale Central

login not secure notice bothers me

Hey y’all;

This login not secure notice bothers me. And apparently there is no https option.

I feel like there is some kind of question I should ask about the thing but my brain won’t come up with it right now. That this bothers me is as far as it will go.

Guess it is self evident I logged in anyway even with this bothering me.


Yea, Firefox did an upgrade and every site I visit is apparently not secure, even my company’s server.

But, I didn’t get that warning this time, it just logged me in.

Bob, didja fix sumptin?

I understand computer programs are supposed to be rational but from this side of the screen a lot of it looks like random arbitrary happenstance.

Yup - That warning came along with the latest Firefox upgrade. It doesn’t concern me for this site. If I were banking here, or storing any sensitive personal information, then it would.

It means that Bob uses the simple HTTP protocol, not the secure HTTPS protocol on the log-in screen. In order to implement HTTPS (which isn’t needed for LSC in my opinion) Bob would need to pay an annual fee to a certificate authority in order to have a security certificate that the browser would recognize as valid. This would add more management time and expense to his volunteer operation.

EDIT to add: The consequence of a non-secure log in is that if someone were monitoring your internet packets (not simple, but possible) they would be able to see your password in clear text. Not too many people are going to bother to go through what it takes to log in as you so they can trash your reputation with oddball posts.

Daktah John said:

Not too many people are going to bother to go through what it takes to log in as you so they can trash your reputation with oddball posts.

There is that, probably not going to happen unless there is some kind of sanity issue. And also in this is that’s why you don’t use your train password for your bank account!

I don’t know what it is about these machines, but computer things pretty much instantly stress me out and that’s been going on since the 1980s.

I can trash my reputation with oddball posts all by myself.

Programmers never cease to aggravate me. They take something that is working fine, and add new “features” to it, so it doesn’t work like it used to. Lately, I haven’t been able to read some of my mail on my smartphone, because of the new features that came in the latest update. I don’t give a spit about the new colour coding in my in box, I just want to see and be able to read all of my mail. What do I tell my boss when I don’t respond to his email? Oh, your mail is colour coded so pretty that I cannot open it??!

Forrest Scott Wood said:

And also in this is that’s why you don’t use your train password for your bank account!

What Forrest said is the real danger. Don’t use the same password or account name here as on your critical accounts. I would take that a step further and say don’t use the same pattern of password.

ie. Cheesburger123&*(

Cheesburger456&*(

Instead use a completely different style: ^#@5746346bjvjbibui

Not as easy to remember but it will keep the bk**** from easily getting into your other accounts.

Most thieves get your e-mail and work off of what they know to guess your password. Once they are in your e-mail they can see where you bank or make purchases. They can then request “Forgot User name” or “temporary password”. Even if you use different passwords on different accounts a pattern will help them guess more of your passwords.

Non-essential (sorry Bob) websites like LSC should be used with a disposable e-mail address that has no connection to your regular e-mail that you use for banking and other critical accounts.

Oh, like the way I have most non essential email go to my AOL account, but the critical stuff goes to my other account? Ok.

What Boomer said.

In today’s internet, NO site that requires a password should be WITHOUT HTTPS encryption.

Needs to be updated… should be a simple thing for Bob to turn on. (although he may have to pay for an SSL certificate)

Greg

But I am not doing any financial transactions here, so why would it need to be encrypted? So someone who somehow is monitoring my internet traffic can’t read when I type “shut up Rooster”?

Greg Elmassian said:

What Boomer said.

In today’s internet, NO site that requires a password should be WITHOUT HTTPS encryption.

Needs to be updated… should be a simple thing for Bob to turn on. (although he may have to pay for an SSL certificate)

Greg

Yes, there is a cost involved that I need to work around. As a test I set up a self-signed certificate, and that gives an even scarier warning, so I removed it.

Daktah John said:

Yup - That warning came along with the latest Firefox upgrade. It doesn’t concern me for this site. If I were banking here, or storing any sensitive personal information, then it would.

It means that Bob uses the simple HTTP protocol, not the secure HTTPS protocol on the log-in screen. In order to implement HTTPS (which isn’t needed for LSC in my opinion) Bob would need to pay an annual fee to a certificate authority in order to have a security certificate that the browser would recognize as valid. This would add more management time and expense to his volunteer operation.

EDIT to add: The consequence of a non-secure log in is that if someone were monitoring your internet packets (not simple, but possible) they would be able to see your password in clear text. Not too many people are going to bother to go through what it takes to log in as you so they can trash your reputation with oddball posts.

There has been a lot of chatter about this latest “feature” of FF in various forums I read. Everyone is annoyed about it because it forces sites like LSC (or, worse, tiny sites) to spend a couple hundred dollars a year just to get around a scary message that the gang at FF seems to think is necessary.

The funny thing is, after logging in a few times the warning went away. I don’t see it anymore.

I’m buying a certificate for my site… $28 a year for 3 years. About $50 for my ISP to add the certificate to my site.

It’s not so expensive nowadays. I use Joomla on my site, about 40 seconds to enable once certificate is in place.

It’s not hundreds of dollars.

Greg

BD

While I admire your attempt to “stick it to the man” by writing your own certificate I stayed at a Holiday Inn Express last night and I think I can fix this computer security thing for free.

Ahh yes all better now…

Hmmm I wonder if this same method might be applied to other problem areas…

Yes, self-signed certificates are not traceable to a root authority, translation: “not official”…

I can offer my vendor to Bob if he cannot find a good deal.

Certificates used to cost a lot, but it was sort of a scam, there’s no reason they have to, they have been getting cheaper every year.

Greg

I don’t get the warning when I use Microsoft Edge on my laptop but do when I use Firefox on my desktop.

So may be a Firefox thing as suggested earlier.

I have a generic password for all my hobby sites but others for my business sites.

Graeme Price said:

I don’t get the warning when I use Microsoft Edge on my laptop but do when I use Firefox on my desktop.

So may be a Firefox thing as suggested earlier.

I have a generic password for all my hobby sites but others for my business sites.

This “fix” was added to Firefox 52.0

“Added user warnings for non-secure HTTP pages with logins. Firefox now displays a “This connection is not secure” message when users click into the username and password fields on pages that don’t use HTTPS.”
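Added example, not part of the thread and not Firefox's own code: a rough Python approximation of the check that release note describes, flagging password fields on pages loaded over plain HTTP. It goes one step further and also flags an HTTPS page whose login form submits to an HTTP URL; the `forum.example` URLs and the sample form are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormScanner(HTMLParser):
    """Records where each password field on a page would be submitted."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_form = False
        self.current_action = None   # resolved action URL of the open <form>
        self.password_targets = []   # one entry per password input found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form = True
            # A missing or empty action submits back to the page's own URL.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            target = self.current_action if self.in_form else self.page_url
            self.password_targets.append(target)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.current_action = None


def insecure_login_findings(page_url, html):
    """Return one warning string per password field exposed to plain HTTP."""
    scanner = _LoginFormScanner(page_url)
    scanner.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for target in scanner.password_targets:
        if not page_is_https:
            findings.append("password field on non-HTTPS page: " + page_url)
        elif urlparse(target).scheme != "https":
            findings.append("password submitted over HTTP to: " + target)
    return findings


# Constructed sample login form (not taken from any real site).
SAMPLE_FORM = ('<form action="/login" method="post"><input name="user">'
               '<input type="password" name="pass"></form>')
```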

Oh, so instead of fixing the other issues, they had to fix something that wasn’t broken…sounds about right.

David Maynard said:

Oh, so instead of fixing the other issues, they had to fix something that wasn’t broken…sounds about right.

Exactly! ;)