Where's HTTP SSL on Hexus?

[tfboy]

It seems that I now have to log in with an insecured connection. OK, chances of that being sniffed are small, but surely, at least logging in should be done via a secure page?
I've tried, but https redirects to http only.

[virtuo]

I think something will have to be done soon with GDPR looming

[DR]

It's coming we have a load of things in the work, including a new site, and forum.

[Dashers]

Setup OpenVPN or use a SSH tunnel to connect to your home router when on an insecure connection. No more worries about unencrypted web-sites.

[Bagnaj97]

Setup OpenVPN or use a SSH tunnel to connect to your home router when on an insecure connection. No more worries about unencrypted web-sites.

SSH tunnel to your home router only encrypts the data between your current location and home router. The connection between your home router and unencrypted web-sites is still unencrypted.

[Dashers]

So? Paranoid about UK Gov snooping on your Hexus opinions?

[Bagnaj97]

So? Paranoid about UK Gov snooping on your Hexus opinions?

Not at all, just that your suggestion doesn't give you "No more worries about unencrypted web-sites." as there's still an unencrypted link between you and the endpoint.

[tfboy]

I'm not so worried about my PC to home router connection as it's wired and any wireless is encrypted anyway with authentication.

It's not the end of the world not having SSL, but seems a best practice thing and as everyone appears to be doing it, I was curious if it was an error, omission or something planned in the near future

[ik9000]

Yeah I must admit I wondered why at least the log-in wasn't https, and maybe the acccount info pages too.

It's coming we have a load of things in the work, including a new site, and forum.

A new site and forum? Interesting, but please don't break the forum. Having dotted round a few music forums in the last week this site is head and shoulders better than a good number out there when it comes to both format and function.

So? Paranoid about UK Gov snooping on your Hexus opinions?

I think they have bigger things on their hands right now though tbh. Screening text is a doddle, they'll get through this site in no time with the tech they'll have available. But if they really care what my views are on Asus false advertising the P7H55M-USB3 and whether a circular runway is feasible then they can go for it.

[Dashers]

Not at all, just that your suggestion doesn't give you "No more worries about unencrypted web-sites." as there's still an unencrypted link between you and the endpoint.

Indeed they may still be unencrypted, but there's no need to worry about that when on a trusted line.

[Splash]

Indeed they may still be unencrypted, but there's no need to worry about that when on a trusted line.

As soon as your connection leaves the network that you control those it's an untrusted network. The internet is a leper colony, and sending credentials in plaintext should be highly discouraged - you wouldn't login to your online banking over HTTP from your home network, would you?

[Dashers]

As soon as your connection leaves the network that you control those it's an untrusted network. The internet is a leper colony, and sending credentials in plaintext should be highly discouraged - you wouldn't login to your online banking over HTTP from your home network, would you?

You're changing the goal-posts. This was talking about accessing unencrypted web-sites like Hexus on an open or "untrusted" network.

I'd trust my ISP not to be interested in doing deep-packet-inspection to harvest my passwords for unsecured web-sites more than the government not to coerce CAs to allow them to intercept "secure" channels.

[jimbouk]

It's coming we have a load of things in the work, including a new site, and forum.

Sounds exciting, looking forward to it

[scaryjim]

... I'd trust my ISP not to be interested in doing deep-packet-inspection ...

And when the traffic leaves your ISPs control? The internet isn't like an end-to-end courier service. You send the request to your ISP, and they basically just give it to the first person they meet who's going in the right direction. And that happens all the way down the line until it hits the destination. Your ISP have no control whatsoever past their own endpoints, and ANYONE could end up carrying the data. And you'll never be completely sure who's handled it.

[Splash]

You don't need DPI to sniff traffic sent plaintext. Traffic sent over HTTP is sent plaintext.

I repeat: the I tenet is a leper colony. If you're interested enough to VPN to your home connection I'm amazed that you're not all for SSL(well, TLS) encrypted logins.

[Dashers]

And when the traffic leaves your ISPs control? The internet isn't like an end-to-end courier service. You send the request to your ISP, and they basically just give it to the first person they meet who's going in the right direction. And that happens all the way down the line until it hits the destination. Your ISP have no control whatsoever past their own endpoints, and ANYONE could end up carrying the data. And you'll never be completely sure who's handled it.

"My ISP"/"random telehouse handling mindboggling amounts of low-latency switching".

Yes, anyone of the switching houses and backbones that furnish the Internet will have your delicate vulnerable packets.

They are not in the habit of sniffing packets randomly for passwords due to the shear volume of data that is handled.

And remember, we're still talking about low-value sites such as Hexus and not your Internet banking.

You don't need DPI to sniff traffic sent plaintext. Traffic sent over HTTP is sent plaintext.

I repeat: the I tenet is a leper colony. If you're interested enough to VPN to your home connection I'm amazed that you're not all for SSL(well, TLS) encrypted logins.

This is factually incorrect. You entirely do need DPI to sniff the content of packets. That's exactly what DPI is - inspecting the content of the packet instead of just the IP header. Your password is a HTTP POST which is very much high up that old network stack.