Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsGeekzoneSSL connection now default for Geekzone PM
freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#93594 24-Nov-2011 18:00
Send private message

I have switched the PM pages (message composing, reading and listing) to accept SSL connections by default, and switch to SSL on non-secure requests.

Many reasons for that. You will know why, no need to ask.




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
codyc1515
1598 posts

Uber Geek
Inactive user


  #549794 25-Nov-2011 09:44
Send private message

Why is it not possible to have site wide SSL? The login page is in SSL, this means that virtually everything else can be too (except, maybe, ads).



freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #549795 25-Nov-2011 09:45
Send private message

There, you answered your question.

Think about. It's not all our content. There are sometimes third party content such as speedtest images that will make your browser throw a tantrum for mixed content.

Also, why bother with SSL for a whole site if there's nothing sensitive in those other areas?
 




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

codyc1515
1598 posts

Uber Geek
Inactive user


  #549798 25-Nov-2011 09:47
Send private message

Its the question of session jacking. Maybe make it a feature for subscribers only?



freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #549803 25-Nov-2011 09:50
Send private message

I've edited your post. No need to quote a full post just above yours.

Answering your question, what can be achieved with session hijacking really? Impersonating someone on a forum? It's not as bad as impersonating someone on your banking site.

For that we already have the IP Change option in your profile. If we detect your session is being used from a different IP address we will terminate it. You can also easily click the link in your profile page to terminate ALL existing session, for all browsers.





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

codyc1515
1598 posts

Uber Geek
Inactive user


  #549806 25-Nov-2011 09:51
Send private message

Not if your in a Cafe and all share the same external IP.

freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #549808 25-Nov-2011 09:53
Send private message

*le sigh*

You can just logout as soon as you're done, and anyone else using the same session will be logged out too.

Using SSL site wide would impact our revenue. There's an obvious problem there - we can't run a site full time with no revenue.




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

 
 
 
 

Shop on-line at New World now for your groceries (affiliate link).
freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #549812 25-Nov-2011 09:55
Send private message

Also, instead of focusing on how this make things better for people relying on Geekzone PM to communicate (transactions between members, employee confidentiality) you worry about something that would have less impact...





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

codyc1515
1598 posts

Uber Geek
Inactive user


  #549817 25-Nov-2011 09:59
Send private message

The whole performance impact thing has been proven wrong for quite some time now:

"In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that."

As for revenues I'm not quite sure how that comes into it if its just for Subscribers. What I'm getting at is that someone could go into a Cafe have their session jacked on an ordinary page and send PMs as that user, without them knowing (most likely).

freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #549819 25-Nov-2011 10:01
Send private message

If you read the thread again you will see I never mentioned the performance card, as I am well aware of the impact or non-impact of it. Please don't put words in my mouth.

As for "for subscribers only", I'm sorry but we work on priorities here. The subscriber uptake is too low, and people have already said that even $5 a month is "too expensive". Not very supporting is it?





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #550154 26-Nov-2011 05:14
Send private message

codyc1515:  

What I'm getting at is that someone could go into a Cafe have their session jacked on an ordinary page and send PMs as that user, without them knowing (most likely).


If you are going to use shared/public internet you would send all traffic over a vpn and use your home, work/work/hosts connection to avoid any man in the middle session jacking for all sites.






codyc1515
1598 posts

Uber Geek
Inactive user


  #550401 26-Nov-2011 19:44
Send private message

Ragnor:
codyc1515:  

What I'm getting at is that someone could go into a Cafe have their session jacked on an ordinary page and send PMs as that user, without them knowing (most likely).


If you are going to use shared/public internet you would send all traffic over a vpn and use your home, work/work/hosts connection to avoid any man in the middle session jacking for all sites.

Not everybody knows this though and its a waste of bandwidth.

 
 
 
 

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).
freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #550402 26-Nov-2011 19:45
Send private message

In such case I doubt they would know or worry about session hijacking either...





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

Regs
4066 posts

Uber Geek
+1 received by user: 206

Trusted
Snowflake

  #550404 26-Nov-2011 19:58
Send private message

freitasm: In such case I doubt they would know or worry about session hijacking either...




LOL. +1 




Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

codyc1515
1598 posts

Uber Geek
Inactive user


  #550408 26-Nov-2011 20:14
Send private message

freitasm: In such case I doubt they would know or worry about session hijacking either...


In which case they should be protected, no?

freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #550409 26-Nov-2011 20:15
Send private message

Sure. Are you paying their subscription? Because I am sure they don't care enough to pay for one. 

As I said, it comes down to priorities, planning, costs. Should we just close the site because some people won't pay for a subscription, and having SSL means ads are going to be harder to deliver, just because  some idiot may impersonate someone on a non-commerce site?







Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright