
HTTPS sessions active for Tier 2 subscribers

86 posts in this topic

Posted

We're happy to announce that we've added SSL sessions for Tier 2 ad-free subscribers. Currently this is only active on the main news site; the forums will follow shortly.

 

Even more reason to subscribe :p

 

Inevitable answers to questions:

 

Q: Why isn't it available for everyone?

A: Because most of our ad partners don't support SSL delivery.

 

Q: Why not look for a different advertiser?

A: The certificate wasn't free, nor the work to implement it; therefore a Tier 2 ad-free perk.

 

Enjoy!

8 people like this


Posted

NSA resistance + 1.

7 people like this


Posted

Awesome thanks to all involved :) 


Posted

Should we be redirected automatically to https or do we need to specify it?


Posted

So when is the login going to post via SSL vs how it currently sends, which is just http in clear text for username and password?

post-14624-0-51669400-1376051453.png

It's a forum, it's a news site - I don't really see any need for anything to be SSL --- OTHER THAN when I send my password ;)

7 people like this


Posted

I'm not seeing any https: on the main news site. When I manually type in https://www.neowin.net it seems to work but I don't see any other SSL cert info. What am I missing?


Posted

So when is the login going to post via SSL vs how it currently sends, which is just http in clear text for username and password?

passwordinclear.png

It's a forum, it's a news site - I don't really see any need for anything to be SSL --- OTHER THAN when I send my password ;)

 

@Neobond

 

Yeah, can we get SSL for EVERYONE when it sends the username and password on the login? A POST over SSL won't mess with the advertisements.

1 person likes this


Posted

Implying it isn't stored in plain text in the DB...lol


Posted

SSL certificates are expensive, what CA issuer will Neowin use?

 

 

 

Because most of our ad partners don't support SSL delivery.

There were ad-blocking services actively listing ad-server certificates so their users can put those certificates into the "Untrusted" or "Revoked" categories, which effectively prevents any known SSL ads.

Knowing this, most ad services won't bother obtaining SSL certificates.


Posted

So only a B, you seem to have some chain issues

https://www.ssllabs.com/ssltest/analyze.html?d=www.neowin.net&s=74.204.71.246

Seems you did not install the intermediate CA bundle??

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1372&actp=LIST&viewlocale=en_US

Please Note: On June 27th, 2010 Thawte upgraded its root hierarchy to 2048bit RSA Keys to enhance the security of all SSL products. As a part of this upgrade, all newly issued certificates now require the installation of the new Primary and Secondary Intermediate CA's along with your SSL certificate. These new Intermediate CA's MUST be installed in order for your SSL certificate to be fully trusted in all browsers.

This causes an issue with Firefox on the cert

post-14624-0-66352800-1376053582.png

1 person likes this


Posted

SSL certificates are expensive, what CA issuer will Neowin use?

 

They're not expensive.. you can get chained certs that work with most modern browsers for < 60 bucks a year, otherwise root certs are around 80 bucks + (can be found cheaper on deals..). SSL is cheaper than a data breach and hell, I would have helped pitch in for a cert if it meant everyone got it, SSL for subs is.. lame..

 

looks like it is a chained cert.

 

hell, godaddy has a chained cert without all the extras for like 5 bucks

 

http://www.godaddy.com/compare/gdcompare3_ssl.aspx?isc=dssl027&utm_source=MSN&utm_medium=cpc&utm_term=cheap%20ssl&utm_content=2400118724&utm_campaign=8936109240&ef_id=USaBHwAAAQUOWoSL:20130809130902:s

 

Premium feature worthy? Not sure why anyone would go direct with Thawte though, but they do have a large reseller network, so hopefully Neowin didn't pay full retail for a chained.


Posted

SSL for subs is.. lame..

 

+9001

1 person likes this


Posted

So really what you're saying is that only the people that pay for Tier 2 Subs are worth protecting for passwords sending ?? and not the people that come on here and help others for free?

 

Great!

2 people like this


Posted

So really what you're saying is that only the people that pay for Tier 2 Subs are worth protecting for passwords sending ?? and not the people that come on here and help others for free?

 

Great!

I thought passwords already have some kind of protection and that SSL is just adding another layer?


Posted

I thought passwords already have some kind of protection and that SSL is just adding another layer?

 

as budman says they are sent in Cleartext


Posted

as budman says they are sent in Cleartext

Yeah, but wouldn't someone have to compromise one's PC or the host's PC in order for that to be a matter?


Posted

It always amazes me when people complain about how someone else runs THEIR free service.  

How about contributing to the site's monetary needs if you have such a problem with it? You may provide support to others for free, but to feed the monster they need virgin blood and that ****s expensive and can't be paid for with computer advice.

Neobond explained why it's not available to everyone, quit your bitchin...

8 people like this


Posted

Yeah, but wouldn't someone have to compromise one's PC or the host's PC in order for that to be a matter?

If they have a router or other network device running between the server and your PC, no.


Posted

If they have a router or other network device running between the server and your PC, no.

Ah well then I don't see the fuss about not having SSL logins then :p


Posted

There was a thread a long time ago about the login posting being in clear text. If I recall, back then it was mentioned that it would be fixed when ssl was set up.

Well, it seems they have set up ssl. There is no need to encrypt the whole site. Sorry, but I don't need my viewing of news articles or forum posts to be encrypted. Nor do I need the stuff I am sending in a post that will be public encrypted.

What I would like is my password not to be sent in clear text. They have the ssl in place; all they need to do is change the posting from http to https and we are all good.

They can still require that you be a sub if you want the whole site via https, ads or no ads. But changing http to https in the post string for your login seems like a no-brainer if the ssl cert has already been paid for and is active.

Currently, even if viewing the site via https, when I go to log in the post in the html command is via http. So it is going to be sent in clear - even if everything else you're viewing is via https -- the actual post of the username and password is still only http.

edit: For those that do not understand the issue. No, your PC does not have to be compromised for someone to sniff your username and password. So for example you're on a wireless network; anyone on that wireless network could see your traffic, so could see your neowin username and password.

Now could they just hijack your cookie and auth as you that way - possible, I have not looked into the issue that deep, nor do I care to.

At any point between your PC and the neowin server it would be possible to see this traffic in the clear and get your username and password. I doubt that it is of much concern, but come on, the ssl is there -- just change the post to https and this discussion is over.

Even if you're viewing gmail over http, when you go to log in the post is https

  <form novalidate id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input type="hidden" 

  <form action="http://www.neowin.net/forum/index.php?app=core&amp;module=global&amp;section=login&amp;do=process" method="post" id='login'>

Simple change of a couple lines of code to https vs http and issue goes away now that they have ssl in place.
7 people like this
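
The check described in the post above, as an added example that is not part of the original thread: it parses a page and reports every form that contains a password field, resolving the form's `action` against the page URL so that an absolute `http://` action on an `https://` page is caught. The function and class names are hypothetical, and the sample page is constructed: only the two `<form>` opening tags follow the ones quoted in the post; the input names and the `search` and `relative` forms are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    # Records each <form> with its action and whether it holds a password field.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with &amp; already unescaped
        if tag == "form":
            self._open = {"id": a.get("id"), "action": a.get("action") or "",
                          "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(html, page_url):
    """Return (form id, resolved action, verdict) for every form with a password field."""
    parser = _FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action inherits the scheme of the page it sits on.
        target = urljoin(page_url, form["action"])
        secure = urlsplit(target).scheme == "https"
        results.append((form["id"], target, "ok" if secure else "cleartext-credentials"))
    return results

# Constructed sample page (see lead-in): not a capture of any real site.
SAMPLE = """
<form id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input type="text" name="user"><input type="password" name="pass"></form>
<form action="http://www.neowin.net/forum/index.php?app=core&amp;module=global&amp;section=login&amp;do=process" method="post" id='login'>
  <input type="text" name="user"><input type="password" name="pass"></form>
<form id="search" action="/search"><input type="text" name="q"></form>
<form id="relative" action="/login" method="post"><input type="password" name="pass"></form>
"""

if __name__ == "__main__":
    print(*audit_login_forms(SAMPLE, "https://www.neowin.net/"), sep="\n")
```

Running the same audit with an `http://` page URL flips the `relative` form to `cleartext-credentials`, which is why the page URL has to be part of the check.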


Posted

It always amazes me when people complain about how someone else runs THEIR free service.  

How about contributing to the site's monetary needs if you have such a problem with it? You may provide support to others for free, but to feed the monster they need virgin blood and that ****s expensive and can't be paid for with computer advice.

Neobond explained why it's not available to everyone, quit your bitchin...

 

 

Neobond already knows i will be tier two soon anyway lol

1 person likes this


Posted

Ah well then I don't see the fuss about not having SSL logins then :p

Public WiFi Hotspot = everyone instantly has your username and password. You should never, ever send your password unencrypted over a network that can possibly be used by others. I use Facebook login instead, which is secure.

1 person likes this


Posted

Public WiFi Hotspot = everyone instantly has your username and password. You should never, ever send your password unencrypted over a network that can possibly be used by others. I use Facebook login instead, which is secure.

So there's even an alternative... :p

1 person likes this


Posted

Public WiFi Hotspot = everyone instantly has your username and password. You should never, ever send your password unencrypted over a network that can possibly be used by others. I use Facebook login instead, which is secure.

What about tor or a proxy, is that still unencrypted? I remember proxies can be encrypted but I don't know about tor :/


Posted

What about tor or a proxy, is that still unencrypted? I remember proxies can be encrypted but I don't know about tor :/

If the proxy supports SSL Pass-Thru, an https connection is no problem.

Some proxies don't support that, however.
