Sign in to follow this  
Followers 0
boogerjones

Neowin needs HTTPS login from main, not just forums

64 posts in this topic

We already have a certificate, price isn't really the issue here

Sorry, just saw other people mentioning cheap $4/month certificates, and I decided I would mention a free one.

 

But really, the only ways you would be able to have HTTPS logins everywhere, would be to serve an iframe in the popup (kind of bad), or just redirect to the full login page.

Share this post


Link to post
Share on other sites

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

Share this post


Link to post
Share on other sites

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherintly does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

 

First time the browser will give you a warning but after that you can add the self-signed to your trusted list and you are okay and wont see the nag screen anymore but it will add free security. Depends on the key lenght of course, if the server is really as strained as some are saying it would be easier to buy one with lower key lenght rahter than wasting time for a self-signed.

Share this post


Link to post
Share on other sites

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

That's a subscriber-only feature, otherwise we lose out on ad revenue

Share this post


Link to post
Share on other sites

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

 

That's a subscriber-only feature, otherwise we lose out on ad revenue

 

Not sure if anyone noticed, but https://neowin.net throws up an error, because the certificate being served in return only matches https://www.neowin.net You may want to take a look and fix that.

Share this post


Link to post
Share on other sites

Just to point out what every other staff member has said already. ONLY Tier 2 (ad free) subscribers get full HTTPS browsing on Neowin, this is because none of our advertisers support ad display through HTTPS. It's one of the things I will be addressing when I go to San Francisco later this year with our main advertiser, because it does work for all the "big" sites out there (Facebook, Twitter, Google sites etc).

2 people like this

Share this post


Link to post
Share on other sites

StartCom gives free SSL certificates through https://www.startssl.com.

Never knew there was free ssl certificates, thanks though!

1 person likes this

Share this post


Link to post
Share on other sites

Some prick sniffed my password at a school computer lab. Is there any way for Neowin to get a secure logon? I know these things cost money, but it's such an easy target for any jackass with a computer. Hell, even a self-generated certificate (not from Thawte, Verisign, etc) would at least give some of us the option of using it.

When you use a pc/network that is not under your control, it is far easier for these things to happen. Let this be a lesson for you and learn from it. use a strong random password, even for a forum account, and like tiddlie stated, that neowin isn't a "Finacial institition".

 

Share this post


Link to post
Share on other sites

When you use a pc/network that is not under your control, it is far easier for these things to happen. Let this be a lesson for you and learn from it. use a strong random password, even for a forum account, and like tiddlie stated, that neowin isn't a "Finacial institition".

 

I do not think that it is very constructive and helpful to stick another person's nose in it and effectively say "see what you've done?". Not being a financial institution does not excuse a web site from taking appropriate and reasonable measures to ensure safety and security of its users' data, both in-flight and at rest. I commend Neowin for securing my login data and for striving even further than that by wanting to secure the login form itself. Let this be an example to other communities. And no, Neobond did not pay an exorbitant amount of money to me to say this.

Share this post


Link to post
Share on other sites

TLS + TACK by default would be good.

1 person likes this

Share this post


Link to post
Share on other sites

I do not think that it is very constructive and helpful to stick another person's nose in it and effectively say "see what you've done?". Not being a financial institution does not excuse a web site from taking appropriate and reasonable measures to ensure safety and security of its users' data, both in-flight and at rest. I commend Neowin for securing my login data and for striving even further than that by wanting to secure the login form itself. Let this be an example to other communities. And no, Neobond did not pay an exorbitant amount of money to me to say this.

Well, I guess it'll be encrypted for all eventually. Bets you are glad this topic was revived? :)

Share this post


Link to post
Share on other sites

Well, I guess it'll be encrypted for all eventually. Bets you are glad this topic was revived? :)

 

If reviving this topic leads to greater security of Neowin users' data while remaining commercially sustainable for Neobond et al to operate, then yes, I am glad.

Share this post


Link to post
Share on other sites

IRC now has SSL support, on port 6697

1 person likes this

Share this post


Link to post
Share on other sites

IRC now has SSL support, on port 6697

Cool, I'd use it if I wasn't, well, banned.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.