Neowin needs HTTPS login from main, not just forums

[gohpep]

We already have a certificate, price isn't really the issue here

Sorry, just saw other people mentioning cheap $4/month certificates, and I decided I would mention a free one.

 

But really, the only ways you would be able to have HTTPS logins everywhere, would be to serve an iframe in the popup (kind of bad), or just redirect to the full login page.

[Argi]

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

[Alwaysonacoffebreak]

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherintly does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

 

First time the browser will give you a warning but after that you can add the self-signed to your trusted list and you are okay and wont see the nag screen anymore but it will add free security. Depends on the key lenght of course, if the server is really as strained as some are saying it would be easier to buy one with lower key lenght rahter than wasting time for a self-signed.

[DaveLegg Developer]

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

That's a subscriber-only feature, otherwise we lose out on ad revenue

[vanx]

FWIW, you can access Neowin over HTTPS:  https://www.neowin.net/

 

That's a subscriber-only feature, otherwise we lose out on ad revenue

 

Not sure if anyone noticed, but https://neowin.net throws up an error, because the certificate being served in return only matches https://www.neowin.net You may want to take a look and fix that.

[Steven P. Administrators]

Just to point out what every other staff member has said already. ONLY Tier 2 (ad free) subscribers get full HTTPS browsing on Neowin, this is because none of our advertisers support ad display through HTTPS. It's one of the things I will be addressing when I go to San Francisco later this year with our main advertiser, because it does work for all the "big" sites out there (Facebook, Twitter, Google sites etc).

[nabz0r Veteran]

StartCom gives free SSL certificates through https://www.startssl.com.

Never knew there was free ssl certificates, thanks though!

[soldier1st]

Some prick sniffed my password at a school computer lab. Is there any way for Neowin to get a secure logon? I know these things cost money, but it's such an easy target for any jackass with a computer. Hell, even a self-generated certificate (not from Thawte, Verisign, etc) would at least give some of us the option of using it.

When you use a pc/network that is not under your control, it is far easier for these things to happen. Let this be a lesson for you and learn from it. use a strong random password, even for a forum account, and like tiddlie stated, that neowin isn't a "Finacial institition".

 

[vanx]

When you use a pc/network that is not under your control, it is far easier for these things to happen. Let this be a lesson for you and learn from it. use a strong random password, even for a forum account, and like tiddlie stated, that neowin isn't a "Finacial institition".

 

I do not think that it is very constructive and helpful to stick another person's nose in it and effectively say "see what you've done?". Not being a financial institution does not excuse a web site from taking appropriate and reasonable measures to ensure safety and security of its users' data, both in-flight and at rest. I commend Neowin for securing my login data and for striving even further than that by wanting to secure the login form itself. Let this be an example to other communities. And no, Neobond did not pay an exorbitant amount of money to me to say this.

[tiagosilva29]

TLS + TACK by default would be good.

[LimeMaster]

I do not think that it is very constructive and helpful to stick another person's nose in it and effectively say "see what you've done?". Not being a financial institution does not excuse a web site from taking appropriate and reasonable measures to ensure safety and security of its users' data, both in-flight and at rest. I commend Neowin for securing my login data and for striving even further than that by wanting to secure the login form itself. Let this be an example to other communities. And no, Neobond did not pay an exorbitant amount of money to me to say this.

Well, I guess it'll be encrypted for all eventually. Bets you are glad this topic was revived? :)

[vanx]

Well, I guess it'll be encrypted for all eventually. Bets you are glad this topic was revived? :)

 

If reviving this topic leads to greater security of Neowin users' data while remaining commercially sustainable for Neobond et al to operate, then yes, I am glad.

[DaveLegg Developer]

IRC now has SSL support, on port 6697

[tiagosilva29]

IRC now has SSL support, on port 6697

Cool, I'd use it if I wasn't, well, banned.