Thread: Security

  1. #1
    Fuel Injected!
    Join Date
    Feb 2012
    Posts
    99

    Security

    My browser thinks this forum is insecure, as does my password manager. Is anyone aware of this and maybe working on it?

  2. #2
    Administrator
    Join Date
    May 2011
    Location
    Lakes Region, NH
    Age
    53
    Posts
    3,684
    I apologize for missing this question. It's a good one and it deserves an answer.

    This website uses traditional HTTP protocol rather than secure HTTPS protocol. This means any information sent to or from the site is sent in plain text. If someone were to use a tool to monitor the traffic going from the site to an individual's computer, that third person would be able to read everything clearly. Private or sensitive information exchanged with the site could be discovered by someone watching from the outside.

    For many years the decision to use HTTP or HTTPS protocol on websites was based on the type of information being sent. Medical records, financial information, and personally identifying information were sent via HTTPS protocol while "Regular information" such as the local bus schedule or the menu from a restaurant was sent via insecure HTTP protocol. The idea was that there was little value in someone stealing or tracking this information.

    Recently thinking has changed. First, bad guys who can see plain text traffic to and from a website can see usernames and passwords sent and received. If the user has decided to use the same username and password on multiple websites, a bad guy could gain access to those same sites. It is bad practice to use the same credentials across multiple sites. It is very bad practice to reuse credentials that are used to access sensitive information. Second, bad guys can use redirects to send a user unwanted ads or links to malicious sites. This type of attack would not be a site-wide problem. This would only affect specific users targeted by bad guys. Third, there is growing concern that sites and internet providers are monitoring, gathering, and selling information about our browsing habits. (I actually have some personal anecdotes about targeted ads showing up after a conversation within microphone range of a cell phone.) In 2018 Google released Chrome 68 which clearly pointed out when a website is using HTTP instead of HTTPS to help ensure people know when the information they are exchanging is visible to an outside party. These days it's extremely common for internet tools to flag "insecure" sites. This is a good move overall and is helping move more sites toward HTTPS protocol.

    Gearhead-efi is volunteer maintained and funded out of pocket. It was started as a place to exchange information about cars and computers and whatever among folks who are interested in cars and computers and whatever. Sort of an internet version of hanging out in the parking lot. The forum doesn't require anyone to provide sensitive information in order to join. Most of the information here is available to non-members (downloading files, viewing attachments, and posting comments / questions requires an active membership). We do not track users in any way. We offer to "remember your login" which leaves a very simple cookie in your browser so you don't have to log in with each visit. This is completely optional and can be disabled. There are options here for "private" messages. They are private in the sense that they are not shared with everyone on the site, unlike a forum post.

    We do plan to switch the site to HTTPS. Switching would increase the cost of the site and the time required to maintain it but it can be done. There haven't been many concerns raised here or in pm's / email so it hasn't been high priority. But maybe folks just aren't saying anything. If it seems like enough people are concerned then I'll have to see about tightening security and changing protocol.

    In the meantime, if you would like to improve security for yourself I would recommend using a dedicated email and password that are only for gearhead-efi. If you have selected a username that is common across forums, consider using a unique username. If you have sensitive information to exchange with another forum member consider using a secure tool rather than PM's. Also consider changing your password at regular intervals and unchecking "remember me" in your browser.

    Here's some more reading about HTTP vs HTTPS:
    https://www.cloudflare.com/learning/...tp-not-secure/

    There are ways to make browsing more secure in general and to make visiting HTTP sites more secure. Using a private VPN and DNS are two tools that can obfuscate the sites you visit from prying eyes. Here's one article that can help you get started:
    https://techcrunch.com/2018/12/25/cy...ely-privately/

  3. #3
    Fuel Injected!
    Join Date
    Feb 2012
    Posts
    99
    Gotcha. I didn't realize there was significant cost or effort required to use https. Thanks for the explanation.
