Tactical Command
http://www.tacticalwargames.net/taccmd/

HTTPS for TacComms
http://www.tacticalwargames.net/taccmd/viewtopic.php?f=42&t=29673

Author:  Jianaran [ Fri May 22, 2015 6:47 am ]
Post subject:  HTTPS for TacComms

TacComms is one of the few sites that I visit that still doesn't offer HTTPS connections. Even though I doubt there's anything particularly sensitive being discussed here (maybe some people send bank accounts in PMs after trades/sales?), I still feel pretty uncomfortable connecting to HTTP websites.

CS, any plans to do anything about this? I realise it might not be your highest priority, but IMO internet connections should be encrypted wherever possible.

Author:  CyberShadow [ Fri May 22, 2015 7:28 am ]
Post subject:  Re: HTTPS for TacComms

At this point, there are no plans for secure server capability. The problem with this is that it requires additional cost for secure certification, which needs to be renewed, plus the administration and setting up on the server end of things, and it's something else that could go wrong. :P

When the full site is more the way that I want it to be, then it's possible, and additional features may even require it. I get that no-one really wants non-encrypted web comms, but aside from passwords (which shouldn't be the same anyway) I can't see a pressing need at this time.

Author:  Kyrt [ Fri May 22, 2015 2:30 pm ]
Post subject:  Re: HTTPS for TacComms

Hi CS, did you know that you can set up an SSL proxy for free via Cloudflare? You can use their signed SSL cert, then just set up a self-signed one at your end (i.e. free). Or, you can even set it up so that it will do SSL from the browser to their servers, then HTTP from their servers to yours. Slightly less secure, but no configuration at all.

Author:  CyberShadow [ Sat May 23, 2015 6:53 am ]
Post subject:  Re: HTTPS for TacComms

I did not.... But, I am still not convinced that it's something that we NEED right now... Do we?

Author:  mordoten [ Sat May 23, 2015 3:55 pm ]
Post subject:  Re: HTTPS for TacComms

Nope. We need lots of people playing tournaments and doing playtests for lists in development....

Author:  Kyrt [ Sat May 23, 2015 9:49 pm ]
Post subject:  Re: HTTPS for TacComms

It's my personal opinion that a site should never be set up to send login credentials in plain text, not because it bothers me myself but mostly to protect the 99% of people who don't look out for these things when they use open wifi. All the other risks are I think highly unlikely to be problems (man in the middle attacks etc) and nobody is going to be sending credit card details on the site (I hope!).

I myself know enough to make my own choice about whether to use the site, what information to keep in PMs, what password to use etc but I think it's good practice to consider that most people just assume the site is secure with their password.

Author:  Jianaran [ Sat May 23, 2015 11:29 pm ]
Post subject:  Re: HTTPS for TacComms

Basically what Kyrt said. Not using HTTPS is only really defensible if you assume every user knows how easy it is for an attacker to sit on their network and skim their username/password, along with anything they send through PMs etc. Realistically, a lot of the TacComms userbase won't know this, and those that don't are probably also the people most likely to reuse user/password combinations across multiple sites.

I'm not a website admin, so I have no idea how hard it is to set up SSL certificates (seems like Kyrt knows something about this, though). I would expect that it's reasonably easy, and certainly well documented. Given the potential risks, I'd say that it's well worth spending the time to set up (assuming there aren't large costs involved). I don't like to volunteer others, but maybe you could ask Kyrt or someone for assistance implementing HTTPS if you don't have the time or experience?

Author:  Irisado [ Mon May 25, 2015 1:42 pm ]
Post subject:  Re: HTTPS for TacComms

I don't think that https is necessary for a forum like this. I've been on plenty of forums which don't use it, and nothing untoward has ever happened. Just take sensible precautions about the information which you share here is my advice.

Author:  CyberShadow [ Mon May 25, 2015 2:22 pm ]
Post subject:  Re: HTTPS for TacComms

Thanks for your comments guys. I am going to file this under 'nice, non-priority'. It will be added to the list and I will look into the facility for these boards running over https, and the process for implementing it at the server level.

Author:  adam77 [ Tue May 26, 2015 12:42 am ]
Post subject:  Re: HTTPS for TacComms

Note that it is likely only a matter of time (perhaps a long time)... at some point browsers could stop supporting non-encrypted connections.

https://blog.mozilla.org/security/2015/ ... cure-http/

All times are UTC [ DST ]