Jump to content


Photo
- - - - -

HTTPS Default?

HTTPS login security

  • Please log in to reply
7 replies to this topic

#1 knasser2

knasser2

    Competent Normal

  • HERO Member
  • 112 posts

Posted 02 June 2017 - 11:09 AM

Hi,

 

Whenever I come to the forum the default is to use HTTP for login. This is less secure and I also get a flurry of drop down warnings in the login text fields. I end up manually clicking in the address bar and editing it to point at HTTPS every time I log in. It's not a big deal but is mildly annoying. However, more importantly it would be better for site security if it defaulted to HTTPS.

 

Any reason this isn't done?

 

K.


A GM has the most difficult job of all. It is to crush players' dreams, characters and hearts whilst making them believe you are unbiased and character deaths are their failure rather than your success.


#2 IndianaJoe3

IndianaJoe3

    Mad Hero System Genius

  • HERO Member
  • 2,817 posts

Posted 02 June 2017 - 06:39 PM

This isn't a site-specific solution, but you might want to look into a browser extension called HTTPS Everywhere.



#3 Simon

Simon

    Administrator

  • Administrators
  • 12,494 posts

Posted 03 June 2017 - 05:56 AM

Login information is submitted via HTTPS.


I am but mad north by northwest.  When the wind is southerly, I know a hawk from a handsaw.


#4 knasser2

knasser2

    Competent Normal

  • HERO Member
  • 112 posts

Posted 05 June 2017 - 04:38 AM

Login information is submitted via HTTPS.

 

Ah. Looking into it more closely, I see that the form submits to a HTTPS URL. Not sure if you are aware of it but because the page itself is not HTTPS, Firefox is flagging up dire warnings on your site:

 

hero_forum_non_https.png

 

Anyway, it caused me to raise this. Don't know if helpful.

 

Peace and coolness,

 

K.


A GM has the most difficult job of all. It is to crush players' dreams, characters and hearts whilst making them believe you are unbiased and character deaths are their failure rather than your success.


#5 Greywind

Greywind

    Triple Millennial Master

  • HERO Member
  • 10,343 posts

Posted 05 June 2017 - 12:30 PM

I use Firefox. Have for years. I've never seen that warning.


  • TheNaga likes this

With your shield or on it.

 

"The laws of celestial mechanics dictate that when two objects collide, there is always damage of a collateral nature." ~ Prof. Moriarty, Sherlock Holmes: A Game of Shadows

"It's like switching from an action thriller RIGHT when it all goes to hell and you don't know if they live and someone walks in and changes the channel to Gilmore Girls." ~ my Muse about my writing. :)

Avatar courtesy John T.

 

Greywind's Characters

Snippets

Business Unfinished

Reaffirmation Day


#6 Simon

Simon

    Administrator

  • Administrators
  • 12,494 posts

Posted 05 June 2017 - 12:32 PM

He has a plugin/extension running which is not smart enough to pick up on the form's action (where it actually sends the data).

 

Of course the form is _pulled_ over HTTP -- it's a popup dialog/div within the site.  The main part is where it sends the data, which (as stated and verified) is over HTTPS.


I am but mad north by northwest.  When the wind is southerly, I know a hawk from a handsaw.


#7 Christopher

Christopher

    Awesome Programmer

  • HERO Member
  • 8,844 posts

Posted 17 June 2017 - 04:56 PM

I get a warning when I click into the Password box only:
https://support.mozi...warning-firefox

 

Could it be some Java Script doing automatic postbacks in the background? I know it should not do so with Password boxes. But maybe validation of valid character input?



#8 Simon

Simon

    Administrator

  • Administrators
  • 12,494 posts

Posted 17 June 2017 - 05:46 PM

In a word: no.

I am but mad north by northwest.  When the wind is southerly, I know a hawk from a handsaw.