Secure Login



Oldmonger
03-10-17, 17:30
USASG should change from HTTP to HTTPS. Logging in to an HTTP URL is not secure. The upgrade is not expensive or complicated.

OM.

CreamPieGuy543
02-11-18, 21:18
Agreed,

The whole site should be changed to use HTTPS / TLS not just the login page.


USASG should change from HTTP to HTTPS. Logging in to an HTTP URL is not secure. The upgrade is not expensive or complicated.

OM.

BBPornoGeek
03-11-18, 23:21
Registration for the site should move away from GoDaddy as well and make it an anonymous registration. Tomorrow's senate bill could make life hard for ISG and USG site owners. The site may be in Europe, but the Feds can commandeer the domain name.

Super Dirty
05-20-18, 14:29
Agreed,

The whole site should be changed to use HTTPS / TLS not just the login page.

Doubly agreed. It's even becoming common on mainstream / "vanilla" sites. Any movement on this with the new hosting arrangement?

Admin2
05-20-18, 16:32
Registration for the site should move away from GoDaddy as well and make it an anonymous registration. Tomorrow's senate bill could make life hard for ISG and USG site owners. The site may be in Europe, but the Feds can commandeer the domain name.

Registration for www.usasexguide.nl is not with godaddy. Registration for www.usasexguide.info was with go daddy.


Agreed,

The whole site should be changed to use HTTPS / TLS not just the login page.

We are getting a certificate because a bunch of you guys keep saying this and there is some serious, probably well founded paranoia out there but why? You are not sending any personal info. No credit cards, no phone numbers, nothing but what is publicly available. The purpose of secure socket is to encrypt the personal information you may send, think credit card numbers, phone numbers, SSN, not posts that are going to be public from the very beginning.

If you're worried about your IP addy until then use a VPN.

VinceVon
05-20-18, 22:41
I came to this section just to post about SSL, it's good you guys are on top of it. Also though, your Google ranking will be helped too.

Super Dirty
05-27-18, 08:47
Registration for www.usasexguide.nl is not with godaddy. Registration for www.usasexguide.info was with go daddy.

We are getting a certificate because a bunch of you guys keep saying this and there is some serious, probably well founded paranoia out there but why? You are not sending any personal info. No credit cards, no phone numbers, nothing but what is publicly available. The purpose of secure socket is to encrypt the personal information you may send, think credit card numbers, phone numbers, SSN, not posts that are going to be public from the very beginning.

If you're worried about your IP addy until then use a VPN.

Yes, a VPN can help a little bit but even so, the traffic is unencrypted for part of its journey. Can you trust every ISP between the client and the server? Remember that there's a lot of valuable information flying around. It's not just login details but also what you view, what you search, your PMs. Combine all this with an IP address or even browser characteristics and you can start painting a pretty good picture.

It's good that you'll be rolling out encryption. Then, the entire conversation is encrypted between the user's browser and USASG, no worries about anyone in between.

Wait, you think that the local police in your area are going to be able to hack into our servers or intercept our traffic and pull your PMs with a packet sniffer?

You guys are not DPR, and these are blow jobs not Silk Road.

A2

WesternMassGuy
02-27-21, 03:11
Almost 4 years since OP and https is by now standard on even basic websites totally free through https://letsencrypt.org/.

I'm not advertising their company or anything, they are a non-profit automated service that was put together to try to get as much of the internet on https as possible.

Ernstheiter
05-12-21, 14:33
Please can you guys make this site HTTPS.

GG1234
06-12-21, 13:23
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04

I think you guys are using Apache on Ubuntu, so these instructions should work for you. They have instructions for other versions of Ubuntu too. It would be really nice to get SSL going on this site, and with LetsEncrypt, you can get and renew your certs for free using certbot as described in the tutorial above.

JoeSchlosser33
10-27-21, 14:52
It's just poor management to keep using http at this point. No, there's no credit cards, etc, but the information that can be gleaned, even if you're using a VPN, can be catastrophic. I'd be more than happy to offer services to get you encrypted for free. Let's Encrypt is free, guys here would do the work for free. It's very straightforward and I imagine site admins who manage to keep this place running would have more than enough skill to do it. Thanks for all you do guys!

ScorpioDude
07-03-22, 21:40
Why does the site still not support https? That should be the minimum. Also wondering about you retaining IP addresses and other client details.

We don't do HTTPS for that very reason, we don't retain any info beyond the email you sign up with and if you're using an email account that's tied to you in the real world well Momma always said "Stupid is as stupid does." What exactly do we need to encrypt? Everything on this forum is forward facing.

Next time why not address the issues you have with me in a PM? It's Admin2

A2

PlanetEarth
06-27-23, 11:10
Reading this thread.

An Admin talks about HTTPS would need to log IP addresses to enable. Well, I assume there are multiple solutions by now, many VPN providers use no log / no disk / only in RAM solutions. I would assume a simple RAM disk would get you there. As others have described, getting a valid certificate can be free.

But the big issues are why you should do HTTPS.

If you are not a member, and you visit the site, the browsers say "DANGER" and the prospect says "NEXT".

So membership will be extremely stunted.

If you want to enforce better personal security, maybe you have configured the browser to only visit HTTPS sites.

An HTTP site's traffic is too easy to review and interrogate, HTTPS is ubiquitous.

Even the login credentials are not encrypted, yikes.

The juice IS worth the squeeze to implement.
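
An added example, not part of any post in this thread: a Python check over captured responses that tests the points raised above (whole-site TLS rather than login-only, and session cookies or credentials crossing plain HTTP). The host forum.example, the cookie name and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a site that moved only its login page to HTTPS.
SAMPLE = [
    {"url": "http://forum.example/index.php", "status": 200,
     "headers": [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")],
     "body": '<form action="https://forum.example/login.php" method="post">'},
    {"url": "https://forum.example/login.php", "status": 200,
     "headers": [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")],
     "body": ""},
]

def audit(responses):
    """Return a sorted list of (url, finding) for each transport weakness."""
    findings = []
    for r in responses:
        scheme = urlsplit(r["url"]).scheme
        hdrs = [(k.lower(), v) for k, v in r["headers"]]
        location = next((v for k, v in hdrs if k == "location"), "")
        if scheme == "http":
            # A plain-HTTP URL should do nothing except redirect to HTTPS.
            if not (300 <= r["status"] < 400 and location.startswith("https://")):
                findings.append((r["url"], "served over HTTP without redirect to HTTPS"))
        elif not any(k == "strict-transport-security" for k, _ in hdrs):
            # Without HSTS the browser may still try plain HTTP on a later visit.
            findings.append((r["url"], "no Strict-Transport-Security header"))
        for k, v in hdrs:
            if k != "set-cookie":
                continue
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                # The browser will attach this cookie to plain-HTTP requests too.
                name = v.split("=", 1)[0].strip()
                findings.append((r["url"], f"cookie {name} lacks Secure flag"))
        # Credentials submitted to an http:// action travel unencrypted.
        for action in re.findall(r'<form[^>]*\baction="(http://[^"]*)"', r["body"], re.I):
            findings.append((r["url"], f"form posts to plain HTTP: {action}"))
    return sorted(findings)

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{url}: {finding}")
```

On the sample, the login form already targets HTTPS, yet the session cookie issued there is still sent on every plain-HTTP page view, which is why a login-only certificate does not protect the session.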