DIY Electric Car Forums

1 - 18 of 18 Posts

Registered · 6 Posts · Discussion Starter #1
Your security measures are not very effective. You've overlooked the most basic one that NEEDS to be implemented: HTTPS!!!

I cannot believe you want me to send a very secure password over an unencrypted connection on the internet. I want to participate in your forums and such, as well as access the wealth of information here, but I want to do it securely, please. I really cannot believe you have such tough policies on passwords and yet don't offer an SSL connection to send them over. Complete waste of time.

Also, after reading the stickies: for those that have issues remembering long passwords that they change from time to time, get a master-password management plug-in for your browser: one password to manage all your sites' usernames and passwords (make sure it's GPL v1, 2 or 3 *and* has good reviews if you cannot read computer speak. Folks that can read computer speak will read the code and make sure it's safe and stays safe for you to use as long as you keep it updated).
 

Administrator · 6,156 Posts
Hi Karen
I will go the opposite way - we already have far too much security!
Why should I have to jump through hoops?

There is nothing on the site that anybody can steal - why bother locking it up like the Tower of London?
 

Registered · 2,170 Posts
Karen has a fair point. Might be some technical/cost hurdles for some operations out there with virtual hosting, but the whole of the web is going that direction.

Not using it even comes with performance penalties.

I'm sure Symantec and GeoTrust et al. have something set up so you don't have to pay full price for every single domain at vscopehost.

edit: plus I think there are some "free" SSL options out there that don't raise a big red flag in the browser, for now.

but I can live with Duncan's suggestion too :) till the browsers stop letting you do it.
 

Registered · 6 Posts · Discussion Starter #4
> Hi Karen
> I will go the opposite way - we already have far too much security!
> Why should I have to jump through hoops?
>
> There is nothing on the site that anybody can steal - why bother locking it up like the Tower of London?

Your site not allowing HTTPS (even self-signed would work) essentially sends all our passwords unencrypted to your forum servers. Having worked in IT for years, I know people often use the same password for a lot of stuff...

Not having HTTPS is essentially the same as saying your PIN out loud while you enter it every time you use a bank machine, and hoping no one hears it.

With regards to nothing on the site that anybody can steal: there sure looks to me to be a wealth of resources that I would imagine could take years to re-compile. I've already accessed a lot of it for about a year, until recently when I needed to register to see an attachment. When I made the account and realized that my password was being sent to your website without encryption, I tried to find the attachment somewhere else before I finally relented, because it is nowhere else.

I'm sad that you don't value the technical information on this site. It's been a great resource for me with my 1991 S15 GMC EV. Recently my ElCon PFC2500 stopped charging my batteries and y'all are the only ones that have schematics for it for me to consider a repair.

Also stored and valued are everyone's passwords, which we know most people use across many platforms, even with the same account names.
 

Registered · 2,170 Posts
This site may have changed hands since inception, i.e. we have a semi-responsive tech person that weighs in now, but also the reverse DNS is to a company with all sorts of generic domain names.

If it is owned by a company who is/was in the business of shared hosting, then they might need to update their way of doing things (the standard way of multiple DNS names on one IP and mapping the requested domain to applications doesn't work that way with SSL/TLS). Maybe they have already addressed it and just need to enable it for this domain.

If it is still an individual, they can just go to a GoDaddy, 1&1, or whatever and get a package with SSL for cheap for this domain, unless the current hosting provider is extra terrible. There will be some downtime for the migration though.

edit: more options; I've only mucked about with GoDaddy and 1&1 though. GoDaddy is nice for "one stop shopping" since they are a certificate CA. (apparently this site can't count to 10 though...)
http://www.top10bestwebsitehosting....Rh6IWUxG_86ozVabjG9vC4QsCx0PPyTwaAmN0EALw_wcB
 

Registered · 1,478 Posts
Howdy Karen, and welcome to the forum.

I'm one of the people who traced the TCCH charger circuits and posted them here, and as far as I'm concerned they were not done for profit but were intended for use by members of this site, who are the main DIY users of these chargers. I can't stop someone from 'stealing' that work, but if I cared I wouldn't have posted them. It was a lot of time and effort, but that is what open source projects are all about. As a Linux user I'm all about open source: live and learn and pass it on.

I'm with Duncan; I don't care about all the BS protectionism. I could show you an easy way to have a unique password for every forum you want to join, but I don't want to give away that technique. It's very simple, and a smart gal such as yourself should be able to figure something out. Using the same password for everything is just lazy and stupid, imho...
 

Registered · 2,170 Posts
This isn't about protectionism as in preventing legitimate usage. It is about ensuring the integrity of the site and of the experience of the users who visit it.

Do I really need to explain what SSL/TLS is?!?

Chrome and friends WILL be deterring traffic from non-secure sites in the near future.

edit: I assume what Karen means by "steal" is take away, as in not leave the original, i.e. take someone's password and delete their post history and put up ads for who knows what, or contact other members and pretend to be you, or a lot of "tricks" you probably haven't even considered. And for the more stupid among us, they will have access to lots of email accounts as well, and all that information.

edit2: please don't use a self-signed cert; that just conditions people to do the stupid thing and will still cost you traffic.
 

Registered · 5,028 Posts
I agree that any site like this, which requires a login, should use HTTPS.

On the other hand, it can be done very poorly, making the situation worse in some ways. Another forum operator (who also uses the vBulletin software) decided to encrypt only the login page, protecting the password transfer but making for a really awkward login sequence.

I suppose you get what you pay for, so I have no demands or expectations. On the other hand, I don't use the same password for any two web-based services. :rolleyes:
 
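The "encrypt only the login page" setup described in the post above protects the password in transit but not the session that the password buys: the session cookie issued after login is replayed on every subsequent plaintext request, so anyone on the path can take over the account without ever seeing the password. The audit below is an added example written for this page, not code from the forum or its operator; the HTTP exchanges are constructed, the cookie name `bbsessionhash` and the form fields `vb_login_username`/`vb_login_password` are assumed stand-ins for a vBulletin-style login, and the host name is invented.

```python
"""Audit a captured login exchange for credential and session-cookie exposure.

Added example, not the forum's code. All messages below are constructed;
the cookie and form-field names are assumed stand-ins for a vBulletin login.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Message:
    scheme: str   # "http" or "https": how this message travelled on the wire
    raw: str      # the request or response as captured


def split_message(raw):
    """Return (start_line, headers, body) for one HTTP/1.1 message.

    headers maps lower-cased names to a list of values, since Set-Cookie
    may legitimately appear more than once.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_set_cookie(value):
    """Parse a Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit(messages, session_cookies=("bbsessionhash",)):
    """Return findings, in order, for an ordered list of Message objects."""
    findings = []
    for msg in messages:
        start, headers, body = split_message(msg.raw)
        # A login form posted over plaintext exposes the password itself.
        if start.startswith("POST") and msg.scheme == "http":
            if "vb_login_password" in parse_qs(body):
                findings.append("password sent over plaintext http")
        # Without the Secure attribute the browser will send the cookie
        # on http:// requests too, even if it was issued over https.
        for sc in headers.get("set-cookie", []):
            name, attrs = parse_set_cookie(sc)
            if name in session_cookies and "secure" not in attrs:
                findings.append(f"session cookie {name} set without Secure")
        # Any plaintext request carrying the session cookie is a takeover.
        if msg.scheme == "http":
            for header in headers.get("cookie", []):
                for pair in header.split(";"):
                    name = pair.strip().split("=", 1)[0]
                    if name in session_cookies:
                        findings.append(
                            f"session cookie {name} transmitted over plaintext http")
    return findings


LOGIN = ("POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "vb_login_username=karen&vb_login_password=correct+horse")
GET = ("GET /showthread.php?t=1 HTTP/1.1\r\nHost: forum.example\r\n"
       "Cookie: bbsessionhash=3f9a\r\n\r\n")

# Constructed: everything over plaintext http, the thread's starting point.
ALL_HTTP = [
    Message("http", LOGIN),
    Message("http", "HTTP/1.1 302 Found\r\nSet-Cookie: bbsessionhash=3f9a; path=/; HttpOnly\r\n"
                    "Location: http://forum.example/\r\n\r\n"),
    Message("http", GET),
]
# Constructed: only the login page is https; the site then falls back to http.
LOGIN_ONLY_HTTPS = [
    Message("https", LOGIN),
    Message("https", "HTTP/1.1 302 Found\r\nSet-Cookie: bbsessionhash=3f9a; path=/; HttpOnly\r\n"
                     "Location: http://forum.example/\r\n\r\n"),
    Message("http", GET),
]
# Constructed: whole site on https, cookie marked Secure, HSTS pins the scheme.
ALL_HTTPS = [
    Message("https", LOGIN),
    Message("https", "HTTP/1.1 302 Found\r\nSet-Cookie: bbsessionhash=3f9a; path=/; Secure; HttpOnly\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n"
                     "Location: https://forum.example/\r\n\r\n"),
    Message("https", GET),
]

if __name__ == "__main__":
    for label, exchange in (("all http", ALL_HTTP), ("login-only https", LOGIN_ONLY_HTTPS),
                            ("all https", ALL_HTTPS)):
        print(label, audit(exchange) or ["ok"])
```

The login-only case still yields two findings: the cookie was issued without `Secure`, and the very next page load hands it to the network in the clear. Only the third exchange, where the cookie carries `Secure` and the redirect stays on https, audits clean.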

Registered · 2,170 Posts
> On the other hand, it can be done very poorly, making the situation worse in some ways. Another forum operator (who also uses the vBulletin software) decided to encrypt only the login page, protecting the password transfer but making for a really awkward login sequence.

A lot of shared hosting sites have a generic SSL site address (that doesn't match your domain name, but still maps to it), for no additional cost. It won't help with Chrome/Google/??? deterring traffic from your site, but it does address the immediate concern of password protection.

Jesus, 364 cookies in use from 30 domains?!?! WTF vscopehost? (friends, do yourself a favor and do NOT look at the network tab; it is contacting like 50 servers, and 3 out of 194 of those calls are done securely...)

edit: found the original announcement http://www.diyelectriccar.com/forums/showthread.php/important-announcement-98898.html
Yeah, so not a personal interest in DIY per se, but still gonna lose traffic if you don't do something fairly quickly. I mean I know we aren't a bimmerfest.com, but we ain't a vultusforum.com either, and all your sites are going to be affected.

This is like textbook unprotected promiscuity...
 

Registered · 6 Posts · Discussion Starter #10 (Edited)
I'd gladly donate something as a contribution for what I get from this site in maintaining my own personal DIY EV truck, and also for the help I got fixing my Leaf's DC-DC converter/charging problem.

I'm sure if everyone chipped in a few bucks a year we could all rally enough to pay for the server. Could an admin look into how much it would cost and set up a donation page with the total required yearly?

Perhaps a forum-wide vote to see if enough people are interested, detailing why it should be done, and if folks are all willing to chip in?

dcb: Yeah, my uBlock and script blocker are blocking more than 56% of the page typically when I visit the site... HTTPS Everywhere wasn't even allowing me to enter the site without creating an exemption... (edit: yeah, I agree with you. Self-signed certificates do cost traffic. It's best to pay the few bucks a year for the proper certificate service.) (2nd edit: you nailed it; it's about protecting the user experience and preserving the content! It has a lot of irreplaceable, really useful content!)

kennybobby: I am 100% opposed to intellectual property rights (and property rights too, for that matter) and run Arch (Manjaro) Linux, as well as Debian on my phone (Nexus 6). I hear ya. What I was getting at is if someone were to either hack the admin's password or destroy data on the forums, not as in capitalize on it. (edit 3: oh, I use software to generate my passwords and keep them under check with a master password. I just wasn't able to do it with this site because it lacks the security for my browser to even easily navigate here, let alone sign up for it.) cheers
 

Registered · 2,170 Posts
edit: scratch that, only 600 sites claimed owned by VerticalScope, not 600 million... that is a *little* more manageable for a <50-person company.

Still, not having SSL is on them; it will affect their search results and traffic. They need to own this though.
 

Administrator · 368 Posts
Hey Guys

HTTPS has been something we've wanted to add for a while, but its main benefit is blocking a MITM attack (man in the middle), where someone intercepts what you are typing, as you type it. Since most everything is being typed to a public forum that can be read by anyone and we have zero eCommerce going on, it's been something that was back-burnered a couple of times.

We are in the process of implementing HTTPS on sites, but it's still in the testing phase. It's not as easy as just flipping a switch, as it changes the way basic communication is done in a system that has run for a long time without it, and so far every time we've activated it, something new has broken down. First it was images, then ads, then the PM system, etc. We're still at it though. Not allowed to give an official ETA.

Also want to mention that while it's not implemented on the front side of the forum, the inner workings of the site do have HTTPS activated and always have.

Kevin
 
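The breakage the admin describes above (images, ads, then the PM system) is the usual shape of an HTTPS migration: any page element still fetched with a hard-coded `http://` URL becomes mixed content once the page itself is served over TLS, and browsers refuse the "blockable" kinds (scripts, frames, stylesheets, objects) outright while treating images and media as "optionally blockable". The scanner below is an added example, not the forum's or VerticalScope's code; it finds such subresources in a page and proposes the rewrite for ones on the site's own host. The sample page is constructed, and the paths and the third-party hostnames in it are assumed.

```python
"""Find subresources that turn into mixed content once a page moves to https.

Added example, not the forum's code. SAMPLE_PAGE is constructed; its paths
and third-party hosts are assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attribute that fetches a subresource, per tag. <a href> is a navigation,
# not a subresource, so it is deliberately absent: links to http:// pages
# are not mixed content.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "video": "src", "audio": "src", "source": "src", "object": "data",
    "embed": "src",
}
# Per the W3C Mixed Content spec, images and media are "optionally blockable";
# everything else is "blockable" and the browser will not load it at all.
OPTIONALLY_BLOCKABLE = {"img", "video", "audio", "source"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, url) for every subresource fetched over plaintext http."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if not attr:
            return
        a = dict(attrs)
        # Only stylesheet <link>s are fetched as page resources.
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        url = a.get(attr) or ""
        # urlsplit lower-cases the scheme; protocol-relative "//host/x"
        # has no scheme and inherits https, so it is not flagged.
        if urlsplit(url).scheme == "http":
            self.hits.append((tag, url))


def scan(html):
    parser = MixedContentScanner()
    parser.feed(html)
    return parser.hits


def classify(hits):
    """Tag each hit with how a browser treats it under a https page."""
    return [
        (tag, url, "optionally-blockable" if tag in OPTIONALLY_BLOCKABLE else "blockable")
        for tag, url in hits
    ]


def rewrite(url, own_hosts):
    """Return the https form for own-host URLs; None for third parties,
    which need checking by hand (the ad network must itself offer https)."""
    parts = urlsplit(url)
    if parts.hostname in own_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return None


# Constructed sample page; paths and the ads/cdn hosts are assumed.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://www.diyelectriccar.com/forums/style.css">
<script src="http://ads.example/tag.js"></script>
</head><body>
<img src="http://www.diyelectriccar.com/forums/images/logo.png">
<img src="//cdn.example/banner.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<a href="http://www.diyelectriccar.com/forums/">home</a>
</body></html>
"""
OWN_HOSTS = {"www.diyelectriccar.com"}


def report(html=SAMPLE_PAGE, own_hosts=OWN_HOSTS):
    """Return (tag, url, severity, suggested_url_or_None) for each finding."""
    return [(tag, url, sev, rewrite(url, own_hosts))
            for tag, url, sev in classify(scan(html))]


if __name__ == "__main__":
    for row in report():
        print(*row)
```

On the constructed page the stylesheet and the ad script are blockable (the page would render unstyled and the ads would vanish, which matches what the admin saw), the logo is optionally blockable, and only the own-host URLs get an automatic `https://` rewrite; the ad tag has to be fixed with the ad network.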

Registered · 2,170 Posts
Thanks Kevin!

FYI, if the HTTPS stuff is too disruptive for the original business model, please give us the opportunity to take over/purchase the site name and contents.

FWIW, while it is an interesting study in monetization techniques, I probably wouldn't carry that forward personally, at least not to that degree, so it would have to be priced accordingly.

But I'm gonna go dark for a while; this is a whole lot of loose ends. I'll watch this thread in email.
 

Administrator · 368 Posts
OK, thanks for the feedback. Again, no official ETA for implementation; however, it is in the works.

Fergus
 

Administrator · 368 Posts
Thanks for that, karenmcd. Our people already have something in the works so we'll let them do it as planned. There's still no ETA on when this will be done but we'll keep you guys posted.

Thank you for your continued patience and understanding on this.


Cheers,
Nate
 

Administrator · 368 Posts
It's in late-stage testing at the moment, and will most likely need to wait for a server migration we have lined up.

Testing has been time-consuming, as every time it's been turned on in a test environment, something new breaks: PMs, ads, YouTube videos, etc. So far, nothing insurmountable, but still taxing in man-hours.

Kevin
 