Website via SSL / HTTPS

[djkouza]

Not sure how I never noticed this, but the website is defaulted to http, and seems that trying https results in an error.  I'm at the airport currently, and will check again later. I'd be more than happy to help in getting the site setup with an SSL certificate.

[mtbikernate]

Is that necessary for anything?


Will it cost anything?


It has not been on our priority list in the past - it's never been discussed as being important.

[Hocky]

The only real benefit that it offers is to prevent plain text passing of passwords. The rest of the data being plain text is kind of irrelevant since it is being posted to a public forum, anyway.

[djkouza]

The only real benefit that it offers is to prevent plain text passing of passwords. The rest of the data being plain text is kind of irrelevant since it is being posted to a public forum, anyway.

This, I think I only noticed it because I was logging in from the airport and always am extra sure that when on public WiFi I use SSL for EVERYTHING.  Basically you can get a cert for free (though some browsers may complain about it)  I think GoDaddy they are like $60/year or something.


 As Hocky said, the main concern is that when you login to the Forum your password is being transmitted as Plain text, so anyone who is on the same Network with you could fairly easily capture that network traffic and have you username and password.  While we may not care about someone getting our HMBA.org password, I would bet some coin that many people use the same password for other things too.


I think the biggest thing is just checking how difficult it is to setup SSL with the current webhost. 


Here is one site which I've used for Free Certs that is reputable. https://www.startssl.com/?app=1


In the end I'd say if it's not too hard to setup on the hosting provider side (typically it's a 5 minute setup if not less)  I'd say it's a good thing to have.

[mtbikernate]

There is a board meeting tomorrow night. I will bring this topic up. I think our hosing service offers ssl but I will have to check pricing. That would probably be the easiest but I will explore the free options, too.

You are correct that it's a rare person who uses different passwords for every website.

[Dave Tozer]

Might want to get a new "service". 

[mtbikernate]

Our hosTing provider doesn't offer SSL certificates.  It pretty much requires you to get one from a third party.  Since the startssl website provides Level 1 certificates for free, I went ahead and registered for one and should be able to install it either tonight or tomorrow.


Thanks for the suggestion.

[djkouza]

    Awesome.  Thanks!

[mtbikernate]

Got the security certificate installed.  The verification went through sooner than I expected.


It's created some hiccups with content embedded elsewhere on the site, so I'm dealing with those.  I got the trail status indicators fixed and displaying on pages viewed with https protocol.  Right now I'm trying to get the trail guide content fixed.


Some of the content may wind up being not viewable if you're using a secure connection.  We'll have to see how that pans out.

[Steve King]

Check it out (https).  We're now secure!  Nate rocks!
 
https://www.hmba.org/smf/index.php

[djkouza]

Check it out (https).  We're now secure!  Nate rocks!
 
https://www.hmba.org/smf/index.php

Yeah!!  +100  very quick turn around to getting the SSL installed.  Thanks Nate!