Security certificate expired?

Socializing and general posts on wide-ranging topics. Remember, it's Poststructural!
User avatar
Peter Duggan
Posts: 3223
Joined: Tue Aug 30, 2011 5:39 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: I'm not registering, I'm trying to edit my profile! The field “Tell us something.” is too short, a minimum of 100 characters is required.
Location: Kinlochleven
Contact:

Re: Security certificate expired?

Post by Peter Duggan »

Nanohedron wrote:I've never seen much reason to use Active Topics, and I usually leave it alone.
Since it's pretty well the only way for anyone with an across-the-board interest (multiple forums) to monitor recent activity from one place, it's my default and basically sole gateway to C&F and I've never understood how anyone manages without it unless they're literally only interested in flutes, uilleann pipes or whatever!
And we in dreams behold the Hebrides.

Master of nine?
User avatar
Nanohedron
Moderatorer
Posts: 38212
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

Peter Duggan wrote:
Nanohedron wrote:I've never seen much reason to use Active Topics, and I usually leave it alone.
Since it's pretty well the only way for anyone with an across-the-board interest (multiple forums) to monitor recent activity from one place, it's my default and basically sole gateway to C&F and I've never understood how anyone manages without it unless they're literally only interested in flutes, uilleann pipes or whatever!
Here's how it works for me: I start from the Index Page, because it already tells me if there's activity. True, it's nonspecific; I'll only know that Forum X has at least one new post. So I open the Forum X page, which for me is rather like opening a package, and the first thing I take in is the lay of the land. Same with threads. I might even learn something from seeing the timing of new posts in the context of their surroundings, which can be useful in informing a mod's judgment in certain circumstances. Seldom as that might be, it's still information, and the more information I have at a glance, the better I like it.

I suppose you could call it a panoramic approach, for lack of a better word...
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
Tunborough
Posts: 1419
Joined: Sun Dec 05, 2010 2:59 pm
antispam: No
Please enter the next number in sequence: 10
Location: Southwestern Ontario

Re: Security certificate expired?

Post by Tunborough »

Nanohedron wrote:So am I to understand that even though Active Topics is HTTP, in this case it doesn't matter, because the login was via HTTPS and that covers everything?
No, not exactly. Using HTTPS for the login page encrypts only the login, protecting your password. If you then switch to HTTP for browsing, be it through Active Topics at search.php?search_id=active_topics, or the index page at index.php, or whatever, then your browsing is not encrypted; anyone else on the coffee shop WiFi can watch the deepest wisdom of C&F go by if they have the necessary software.
User avatar
Nanohedron
Moderatorer
Posts: 38212
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

Okay, got it. Thanks.
Tunborough wrote:... [then] anyone else on the coffee shop WiFi can watch the deepest wisdom of C&F go by if they have the necessary software.
Casting our bread upon the waters, eh? Hmm. An enviable bounty plus free marketing ... I can picture the spammers now.
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
Tor
Posts: 399
Joined: Wed Jun 06, 2012 6:23 am
antispam: No
Please enter the next number in sequence: 8
Location: Europe and Japan

Re: Security certificate expired?

Post by Tor »

Tunborough wrote:Turns out, you can login via HTTPS, at https://forums.chiffandfipple.com/ucp.php?mode=login, then continue your browsing via HTTP, at search.php?search_id=active_topics, and still be logged in. This keeps your password secret, but avoids the problem with the missing avatars, for what it's worth.
Unfortunately it's not entirely safe. It does protect your plain-text password, but when you're logged in there's a cookie sent from your computer to the server, and with HTTP that one's in plaintext too. It's not as problematic as with the password, because anyone with nearly zero knowledge could get your login credentials by watching your password with the simplest of tools, while they would have to be slightly more sophisticated to see how to (mis-)use your cookie (not that it's difficult: Copy it and let your browser serve it - and you're "me" - the tricky part is to understand how to copy it into your browser's cookie jar).

So yes, logging in with HTTPS and continuing with HTTP is far better than only HTTP, but it doesn't protect you from the dedicated ones. Only from the rabble. Which is probably fine for C&F, *except* for the moderators - you guys should use HTTPS all the time, if someone gets hold of your login (or already-logged in session, as it were, with the cookie approach), they can do lots of damage, e.g. sabotage, banning people left and right, maybe they could even ban other moderators.
User avatar
Nanohedron
Moderatorer
Posts: 38212
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

Tor wrote:So yes, logging in with HTTPS and continuing with HTTP is far better than only HTTP, but it doesn't protect you from the dedicated ones. Only from the rabble. Which is probably fine for C&F, *except* for the moderators - you guys should use HTTPS all the time, if someone gets hold of your login (or already-logged in session, as it were, with the cookie approach), they can do lots of damage, e.g. sabotage, banning people left and right, maybe they could even ban other moderators.
Thanks. I will definitely bear this in mind.
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
Post Reply