Results 1 to 11 of 11

Thread: Not secure

  1. #1
    Join Date
    Oct 2008
    Location
    Cambridge
    Posts
    747

    Not secure

    What is up with the firewall on this site, coming up not secure!!!!!!!!!!

  2. #2
    Join Date
    Jul 2009
    Location
    Manchester
    Posts
    1,098
    You will only need a secure site if you are making an online purchase. Anything you post on here can be viewed by the public, hence "not secure". Don't put your bank or credit card details on a post and you'll be as (in)secure as everyone else who uses this site.
    BSA Super10 addict, other BSA's inc GoldstarSE, Original (Diana) Mod75's, Diana Mod5, HW80's, SAM 11K... All sorted!

  3. #3
    Join Date
    Dec 2007
    Location
    Malta, sometimes London
    Posts
    5,881
    Quote Originally Posted by Jenny Dipple View Post
    What is up with the firewall on this site, coming up not secure!!!!!!!!!!
    No idea, it's not letting me out!
    **WANTED**: WEBLEY PATRIOT MUZZLE END; Any Diana/Original mod.50 parts, especially OPEN SIGHTS

  4. #4
    Join Date
    Aug 2008
    Location
    Ashford
    Posts
    1,222
    dodgy config on the webserver.

    It's only using HTTPS for some bit of the site, not all pages & elements, so chrome flags the whole site as insecure.
    Feel free to use https://www.airgunbbs.com/ if you want the fully secured version, though it wont load right in the browser.

    Given there's no payment portal and very little in the way of personal data it likely doesn't matter.

  5. #5
    Join Date
    Jul 2006
    Location
    London, UK
    Posts
    5,063
    I don't really agree with the "no payment so no need to secure site". As the site is not encrypted, it is much easier harvest ALL the log-ins, passwords and user name (some of which may be in use elsewhere), emails, town (as required by AGBBS) and other personal information.

    The BBC, for example, uses HTTPS protocol, because that is the expected standard these days. It's full of public information, so why bother?

    Let's say somebody was hooked into your wi-fi, they could see every non-secured site you visit, like this one. They could also in theory access your log-in details and use them maliciously. Not likely but possible.

    It is also much easier to redirect users to an "imposter" site when using non secure HTTP.
    It's cheap and easy to secure a site these days, so why not do it?

    That's why I log out of this site when I am not accessing NAG or sales...


  6. #6
    Join Date
    Jul 2008
    Location
    Hollesley, near Woodbridge
    Posts
    2,796
    Quote Originally Posted by rogb View Post
    Let's say somebody was hooked into your wi-fi, they could see every non-secured site you visit, like this one. They could also in theory access your log-in details and use them maliciously. Not likely but possible
    I would hope that you are changing the default settings on your WiFi, creating a complex key and hiding the SSD so only those who know the key and SSID can connect
    Custom BSA S10 .22 PAX Phoenix Mk 2 .22 Custom Titan Manitou .22 (JB BP) HW77 .22 FWB Sport Mk1 .22 Sharp Ace .22 Crossman 600 .22 Berretta 92 .20 Desert Eagle .177

  7. #7
    Join Date
    Jul 2006
    Location
    London, UK
    Posts
    5,063
    Quote Originally Posted by MartynB View Post
    I would hope that you are changing the default settings on your WiFi, creating a complex key and hiding the SSD so only those who know the key and SSID can connect
    99% of users who don't have any idea how ( or why to) do this, a savvy person could still hack into WPA/WPA2 with some handy tips from your friend YouTube.
    https://www.youtube.com/watch?v=Fynh7oP9Lio

    At least if pages accessed are SSL encrypted, only IP addresses can be seen.
    To the OP, this has nothing to do with firewalls That "protects" your computer but not the wifi router.

    If you watch this, you will understand why I have tape over my laptop webcam. It's so easy, it's scary!
    https://www.youtube.com/watch?v=-0ofQsAwF2I
    Last edited by rogb; 08-12-2018 at 11:08 AM.


  8. #8
    BEESA's Avatar
    BEESA is offline A Man walks in to a bar.....
    Join Date
    Feb 2005
    Location
    Edgware/North London
    Posts
    3,476
    I used to get that message to ! I now log in through Firefox and now no warning at all
    Don

  9. #9
    Join Date
    Aug 2008
    Location
    Ashford
    Posts
    1,222
    Quote Originally Posted by BEESA View Post
    I used to get that message to ! I now log in through Firefox and now no warning at all
    Don
    That's because Firefox only warns is the page is completely insecure, Chrome flags a whole page as insecure if there is at least one insecure element in the page as it leave the secure elements vulnerable to known exploits.

    Not sure why all the links redirect back to plain HTTP either. As I said originally, bit of dodgy config.
    Certainly could be improved by the site admins, the SSL implementation isn't great for the secure side either.
    Report here: https://www.ssllabs.com/ssltest/anal...=airgunbbs.com

  10. #10
    Join Date
    Jul 2006
    Location
    London, UK
    Posts
    5,063
    Quote Originally Posted by Solvo View Post
    That's because Firefox only warns is the page is completely insecure, Chrome flags a whole page as insecure if there is at least one insecure element in the page as it leave the secure elements vulnerable to known exploits.

    Not sure why all the links redirect back to plain HTTP either. As I said originally, bit of dodgy config.
    Certainly could be improved by the site admins, the SSL implementation isn't great for the secure side either.
    Report here: https://www.ssllabs.com/ssltest/anal...=airgunbbs.com
    https://www.openssl.org/

    It's free. There's no reason, assuming it's compatible with AGBBS server (Apache), not to use it. Sys admins please take note. Thank you


  11. #11
    Join Date
    Aug 2008
    Location
    Ashford
    Posts
    1,222
    Quote Originally Posted by rogb View Post
    https://www.openssl.org/

    It's free. There's no reason, assuming it's compatible with AGBBS server (Apache), not to use it. Sys admins please take note. Thank you
    I'm not sure why you're linking me OpenSSL.
    As I mentioned earlier, you can connect to the BBS via HTTPS, it just fails to load correctly and automatically redirects to an HTTP connection when you change page. This implies that although the site has SSL configured for something, it is not configured for all subpages and/or resources.

    The SSL report i linked proved the SSL is partially functional, though the B score is somewhat less than perfect and the fact the connection continually drops to HTTP shows the admins need to make a few changes.

    On a side note, Yes OpenSSL works with Apache, everything web related *should* be built for the most popular web server.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •