HTTPS


jeff

Administrator
Staff member
Joined
Dec 5, 2003
Messages
8,973
Location
Westlake, OH, USA.
Yes, IAP is an unsecured site.

Les

That project is underway, but I wanted to wait until after the bash. I've been working some long days, so it hasn't happened yet. We also have a few things installed that are going to break with https, and I want to make sure I am able to fix them quickly.

Since we don't process any financial transactions, I don't think it's critical, but I agree it's annoying to see the box pop up and tell you.
 

ed4copies

Local Chapter Manager
Joined
Mar 25, 2005
Messages
24,527
Location
Racine, WI, USA.
Financial transactions, i.e. donations, are handled through PayPal, so there is no doubt your donations are safe!! (I'm sure this was the major concern)
 

edstreet

Member
Joined
Aug 12, 2007
Messages
3,684
Location
No longer confused....
Many make the claim that PayPal is secure, therefore my site does not have to be. They can't be further from the truth. It is very possible to leech data from unsecured sites and use it as a launch pad for a good many things like identity theft. It's easier when the site is unsecured. Layered security offers the best protection, and even against PayPal and banks it helps in the grand scheme of things. When you see the back end of merchant processing and the liability side, you really understand at that point why it's a very good idea to secure your site. By merchant processing I'm not referring to linking PayPal to your website, but am referring to processing charges at the bank's end.

Sent from my SAMSUNG-SM-T377A using Tapatalk
 

walshjp17

Member
Joined
Jul 29, 2012
Messages
3,418
Location
Weddington, NC
IIRC (and it has been many years since I last dealt with InfoSec), on an unsecured site your passwords are passed to the IAP server in the clear - that is, unencrypted. Assuming you use the same password for other sites (not a good idea) you could be compromising your laptop/PC/Mac/smartphone/tablet, etc.
 
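The point walshjp17 makes about passwords travelling in the clear can be shown concretely. The following is an added example, not code from the thread or from IAP: it takes a constructed plain-HTTP login request (the host, path, field names and cookie names are assumptions, not IAP's actual form) and reports what anyone on the path, such as a coffee-shop Wi-Fi operator or an upstream ISP, can read straight out of the bytes. Over HTTPS the same request would sit inside an encrypted TLS record, and the observer would see only the server name and the sizes of the messages.

```python
"""Show what a passive observer reads from a plain-HTTP forum login.

Added example, not part of the original thread. CAPTURED_REQUEST is a
constructed request; the host, path, form fields and cookie names are
assumptions made for illustration.
"""
from urllib.parse import parse_qs

# Constructed capture of a login POST as it would appear on the wire over HTTP.
CAPTURED_REQUEST = (
    b"POST /login/login HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Cookie: xf_session=0123456789abcdef; xf_user=42%2Cdeadbeef\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 56\r\n"
    b"\r\n"
    b"login=member&password=hunter2%21&remember=1&redirect=%2F"
)

# Form field names that commonly carry a secret (substring match, case-insensitive).
SECRET_FIELDS = ("password", "passwd", "pwd", "token")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, body[:length]


def observer_view(raw):
    """Return everything a passive on-path observer learns from one request."""
    method, target, headers, body = parse_http_request(raw)

    # Credentials: decode the form body exactly as the server would.
    credentials = {}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        for field, values in form.items():
            if any(s in field.lower() for s in SECRET_FIELDS):
                credentials[field] = values[0]

    # Session cookies: enough to hijack an already logged-in session, no password needed.
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value

    return {
        "host": headers.get("host"),
        "target": target,
        "credentials": credentials,
        "session_cookies": cookies,
    }


if __name__ == "__main__":
    for key, value in observer_view(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Note that the cookie line is exposed on every request, not just the login: with HTTP-only browsing, a stolen `xf_session` value lets the attacker act as the member without ever seeing the password, which is why the whole site, not only the login page, needs to move to HTTPS.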

edstreet

Member
Joined
Aug 12, 2007
Messages
3,684
Location
No longer confused....
Not only your password but bio, which causes a chain reaction for identity theft. The setup is called DDE, dynamic data exchange. App A communicates with the browser and sucks data from your usage. Encrypted sites help retard that exchange but will not block it. Security is an onion, it's in layers and layers and layers. Peel the onion and you gain access unauthorized and illegally. Browser companies are becoming more militant (rightly so too) about adding more layers of the onion. Also keep in mind they get requests for data from users and are under a gag order about disclosing the volumes of requests. This is exactly why Google and Apple encrypted the services so they are unable to grant that access. The final issue is the piedmont tools were stolen and also sold to foreign nationals, which allows them free access to your devices. Better reasons still to encrypt and watch security.

Besides, what harm will you be doing by adding layers of security? I see a ton more benefits than anything bad or negative, just need to get the crowd who snubs their noses at the notion to wake up and see reality.
 

jttheclockman

Member
Joined
Feb 22, 2005
Messages
19,143
Location
NJ, USA.
Welcome to the new world:biggrin::biggrin: How many websites that sell their wares are secured to the point where they cannot be hacked? How many times are we bombarded by ads that contain tracking info? How many times do you go to the store and pull out that card to make your purchase without knowing who or what is recording you? How many times do you step out the front door and not know who is watching? The list goes on and on. At some point you have to trust someone. We cannot live in a bubble. The world is evolving. For every new security feature added, a way to break it is developed. We just have to try to be more diligent and aware of what we do. Try not to be so complacent about your surroundings, and that includes entering and exiting forums or websites. "Do not put all your eggs in one basket" is a good axiom to follow.
 

jeff

Administrator
Staff member
Joined
Dec 5, 2003
Messages
8,973
Location
Westlake, OH, USA.
...snip...
Besides, what harm will you be doing by adding layers of security? I see a ton more benefits than anything bad or negative, just need to get the crowd who snubs their noses at the notion to wake up and see reality.

Since this thread is about SSL at IAP, I have to make the connection that you're claiming that I'm snubbing my nose at security. That's false. The implication that I don't care isn't correct. It hasn't happened yet because I am trying to fully understand what things SSL will break and develop a plan to fix them. Lots of things in life are great ideas, but it's important to understand the unintended consequences and have a plan to mitigate them.
 
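The "things SSL will break" that jeff mentions are, on a forum, almost always mixed content: pages served over HTTPS that still pull scripts, stylesheets, images or ad tags from plain http:// URLs, which browsers either block outright or flag. The scanner below is an added example, not IAP's code or anything from the thread; it runs over a constructed sample page with an assumed base URL (example.invalid) and lists every insecure subresource before the switch is flipped. It uses only the Python standard library, so it can be pointed at a saved copy of any page.

```python
"""Find mixed-content references in an HTML page ahead of an HTTP->HTTPS move.

Added example, not part of the original thread. The base URL and the sample
page are constructed; the tag/attribute table is the set of elements that
cause the browser to fetch a subresource.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute on each tag that names a resource the browser will load or submit to.
SUBRESOURCE_ATTRS = {
    "script": "src", "link": "href", "iframe": "src", "object": "data",
    "embed": "src", "img": "src", "audio": "src", "video": "src",
    "source": "src", "form": "action",
}
# Loads browsers refuse outright when the page is HTTPS ("blockable" mixed content).
# Images and media are auto-upgraded or shown with a warning; forms posting to
# http:// draw a "not secure" warning rather than a block.
BLOCKABLE = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, "blocked" | "warning")

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # <link> only fetches a subresource for stylesheets; rel=canonical etc. is harmless.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        raw = a.get(attr)
        if not raw:
            return
        # Resolve relative and protocol-relative (//host/x) URLs against the HTTPS page;
        # only an explicit http: scheme survives as mixed content.
        resolved = urljoin(self.page_url, raw)
        if urlsplit(resolved).scheme != "http":
            return
        severity = "blocked" if tag in BLOCKABLE else "warning"
        self.findings.append((tag, resolved, severity))


def scan_html(html, page_url="https://www.example.invalid/forum/"):
    """Return [(tag, url, severity)] for every http:// subresource in the page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a typical forum head/body after a naive HTTPS switch.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/forum.css">
<link rel="canonical" href="http://www.example.invalid/forum/">
<script src="//ads.example.invalid/tag.js"></script>
<script src="http://www.example.invalid/js/editor.js"></script>
</head><body>
<img src="http://i.example.invalid/avatar.png">
<img src="/images/logo.png">
<iframe src="https://maps.example.invalid/embed"></iframe>
<form action="http://www.example.invalid/login.php" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    for tag, url, severity in scan_html(SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
```

Anything reported as "blocked" breaks the page outright (the editor script and the stylesheet in the sample); the "warning" items degrade the padlock. The usual fixes are to rewrite the URL to https:// or to a protocol-relative `//host/path` form, which the scanner already treats as safe, and to re-run it until the list is empty.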

RileyD

Member
Joined
Feb 28, 2017
Messages
31
Location
New Hampshire
Yes, IAP is an unsecured site.

Les

That project is underway, but I wanted to wait until after the bash. I've been working some long days, so it hasn't happened yet. We also have a few things installed that are going to break with https, and I want to make sure I am able to fix them quickly.

Since we don't process any financial transactions, I don't think it's critical, but I agree it's annoying to see the box pop up and tell you.


If you need help testing, let me know. I can at least write up bug reports.
 
Joined
Sep 22, 2015
Messages
115
Location
Lathrop, CA
This SSL thing is a real PITA.

I control about 200 servers with various applications on them, and many of the applications are so old that they do not support the only version of SSL that is allowed by the standards now (all of my servers are behind at least 6 firewalls and have no internet access). However, our security team is ready to hit the kill switch on these servers, and we are constantly having to remind them and the executive team of the possible financial impact if the servers were powered off.

All I can say is keep up the good work, and if you have a test server that you are doing everything on, look into the Qualys web server scan to help keep you ahead of the curve in the future when it comes to security and vulnerabilities (for some reason many companies treat these Qualys scans as the be-all and end-all of vulnerabilities).
 