[Technology] NSC "not secure"

Bozza · Oct 26, 2018

Nottseagull said:
Are you being sarcastic? I need to know because if not, I need to switch to different device.

Yes, I am being sarcastic.

Sorry - I'm very busy with work, so I'll be brief - please don't take it as I'm being rude...

NSC is no less secure than it has ever been. The padlock / insecure thing merely states that the site is not running in HTTPS mode, which secures the data from your browser to the server in both directions. NSC has never run in this mode.

Google, in their self-appointed role as policeman of the internet, decided all sites should run in this mode and they now alert users if sites do not. Some other browsers have done likewise.

This means many sites that really do not need this level of protection, as you exchange no data with them at all, run under HTTPS.

However, in order to follow considered best practice, I fully intend to implement HTTPS on NSC, it's just.a matter of finding the time to do so, along with a whole heap of other things I need to do, as per the current sticky, which I'm leaving in place to shame me into action at some point.

NSC does run on vBulletin 4 which is old technology, but so do thousands and thousands of forums worldwide. I've always kept the site patched up with latest security releases for the software that sits behind it. I wouldn't trust vBulletin with my banking transactions, but for posting bollocks about football, it does just fine.

It is a medium-term aim to look at other alternatives - Xenforo would be the most likely destination - but that's a serious piece of work given the huge amounts of data that exist on here now.

Bozza · Oct 26, 2018

dadams2k11 said:
I don't mind having a snoop and finding the vulnerabilities if I have the permission [MENTION=6886]Bozza[/MENTION]?

Fill your boots.

father_and_son · Oct 26, 2018

Bozza said:
NSC does run on vBulletin 4 which is old technology, but so do thousands and thousands of forums worldwide. I've always kept the site patched up with latest security releases for the software that sits behind it. I wouldn't trust vBulletin with my banking transactions, but for posting bollocks about football, it does just fine.

How very dare you!

We do not post bollocks about football... we post insightful and technically accurate information and opinion about football. We post bollocks about everything else.

Albalbion · Oct 26, 2018

Bold Seagull said:
I thought the recent film about them getting it made was excellent with John Sessions doing a brilliant Arthur Lowe. That's just one of those timeless comic lines.

I sqw this! Thought it was brilliant!

Superphil · Oct 26, 2018

It's all about Google trying to own the internet. Millions of people don't use Chrome, and Google doesn't like this. Millions of sites don't have HTTPS, I understand those using browsers other than Chrome don't get this message.

Edit, just checked on Edge and Explorer, no security messages.

Audax · Oct 26, 2018

Bozza said:
Yes, I am being sarcastic.

And I probably deserved it, too

. Full disclosure here: I work for a company where https is absolutely required, and security is of paramount importance. Including on our forums, even though the forums themselves don't carry any more sensitive data than this forum does. So I'm probably more sensitive to this than maybe I should be. Having said that, though, you'd be surprised at exactly what an attacker can do with an insecure site. For example, without https being available I absolutely *will not* visit NSC when connected to a public wifi, as the lack of encryption exposes a risk of a man-in-the-middle attack.

It is worth keeping in mind that sites like this can (and have in the past) be used as sources for information. Look up "Credential Stuffing" as a concept - in a nutshell, it's essentially where data obtained from insecure site A is then used to target more-secure site B. Site B itself is often only a target as a stepping stone on to another target (for example, if you can compromise someone's mobile phone account, you can then in some cases compromise their two factor auth for banks who allow that to be done via SMS codes).

I honestly don't think NSC does hold anything that could lead to compromising accounts on other sites, however it does still hold data about us as individuals, and what we do on this site, and that data should be kept as secure as possible.

Bozza said:
It is a medium-term aim to look at other alternatives - Xenforo would be the most likely destination - but that's a serious piece of work given the huge amounts of data that exist on here now.

I'd recommend taking a very serious look at whether the open source (free) version of Vanilla will meet your needs. It's a strong platform, with a strong plugins community behind it. And I know that it is routinely security checked and kept updated. As much as vB 4 still receives security patches, it's an absolute dinosaur piece of software and new attack vectors are being found for it constantly.

Stat Brother · Oct 26, 2018

father_and_son said:
How very dare you!

We do not post bollocks about football... we post insightful and technically accurate information and opinion about football. We post bollocks about everything else.

Wait...what... this is a football forum.

Oh wow I got that very wrong.

Guy Fawkes · Oct 26, 2018

Stat Brother said:
Wait...what... this is a football forum.

Oh wow I got that very wrong.

Yes it is, haven't you seen the threads on the NFL?

Got something to say or just want fewer pesky ads? Join us... 😊

[Technology] NSC "not secure"

More options

Bozza

You can change this

Bozza

You can change this

father_and_son

Well-known member

Albalbion

Well-known member

Superphil

Dismember

Audax

Boing boing boing...

Stat Brother

Well-known member

Guy Fawkes

The voice of treason

Share this page

Forum statistics

Online statistics

Newest members

Share this page