A more secure STF

Wear your anorak proudly here! The place to discuss website & forum developments, administration, wish-lists, bugs, abuse etc

Moderator: frenzarin

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

A more secure STF

Post by admin » 19 Nov 2014 15:54

You will have gathered from the Snowden revelations et al that all internet communications are being systematically trawled by security services within and without the law without warrant or oversight. This has compromised the details of perfectly innocent people without cause.

Historically most web browsing transmission has been done in plain text. The main exceptions were 'secure transactions' with banks and online merchants when credit card and other sensitive details were encrypted before being exchanged. Otherwise anybody between you and the webserver could easily read what was being transmitted including usernames and passwords.

The outcry has resulted in a shift by the major providers to encrypting all their transmissions with you. You may have noticed that Google address bar, for example, now reads https://google.co.uk with a green lock (depending on your browser) instead of the simple http://google.co.uk.

Today STF offers the option of identical secure transmission. Just click the green padlock that appears at the top of the page next to TOWN FORUM in the menu bar. That will shift you to the secure STF website.

Don't do this if you are running an old version of Internet Explorer on Windows XP or similar. Microsoft refuse to support this facility on their old machines for servers, like ours, using SNI. You will get horrible red warnings. If you do have an old PC please plan to move to a more secure browser and operating system soon if you wish to continue browsing the world wide web safely. At present you are doing the net equivalent of the ton on a motorbike without a helmet!

Many more websites will go secure from next summer onwards when free and easy encryption becomes available for website operators from https://www.letsencrypt.org/. We will probably make secure connection mandatory around that time too.

Admin

Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. » 19 Nov 2014 16:05

I normally have mine on responsive blue, this doesn't seem to have the padlock, although I can see it on others, how do I get it to stay on the classic or whichever is the best one?

Not sure I have made sense? :lol:

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 19 Nov 2014 17:13

Responsive Blue & Responsive Green both now have the padlock secure option. Classic & Basic is for the chop soon so that won't get done.

You are a hard taskmistress Annie :)

Admin

Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. » 19 Nov 2014 18:17

Thank you :lol:
However, I have the padlock against the Town Forum in the headings, but not in (my god knows what you call it) - Search Bar?

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 19 Nov 2014 18:33

The padlock in the menu is the way to get to the secure site - it's the address bar (https://syd.....) which indicates you have arrived. If in doubt click on the padlock.

I agree it isn't very intuitive. It's a bodge because the 4% with XP using IE8 or earlier can't handle this mode of working, otherwise I would just default to https and it would be easier and secure for everyone.

Admin

Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. » 19 Nov 2014 18:43

Keh? :lol:

Ok, I'll just click the padlock, I don't understand the rest!

mosy
Posts: 3809
Joined: 21 Sep 2007 20:28
Location: London

Re: A more secure STF

Post by mosy » 19 Nov 2014 23:25

I'm confused. As it's a public forum, so anything we write is in any case public knowledge, as also are our computer details easily/openly found, so what does the encryption protect?

Does it protect our personal registration details, held by you?
Does it keep our private messages private?

I suppose if someone could hack my password, they'd get access to my above two personal items. Does this mean By George she's got it, i.e. that using https keeps our password safe and all data "behind" it?

Incidentally, I'm using Responsive Grey and can see the green padlock clearly :)

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 19 Nov 2014 23:45

Mosy,

Probably the most important is the protection of your username and password. Without encryption it is relatively simple for anyone between you and our server to intercept them. This includes your ISP and any public wifi operator you may use.

Many people use the same password across many services. These may include PayPal or eBay which are valuable accounts to take over. (BTW your password is encrypted on our server so I can't discover it).

Finally encryption protects you from 'man in the middle' attacks. Yep, I know that's a bit sexist so I will leave you to Google the details.

Admin

Rachael
Posts: 2420
Joined: 23 Jan 2010 13:42
Location: Sydenham / Forest Hill Intersection

Re: A more secure STF

Post by Rachael » 20 Nov 2014 07:11

I have clicked on the green padlock and see the grey padlock in my address / search bar when on the board index, when viewing the new posts lists, and on this page as I'm writing this post, but not when I am viewing a thread.

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 20 Nov 2014 09:31

Rachael,

I'm not seeing that. What I do see is if you go to a thread that contains an image from another (insecure) site then the padlock on, say, Chrome will turn grey indicating the presence of insecure content but the page stays at https://. Does this explain it? If not can you give me a sequence to see the issue?

Also if you follow, say, one of Tim's links to another thread then he will probably have referenced the http:// version so you lose the security. I can force this back to secure but only at the cost of red flagging users with vintage browsers. I may have to grit my teeth and do that.

Hence can I ask people to try the secure version and report back any redflagging with this information:

1) OS (Windows XP ....)
2) Browser (Internet Explorer 8 ...)

Any input welcome.

Admin
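
An added example, not part of the original post or the forum's own code: a sketch of how stored post HTML could be audited for the two cases described above, subresources such as images loaded over http:// (which grey the padlock) and links back to the forum's own http:// address. The hostname `forum.example.org` and the sample post are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

FORUM_HOST = "forum.example.org"  # assumed placeholder, not the real site

# Tags whose src attribute makes the browser fetch a subresource.
SUBRESOURCE_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

class PostAuditor(HTMLParser):
    """Collects (kind, tag, url) findings from one post's HTML."""
    def __init__(self, forum_host):
        super().__init__()
        self.forum_host = forum_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_TAGS:
            url = attrs.get("src") or ""
            # Plain-http subresource on an https page: mixed content.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append(("mixed-content", tag, url))
        elif tag == "a":
            url = attrs.get("href") or ""
            parts = urlsplit(url)
            # Link to our own site over http: following it leaves https.
            if parts.scheme.lower() == "http" and parts.hostname == self.forum_host:
                self.findings.append(("http-self-link", tag, url))

def audit_post(html, forum_host=FORUM_HOST):
    auditor = PostAuditor(forum_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def upgrade_self_link(url, forum_host=FORUM_HOST):
    """Rewrite an http:// link to the forum itself as https://; leave others alone."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname == forum_host.lower():
        return urlunsplit(parts._replace(scheme="https"))
    return url

# Constructed sample post for illustration.
SAMPLE_POST = (
    '<p>See <a href="http://forum.example.org/viewtopic.php?t=42">this thread</a> '
    'and <a href="http://other.example.net/page">this site</a>.</p>'
    '<img src="http://images.example.net/high-street.jpg" alt="photo">'
    '<img src="https://forum.example.org/images/smilies/lol.gif" alt=":lol:">'
)

if __name__ == "__main__":
    for finding in audit_post(SAMPLE_POST):
        print(finding)
```
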

Rachael
Posts: 2420
Joined: 23 Jan 2010 13:42
Location: Sydenham / Forest Hill Intersection

Re: A more secure STF

Post by Rachael » 20 Nov 2014 09:51

Okay, I've looked into this a bit closer. I'm using Safari and it seems to be an oddity in how it displays the page address. Sometimes the little grey padlock disappears from the address / search box, but if I click on the page address to view it in detail (Safari doesn't show this as default. For example, wherever I am in this website, the address bar just shows 'sydenham.org.uk', but if I select that, I get the full address for the specific page I'm on.) the address still starts with https so is still secure.

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 20 Nov 2014 10:24

Oh good. Nothing to worry about there then.

I've been thinking about this overnight and have pretty much decided that from April 1st 2015 STF & ST will only support SNI compliant browsers. That is ALL modern browsers. The main issue is with folks using Internet Explorer 8 or earlier on Windows XP or earlier. That's around 4% of users. However, IE8 users on Windows 7 are OK as are Chrome and Firefox users on XP.

A list of SNI compliant browsers which XP/IE8 users can upgrade to can be found here: http://en.wikipedia.org/wiki/Server_Nam ... ers.5B6.5D

The April 1st date represents the anniversary of when Microsoft dropped support for XP/IE8 and would have given a 12 month grace to move to a safe place. Indeed it might be a public service to disrupt their browsing experience to encourage them to belatedly rejoin this millennium.

This includes Lewisham Council whose last budget cut presentation at the Sydenham Assembly was given on XP kit. Are they paying Microsoft ransomware for extended support? Or exposing our vital IT services to the risk of doing the same to our Russian mafia friends exploiting the published unpatched vulnerabilities?

I think we should know.

Admin

EDIT: April 1st has been brought forward to January 2nd.

JRobinson
Posts: 1102
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson » 21 Nov 2014 17:07

I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013! (we're still on MS office 2003).
I do get a certificate error when I attempt to go to the secure site, but if I click through (which is not recommended by MS) then I do get to the secure forum

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 21 Nov 2014 17:55

JRobinson wrote: I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013!

The mind boggles! Do they actually forbid you from using a safer, faster and better browser (Chrome or Firefox)?
Are they hoping to complete the transition before April 1st when MS hike their XP ransomware prices even more?

Not a good way to spend council taxpayers' money when services are being cut. Especially as they should be planning the Win10 upgrade which is just around the corner unless they are thinking about going open source.

Admin

JRobinson
Posts: 1102
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson » 26 Nov 2014 11:13

Go live date is Dec 8th.
It is something that has been planned for at least 2 years - there are lots of back office systems that are old, and bespoke, and still need to all talk to each other in the correct way...
Google Chrome is available on request, with a supporting business case!

The whole thing should save (a vast amount of) money in the future. Faster upgrades done only once on a server, less frequent desktop hardware upgrades, better licensing control, etc, etc.

Tim Lund
Posts: 6667
Joined: 13 Mar 2008 18:10
Location: Silverdale

Re: A more secure STF

Post by Tim Lund » 26 Nov 2014 13:33

admin wrote:
JRobinson wrote: I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013!
The mind boggles! Do they actually forbid you from using a safer, faster and better browser (Chrome or Firefox)?
Are they hoping to complete the transition before April 1st when MS hike their XP ransomware prices even more?

Not a good way to spend council taxpayers' money when services are being cut. Especially as they should be planning the Win10 upgrade which is just around the corner unless they are thinking about going open source.

Admin

It happens in the private sector too!

JRobinson
Posts: 1102
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson » 27 Nov 2014 10:22

Because of the applications that I use, I now have a new laptop, running Win7, however it doesn't have some of the old software installed, so I had to log into the virtual server, and use the old XP virtual desktop to get me into the current system to access the documents that I require to do my job - jeez what a faff!

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 2 Jan 2015 14:32

Just to say today I have moved the whole forum to SSL - it should redirect automatically.

People with browsers that do not support secure SNI connections will have issues. This mainly affects IE8 and earlier Internet Explorer users on Windows XP or earlier. These are no longer supported. Users of these retired browsers should switch to Firefox or Chrome. Better still, move to a supported secure operating system.

I have also retired two old forum 'styles': Classic Desktop & Basic Mobile. These have been superseded by the current responsive styles which work on desktops, phones and tablets.

Admin

Robin Orton
Posts: 3185
Joined: 9 Sep 2008 07:30
Location: London SE26

Re: A more secure STF

Post by Robin Orton » 2 Jan 2015 17:26

Whenever I open a posting, I now get a little pop-up at the bottom of the page saying 'Only secure content is displayed' and am asked whether I want to 'show all content'. What's the right answer? Or, alternatively, can I make the pop-up not pop up?

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin » 2 Jan 2015 20:29

Robin,

This is a function of the browser you are using and a setting thereof. The simple answer is 'yes'. The pages delivered from STF are secure. However, other stuff such as images may come from elsewhere and are not encrypted, hence the warning. Nothing to worry about.

What OS/browser are you using?

Admin
