A more secure STF

Wear your anorak proudly here! The place to discuss website & forum developments, administration, wish-lists, bugs, abuse etc
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

A more secure STF

Post by admin »

You will have gathered from the Snowden revelations et al that all internet communications are being systematically trawled by security services within and without the law without warrant or oversight. This has compromised the details of perfectly innocent people without cause.

Historically most web browsing transmission has been done in plain text. The main exception were 'secure transactions' with banks and online merchants when credit card and other sensitive details were encrypted before being exchanged. Otherwise anybody between you and the webserver could easily read what was being transmitted including usernames and passwords.

The outcry has resulted in a shift by the major providers to encrypting all their transmissions with you. You may have noticed that Google address bar, for example, now reads https://google.co.uk with a green lock (depending on your browser) instead of the simple http://google.co.uk.

Today STF offers the option of identical secure transmission. Just click the green padlock that appears at the top of the page next to TOWN FORUM in the menu bar. That will shift you to the secure STF website.

Don't do this if you are running an old version of Internet Explorer on Windows XP or similar. Microsoft refuse to support this facility on their old machines for servers, like ours, using SNI. You will get horrible red warnings. If you do have an old PC please plan to move to a more secure browser and operating system soon if you wish to continue browsing the world wide web safely. At present you are doing the net equivalent of the ton on a motorbike without a helmet!

Many more websites will go secure from next summer onwards when free and easy encryption becomes available for website operators from https://www.letsencrypt.org/. We will probably make secure connection mandatory around that time too.

Admin
Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. »

I normally have mine on responsive blue, this doesn't seem to have the padlock,although I can see it others, how do I get it to stay on the classic or whichever is the best one?

Not sure I have made sense? :lol:
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Responsive Blue & Responsive Green both now have the padlock secure option. Classic & Basic is for the chop soon so that won't get done.

You are a hard taskmistress Annie :)

Admin
Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. »

Thank you :lol:
However, I have the padlock against the Town Forum in the headings, but not in (my god knows what you call it ) - Search Bar?
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

The padlock in the menu is the way to get to the secure site - its the address bar (https://syd.....) which indicates you have arrived. If in doubt click on the padlock.

I agree it isn't very intuitive. Its a bodge because of the 4% with XP using IE8 or earlier can't handle this mode of working otherwise I would just default to https and it would be easier and secure for everyone.

Admin
Annie.
Posts: 2070
Joined: 11 May 2012 17:48

Re: A more secure STF

Post by Annie. »

Keh? :lol:

Ok, I,ll just click the padlock, I don't understand the rest!
mosy
Posts: 4111
Joined: 21 Sep 2007 20:28
Location: London

Re: A more secure STF

Post by mosy »

I'm confused. As it's a public forum, so anything we write is in any case public knowledge, as also are our computer details easily/openly found, so what does the encryption protect?

Does it protect our personal registration details, held by you?
Does it keep our private messages private?

I suppose if someone could hack my password, they'd get access to my above two personal items. Does this mean By George she's got it, i.e. that using https keeps our password safe and all data "behind" it?

Incidentally, I'm using Responsive Grey and can see the green padlock clearly :)
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Mosy,

Probably the most important protection of your username and password. Without encryption it is relatively simple for anyone between you and our server to intercept. This includes your ISP and any public wifi operator you may use.

Many people use the same password across many services. These may include PayPal or eBay which are valuable accounts to takeover. (BTW your password is encrypted on our server so I can't discover it).

Finally encryption protects you from 'man in the middle' attacks. Yep, I know that's a bit sexist so I will leave you to Google the details.

Admin
Rachael
Posts: 2455
Joined: 23 Jan 2010 13:42
Location: Sydenham / Forest Hill Intersection

Re: A more secure STF

Post by Rachael »

I have clicked on the green padlock and see the grey padlock in my address / search bar when on the board index, when viewing the new posts lists, and on this page as I'm writing this post, but not when I am viewing a thread.
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Rachael,

I'm not seeing that. What i do see is if you go to a thread that contains an image from another (insecure) site then the padlock on, say, Chrome will turn grey indicating the presence of insecure content but the page stays at https://. Does this explain it? If not can you give me a sequence to see the issue?

Also if you follow, say, one of Tim's link to another thread then he will probably have referenced the http:// version so you lose the security. I can force this back to secure but only at the cost of red flagging users with vintage browsers. I may have to grit my teeth and do that.

Hence can I ask people to try the secure version and report back any redflagging with this information:

1) OS (Windows XP ....)
2) Browser (Internet Explorer 8 ...)

Any input welcome.

Admin
Rachael
Posts: 2455
Joined: 23 Jan 2010 13:42
Location: Sydenham / Forest Hill Intersection

Re: A more secure STF

Post by Rachael »

Okay, I've looked into this a bit closer. I'm using Safari and it seems to be an oddity in how it displays the page address. Sometimes the little grey padlock disappears from the address / search box, but if I click on the page address to view it in detail (Safari doesn't show this as default. For example, wherever I am in this website, the address bar just shows 'sydenham.org.uk', but if I select that, I get the full address for the specific page I'm on.) the address still starts with https so is still secure.
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Oh good. Nothing to worry about there then.

I've been thinking about this overnight and have pretty much decided that from April 1st 2015 STF & ST will only support SNI compliant browsers. That is ALL modern browsers. The main issue is with folks using Internet Explorer 8 or earlier on Windows XP or earlier. That's around 4% of users. However, IE8 users on Windows 7 are OK as are Chrome and Firefox users on XP.

A list of SNI compliant browsers which XP/IE8 users can upgrade to can be found here: http://en.wikipedia.org/wiki/Server_Nam ... ers.5B6.5D

The April 1st date represents the anniversary of when Microsoft dropped support for XP/IE8 and would have given a 12 month grace to move to a safe place. Indeed it might be a public service to disrupt their browsing experience to encourage them to belatedly rejoin this millennium.

This includes Lewisham Council whose last budget cut presentation at the Sydenham Assembly was given on XP kit. Are they paying Microsoft ransomware for extended support? Or exposing our vital IT services to the risk of doing the same to our Russian mafia friends exploiting the published unpatched vulnerabilities?

I think we should know.

Admin

EDIT: April 1st has been brought forward to January 2nd.
JRobinson
Posts: 1104
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson »

I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013! (we're still on MS office 2003).
I do get a certificate error when I attempt to go to the secure sight, but if I click through (which is not recomended by MS) then I do get to the secure forum
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

JRobinson wrote:I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013!
The mind boggles! Do they actually forbid you from using a safer, faster and better browser (Chrome or Firefox)?
Are they hoping to complete the transition before April 1st when MS hike their XP ransomware prices even more?

Not a good way to spend council taxpayers' money when services are being cut. Especially as they should be planning the Win10 upgrade which is just around the corner unless they are thinking about going open source.

Admin
JRobinson
Posts: 1104
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson »

go live date is Dec 8th.
it is something that has been planned for at least 2 years - there are lots of back office systems that are old, and bespoke, and still need to all talk to each other in the correct way...
google Chrome is available on request, with a supporting business case!

the whole thing should save (a vast amount of) money in the future. faster upgrades done only once on a server, less frequent desktop hardware upgrades, better licencing control, etc, etc.
Tim Lund
Posts: 6718
Joined: 13 Mar 2008 18:10
Location: Silverdale

Re: A more secure STF

Post by Tim Lund »

admin wrote:
JRobinson wrote:I work for a London borough council, and we're still using IE8 and win XP (on laptops initially installed with Win7!)
we're in the process of going to virtual desktops (across the whole council) with upgrades to Win7, IE9, and MS Office 2013!
The mind boggles! Do they actually forbid you from using a safer, faster and better browser (Chrome or Firefox)?
Are they hoping to complete the transition before April 1st when MS hike their XP ransomware prices even more?

Not a good way to spend council taxpayers' money when services are being cut. Especially as they should be planning the Win10 upgrade which is just around the corner unless they are thinking about going open source.

Admin
It happens in the private sector too!
JRobinson
Posts: 1104
Joined: 5 Jan 2010 12:40
Location: De Frene Rd

Re: A more secure STF

Post by JRobinson »

because of the applications that I use, I now have a new laptop, running Win7, however it doesn't have some of the old software installed, so I had to log into the virtual server, and use the old XP virtual desktop to get me into the current system to access the documents that I require to do my job - jeez what a faff!
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Just to say today I have moved the whole forum to SSL - it should redirect automatically.

People with browsers that do not support secure SNI connections will have issues. This mainly effects IE8 and earlier Internet Explorer users on Windows XP or earlier. These are no longer supported. Users of these retired browsers should switch to Firefox or Chrome. Better still, move to a supported secure operating system.

I have also retired two old forum 'styles': Classic Desktop & Basic Mobile. These have been superseded by the current responsive styles which work on desktops, phones and tablets.

Admin
Robin Orton
Posts: 3380
Joined: 9 Sep 2008 07:30
Location: London SE26

Re: A more secure STF

Post by Robin Orton »

Whenever I open a posting, I now get a little pop-up at the bottom of the page saying 'Only secure content is displayed' and am asked whether I want to 'show all content'. What's the right answer? Or, alternatively, can I make the pop-up not pop up?
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: A more secure STF

Post by admin »

Robin,

This is a function of the browser you are using and a setting thereof. The simple answer is 'yes'. The pages delivered from STF are secure. However, other stuff such as images may come from elsewhere and are not encrypted, hence the warning. Nothing to worry about.

What OS/browser are you using?

Admin
Post Reply