Some pages of this websites forum don't use https

What am I supposed to do with this information? And why post it here?
 
I'm becoming a little weary of this sudden HTTPS adoration as of late to be honest. It's not as if the use of encryption suddenly makes things a whole lot safer per definition, nor does it imply that the usage of the regular (non-encrypted) http protocol suddenly means you're insecure (well... lol ;)).

More seriously: using HTTP doesn't automatically imply that security is at risk.
 
AFAIK, only some images or links are token from external sources that don't use HTTPS, not whole pages of the forum itself.
 
It's not as if the use of encryption suddenly makes things a whole lot safer per definition
When you're running everything encrypted, it helps keep out man-in-the-middle attacks and low hanging fruit like anything using PHP/Wordpress and the far too many easy access things for script kiddies. If someone wants to get you, they're going to get you, but that's not most of us.
 
When you're running everything encrypted, it helps keep out man-in-the-middle attacks
Except that it doesn't. Because faking a certificate isn't rocket science. For example, already in 2013 it got discovered that the French government used fake Google certificates to snoop in on traffic. And there are plenty of reports about rogue CA's which mistakenly (or willingly) gave out the wrong certificates, for example by not demanding that clients proof that they actually own the domain for which they wanted a certificate.

Also: you do realize that it's not exactly hard to get a client (or software product, some refuse to use a centralize certificate store) to trust a certain certificate, right?

All this pushing for encryption does is create a false sense of safety. The website data is encrypted, so everything is safe. Yet... it's not.
 
You're talking about bad cert suppliers and not TLS or https and those suppliers were not ones any responsible site would use and I'm sure they are no longer in that business. Clients deciding to trust any one also is not a fault of ssl or certs. Not giving proof of ownership is an issue for one not using known suppliers but I'm betting your browser never trusted then anyway

On my phone so can't check your French link but as I said if someone with the means wants to get you they will no matter what you do
 
Https is certainly a convenience and encryption a necessity for security, but note that it is the system, libraries, and software around it that gets hacked.
 
Https is certainly a convenience and encryption a necessity for security, but note that it is the system, libraries, and software around it that gets hacked.

If I click on Datapanic's last url, I WILL find manufactured certs bouncing around me (but not from that site)!

Except for the certs (always assuming they're compromised on any site is the only stone-wall option) - the known encryption hacks are done on the handshake or digest protocols. The unknown ones ... maybe not!
 
Back
Top