PFA connection not secure?


This is just part of a general push across the Internet to have all websites use the encrypted https protocol which is seen as being more secure than the plain http style.

The various browser software companies have indicated that they will be increasingly focusing attention on non-https sites over time in a campaign to get website owners to change things over. "Not secure" is more about grabbing your attention; sites running http are no less secure than they have been for the last 20 years.


Fair enough...I think I'll just make a specific password for PFA to be safe.

Without nerding out too much - if you are using email / passwords across many sites, you are asking for trouble. It's like getting all your car, house, shed, business keys cut the same. Steal one set and you have access to everything. This is a massive problem and all the encryption in the world means nothing if you share passwords.

So in a forum site like this the risk is low - about the worst that can happen is someone hijacks your identity, but it can still be used for fraud etc. E.g. I steal your identity and sell 'your' car on the forum, send money to acct num xxxxx - using your reputation for fair dealings etc.

There is a site an Aussie security guy put together, http://haveibeenpwned.com/ - you enter your email address and it will tell you how many times that email has been in sites that were compromised. This means that whatever email address/password combination you entered into that site is now essentially in the public domain. People break into sites, download all the usernames/passwords, decrypt them and post the results online, mainly for bragging rights. Try going there and see if your main email has been already compromised by a site somewhere.

I urge people to go through the process of signing up for a password service like LastPass or 1Password - you create a master password (which you guard carefully) and they will remember all your other passwords for you. Install the browser extension and it puts the passwords in so you don't have to remember them - you can then make sure the passwords are more secure and less susceptible to a 'dictionary' attack where you just throw lots of word combinations until one sticks. How many of you have Porsche911 as a password!?

Getting back to https for this site - all that does is secure the communications between your computer/tablet and the PFA server, so that anyone snooping on the line sees gibberish instead of the actual requests (i.e. doesn't see username/password, but sees random text). It doesn't make the back end of the site any more secure; that depends on our illustrious host to make sure all the gaps are plugged and everything is up to date. Google etc. are pushing for it mainly because phishing is such an issue, where people spoof the identity of a site and trick people into giving up their logins by sending them a link to a legit-looking but fake site. If everyone has secure certificates for their site it makes phishing easier to detect because the one thing the fake sites can't do is mimic the secure certificates of a site.

Happy to answer questions if people have them... this is a big issue with everything being done online nowadays.


Archived

This topic is now archived and is closed to further replies.
