No https, but password?

question

#1

Hello,
I like Armory3D!

What I don’t like is the sign up process with password but without encryption.
Normally I use one secure password for all my logins. But here my password would be exploited.

Please change this.


#2

Yes, come to think of it, since letsencrypt.org has allowed “https:” web-sites to be procured at no cost whatsoever, the owners of this site should indeed, without delay, make this move.


#3

@BlenderViza - Yes, Armory3d.org should be using https. Tough love time here, though, and please keep in mind I’m only trying to help… If you’re using the same password everywhere, then that password most certainly is not secure in the slightest, even with https.

When there’s a security breach on one website, the first thing nefarious people do is to try and use the same email address and password to log in to other websites. If they get into your email, they’ll typically then try to reset all your other passwords.

Different websites, including the largest sites out there using https, have data breaches all the time. If your password hasn’t been part of one of them yet, it’s only a matter of time. Making sure every website is using https won’t stop it.

If you just want to use one password, then use a password manager that creates long, random passwords for every site, and only use your password to log in to that, preferably using 2 factor authentication wherever you can. Then when a site you use inevitably has a breach, you just change the password to that one site in your password manager. Some password managers like 1password will even tell you when one of your sites has a known breach, and recommend you update it.

Anyway, to reiterate, I completely agree with you that this site should use https. Just be under no illusion that it will protect you if you use the same password everywhere. Security depends on far more than an ssl certificate.


#4

If you read the letsencrypt site, among their justifications – in addition to privacy – is that TLS/SSL provides a way for you to know that the site which you are communicating with, probably is the site that you think it is!

This is an important consideration, whether or not the content of the site is in any way “confidential.”

Criminals like to find a way to “hijack” the DNS domain-name resolution system to redirect traffic to a “clone” of a legitimate site. Crypto security can foil this scheme. As the designers intended, https is now very quickly becoming “the new normal.”


#5

@blenderviza For the password transparency issue, I actually just log in with GitHub. That means that I’m not sending any passwords over HTTP because GitHub uses HTTPS.

Still, I definitely agree that all production sites should be served over HTTPS. @MikeRobinson is right about LetsEncrypt, they are an amazing service that I use for all of my production sites. With HTTPS certificates, though, comes the need to renew them every few months, which, if not automated, will be an administrative burden.

All my sites run in Docker, and the certificate generation is completely automatic and handled by my Træfik load balancer. You can also automate certificate renewal without Træfik, if you’re not using Docker for your apps, using acme.sh.

@lubos If you want you could employ me through my organization, Katharos Technology, to setup HTTPS for you on your server.
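
As an added illustration of the Docker setup described in the post above (this is example configuration, not the poster's or the Armory project's own files), here is a Docker Compose service definition in which Traefik v2 terminates TLS, obtains certificates from Let's Encrypt and renews them on its own; the hostname, contact e-mail and application image are placeholders.

```yaml
# docker-compose.yml (constructed example): Traefik v2 in front of a web app,
# with automatic Let's Encrypt issuance and renewal via the ACME TLS-ALPN-01 challenge.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect every plain-HTTP request to HTTPS so a login form is never submitted in clear.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # ACME resolver named "le": TLS-ALPN-01 needs only port 443, no DNS API credentials.
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=admin@example.org"   # placeholder address
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # acme.json holds the private keys; Traefik refuses to use it unless it is mode 600.
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  forum:
    image: forum-app:latest   # placeholder for the application image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.forum.rule=Host(`forum.example.org`)"   # placeholder hostname
      - "traefik.http.routers.forum.entrypoints=websecure"
      - "traefik.http.routers.forum.tls.certresolver=le"
      - "traefik.http.services.forum.loadbalancer.server.port=80"
```

Traefik renews the certificate before it expires without any cron job; the only operational check worth keeping is that `./letsencrypt/acme.json` exists with permissions 600 and is included in backups, since losing it just means a re-issuance but losing the host means the rate limits apply to the new one.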


#6

Message sent, thank you! :slight_smile: