TE website

Can the moderators "EXTEND" the timeout while logged into the TE website?? It seems if it is idle 10mins it logs me off...ridiculous!

Find more posts tagged with

Comments

Verities

YEAH! Can we get an SSL certificate too?

JockVSJock

Verities wrote: »

get an SSL certificate too?

Hear! Hear!

TheFORCE

We are not compliant!

hiddenknight821

VeriSign is overrated anyway. There are cheaper alternatives.

chrisone

If I pay for the SSL cert and maintain it , can I get god rights and part ownership of TE?

636-555-3226

I quadruple the vote for SSL. Let's do a Symantec SSL just for s***s & giggles. My https everywhere extension is bored with this site!

Mike7

hiddenknight821 wrote: »

VeriSign is overrated anyway. There are cheaper alternatives.

Yes on SSL. I can guide TE moderators on how to get recognised SSL certs for free.

DoubleNNs

Mike7 wrote: »

Yes on SSL. I can guide TE moderators on how to get recognised SSL certs for free.

How do you do that?

Mike7

DoubleNNs wrote: »

How do you do that?

A few legit ways, depending on how TE wants it.:D

rob42

With all due respect to the views of other members, I'd be interested to learn the need for SSL on this site?

rob42

shochan wrote: »

Can the moderators "EXTEND" the timeout while logged into the TE website?? It seems if it is idle 10mins it logs me off...ridiculous!

I'm not so sure that this is anything to do with the TE site, but more to do with a local setting issue. My reasoning is, I've never been logged out by this site, no matter how long the idle time.

It sounds like a session cookie issue to me. My banking site will kick me out after a short idle time, and with good reason. Do you use any kind of cookie manager/blocker?

OctalDump

rob42 wrote: »

With all due respect to the views of other members, I'd be interested to learn the need for SSL on this site?

I assume that they are suggesting that TLS/SSL should be used for the login to prevent sniffing of passwords. I think it also provides some protection against session hijacking.

Given how old and creaky this website is, I wonder how many known vulnerabilities it might have.

thomas_

Let's Encrypt offers free 90-day https certs that you can keep on renewing. As for why, unless you like your login details transiting the internet unencrypted, then that's a pretty good reason right there.

rob42

I understand the implied security risks, but on a site like this, first off, what real risk is there? It's not as if we're exchanging details that could undermine either our financial or our personal security. And if people are uninformed enough to use the same login details on here as they do elsewhere, well, more fool them.

Mike7

The bad guys can impersonate your account to post things and get you banned.
HTTPS sites also rank higher in Google search results.

thomas_

What do you consider "login details"? Just the password or password and email? Do you use a unique email address for every website that you have ever signed up for? If not, then they could login and get your email address and then potentially use that to find out more information about you, which could lead to a compromise of your financial or personal security.

NetworkNewb

thomas_ wrote: »

Do you use a unique email address for every website that you have ever signed up for?

Pretty that is most secure way, don't want to have the same login username or accounts used for multiple websites. So yes of course that is what we all do.

rob42

All I can tell you is that I believe that the system I use (for logging into different sites) is as secure a system as I can make it. And, no, I don't use the same email address for different websites. To give away too much detail, on an open forum, about how I do things would be stupid of me.

Maybe this site should have a secure connection, maybe not. I live by many different philosophies, one of which is "When everyone is thinking the same, no one is thinking." ~ John Wooden.

I'm not dissing the idea, I'm just wondering if it's really a necessity.

rob42

https://security.stackexchange.com/questions/65936/downsides-to-using-https

TheFORCE

rob42 wrote: »

All I can tell you is that I believe that the system I use (for logging into different sites) is as secure a system as I can make it. And, no, I don't use the same email address for different websites. To give away too much detail, on an open forum, about how I do things would be stupid of me.

Maybe this site should have a secure connection, maybe not. I live by many different philosophies, one of which is "When everyone is thinking the same, no one is thinking." ~ John Wooden.

I'm not dissing the idea, I'm just wondering if it's really a necessity.

The average online user has 90 different accounts, IT people maybe more, you have 90 different email addresses? There was a saying that Steve Jobs would say to his team, in order for something to look simple, it has to be complex in the back end. Your method is not simple in anyway, it is complex and inefficient to maintain.

What would you rather do, have 100 different accounts in 100 different site with 100 different emails to maintain or have 1 email address associated with 100 different accounts and put the necessary controls for security. Not to mention, a lot of the sites these days ask you for phone numbers and backup email addresses.

There is a reason why SAML and Federated Identity Services came to be, it is easy to maintain, more secure and very friendly to the end user as they provide ease of use, even though they are very complex in the back end. Give it a few more years and you will be logging to all your sites through such services if you are not already doing so.

It surprises me that in a forum that deals with technology we still think that we have nothing to protect.

rob42

Given the breaches of security that happen, that is organisations being careless with the details that are held on there servers with regard to customer email addresses, I'm surprised that anyone with any tech savvy would even think about having one email address for everything.

Which is easier...

1. Hitting one target

2. Hitting 100 targets

If you organise things in the right way it matters not how many different logins you have. Maintenance: zero.

SAML has its own issues and is a system waiting to be exploited.

I'm not trying to pick a fight, I'm just offering a different point of view, bud'

TheFORCE

No fighting man, we just exchanging opinions lol. But to your example, which is easier to use and maintain, 1 account or 100 accounts. When it comes to org level, trust me management do care how many different logins a user has. I've worked on project to reduce this and the drivers were not the fact that users have to remember 100 different accounts, but that IT had to spend huge amount of resources, helpdesk people, overtime, weekend hours etc to maintain those 100 different accounts per employee, as you scale up, you notice more and more the pitfalls of having so many different accounts.
Anyway, a system can be secure, like yours, but it is not efficient because it doesnt scale well, other systems might be efficient but not secure, in the latter, organization would rather make an already efficient system more secure but not to the extend of reducing the already agreed level of efficiency.

JDMurray

TheFORCE wrote: »

The average online user has 90 different accounts, IT people maybe more, you have 90 different email addresses?

I looked into doing this for myself using several different email services, one email account per Web site, each account with an unrelated (random) name, having all the email accounts forward to a single email account (Gmail) for management, and using a password manager (LastPass) to handle the authentication details of each site. It turned out to be a lot more work--and less than a perfect solution--than I had hoped.

Automating this authentication anonymization method is a feature that I would expect to see appearing in an online password manager someday.

rob42

TheFORCE wrote: »

No fighting man, we just exchanging opinions lol. But to your example, which is easier to use and maintain, 1 account or 100 accounts. When it comes to org level, trust me management do care how many different logins a user has. I've worked on project to reduce this and the drivers were not the fact that users have to remember 100 different accounts, but that IT had to spend huge amount of resources, helpdesk people, overtime, weekend hours etc to maintain those 100 different accounts per employee, as you scale up, you notice more and more the pitfalls of having so many different accounts.
Anyway, a system can be secure, like yours, but it is not efficient because it doesnt scale well, other systems might be efficient but not secure, in the latter, organization would rather make an already efficient system more secure but not to the extend of reducing the already agreed level of efficiency.

Cool dude...

I think we may be looking at this from different angles...

I'm talking about having 100 different logins for 100 different sites, not 100 different logins for one site (forgive me if this is not what you're implying). So if a site is compromised, it has a unique login sequence (both the email and the password) and as such that's the only site that's been compromised. If I were using the same email and/or password on all 100 sites, that's 100 sites that I'd need to go and change the details on -- way more hassle!

It's a good debate, b.t.w

TheFORCE

rob42 wrote: »

Cool dude...

I think we may be looking at this from different angles...

I'm talking about having 100 different logins for 100 different sites, not 100 different logins for one site (forgive me if this is not what you're implying). So if a site is compromised, it has a unique login sequence (both the email and the password) and as such that's the only site that's been compromised. If I were using the same email and/or password on all 100 sites, that's 100 sites that I'd need to go and change the details on -- way more hassle!

It's a good debate, b.t.w

So Rob everytime you sign up for a new service, you create a new email(that you have to maintain the password for) and then the login crednetials for the new service with the new password? You see where i am getting at? Your method adds a lot of maintenance effort on the end user. Organization are trying to get away from this because it is efficient and when things are efficient, the shareholders get more money back. Things are going on the direction of automation, do not get stuck doing things manually the old way.

As an example, in the old days(10 years ago lol). You had client-server applications with a unique ID and password. Organization had their own User Access management teams( Now called Identify and Access Management, a discipline within the Infosec world). These teams were usually, 8 or 10 people managing only user access for organization with 500 -1500 users, and probably to the range of 20+ for organization with 5k+ users. Then came SSO and AD integrated applications and these teams slowly reduced their numbers to 3-4 people as now the end user only had to manage 1 account password, their AD account, more recently federated identities. This again is helping reduce the man power and resources needed, because i now can login with my company email to my partners portal. If i am a hospital or a clinic and i deal with another clinic, and have federated services where there is trust, i take away the burden of my partners IT people of creating another account that they have to maintain for an external person. See how that helps? Besides if i am a clinic and i have 20 partners should my own IT team give me 20 different email accounts so i can register on my partners portals? That doesnt make sense, so i expect from my 20 partners to have their security controls and their SSL in place so i can register to their portal with my same email account that i use for all of them.

Your method even though it works, is only for personal user and is not efficient. Yes if one of your accounts gets compromised, your other 99 accounts will not, but you will continue to accumulate email account passwords + passwords for the new services. But if you have the right security in the 100 services you use, such as this site, then you would only need 1 email account and you can continue subscribing to new services without having to create new emails for them.

rob42

I respect your credentials, and yes, I do see what you're saying.

To tell you exactly how my system works, would compromise it, so I'm not going to do that, but trust me, it's low maintenance, for me.

If this site were to be compromise, the email that I've registered here is only good for this site. This means that even if the 'hacker' knows what other sites I use (which is in its self, unlikely) the email address (half of the puzzle) would be useless. Also, it would take me less than 5 mins to come up with a new login and the old login is simply scrapped: neither the email or the password would ever be used anywhere ever again (not by me anyway).

You see, I don't need a team to issue me with emails; I can do it myself. I don't work in an organisation where email addresses have to be issued to me. My system would not work in that situation, which is where you're coming from, right?

That's why I said that I think we're looking at this from different angles; both of which are valid (i.m.h.o).

Many large organisations have been under the impression that they "have the right security" and many have been "hacked" (I say "hacked", but even that phrase is very miss-used, particularly by the press, most of whom don't have a clue about the subject) and the email addresses of customers have been stolen. This would be a huge issue if I had the same email address for my bank, for my web host, for any one of the other on-line services I use, but I don't. So, the only account that can possible be (half) compromised is the one registered with "hacked" organisation.

wd40

interesting discussion,

I do it differently, I use different e-mails for sites of different importance levels.
One e-mail for e-banking, one for training, one for forums, one for sites that I really don't care for etc.

So you reduce the risk a bit and not add too much overhead.

Verities

I find it ironic that a forum that has a huge focus on security related certifications is lacking even the most basic security configuration for a web site. Especially when obtaining a certificate is dirt cheap, almost all browsers accept high ciphers (maybe not IE, but who still uses that?) and TLS 1.2+ protocols, performance connecting to the site is not a factor anymore (OK, maybe if you still use dial up its a factor), and providing basic encryption for sessions.

In any case, I don't think this will change the moderator's minds....sorry to OP for hijacking the thread.

JDMurray

You would be surprised how many older browsers that don't support HTTPS-only Websites are still used worldwide.

And the forum mods do not make site security policy decisions at TE.

Verities

JDMurray wrote: »

You would be surprised how many older browsers that don't support HTTPS-only Websites are still used worldwide.

And the forum mods do not make site security policy decisions at TE.

I would be interested to see a study behind how many people are still using browsers that don't support HTTPS (let's say any that haven't been updated in 10+ years?); I just tried searching for one and came up empty.

I use the term mods as an all encompassing term for those that make decisions around here; I know you're the owner of TE.