Raymond.cc Forum is now more secure - SSL Encryption in Forum Registration and Phone

[Swarup]

Secured websites such as PayPal or online banking websites uses SSL encryption to ensure secure transactions between web servers and browsers. The difference between a normal and an encrypted webpage is the additional S after HTTP which becomes HTTPS. Current version of web browsers has made a change where by when you visit a normal unencrypted webpage, it no longer shows the HTTP. Only when you visit a SSL encrypted page, the web browser will display the HTTPS together with either the lock icon (Internet Explorer and Google Chrome), or Site Identity Button (Firefox) or Security Badge (Opera).

It doesn’t mean that entering your login information on a SSL encrypted page is 100% safe because there is a technique called WEBMITM (web man-in-the-middle) where the attacker is able to steal your sensitive information. Basically the attack will only work if the attacker manage to connect to the same network as you either through wireless or LAN. So make sure you’ve set your wireless router to use WPA2 encryption with a non-dictionary word as password and use a VPN when you have to connect to public Wi-Fi. ...................................

I wouldn’t want to use HTTPS on the whole site because it is slower, consume more bandwidth and puts more load on the server. So the best option is to only use HTTPS on certain important pages such as the registration and phone verification page. This is easily done with a custom vBulletin plugin that hooks a couple of location.

The biggest problem that I went through was the mixed-content of HTTP and HTTPS on a secured page. Although that shouldn’t cause any problems but it triggers a warning message “Internet Explorer blocked this website from displaying content with security certificate error” without a pad lock icon. Opening the secure page with mixed content in Chrome shows a red crossed out HTTPS. Instead of giving people confidence with the SSL encryption, the errors may end up scaring the visitors away.


Phone verification page is secured with 2048 bit RSA/SHA encryption


Forum registration page is also secured and encrypted


................. I hope this update will provide everyone a more peace of mind when registering a new account in forum and performing a one-time phone verification. X-Ray will finally be released soon and am looking into code signing to guarantee to users that they are, in fact, running the code they believe they are running, and that the code was written by the individual or organization that the certificate was issued to. It is a good way to verify that the code being run has not been altered or corrupted, but the code signing process is pretty long and also expensive.


Read the full post here - http://www.raymond.cc/blog/archives/2011/11/08/ssl-encryption-in-forum-registration-and-phone-verification/

I think is a great move and it will keep your personal info mode secure. Guys what do you think about it ?

Thanks Ray.

[Raymond]

I've thought of this before but didn't really put an effort into it.
Thanks to leofelix for his suggestion which made me implement this.
Now I just have to think of where should I insert the seal on the forum and blog.

[tejaswi]

I thought I would give a try and see if https://www.raymond.cc/blog would work... and yes it did but the lay out was not normal and I got a prompt that said that I can always revert back to the non-secure version, i.e., the http://www.raymond.cc/blog version

I was just curious...

PS. I hate that Zombify yourself ad on this blog... It scares me...

Just kiddin...

[Raymond]

There is no point to use HTTPS on the blog as most of the time you'll be viewing content and not sending any sensitive information such as login/password.