Why HTTPS / SSL matters

[Hello_Goodbye]

A couple people have noticed that ECCIE does not provide HTTPS, but a lot of people don't seem to understand what that means. That means that, whenever you are in public and connected to a WIFI network, or anywhere you are connected to a WIFI network that other people are connected to also, anyone is free to jump into your ECCIE account to read your messages, edit your profile, anything. They become you.

Here's an example of me doing it to myself, and it took minimal effort.

[Whisk3yJack]

Https/SSL is very important and very easy to set up. I'm surprised it's not available. Everything we do is sent clear text and can be seen by anyone, interested enough to look.

[tandyscone]

Does that mean that you are going to quit using this site? Lots of people complain about the lack of https on this site, but most people keep using it (myself included). Given that the site has not implemented https in 7 years of existence, I doubt if it is going to be implemented unless people start leaving in droves.

[Guest010218]

Use of the latest versions of TLS/SSL would significantly increase overall security of eccie for both the web server and the users/clients. We need both strong authentication measures in place to identify who is accessing the system (variety of good reasons) and we need strong encryption measures to protect sensitive communications/messages.

Given greatly increased and emerging cyber security threats to exploit both web servers and users, eccie should perform a "cyber risk assessment" and to examine a variety of actions possible to mitigate risk. There are a number of actions that could be taken to enhance security and preclude the ability of unauthorized users and hackers from gaining access to sensitive transactions, messages and viewing of eccie users and staff.

Given the current state of the Internet, there is no need to wait for a precipitating security event at eccie for the administration to start down this path. I understand that eccie administration is reluctant to discuss these sensitive security matters with outsiders and users for valid business reasons; however, it would be reassuring if there was some management statement that eccie continues to assess risk and take prudent actions to protect systems, communications, user data and users from unauthorized users, misuse and attackers.

[tandyscone]

Quote:

Originally Posted by BugleBoy

I understand that eccie administration is reluctant to discuss these sensitive security matters with outsiders and users for valid business reasons; however, it would be reassuring if there was some management statement that eccie continues to assess risk and take prudent actions to protect systems, communications, user data and users from unauthorized users, misuse and attackers.

Wow! You are a lot less cynical than I am. I've always just figured the owners/management of Eccie just don't care about security. It is so easy to implement secure authorization and encrypted browsing the only reason I can imaging for not doing so is simply a lack of concern about it. At least this way, we don't have to worry about how well they have implemented security. We know that there is no security and can act accordingly.

[nmfreak]

Tor with a https_anywhere enabled browser works great, until a shared anonymous exit node IP is blocked by management.

[Unique_Carpenter]

None of that matters if a good IT tech is hunting.
But does anyone really think that a lot of effort is going to be put into an internet hunt for misdemeanor stuff?
Of course, if someone is being hunted for more than misdemeanors, then we're back to a good IT tech being involved.

[nmfreak]

I would still prefer to be generally anonymous, eg being able to use Tor. But alas, ECCIE is currently blocking Tor. Is there anyway to get Tor unblocked?

[Erotiquencounters]

Really the reason people give to unblock Tor are not problems for EECIE, it's the problem of the user, EECIE has to stay transparent, it doesn't want to be seem to be part of any conspiracy, they will protect your credit card and personal info, that's what CCBill is for, everything else you use at your own risk, they don't promise to help you hide your identity. that's up to you, beyond the simple common sense type protocols. I mean how much of the things that you do really amount to a hill of beans anyway to LE for a client, to divorce attorneys maybe a lot, but when you play games that for some have high rewards, except high risk.

also EECIE uses HTTPS in selected areas of the site, you really don't want to use it over a entire site particularly if your showing banners or running scripts being served from a third party server, you'll get those warnings about non secure content every time you load a page with that material on it.

[SATX_RJ]

Type https:// in front of the URL. The page will load with SSL if the site supports it. Just tried it on ECCIE and it works. Look guys. It's a bit paranoid to think someone wants in your ECCIE account. A hacker can get in no matter what even with SSL. There's tools to do it with like SSL strip. Also, the original poster who put the illustrations up, I have no idea what the hell that proves other than shows some IP addresses. Doesn't prove anyone can get into your account. The basic user doesn't have the savvy to do it and again requires hacking tools to steal the session requiring a man-in-the-middle attack. Even in plain text a basic user wouldn't know how to do this. Nothing to be paranoid about. Go jerk off and feel better about it!

[Geeky80]

i could have sworn i tried https a few months ago and it didn't work, but it is working now, except for it's a lot slower, and the search feature doesn't work.