Why doesn't this site use HSTS?

Discussion in 'Site Discussion' started by Rydenan, Jun 15, 2017.

  1. Rydenan

    Rydenan Member

    HTTP Strict Transport Security is a basic precaution, without which it would be trivially easy to steal user information from this site.
    What's more, the Google result for "FA Forums" directs to the HTTP site. Without HSTS, anyone who then logs in without manually switching over to the HTTPS protocol could have their credentials compromised and never be the wiser.
    I almost accidentally did that, which is what prompted me to make this thread.
     
    Hanklerfishy likes this.
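As an added example (not code from this thread, and not the forum's own software), the following Python checker parses a Strict-Transport-Security header the way a browser does and classifies a response as protected or not. It makes the point behind the first post concrete: a browser only honours HSTS after it has seen the header over HTTPS (or the host is on the preload list), so a site served over plain HTTP, or one that only sends the header on HTTP responses, leaves a visitor who follows an http:// link with no protection. The sample responses are constructed, and the one-year minimum is an assumption taken from the preload list's requirement.

```python
"""Classify HTTP responses by whether they carry a usable HSTS policy.

Added example; the sample responses below are constructed and do not
describe any real site. Directive names are matched case-insensitively
and unknown directives are ignored, as RFC 6797 specifies.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age for a "strong" policy


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when there is no valid max-age, because a browser would
    discard such a header entirely.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(scheme: str, headers: Dict[str, str]) -> str:
    """Return 'none', 'ignored', 'malformed', 'disabled', 'weak' or 'ok'."""
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return "none"            # no policy at all: http:// links stay http
    if scheme.lower() != "https":
        return "ignored"         # browsers drop HSTS seen over plain HTTP
    policy = parse_hsts(raw)
    if policy is None:
        return "malformed"
    if policy.max_age == 0:
        return "disabled"        # max-age=0 tells the browser to forget the host
    if policy.max_age < ONE_YEAR:
        return "weak"            # protection lapses soon after the last visit
    return "ok"


# Constructed sample responses: (scheme the response was served over, headers)
SAMPLE_RESPONSES = {
    "forum_over_http": ("http", {"Content-Type": "text/html"}),
    "header_on_http_only": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "short_max_age": ("https", {"Strict-Transport-Security": "max-age=3600"}),
    "good": ("https", {"Strict-Transport-Security":
                       "max-age=63072000; includeSubDomains; preload"}),
}


def assess_all() -> Dict[str, str]:
    """Classify every constructed sample response."""
    return {name: assess(scheme, hdrs) for name, (scheme, hdrs) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name:22s} -> {verdict}")
```

The "ignored" case is the one the first post is really about: a site can hold a valid certificate and even emit the header, but unless the visitor reaches an HTTPS page first, the browser has nothing to remember and the next http:// link from a search result is sent in the clear.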
  2. jayhusky

    jayhusky Well-Known Member

    The forums are "covered" under FA's SSL cert for HTTPS, but when they were set up, the option for HTTPS was never changed.
    As you may or may not know, this is the 3rd forum software the site has employed, but until such a time as they change it, you can use a plugin called HTTPS Everywhere to enforce HTTPS on the forums.

    However, I would recommend that if you do this, you disable it on the mainsite, A) because the mainsite enforces HTTPS as long as your account is in Full Security mode, and B) because there are bugs with the plugin and the mainsite which I have reported to the tech staff previously.
     
    Hanklerfishy and -AlphaLupi like this.
  3. -AlphaLupi

    -AlphaLupi The Fennec

    I second using HTTPS Everywhere. Great little plugin.
     
    Hanklerfishy likes this.
  4. jayhusky

    jayhusky Well-Known Member

    I should point out that the bug I have reported about the mainsite when using HTTPS Everywhere occurs mostly when using the site in "Relaxed Security Mode".

    So to summarise quickly.

    Use HTTPS Everywhere for the forums, but disable it on the mainsite.
    Switch your mainsite account from "Relaxed Security Mode" to "Full Security Mode"; not only does this enforce HTTPS on ALL pages, but it actually fixes a plethora of small bugs that crop up in the site. I know it sounds weird, but it's true.
     
  5. Rydenan

    Rydenan Member

    Thanks, I know about HTTPS Everywhere; I use it on most of my browsers. But I didn't make this thread because I was worried about myself. As of this moment, it's very easy for a FAF user who's not "in the know" on this stuff to send their credentials over an unencrypted connection. And, as I'm sure you know, there are any number of (very easy) ways to then steal that data.
     
  6. jayhusky

    jayhusky Well-Known Member

    Oh, I know, and I have asked before for the forums to be switched to HTTPS; I did get an "it is a planned event" response back, however.
     
  7. -AlphaLupi

    -AlphaLupi The Fennec

    I find it kinda humorous that the forums don't force HTTPS while the main site [can], yet the forums have 2-factor authentication while the main site doesn't ¯\_(ツ)_/¯
     
  8. Ketren

    Ketren Member

    Still waiting on my phone; it won't be long, hopefully. Then two-factor would be welcomed. I know, I'm a late adopter.
     