Topic: HTTPS for chumby.com and forum

Any plans to start using HTTPS to serve the login sections for chumby.com or the forum?  I just noticed Firefox scolding me for sending my password over an unencrypted link.  I could understand problems with the device using secure connections, but for user-visible parts, I think it would be pretty easy, especially with Let's Encrypt out there.

Re: HTTPS for chumby.com and forum

it's been there.

https://www.chumby.com/account/login

we just need to update the link on the main page.

thanks for the prompt.

on forum, just hit https://forum.chumby.com

Cleaning up any loose bits and bytes.

Re: HTTPS for chumby.com and forum

Sweet!

Re: HTTPS for chumby.com and forum

This will help you stay on HTTPS pages: https://www.eff.org/https-everywhere

Tar, feathers, congress. Some assembly required.

Re: HTTPS for chumby.com and forum

I've got to say, I just don't get the "https everywhere" push.

https everywhere it's warranted.... sure, but it's just a waste of computing power (on both ends) to be encrypting the weather forecast for transmission, or cat pictures... or well "everything".

Cleaning up any loose bits and bytes.

Re: HTTPS for chumby.com and forum

I understand it may not make sense to encrypt cat pictures and weather forecasts, but the point is more about making encryption the norm instead of a special case. Most people on the internet are not even aware of the "s" in https when they are on a secure site. Making https the norm helps protect those that don't know any better, which in the long run helps us all.

Tar, feathers, congress. Some assembly required.

Re: HTTPS for chumby.com and forum

There are also a lot of MITM attacks; your ISP can insert adverts on the page you're viewing.  Verizon have added tracking cookies to traffic through their network.  Attackers (e.g. at Starbucks) could insert malware into the web page you're looking at.  I wrote a blog post about this last year: https://www.sweharris.org/post/2016-05- … webserver/

Also https can be _quicker_ than http with modern browsers: https://www.troyhunt.com/i-wanna-go-fas … advantage/

Re: HTTPS for chumby.com and forum

These days, HTTPS is far from the bottleneck for most applications. Also, even for something as innocuous as a meme site -- or the Chumby forums -- many places require you to sign in. It's bad practice, but many users use the same password across many sites, including sensitive ones like banking portals and e-commerce sites. All it takes is for one non-HTTPS login to get compromised, and the attacker can then try the credentials on other sites. By having *all* sites use HTTPS, that eliminates this attack vector, rather than trying to convince users to change their behavioral patterns.

Re: HTTPS for chumby.com and forum

The update to the main chumby website for the dash also added enforcement of HTTPS for the login and signup pages.
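
Added example, not part of the thread and not chumby's code: a small Python check for the condition that triggers the browser warning in the first post, namely a password field on a page served over plain HTTP or in a form that submits to an `http://` URL. The class and function names, the `example.com` URLs and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormScan(HTMLParser):
    """Record the form action in effect for each password input on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []      # one entry per form (or bare page) holding a password field
        self._action = ""      # "" means "submits to the page's own URL"
        self._recorded = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._recorded = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if not self._recorded:
                self.actions.append(self._action)
                self._recorded = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._action, self._recorded = "", False


def insecure_password_forms(page_url, html):
    """Return (reason, url) findings for password fields exposed to plain HTTP."""
    scan = PasswordFormScan()
    scan.feed(html)
    scan.close()
    findings = []
    for action in scan.actions:
        target = urljoin(page_url, action)  # resolve relative actions against the page
        if urlsplit(page_url).scheme != "https":
            # An HTTP page can be altered in transit, so even an https action is not safe.
            findings.append(("page served over http", page_url))
        elif urlsplit(target).scheme != "https":
            findings.append(("form submits to http", target))
    return findings


# Constructed sample markup (not taken from chumby.com).
LOGIN_FORM = '<form method="post" action="{}"><input name="u"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for page, action in [("http://www.example.com/", "https://www.example.com/account/login"),
                         ("https://www.example.com/", "http://www.example.com/account/login"),
                         ("https://www.example.com/", "/account/login")]:
        print(page, action, insecure_password_forms(page, LOGIN_FORM.format(action)))
```
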