Private messages on this site are not private. I could easily get them all if I wanted to. Same with credentials.
Easily?
Make me laugh! No you couldn't. You're just going to have to prove it, or shut up with your boasting. I completely spit on, and deny your abilities in this matter.
I bet you $50 that you can't "get all" of the PMs on CathInfo.com.I have to object to what you said here. You allege that private messages on CathInfo are not private, that there is no real security in place. You allege that any perceived security is false, much like "security through obscurity" (hiding a key to the house under the welcome mat). Anyone who knows what they're doing, and who wants in, can just flip up the welcome mat, take the key, and enter the house. Or the tiny padlock on a diary -- anyone who really wants in can just cut the thin leather strap with a scissors and open the diary like a regular book.
That is simply not true about the PM system on CathInfo. You can't just get at all the PMs "if you know what you're doing".I'd like to see you try. My site is plenty secure. I'm using the latest version of SMF. I doubt there are any mindless SQL injection bugs present in the code. Protecting against SQL injection is pretty standard fare these days. Maybe 10 years ago many sites had vulnerabilities like this. But just as you've learned a lot over the years, so have software developers. Many programming libraries protect against things automatically in 2017 that used to require a hired security expert to implement in 2005.
The Laravel PHP framework, for example, makes it trivial to protect against HTML form injection attacks, SQL injection, etc.
But that's a moot point, because I decided an hour ago that I will buy an SSL certificate for CathInfo. I surrender. The world is crazy. I disagree that it's necessary, but the whole world is stacked against website owners. They each have to "play the game" and pay up.
A couple weeks ago it was Firefox. Today I got a notice from Google:
Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for http://www.cathinfo.com/
To: owner of http://www.cathinfo.com/
Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.
I like how they equate a
simple forum password (which I don't care about) with one's credit card information or other SENSITIVE information. If you use your bank password for your CathInfo password, that's sensitive information. But you'd be stupid. I'd like to think many people are not that stupid.
When I join a forum to ask programming questions, etc. I use a very simple password. 7 characters, all lowercase, no numbers or symbols. If they hack my "Tractor.net" message board account, who gives a ____? Certainly not me.
But back to the issue of an SSL certificate for CathInfo --
Whatever it costs, I'm going to have to pay it,
sort of like blackmail. I can't have average readers/members thinking this site is going to cause them to have their identity stolen, or credit cards stolen, due to "insecurity" of my site. I don't want to deal with ominous warnings about CathInfo being a seedy back alley of the Internet, just because I don't want to pay their blood ransom. I surrender!
It's not worth it. I can't fight the whole world, even if I'm in the right.
Topic: Report any bugs or problems with new site here! (Read 7192 times)