Security certificate expired?

Ben - as I understand it the situation is along the lines described by Tor. If you have a WiFi connection which does not require a password then the traffic can be intercepted. If it does have a password then the router needs to be hacked but many can be. Then the harvested passwords are put on a list and sold.

That’s why people use https - so that it is encrypted all the way between the browser and the server hosting the web page. Routers and ISPs don’t see the password.

For C&F admin one advantage of https would be that fewer passwords would go onto lists so fewer people would tell you that the site may have been hacked. (And if a lot of people did then maybe the problem really was at your end.)

It’s not necessary to hack the router if you have access to the network via the password, as is the case for WPA- or WPA2-encrypted public (e.g. cafeterias) networks (or just via a login page as is often the case for hotels). You’ll then be able to see all network traffic. The network encryption is only to protect from listening / connecting by others, it’s not protecting those on the network from each other. For that you need HTTPS, VPN, or other per-device encryption.

Ah, OK, right you are. Anyhow, as one security advice site puts it succinctly, “Public Wi-Fi is inherently insecure.”

By contrast, I’ve never actually heard of an ISP being hacked and that being the source of passwords being lost. The main method I am familiar with is dumping passwords from a website’s own database. This isn’t hard to do for some websites.

Part of the problem is that this can go unnoticed for a while and then the passwords show up in some other public dump. A large portion of https://haveibeenpwned.com's passwords are from such harvests and just added to a list. Passwords and personal information don’t sell for a lot individually, so you usually see it in massive heaps. This is also how you end up with outdated passwords in lists that show up in some of the phishing emails where someone claims to know your password. (You can read about each of the largest breaches on the website. You’ll see in the description that LinkedIn, or MySpace, had had passwords and data exposed that may have gone unknown for a while. Again, the point is that it was the website itself that had the problem.)

(I’m a little bit of a Cybersecurity enthusiast. I hope to become a Security auditor at some point; so I read up on how to hack websites and try to practice hacking on my own when I get the chance.)

I see it’s been fixed: https://forums.chiffandfipple.com/ :slight_smile:

Why, so it is! But is it just my computer, or are all the avatars gone defunct for everyone else, too?

They’ve never worked for me on the https version. I thought that was just the way it was.

Practically all of them, with just an exception or two, worked for me up to now. For example, yours was a photo of a little monkey doll with a human-sized whistle in its arms, and sitting on a book. I always assumed the photo was taken in your home. Now all the avatars are replaced with a teensy square that’s supposed to vaguely evoke a picture; it has a bent-inward upper right corner, and is accompanied by the words “User avatar”.

I wonder what’s up with the change.

For me avatars are still there with http - which I think is what Ben meant. Not there with https in Firefox on Windows or Safari on iThing.

On my computer (Windows 10, Chrome) I’m not seeing anything in the way of either http or https written in any URL of any webpage I’m on, be it C&F or otherwise. I couldn’t tell you if it’s always been that way; I never really noticed. I just checked on my phone, and there C&F’s URLs begin with https. I’m getting the same “User avatar” thingum there, too, but I don’t know if that’s new, as I almost never access C&F by phone; any memory for me of such features is out the window.

Hmm. I’m not seeing C&F’s usual banner ads, either. I made no intentional move to block them.

Seems fairly common for browsers not to show details of the URL. I think they often show a little lock if it’s HTTPS and something else (iPad says ‘Not Secure’) for HTTP.

I don’t get the banner ads in Safari with HTTPS but do with HTTP. I have an ad blocker on the PC so Dale isn’t getting any crumbs from me now. I see that quite a few ad-funded sites are now showing a donate button if they detect an ad blocker.

Right, that’s what I’ve got now. So that clears that up.

That must be the difference, then. I used to run an ad blocker, but when I got my new laptop I didn’t bother, so I must assume that seeing the C&F banner ads has had everything to do with the site not being secure.

I’m still not too happy about the avatars being blocked.

Very curious. Open this link in another browser tab, https://forums.chiffandfipple.com/download/file.php?avatar=1806.gif, then try to display this thread again. Your avatar should show up.

My current best guess is this … The HTTPS web server is slow about delivering the avatars, slower than the HTTP web server, and so slow that the browser gives up and just displays the text associated with the image, “user avatar”. Once your browser has a particular avatar in the cache, it doesn’t have to wait, and can display the image with the web page.

On clicking the link, for me the tab reads “403 Forbidden”. The page reads:

Forbidden

You don’t have permission to access /images/avatars/upload/50491f7ac84643578ea52bbca5389ffb_1806.gif on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

There seems to be some sort of redirection happening that works fine with the HTTP server, but not the HTTPS server. If I paste https://forums.chiffandfipple.com/download/file.php?avatar=1806.gif into the address bar (Firefox, Internet Explorer, or Microsoft Edge), the picture shows up just fine … and then your avatar displays fine when I look at a thread. But if I just click on the link, I get the same error you got.

Ben’s avatar is at https://forums.chiffandfipple.com/download/file.php?avatar=10298_1232201495.jpg.

I see the avatar all the time, with all of the links posted. My connection to C&F is definitely HTTP://, not HTTPS:

Using Firefox on Windows 7 & Ublock Origin.

The first link doesn’t work for me no matter how I do it; with a direct click it’s the same “403 Forbidden”, and if I paste it into the address bar, the tab reads “download”, and the page reads:

This site can’t be reached

download’s server IP address could not be found.

Search Google for download file

ERR_NAME_NOT_RESOLVED

Here the blue text is simply to indicate that a link was provided. The actual link didn’t do anything for me either, apart from giving me a Google page with lists of info on how to download stuff.

Your second link works, though all I get is Ben’s avatar on a black page.

What the …?

Just completed an update after closing all web pages and doing a restart, and now C&F’s URL reads “Not secure”, I’m getting the banner ads again, and I can see the avatars. :really:

If I access C&F by a Google search, I get the secure version. What gives?

I think it may depend on which link has got stored by the various autocomplete, recent searches, recently visited features of the browser and search engine.

I get Forbidden for all Tunborough’s links from the HTTPS. I wonder if it’s a quirk of the board software which makes the pages up on the fly. From a quick look, links off site have https inserted but relative links don’t, so must be relying on some default action of the server.

The forum software was being clever, but not quite clever enough, with a URL that I entered as plain text. The links to the avatars are https://forums.chiffandfipple.com/download/file.php?avatar=1806.gif and https://forums.chiffandfipple.com/download/file.php?avatar=10298_1232201495.jpg. If I click on them, I get “Forbidden”, like you do. If I cut and paste the URLs into the address bar:

https://forums.chiffandfipple.com/download/file.php?avatar=1806.gif
 and 
https://forums.chiffandfipple.com/download/file.php?avatar=10298_1232201495.jpg

then I get a page with just the little avatar image on it. After I’ve done that, though, those two avatars show up in threads, and I can click on the links that were previously forbidden and get the avatars.