Secure Browsing on 14ers.com

Check here for updates to the forum and site.
Site Administrator
Posts: 6368
Joined: Sun Jul 25, 2004 8:34 pm
Location: Breckenridge, CO

Secure Browsing on 14ers.com

Postby BillMiddlebrook » Mon Mar 14, 2011 3:01 pm

I've activated secure browsing (SSL) on 14ers.com for anyone that would like to use it. Just look for the "Secure Log In" link on the top-right of the 14ers.com home page (will refresh the home page under SSL where you can log in securely) or point your browser to "https://www.14ers.com".

If you're using your computer on a public or open WIFI network, logging into the site through the secure connection will prevent anyone from "sniffing" out your userid/password. On most sites, when you're not using a secure connection, form data (including userids and passwords) are passed over the network as "clear text" and there are tools out there which allow evil-doers to see information as it's transmitted over the WIFI network.

Anyway, I just figured some of you would prefer to use SSL when logging into the site.

A few notes:
    - SSL browsing is a bit slower so many of you may just want to use it when logging into the site.
    - Once logged in via a secure connection, you can always change the url in your browser address box to "http://www.14ers.com" and surf without SSL.
    - Instead of using the "Secure Log In" link on the top of the home page, you can always just point your browser to "https://www.14ers.com" and everything you do from there will be via a secure connection, including logging into the forum.
    - Some pages (including the home page) may display an annoying pop-up warning you about unsecure items on the page. If you use IE, you've probably seen this before.
    - Some links (the Like/Dislike of trip reports) will not work when browsing under SSL
    - I'll be updating more pages to avoid the "unsecure" pop-ups
    - I'll be updating other login pages on the site
    - I'll also be adding this to the mobile version of the site as this may be quite helpful when using public wifi networks
"There's no recess and no rules in the school of life" - D. Mustaine

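The "unsecure items" warning mentioned in the notes above appears when a page served over https:// pulls in subresources over http://. One way to locate them before fixing a page, as an added example that is not part of the original post or the site's code; the page URL and sample HTML are constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that make the browser fetch a subresource or submit a form.
# <a href> is a navigation, not a subresource, so it is deliberately not listed.
URL_ATTRS = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "embed": ["src"],
    "audio": ["src"], "video": ["src", "poster"], "source": ["src"],
    "object": ["data"], "input": ["src"], "form": ["action"],
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = list(URL_ATTRS.get(tag, []))
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            names.append("href")
        for name in names:
            value = (attrs.get(name) or "").strip()
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value)
            if value and urlparse(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, name, resolved))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

SAMPLE_URL = "https://www.example.com/index.php"  # constructed, not a real page
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<script src="http://www.example.com/js/menu.js"></script>
<img src="//www.example.com/images/logo.png">
<img src="http://www.example.com/images/banner.jpg">
<a href="http://www.example.com/forum/">Forum</a>
<form action="http://www.example.com/login.php" method="post"></form>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

The form finding matters most for a login page: a form rendered over HTTPS whose action is http:// still submits its fields in clear text.
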
Moderator
Posts: 1571
Joined: Thu Aug 04, 2005 10:46 pm
Location: Boulder, CO

Re: Secure Browsing on 14ers.com

Postby USAKeller » Mon Mar 14, 2011 4:34 pm

Now this feature I really like Bill, since half of my site usage occurs at work while logged in.
All we are called to do is do the next right thing.

Posts: 694
Joined: Tue Jun 27, 2006 8:46 am
Location: Denver

Re: Secure Browsing on 14ers.com

Postby rickinco123 » Mon Mar 14, 2011 5:02 pm

Additionally, if you leave it SSL your work cannot see what you are doing unless they have an outbound proxy that breaks down the SSL connection, what happens on 14ers.com stays on 14ers.com. Good on you for buying a commercial cert.

Site Administrator
Posts: 6368
Joined: Sun Jul 25, 2004 8:34 pm
Location: Breckenridge, CO

Re: Secure Browsing on 14ers.com

Postby BillMiddlebrook » Mon Mar 14, 2011 5:19 pm

Yes sir.

They can still see urls that you visit because they will be stored in server logs, but all other content you enter will be encrypted.

happy browsing...
"There's no recess and no rules in the school of life" - D. Mustaine

Posts: 3864
Joined: Wed Jul 02, 2008 9:56 pm

Re: Secure Browsing on 14ers.com

Postby tmathews » Mon Mar 14, 2011 5:28 pm

BillMiddlebrook wrote: They can still see urls that you visit because they will be stored in server logs, but all other content you enter will be encrypted.


In other words -- some people's "Off Route" posts will no longer potentially incriminate them with their employers. :wink:

Posts: 745
Joined: Wed May 03, 2006 9:21 pm
Location: Moab, UT/Glenwood Springs, CO

Re: Secure Browsing on 14ers.com

Postby kaiman » Tue Mar 15, 2011 7:33 am

Thanks for adding that feature Bill. That should also help prevent so much PHPBB spamming and unwanted solicitations.
"I want to keep the mountains clean of racism, religion and politics. In the mountains this should play no role."

- Joe Stettner

"Climb if you will, but remember that courage and strength are nought without prudence, and that a momentary negligence may destroy the happiness of a lifetime. Do nothing in haste; look well to each step; and from the beginning think what may be the end."

- Edward Whymper

Site Administrator
Posts: 6368
Joined: Sun Jul 25, 2004 8:34 pm
Location: Breckenridge, CO

Re: Secure Browsing on 14ers.com

Postby BillMiddlebrook » Tue Mar 15, 2011 7:46 am

kaiman wrote: Thanks for adding that feature Bill. That should also help prevent so much PHPBB spamming and unwanted solicitations.

It should if I force forum registrations to be performed through the secure connection. That's the plan!
"There's no recess and no rules in the school of life" - D. Mustaine

Posts: 77
Joined: Mon Apr 20, 2009 8:19 pm
Location: Boulder, CO

Re: Secure Browsing on 14ers.com

Postby robco » Wed Mar 16, 2011 11:56 am

Sorry for the nit-picking...

rickinco123 wrote: Additionally, if you leave it SSL your work cannot see what you are doing unless they have an outbound proxy that breaks down the SSL connection, what happens on 14ers.com stays on 14ers.com. Good on you for buying a commercial cert.


SSL isn't really vulnerable to man-in-the-middle attacks, since the CA certs are built into your web browser. Outbound proxies can't read/modify your data without being detected.

BillMiddlebrook wrote: Yes sir.

They can still see urls that you visit because they will be stored in server logs, but all other content you enter will be encrypted.

happy browsing...


The entire HTTP GET request is encrypted with SSL, so they can't read the urls. They'll be able to see the hostname you visit and how much data is transferred, that should be it.

Site Administrator
Posts: 6368
Joined: Sun Jul 25, 2004 8:34 pm
Location: Breckenridge, CO

Re: Secure Browsing on 14ers.com

Postby BillMiddlebrook » Wed Mar 16, 2011 12:12 pm

robco wrote: The entire HTTP GET request is encrypted with SSL, so they can't read the urls. They'll be able to see the hostname you visit and how much data is transferred, that should be it.

That's good. I can still see the full SSL url info on the 14ers.com server logs, which is important for troubleshooting.
"There's no recess and no rules in the school of life" - D. Mustaine

Posts: 780
Joined: Wed Oct 04, 2006 12:16 pm
Location: Denver, CO

Re: Secure Browsing on 14ers.com

Postby Oman » Wed Mar 16, 2011 12:30 pm

robco wrote: SSL isn't really vulnerable to man-in-the-middle attacks, since the CA certs are built into your web browser. Outbound proxies can't read/modify your data without being detected.

The entire HTTP GET request is encrypted with SSL, so they can't read the urls. They'll be able to see the hostname you visit and how much data is transferred, that should be it.


Didn't Colorado pass an English-only law?

Posts: 694
Joined: Tue Jun 27, 2006 8:46 am
Location: Denver

Re: Secure Browsing on 14ers.com

Postby rickinco123 » Wed Mar 16, 2011 3:58 pm

robco wrote: Sorry for the nit-picking...

rickinco123 wrote: Additionally, if you leave it SSL your work cannot see what you are doing unless they have an outbound proxy that breaks down the SSL connection, what happens on 14ers.com stays on 14ers.com. Good on you for buying a commercial cert.


SSL isn't really vulnerable to man-in-the-middle attacks, since the CA certs are built into your web browser. Outbound proxies can't read/modify your data without being detected.


Sort of. Some corporate web filters break down the SSL encryption. They use their own CA cert which they push out to your browser via install image, script or group policy etc. That way you don't get a browser warning when you use their cert. Most users will click through browser warnings anyway, I don't think the general public has a very good understanding of how SSL works. The newer browsers all make it more obvious but I am skeptical as to how well it works.

As far as a real man in the middle attack, some legit CAs in the past have allowed 3rd parties to resell their certs. When you go to buy the low end certs verification usually consists of sending an email to the mail domain requesting the cert. If the web page the purchasing is done on was written poorly, you could hack the request to be any email address you wanted so I could buy a cert for microsoft.com and send the verification email to my google account. Nice heh? That's one reason there are extended validation certificates now.

Posts: 1966
Joined: Mon May 23, 2005 7:44 am

Re: Secure Browsing on 14ers.com

Postby Doug Shaw » Wed Mar 16, 2011 4:33 pm

robco wrote: SSL isn't really vulnerable to man-in-the-middle attacks, since the CA certs are built into your web browser. Outbound proxies can't read/modify your data without being detected.


So long as the user actually does what is intended with certificate errors - which rarely happens. 8 times out of 10 the user will just click through any error and continue browsing to the site - thereby defeating much of the value of SSL.

SSL protects a lot of very important data and as such there are a lot of people looking at HTTPS/SSL these days and finding weaknesses and problems with it and its implementations. In many cases, operational weaknesses may not necessarily be within SSL as a protocol so much as in the implementation of it - but the end result is the same. A few examples just from the last couple of years: SSLstrip & null prefix certificate attacks, rogue CAs.

But as usual, the human being is often the weakest and/or most-easily exploitable link in the system.

As far as EV certificates - they are only allowing the CAs to charge extra money for what they should have been doing in the first place. The "extended validation" will over time be sold down just like the "normal" validation has been.
