The Online Community is NOT Secure

Firefox highlights the fact that the online community is insecure and information submitted (such as passwords) can be viewed.

I have contacted the web team asking for the site to be made secure.

  • Thinking https will solve the concern of non-members seeing members-only profiles misunderstands what https is, and what it does. This is ONLY about the data IN TRANSIT. Think of the difference between a letter and a postcard in the mail. One has the contents on the outside, readable by all who see it, the other only has a name and address, the content is inside. This is the same principle. All https does is put that sensitive info in an envelope (to carry on the analogy) while it goes to the server. When it's there, the server has to see what that content is. It puts it into the database. The website itself then builds the pages we visit, like member profiles, by asking the database for the content. The thing that prevents non-members from seeing members' profiles (as the example above) is the code on the site itself. Only the webserver should be able to read and write to the database, and the permissions on the pages like profiles mean that unless you're logged in (aka be a member) you won't see any. Try logging out, then looking at any member's profile, including your own. You get diverted to a log in or register page. The only concern beyond that would be if someone managed to break the database. Most of the time this is unlikely with any halfway competent sysadmin and some common sense IT safety.

    Like everything in life, nothing is perfect. There are plenty of sites that fail in a lot of basic ways, so I wouldn't use them. I don't have any concerns about using this site. Sure I'd prefer there'd be more server capacity or load balancing as it's slow or inaccessible at times. I don't attribute that to anything more than "we're a small charity with a limited budget and manpower, we're doing our best". I wouldn't use ASPX or Windows Server but that's a personal thing. Often you don't control these decisions. There's often a history of existing infrastructure to maintain that you wouldn't necessarily choose if you were building today.

    Another sign that it's about limited resources is that it can't maintain a connection when logged in, especially after closing the browser and reopening it. You have to log back in. This is a sign that there's only X number of threads available, so you don't get much of a claim on one. It has to be quite stingy in pulling it away from you when it thinks you're not using it, so that someone else can use it. This is what you do with very limited resources, you spread them as thin as you can, while still being practical.

  • I have not misunderstood HTTPS.

    As WebPM noted, the trend "is towards HTTPS throughout sites". Doing that helps improve security for users.

  • All it protects is when it's in transit to or from the server. It guarantees it's not been tampered with, although that's a minor risk. When it's on the server it's then up to the site whether to show you something or not...but ok, I'm not here for an argument.

    What sensitive stuff do you do over email? Passwords, account numbers etc that's ALL plain text. That's just as secure as http unless you use something like PGP encryption. For that, the recipient must also be using it. By default email is not secure either.

    I'd argue there's a difference between the data we send here intended for public consumption, and email which isn't.

  • I understand where you're coming from on the whole black & white thing. In this case it's not applicable. Even if everything was https, all it'd achieve is that the info would be inside the envelopes as it travels from you to the site and vice versa. It would still show the envelope, the sender and receiver. It'd keep it secret from your ISP. They can still see what site you're visiting, how often etc. They can infer what's in it.

    Another thing that some services do is end-to-end encryption, like Telegram. This means that even the webmasters and sysadmins can't read the contents. For this site, it's meant to be a resource for its members, and its non-members. I read a few posts before I joined, and deemed that I was in a safe place, so I joined. If you do end-to-end encryption, that concept is ruled out.

    Another reason for the posts to be public, is that the NAS can show fundraisers, backers etc what they're doing, and how they're helping people.

    Security is never an absolute either. All we can do is follow the best practices we know about, keep updated and don't make silly mistakes. Something that's perfectly secure today, may not be tomorrow. It's a lifestyle. When you cover all the basics, you're likely going to be fine. If you're enough of a target to be of interest to a govt actor like Mossad, there's nothing you can do to keep them out. The very best I could do would be like one man holding off an army. I might make them work through their lunch before they get through, but it's "when" not "if". For the vast majority of sites (and individuals) it's not targeted. It's like the burglar walking down the street, trying the doors, if one is unlocked, that's the one that gets robbed. The others are not worth the time or risk.

    You've an idea of my knowledge on this. I also used to volunteer for an addiction charity. The IT requirements they have to comply with, to be legal in the UK, are insane. I lost count of the amount of times I'd want to try to do something only to be informed it'd break compliance, so it's back to the drawing board to find another compliant solution. This is why I have perfect confidence in this site, as an outsider I can only see so much, but I know the PITA the UK legislation is behind the scenes.

  • Online life is much easier when HTTPS is applied site-wide rather than just in parts of a site. Perhaps that is just my autism coming through: I like things to be black or white and not shades of grey.

    I agree about e-mail not (generally) being secure and I never send information such as account numbers via e-mail. Having said that, my most important e-mail addresses are secure.