Personally I’m afraid I’ll forget to connect to a VPN the next time I’m on an open airport/hotel Wi-Fi and someone will snatch my forum credentials - or someone else’s for that matter. Plaintext passwords through the air is scary and I have to jump through hoops to make my password manager fill in my password on http sites.

Is Mike not actively maintaining the website?

Since letsencrypt is free it’s hard to find a good reason not to enable SSL.
Anything I/we can do to help?

_________________
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?

Still, a lot of scammers love impersonating trusted members of small communities.

If “Garth Wilson offers to sell you all his stuff for 50$ in a PM” to everyone on the site that could do a lot of damage.
Literally broadcasting usernames and passwords to any switch between you and a website in plain text will get someone burnt eventually - maybe not in 2003, but definitely in 2022.

Eventually we can also expect browsers to completely shun http sites, so I really hope we can get it fixed. Not that we care much about the SEO penalty - not that much competition around XD

_________________
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1

The risk with credentials over HTTP is most people re-use their passwords. It would be quite easy for a malicious actor to pivot to someone's email, banking or social media accounts if they happen to sniff a login to this site. So that's the main issue, and it is not about how sensitive this particular website's content is.

It is also annoying with Firefox, having to whitelist the site after every restart.

_________________
BB816 Computer YouTube series

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?

LastPass is a few bucks a month and totally worth every penny. There's a plugin for your browser and for your phone, all synced up but encrypted with your passphrase, and it autofills login forms for you.

Of course some sites try really hard to make it hard to use password managers, by breaking autofill and/or breaking cut & paste so that you can't even paste your long random password. And don't get me started on Roku channels that force you to type in your whole password on the remote...

That being said, setting up letsencrypt on a web site takes about 5 minutes and is pretty much "set and forget".

(I know Mike is aware of a need, eventually, to go to HTTPS, and is aware of LetsEncrypt and similar, but it's evidently not a priority. I've offered to help, too. It feels best not to keep bugging him about it!)

I ran a FreeBSD web server for 3 years back in the late 90's. Believe me when I say hackers are interested in any bit of information they can obtain. It's amazing how well they can take seemingly harmless information (bits here, bits there) and compose them into larger collections of information that can be phished with other sites like banks. I can only imagine their capabilities these days.

I'm very security minded yet I had about $3000 stolen from my bank account a few years ago through AWS. Even though Amazon admitted it wasn't any one thing I did wrong (they never would tell me how the hackers got my encryption keys). And AWS took their sweet time refunding my money.

This site needs to be on an up-to-date SSL certificate, etc.

_________________
Cat; the other white meat.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?

As a stopgap, if setting up this webserver with TLS is too complex, maybe he can use a service like Cloudflare.
They provide free HTTPS for any website and you can be running in minutes after a few clicks. No change is necessary on the website's server. Only the DNS servers of the domain have to change. The connection is encrypted between users and Cloudflare, and then Cloudflare gets pages over plain HTTP from 6502.org.

This way user traffic is at least encrypted where it is at risk of being sniffed, on the user's machine and network.

As a bonus, you get additional protection from spammers, bots, etc, which are filtered by Cloudflare.

https://www.cloudflare.com/ssl/ (not affiliated, I'm just a satisfied user)

_________________
BB816 Computer YouTube series

Well, yeah I agree people should use different passwords (and maybe account names) for different sites.

For example, I don't use "cbmeeks" for any banking sites. In fact, my banking user names don't even reflect my real name in any way.

But what an attacker could do on this site is intercept passwords, log in as an admin, and erase content or worse, spam the boards with a known user. A clever hacker would go in and alter old posts slightly to include website links. This would be tricky to detect for a good long while.

_________________
Cat; the other white meat.

Can we perhaps agree that this is Mike's call? We can offer help - we have. We can make sure he's aware - he is.

After that, we're just being annoying, and I don't think that's a good idea.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?

Yeah, this is certainly Mike's decision and I would be happy to offer any help.





Well, that's not totally what I was getting at. I just meant an attacker could read YOUR password, or mine, or someone else's and log in as that person. Then, find some old post and edit that post to include some spam URL. It would take a while to find that and fix it. We've had to deal with these kind of attacks before at some places I've worked.

Anyway, I was just making a general statement. In 2022, all sites should use SSL.

_________________
Cat; the other white meat.

In case it's not already known, I remind you that previously you had to buy SSL certificates to configure HTTPS but that for a few years it is free thanks to Let's Encrypt.

https://letsencrypt.org/