
My World: Asher really needs to move with the times!

fahim mohammed

Well-known member
OPF is not a secure site.

While it doesn’t bother me, as I know the OPF’s barman, I however think it should be secured by an https at least.

I am bugged by the continuous ‘this site is not secure’ warnings.
 

Asher Kelman

OPF Owner/Editor-in-Chief
OPF is not a secure site.

While it doesn’t bother me, as I know the OPF’s barman, I however think it should be secured by an https at least.

I am bugged by the continuous ‘this site is not secure’ warnings.

Hmm,

I never get such warnings here!

Still I am happy to oblige. How does it make a difference?

I will ask around!

Asher
 

Robert Watcher

Well-known member
Hmm,

I never get such warnings here!

Still I am happy to oblige. How does it make a difference?

I will ask around!

Asher

I found this article which may clarify a bit. https://www.infront.com/blog/the-blog/important-july-ssl-deadline-for-chrome

You can identify a secure https:// website with the lock beside the URL in the browser. All of my websites use the https:// protocol. As an example you will see the lock in the address bar for my site https://arwpix.com . I write a lot of apps that use the Google Maps API, weather API, and others for embedding content in sites - that now require an https website to work. If the apps are to use http, that functionality does not work.

It could well be that your web hosting provider offers free SSL certificates - or supplies ones through cPanel. If not, you will need to purchase one on a yearly basis. The free SSL certificates are not secure enough for use on E-Commerce sites, but Google does accept the popular ones and allows your website to be accessed without warnings. Setup or certain links in your forum software may need to be updated for directing to https:// instead of http://. There should be instructions on the software website.


———-
 

Asher Kelman

OPF Owner/Editor-in-Chief
Fahim and Robert,

Thanks for making me more aware of the nomenclature and Google’s new policies.

Nevertheless, there’s nothing “insecure”, AFAIK about NOT having an Https designation when we don’t deal with your credit card or bank account numbers! We are not like Amazon or PayPal!

Your pictures can just as easily be stolen on an https site as on a regular site.

However, from July 2018, as a business policy decision, Google Chrome decides that not having an SSL security certificate gets you designated as “unsafe”. It’s as valid as saying Irish with tuberculosis make the best poets! Except at least there is some trace of truth to that!

I use Safari mostly and so far have seen no such “unsafe” warnings.

Still, I have no problem with prophylactics, but really, is it needed?

I will explore this with my providers as I promised above!

Asher
 

Jerome Marot

Well-known member
Unless I am mistaken, it does not seem that the connection is encrypted when logging in or registering, when the password is transmitted. That is indeed a problem.

If I am wrong and the connection is encrypted when transmitting the password, then OPF already has an SSL certificate. Using it for all connections should not be too difficult.

Free ssl certificates can be obtained here: https://letsencrypt.org
 

Doug Kerr

Well-known member
I'm not sure I understand the issue here. OPF posts are readily findable with Google and then viewable. I'm not sure what CTD (cyber transmitted disease) the recommended secure transmission mode is a prophylactic against.

Best regards,

Doug
 

Robert Watcher

Well-known member
I'm not sure I understand the issue here. OPF posts are readily findable with Google and then viewable. I'm not sure what CTD (cyber transmitted disease) the recommended secure transmission mode is a prophylactic against.

Best regards,

Doug

It’s not for protecting OPF or hiding content from Google or anyone else. HTTPS is used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private (Words from Wikipedia). The thing is that since https is being mandated now, the user experience of websites will be affected and when people turn away from sites when they see that it is not secure, that will affect OPF as well.

True, not everyone uses the Chrome browser, but according to stats counters, around 60% of desktop and mobile web browsing is with Chrome. Even on tablets as high as 40%. That aside, Safari and Firefox and probably before long, the others - are following the standard of providing Not Secure warnings for non https sites or ones that include log in forms from non https.

It’s really that we website owners have no choice but to switch, if we want people to visit our website. A lot of business websites include Google maps of their location on their Contact Page. That can no longer be done on a non-secure http website.
Unless I misunderstood what you are saying in your comment Doug.


———
 

Jerome Marot

Well-known member
I'm not sure I understand the issue here. OPF posts are readily findable with Google and then viewable. I'm not sure what CTD (cyber transmitted disease) the recommended secure transmission mode is a prophylactic against.

Transmitting passwords in the clear is not so cool, is it?
 

Doug Kerr

Well-known member
It’s not for protecting OPF or hiding content from Google or anyone else. HTTPS is used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private (Words from Wikipedia). The thing is that since https is being mandated now, the user experience of websites will be affected and when people turn away from sites when they see that it is not secure, that will affect OPF as well.

True, not everyone uses the Chrome browser, but according to stats counters, around 60% of desktop and mobile web browsing is with Chrome. Even on tablets as high as 40%. That aside, Safari and Firefox and probably before long, the others - are following the standard of providing Not Secure warnings for non https sites or ones that include log in forms from non https.

It’s really that we website owners have no choice but to switch, if we want people to visit our website. A lot of business websites include Google maps of their location on their Contact Page. That can no longer be done on a non-secure http website.

Thanks for the insight.

Unless I misunderstood what you are saying in your comment Doug.

No, I think you got my question.

Best regards,

Doug
 

Asher Kelman

OPF Owner/Editor-in-Chief
I'm using Firefox...no problems, warnings or anything else.

Also use safari...no warnings.



Exactly!

Still, Google is akin to the State of California in Power and influence. When they devise new standards, (as far as I know all reasonable), their market share is so important that most industries comply as if they were the Federal Government!

In fact we are as secure as any other website, for photography content. Https sites are definitely needed to secure credit card and password information.

I plan to buy the needed SSL certificates but will look at this matter in a week!

Asher
 

Robert Watcher

Well-known member
Exactly!

Still, Google is akin to the State of California in Power and influence. When they devise new standards, (as far as I know all reasonable), their market share is so important that most industries comply as if they were the Federal Government!

In fact we are as secure as any other website, for photography content. Https sites are definitely needed to secure credit card and password information.

I plan to buy the needed SSL certificates but will look at this matter in a week!

Asher

Asher, there is no need to buy an SSL certificate unless you are processing credit card payments or other hyper sensitive info on your website that requires the highest of security. The price goes quite high as security level goes up. But it certainly won’t harm anything to purchase one if that is your choice.

There are several free SSL certificates available that are adequate so you can use the https protocol and are accepted by the browsers as secure enough to deem a website safe. Especially for login forms and API calls. As Jerome mentioned there is letsencrypt- I provide for my web hosting clients, the free AutoSSL from Comodo that is part of the cPanel package - if your hosting provider has enabled that with their service.

As to whether one person or another gets a warning, isn’t the issue. Most of us appreciate when there is a level of security (SSL) when entering our user information (especially password) when logging in - which is done to gain full access to the OPF forum. The potential snooping when data is being transferred as page requests - that https protocol makes difficult - is a separate matter than the equally concerning way that passwords and other personal information is being stored on the server by the website software.

If that doesn’t bother some, their choice is to be at risk. But most internet users are becoming more and more concerned about security when browsing and rightly so. That is what Google has been addressing for several years now and is mandating this year. It’s a good thing. It may result in a little inconvenience for the webmaster to implement, but not for anyone else.


https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/


————
 

Jerome Marot

Well-known member
As I already wrote, SSL would be necessary to ensure that our passwords are not transmitted in the clear. There is a risk that someone gets a user password and impersonates a member. The risk is small, but real.

The rest is up to the site administrator, but it is usually simpler to add SSL for the whole site.

As to certificates, your hosting provider may already have one for you or you can get one for free from let's encrypt: https://letsencrypt.org
 

Robert Watcher

Well-known member
As I already wrote, SSL would be necessary to ensure that our passwords are not transmitted in the clear. There is a risk that someone gets a user password and impersonates a member. The risk is small, but real.

The rest is up to the site administrator, but it is usually simpler to add SSL for the whole site.

As to certificates, your hosting provider may already have one for you or you can get one for free from let's encrypt: https://letsencrypt.org

Not only grabbing a user password to impersonate a member - but any hacker knows that all kinds of people (members) use the same user name and password to access not only other websites and forums, but also use the same password for online shopping or personal banking access. As you mention, the risk is small - but it is real.


——-
 

nicolas claris

OPF Co-founder/Administrator
I have transmitted all infos to Asher to move to https with OPF server.
But he is abroad, let him have some time.
Asher is aware :)
BTW, Robert, you're right about people using the same passwd for many sites, but there have been many many warnings on the web about this issue. If people are stupid enough not to hear that, this is not the website manager who is responsible!
 

nicolas claris

OPF Co-founder/Administrator
But what about GDPR?

Will Europeans want that too?

Asher

As OPF does not store any other matter than what registrants did input themselves for their registration, and since OPF does not trade any information about members, afaik, OPF does not need to have a warning banner about GDPR.
Would you wish so, GDPR mention could be added to the TOS.
 

fahim mohammed

Well-known member
As far as I know, all US based sites (foto forum sites) have posted the new EU regulations and members are expected to have read and agreed to them.

Furthermore, to the best of my knowledge, irrespective of the site’s location it has to comply with the European directive if it is being used in/from EU

But what about GDPR?

Will Europeans want that too?

Asher
 

Asher Kelman

OPF Owner/Editor-in-Chief
As far as I know, all US based sites (foto forum sites) have posted the new EU regulations and members are expected to have read and agreed to them.


Well, Fahim, I only checked 2 and they still use http not https

http://luminous-landscape.com/

http://www.largeformatphotography.info/

Still, one more, Fuji Rumors and that is already compliant!

https://www.fujirumors.com


Furthermore, to the best of my knowledge, irrespective of the site’s location it has to comply with the European directive if it is being used in/from EU

The EU is acting as a power to make rules beyond its jurisdiction. How can they enforce their rules without the USA pushing back!

Still, I will comply!

Asher
 

Jerome Marot

Well-known member
Well, Fahim, I only checked 2 and they still use http not https

http://luminous-landscape.com/

http://www.largeformatphotography.info/


Luminous landscape forces https on my mac. Large format photography does not.


The EU is acting as a power to make rules beyond its jurisdiction. How can they enforce their rules without the USA pushing back!

If a company does business with EU citizens, the EU has the means to make them comply.

Still, I will comply!

As Nicolas noted, I don't think the GDPR applies to this site, which does not appear to sell the privacy of its members.

OTOH, https would be a smart move as soon as you have the time.
 

Doug Kerr

Well-known member
The preponderance of the sites I visit often use the HTTPS protocol.

On the other hand, The Pumpkin does not.

Best regards,

Doug
 