TAFKARM Posted January 25, 2017
I'm no techie, but just checking we don't potentially have the same issue?
http://www.pistonheads.com/gassing/topic.asp?h=0&f=209&t=1576172
http://www.pistonheads.com/gassing/topic.asp?h=0&f=24&t=1648392
Nick Algar - Competition Secretary Posted January 25, 2017
Thanks Russ and interesting read. I'm sure our webmaster will answer soon ?
bigron Posted January 25, 2017
It doesn't look to be implemented on here. This isn't always a problem but my issue is with the sign in page which is also not secured by SSL/TLS, so credentials from your browser to the site are sent in the clear. The chances of someone actually collecting the data are probably small but the risk still exists.
Dave Eastwood (Gadgetman) - Club Chairman Posted January 26, 2017
The webmaster is aware of the thread. It's not my area of expertise, (I can knock an old fashioned style site together with Dreamweaver and Flash, but that's my limit!) So I can really add any comments of my own.
TAFKARM Posted January 26, 2017 Author
Thanks - my big concern is security of the "only you can see these details! Understand?" Data that sits in our profile. I'll await response from on high, but thought best raise a possible vulnerability.
Kingster Posted January 26, 2017
I'm aware of this and will look into it.
Kingster Posted January 26, 2017
2 hours ago, RussH said:
Thanks - my big concern is security of the "only you can see these details! Understand?" Data that sits in our profile. I'll await response from on high, but thought best raise a possible vulnerability.

The issue raised is to do with "packet sniffing" - so someone intercepting the network traffic when they are on the same network as you (like McDonalds/Airport/Office/Hotel wifi). Your details are secure unless someone hacks your account - and while it is technically possible for someone to intercept your email and password using a packet sniffer like Wireshark, it is pretty unlikely. The issue was raised on PH a year ago and there's no news of mass attacks on there as far as I can see? User passwords are stored in an encrypted format, so even I can't see them. Personally - I don't use the same password for my bank etc as I do on forums or other public access sites and I change them every now and then despite the pain of remembering them all. However, I'll talk to the Committee about implementing SSL on the server as our Members' data integrity is obviously very important.
Kingster Posted February 14, 2017
We now have SSL logins and an A rating on SSL Labs. You can put your details back in now @RussH so we can deliver your Club Mag!
TAFKARM Posted February 14, 2017 Author
Thanks Chris - amazing work considering how long it's taken those PH muppets
Kingster Posted February 14, 2017
Thank Adrian for the effort, all I did was prod him! As he set the server up I left it to him. Moving forward I'll be taking over more and more though
Captain Colonial Posted February 14, 2017
Yes, my thanks to Ade and Chris for all they do, including this. Moving to this wasn't free and the risk was extremely minimal, but the cost was worth it to keep members feeling safe and secure about their personal details. I'd like to add the club has never suffered a security breach with member info. Of course, I know where you all live, and I know what some of you did last summer, so there's always me to worry about instead...
B.RAD Posted February 14, 2017
Top work, thanks chaps. And thanks Russ for flagging, you're my hero x
John Loudon - Sponsorship Liaison Posted February 15, 2017
Since this was implemented I have been inundated with spam email. Is this coincidence or a possible link?