
USSVI Page

Printed From: Rontini Submarine BBS
Category: General
Forum Name: U.S. Submarine Related
Forum Description: Submarine Related Topics
URL: http://RontiniSubmarineBBS.com/forum_posts.asp?TID=5705
Printed Date: 24 Apr 2024 at 5:16am
Software Version: Web Wiz Forums 11.04 - http://www.webwizforums.com


Topic: USSVI Page
Posted By: Dave595
Subject: USSVI Page
Date Posted: 07 Nov 2020 at 6:58pm
I have had some people tell me they get this when they try to open the USSVI page.  Any solution?  I don't have any problem with Windows 10 and Firefox.

Your connection isn't secure

This site uses an outdated security configuration that might expose your personal information when it's sent to this site (for example, passwords, messages, or credit cards).

NET::ERR_SSL_OBSOLETE_VERSION



-------------
EM1(SS)
USS PLUNGER (SSN-595)
HOLLAND Club
USSVI LIFE Member
Blueback Base, Rogue-Umpqua Base, Olympic Peninsula Base



Replies:
Posted By: SaltiDawg
Date Posted: 07 Nov 2020 at 7:06pm
Not a solution nor an answer
but if you remove the s in https and hit return you will see the page displayed.

I assume this may expose you to some security risk?


Posted By: Runner485
Date Posted: 02 Dec 2020 at 10:58am
I get the same thing Dave. The url was always HTTPS...I think the site is being updated and is not allowing access.
================================================================

Secure Connection Failed

An error occurred during a connection to www.ussvi.org. Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Learn more…

This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.

TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.


-------------
DBF
Joe
SS485,CVA42
Holland Club
Mid-Atlantic Base


Posted By: gerry
Date Posted: 02 Dec 2020 at 6:05pm
You guys are all correct in that an unsecured (http) connection is higher risk than a secured (https) connection. I'm guessing USSVI's security certificate has either expired or is not configured correctly. 

What is the actual risk? Pretty low, in my opinion. Lacking the encrypted connection makes your data going back and forth from the site vulnerable to a "man in the middle" attack, which is still quite difficult to perform without malware.  If you are sending credit card numbers, SSNs or banking information, your risk is higher. If you use the same password on an unsecured site in other places, you are at higher risk. 

Mitigating your risk:
- Use a password manager (I use LastPass) so you have a different strong password for every site you need a password on. If a hacker does manage to get your password, the damage they can do is limited. 
- Understand that "man in the middle" attacks are one of the most rare forms of hacking and are predominantly carried out on financial connections. See Malware below.
- Subscribe to Have I Been Pwned (https://haveibeenpwned.com/) to see if you have been compromised in the past. The site will also tell you if your email address shows up in future hacks. 
- Make sure you are keeping up on Windows updates (or Mac or whatever you use) and that you are using some form of Anti-Malware and Anti-virus. 
- Malware on your computer can compromise ALL of your accounts. NEVER click on a link or open an attachment in email from someone you don't know or from someone you Do know if you are not expecting a link or attachment. This is called Phishing and can be very sophisticated in fooling people... but one click and you can be compromised.
- Keep your browser (Chrome/Firefox/Edge/etc) updated. Most of these self update.

Please note, this BBS is not using secure socket connections (no https) as we do not deal in financials and actual trusted certificates are rather expensive. Expense may also be a reason USSVI is not updated. Additionally, a REAL certificate is actually not only expensive but complex to obtain and configure. Certificate Authorities make you PROVE the domain is secure and the applicant is actually the owner or authorized to get the cert. Any of these reasons could be contributors to USSVI's situation - they may not know HOW to get a proper certificate. 

Source: a) This is what I do and b) I am a "Certified Ethical Hacker" (a fancy way of saying I have been trained like a bad guy but promised to use my powers only for Good, never for Evil).

Edit: So this made me curious, so I dug in and investigated. USSVI's certificate is valid, their server is not supporting TLS 1.2, the current protocols for encrypted connections. As Joe points out above, you get a warning, and if you click on the Learn More (or Advanced) button, you are allowed to proceed anyway. Note that your connection IS secured, just not with the most current protocols. In my opinion, this reduces your risk greatly, as in "better than nothing", but TLS 1.0 and 1.1 HAVE been hacked in the past.  Another problem I see is they are hosting on GoDaddy, who in my experience, is not exactly cutting-edge with security. Further, USSVI's Certificate was issued BY GoDaddy, who will provide one to anyone with an account and $50. GoDaddy is NOT a "real" Certificate Authority. Not supporting modern security protocols was one of the reasons I moved all my (and my client's) web sites off GoDaddy.

So what does all this geekery mean?

You can use USSVI without https for little risk. You can use USSVI *with* https (if you dismiss the warning) with even less (but non-zero) risk.


-------------
MT2/SS
USS Simon Bolivar - SSBN 641 (B)
USS Henry M. Jackson - SSBN 730 (B)
USSVI - Wyoming Base
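
The browser errors quoted in this thread come from comparing the protocol version the server picks in its ServerHello against the browser's minimum (TLS 1.2). The following is an added example, not part of any post above: it parses a ServerHello record and reports that verdict. The function names and the sample bytes are constructed for illustration and are not captured from any real server.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
BROWSER_MINIMUM = 0x0303  # TLS 1.2, the minimum named in the Firefox message

def negotiated_version(record: bytes) -> int:
    """Return the protocol version the server selected in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    rtype, _, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if rtype == 0x15 and len(body) >= 2:   # alert record, e.g. 70 = protocol_version
        raise ValueError(f"server sent alert {body[1]} instead of a ServerHello")
    if rtype != 0x16 or len(body) < 39 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    version = struct.unpack("!H", body[4:6])[0]   # legacy_version field
    pos = 6 + 32                 # skip the 32-byte server random
    pos += 1 + body[pos]         # skip session id
    pos += 3                     # skip cipher suite (2) + compression (1)
    if pos + 2 > len(body):
        return version           # no extensions: TLS 1.2 or older
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == 0x002B and elen == 2:  # supported_versions carries TLS 1.3
            return struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return version

def browser_verdict(record: bytes, minimum: int = BROWSER_MINIMUM) -> str:
    """Describe how a client with the given minimum version treats the reply."""
    v = negotiated_version(record)
    name = NAMES.get(v, hex(v))
    if v < minimum:
        return f"rejected: server chose {name}, below client minimum {NAMES[minimum]}"
    return f"accepted: {name}"

def sample_server_hello(legacy: int, selected: int = 0) -> bytes:
    """Build constructed sample bytes (placeholder cipher suite, zero random)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected:
        ext = struct.pack("!HHH", 0x002B, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, legacy, len(hs)) + hs
```
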


