Replies: 33 / Views: 3,906
Pillar Of The Community
United States
1106 Posts
This morning I got a warning that the Security Certificate for SCF expired today so I had to jump through some hoops to get in. I'm using a Firefox browser. Anyone else experience this? Dan 
Experienced stamps need a home too. I'd rather have an example that is imperfect than no example. I collect for enjoyment, not investment. APS Member #223433 Postmark Collectors Club Member #6333 Meter Stamp Society Member #1409
Forum Dad
USA
2055 Posts
Nothing dangerous. The SSL just expired because my host didn't update it. Billed me for it 3 weeks ago though.
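An added example, not code from the thread or from the forum's host: a standard-library Python check that reports how many days remain on a site's certificate, so an expiry like the one above is noticed before browsers start refusing the site. The sample certificate dict, its host name and dates, and the 14-day threshold are constructed for the example.

```python
"""Added example (not the forum's code): flag a TLS certificate before it
expires, so an 'expired today' surprise like the one in this thread is
caught in advance.  Standard library only."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumed threshold, not a value from the thread

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); the dates and
# host name are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "forum.example"),),),
    "notBefore": "Mar  1 00:00:00 2020 GMT",
    "notAfter": "Jun  1 00:00:00 2020 GMT",
}

def check_validity(cert, now=None):
    """Return (status, days_left) for a getpeercert()-style dict.
    status is 'ok', 'expiring', 'expired' or 'not_yet_valid';
    days_left goes negative once the certificate has expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):  # ISO date such as '2020-05-20', taken as UTC
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    # cert_time_to_seconds parses the 'Jun  1 00:00:00 2020 GMT' format as UTC
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= WARN_DAYS:
        return "expiring", days_left
    return "ok", days_left

def fetch_cert(host, port=443, timeout=5):
    """Live check (network call).  Verification is left on, so once the
    certificate has actually expired this raises ssl.SSLCertVerificationError,
    the same condition the browser warned about."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `check_validity(fetch_cert("your.host"))` from a daily cron job and alert on anything other than `'ok'`.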
Moderator
United States
12330 Posts
Folks should keep in mind that the entire 'certificate' or 'https' (secure sockets) thing is largely insignificant. It is meant to give confidence to technically challenged people but anyone who understands what it is knows that it adds very little to security. It is simply an encryption on the communication between your browser and a website server. Since this site, or any other that is not doing financial transactions, offers no interest to most malicious people, there is no reason for them to try to capture the traffic between you and your browser. But even if it was a website with financial transactions, understand that the communication stream is difficult to capture, it is far easier and more productive to gain access to the server itself. An analogy is like the security of your house, adding a way to encrypt the phone line is meaningless if you do not bother to put locks on your doors or windows, do not have an alarm system, do not have a fence, do not have a mean dog, or do not protect your family with a weapon. The certificate effort was mostly driven by a few large tech companies who are now largely in control. Don
Pillar Of The Community
United States
3157 Posts
Quote: It has definitely impacted postings. It certainly gives you pause when you log on and are greeted with "This site is not secure" in red. Took me a few times before I clicked Details.
Bedrock Of The Community
12555 Posts
I was afraid that if I ignored the warning that I would receive a box of spiders and cockroaches in the mail AND be exposed to COVID-19. Phew!!!
Forum Dad
USA
2055 Posts
Well if I were to send you spiders, I'd at least send you chocolate covered ones.
Pillar Of The Community
United States
1106 Posts
Bobby, Thanks for your work! I knew the SSL cert was bull-squirt for a site like this but my Firefox browser locked me out until I went into the details and acknowledged that my computer may melt and I might contract Covid-19 if I proceeded. I got in once and after that it wouldn't even let me check the thread. I kept getting an error message. If you are sending chocolate spiders, count me in. They have to be better than the chocolate covered ants I've eaten! Dan
Pillar Of The Community
United States
1414 Posts
Quote: Since this site, or any other that is not doing financial transactions, offers no interest to most malicious people, there is no reason for them to try to capture the traffic between you and your browser. Don, I am not sure this is entirely true. I had an account on a railroad site that was compromised and did not bother to encrypt passwords. The result has been bogus email messages claiming to have reached other more important sites. Unfortunately some users may have used the same password for that site and more important sites. Still, the problem is bad enough because it is possible for hackers to post bogus messages, links or steal copyrighted images. I hope that this site encrypts passwords. If not, it should be mentioned on the user account page.
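An added example, not SCF's or any poster's code: what "encrypting passwords" should mean for a site like the one Clark describes, so a stolen user table does not hand out reusable credentials. It uses salted PBKDF2-HMAC-SHA256 from the Python standard library; the record format, the iteration count and the demo users are assumptions made for this example.

```python
"""Added example (not the forum's code): store passwords as salted,
slow hashes rather than plaintext, and verify them in constant time.
Standard library only; the work factor below is an assumption."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to your server
SALT_BYTES = 16

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' for storage.
    A fresh random salt per user means two users with the same password
    get different stored values, so cracking one record reveals only one."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time.  Anything malformed (including a legacy plaintext
    record) simply fails to verify instead of raising."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iters = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iters)
    return hmac.compare_digest(candidate, expected)

# Constructed demo records: two users happened to pick the same password;
# with per-user salts the stored values still differ.
USERS = {
    "alice": hash_password("hunter2"),
    "bob": hash_password("hunter2"),
}
```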
Moderator
United States
12330 Posts
Hi Clark, Understood, but if anyone is using the same password for multiple sites then they should have bigger concerns than a missing HTTP certificate.
I cannot recall a recent cyber-attack that involved sniffing packets. The most common 'hacking' method is physical access to a server (but you never hear anything about this issue). Who here thinks that these tech companies vet and bond every person who has physical access? One of the more famous compromises was when a hacker purchased a large stack of pizzas and was allowed to waltz into the server room with a thumb drive. In another case a hacker gained physical access to an internet café router and replaced it with his own router. HTTPS has no value in these more common types of hacks; physical access is a far more feasible and cost-effective way to access information. Just today I got a robocall letting me know that they had detected 'unusual' activity on my Apple device and that I immediately needed to 'press 1' to prevent a significant compromise of my personal information. I guess that they did not know that I do not have any Apple device in my home.
My dialysis center, as a Medicare facility, is supposed to be following HIPAA guidelines to protect patients' electronically stored information (known as "ePHI"); this requires a new secure password every month. Yet when you walk into the lobby, they have hung a large poster showing the wireless user name and password for their network for the next 12 months. I have also seen Verizon payment kiosks which stored everyone's credit card numbers and PINs in plain text files. They did a great job in making the kiosk hard drive highly secure to boot into, but it took me 5 minutes to hook up a kiosk drive as a slave drive and access the credit card text file. I instantly had access to hundreds of thousands of credit card and PIN numbers. I worked with a group who developed and implemented our own TCP/IP stack and we had equipment to sniff packets. It requires an incredible amount of time and money to sniff packets and recombine them; it is like trying to catch specific raindrops in a thunderstorm.
I have seen hundreds of thousands of user passwords over the years and I cannot tell you how easy it is to guess passwords. (It was so easy that I often would try guessing a user's password rather than walking back to the server room.) If folks want to be more secure I suggest they be more concerned over the passwords they choose than worrying about an out-of-date https certificate and someone sniffing packets on a hobby website. My recommendation is that they stop choosing blindingly easy passwords, stop trying to manage complex password lists (often taped to their monitors), and spend a few minutes developing a password scheme. Bobby has previously mentioned how to do this. Why try to remember a bunch of different complex passwords instead of remembering a single scheme? This is a no-brainer. Simply make a unique password scheme based upon the website name you are using combined with some other personal information that is easy for you to recall. You might choose the first 6 letters of the website name, or skip the first two letters and select the next 6, or reverse the website name and use the first 5 characters. Then add to this another piece of personal information and add a special character (@#$%^&*?!). If the site requires a new password each month, then integrate a date number somewhere in your scheme. The combinations are endless, this gives you a unique password for every site, and it only requires you to remember a single scheme.
At a minimum (and if folks want to be lazy) then at least use two different passwords. Use the same password for all non-commercial websites like this one, websites that you might visit on public networks and do not do transactions on. But use a different, stronger password for transactional websites and never access them on public networks.
But it is easy to scare people, and fear is currently the method being used to control people in our society. The antidote to fear is knowledge and common sense for anyone who does not want to be a lemming. Don
Pillar Of The Community
723 Posts
Yet another reason why this site needs to be in the cloud and not run on physical gear. These issues are already solved if you use Amazon ALB with Amazon ACM in front of your web servers. Cheap and 0 maintenance.