HTTP vs HTTPS

[Miltonian]

Hello everyone! I recently (as in, ten minutes ago) noticed that GitP is listed as a 'not secure' connection. So anyone with an onion router or something similar (I know just enough about computers to get me in trouble) could do...to be honest, I'm not sure what, but it's mildly concerning. Is there a reason behind this? Is it more expensive to move to https connections? What's the deal here?

[Jormengand]

Why, what information are you sending to Giant forums that you're worried will get stolen in transit? It's not like your posts aren't visible anyway, and you are using a different password for each site you visit, right?

[Miltonian]

So it can't be used as a back door into my computer? (Like I said, I know just enough to get me in trouble.)

[Jormengand]

So it can't be used as a back door into my computer? (Like I said, I know just enough to get me in trouble.)

No. If you downloaded and ran an executable file from an unverified publisher, that might do it, but connecting via HTTP isn't going to be used to hack your computer. If you really want, there are browser add-ons like HTTPS Everywhere which will force a secure connection anyway.

(You can also manually force a secure connection and then get your browser to add an exception when it complains, if you like).

[Anymage]

This thread would really be better in the science/technology subforum. They can explain what all these little details mean. (E.G: Onion routing is something you do, never something that's done to you.) A little knowledge is only a dangerous thing if it leads you to go into risky places you wouldn't otherwise know about. Otherwise, ignorance is far more likely to lead to trouble.

Specific to HTTPS, I'll repeat what Jormengand said. A secure connection only makes it harder for people to eavesdrop on what you send to the site and what it sends back to you. Important if it's something key like financial information or your primary email account, less so for a random forum. Nobody's going to be sneaking malware onto your computer just because your connection was not encrypted.

Malware in general tends to come from two places. Sometimes, the bad guys will just probe random computers around the internet, and ones that are receptive to random connections will be taken over. This is why you want to ensure that you have good security software and keep it up to date. Otherwise, they'll hope you download it yourself. Either being unlucky by visiting a page that attempts to inject malware, dumb enough to voluntarily download a sketchy file, or both by going to some of the sketchier sites out there without being well prepared. Again, good, up to date security software will help if an otherwise benign site happens to be running a bad ad. (Something that's been known to happen to even the best of places.) But if a bad ad did wind up getting past the ad service the forums use, browsing over HTTPS wouldn't save you.

[Psyren]

This has been asked before. The short answer is that the board uses vbulletin which has its own security, therefore HTTPS is not required. See Rawhide's post below:

This is a relatively recent change on Firefox's end. Firefox is now reporting that every login box not through HTTPS is insecure.

vBulletin uses its own protection and does not require HTTPS. However, we still recommend that you use a different password to other sites (actually, you should never use the same password on multiple sites anyway).

[Rawhide]

This thread would really be better in the science/technology subforum.

The question has been pretty much answered, with a quote from myself, but if you want to know more about how HTTPS works and what it does, feel free to ask in the Mad Science and Grumpy Technology forum. Thread closed as resolved.