The Dink Network

Reply to Re: The Dink Network - Proper HTTPS Support

April 26th 2018, 09:02 PM
I suggest making HTTPS support the default, that is, automatically redirecting from HTTP to HTTPS, at least in web browsers. It is not a good idea to have passwords go over the Internet in plaintext. Some users might use their Dink Network passwords on other websites. You should do this ASAP for the security of the users of this site.

And as far as Dink Smallwood HD possibly not supporting this for DMODs, well, I believe it uses HTTPS to check for updates from RTSoft, so it ought to work for downloading DMODs from the Dink Network, and I doubt it would have any issue. Still, making sure that DMOD downloading within Dink Smallwood HD works is something to double-check after making HTTP traffic redirect to HTTPS, just to be absolutely sure.

I personally am a member of this site and have logged into it in the past over HTTP, and I am concerned about my own security. I am not worried about any of you guys being bad; I am worried about a man-in-the-middle attack. Obviously the Dink Network itself is trustworthy, but plaintext passwords sent over HTTP are vulnerable to man-in-the-middle attacks anywhere their Internet traffic is routed through, and it is easy to intercept data, which is very much a bad thing. A common packet capture and analysis tool like Wireshark can be used on a LAN to intercept all network traffic. So if someone is connected to a wireless LAN, such as public WiFi, and they visit the Dink Network website from there and log in, it is very, very easy for someone else to do a man-in-the-middle attack and get all their login info.

Sorry about that little network security rant. I used to not know very much about network security; back when I became a member of this site I did not even notice that it was HTTP instead of HTTPS or think anything of it, but I have learned more since then, and most of what I learned was pretty disturbing. I got a Network+ certification from CompTIA. I admit I am still pretty lax about security compared to a lot of people. For example, macOS requires me to have a password, so I have my password be a single space, since one character is the minimum number of characters and the spacebar is the biggest and most obvious key. Windows 10 requires me to have a PIN now and has complexity requirements, and I figured out that the simplest possible PIN that meets those is 1000, easy to remember. Prior to the new complexity requirements my PIN on Windows 10 was just all zeroes, 0000. I specifically have my sudoers files on macOS and Linux set to never require a password, under any circumstance, and I disable as many annoying “security” features as possible in most operating systems, like User Account Control on Windows and System Integrity Protection and Gatekeeper on macOS. So I am not the most security-conscious person out there; in fact I find security to be a real pain that gets in the way of getting things done most of the time. But even I think that websites that use usernames and passwords should never, ever use HTTP, and the ones that do all need to switch to HTTPS-only.