FGRV not a secure site???

[Johnny M]

When I came to the site today I noticed my browser stated in RED "NOT SECURE", when I clicked on it, it read "YOUR CONNECTION TO THIS SITE IS NOT SECURE - You should not enter any sensitive information on this site (for example, passwords or credit cards) because it could be stolen by attackers.

I know this is the first time I have seen this warning, so when did this site become not secure, because just coming here and logging in puts your user name and password at risk, although I didn't see it until after I logged in.

I am a website developer myself so I am asking the admins to give this their immediate attention.

Thanks,
Name withheld for security reasons

[Donna D.]

You must not have read this announcement: http://www.fiberglassrv.com/forums/f...ssl-91348.html

[Johnny M]

Quote:

Originally Posted by Donna D.

You must not have read this announcement: http://www.fiberglassrv.com/forums/f...ssl-91348.html

Nope I sure didn't, thanks Donna. However, I am still surprise by reading the link that the forum has been going on unsecure for so long. This is a serious negligence issue for the owners of the site and I would like to know that in the future going forward that they will be more responsible in addressing security of user members profiles.

[gordon2]

Quote:

Originally Posted by Donna D.

You must not have read this announcement: http://www.fiberglassrv.com/forums/f...ssl-91348.html

Or this... http://www.fiberglassrv.com/forums/f...tml#post730677

or this... http://www.fiberglassrv.com/forums/f...tml#post724657

The argument for SSL has been made a few times but it was not implemented because of a concern over breaking links (which is a solvable issue), and the fact that limited data of value is passed on the site. Of course web admins know of the other reasons that SSL should be used, and now it seems that this site will soon also follow that basic security tenet.

Quote:

Originally Posted by Johnny M

...This is a serious negligence issue for the owners of the site and I would like to know that in the future going forward that they will be more responsible in addressing security of user members profiles.

I would not bet the farm on that. Its a free site managed by volunteers - limited time and resources. Not using the site and limiting what you share on it are options but I also hope it is a safe site to use since it has been so invaluable.

Now dont get me started on the bitcoin mining that maxxed out our CPUs when using this site... seems the code was hidden in an advertisement IIRC.

[steve dunham]

Every time I open up this site I get a warning that the site is not secure
I’ve been getting this same warning for over a year

“ NOT SECURE - fiberglass rv”

I get the same warning when I enter the Escape forum

[Donna D.]

Quote:

Originally Posted by steve dunham

Every time I open up this site I get a warning that the site is not secure
I’ve been getting this same warning for over a year

“ NOT SECURE - fiberglass rv”

I get the same warning when I enter the Escape forum

And the EscapeForum is going to go through the exact same update: Forum update this week - SSL - Escape Trailer Owners Community

[Rzrbrn]

Well if Jeff Bezos can be hacked I doubt there is much that can be truly done if the desire and skill set is there to muck about with this website. So don't use the same password across other websites and watch your CPU usage.

[Lisle]

I'm wondering if the private messaging part of this forum is secure? That's likely where a lot of personal data might appear -- phone numbers, addresses, PayPal accounts, etc.

Also, can someone let me know what CPU use is?

[Rzrbrn]

CPU means Central Processing Unit. On my McBook Pro laptop the Activity Monitor (AM)will tell you what program is using how much data, so if something uses a lot of data you can then try to identify what the program is and if you approve of it. All of the programs running through the CPU are listed. There is undoubtably a more technical explanation of the AM or how to use it but this is how I use it.

[Defenestrator]

It's a free site, but it's not a non-profit or hobby site. The "company" is a one-man show as far as I can tell, or very close to it, so the technical side of it is a bit on the neglected side. For example, in addition to being 5+ years behind on adopting SSL, the forum software being used is "end of life" and no longer supported. I also suspect the owner is more focused on (especially non-forum) growth right now, as it seems to have expanded to 52 total sites.

[John in Santa Cruz]

Quote:

Originally Posted by Defenestrator

It's a free site, but it's not a non-profit or hobby site. The "company" is a one-man show as far as I can tell, or very close to it, so the technical side of it is a bit on the neglected side. For example, in addition to being 5+ years behind on adopting SSL, the forum software being used is "end of life" and no longer supported. I also suspect the owner is more focused on (especially non-forum) growth right now, as it seems to have expanded to 52 total sites.

indeed, I was using Fuelly.com, coowned by the same 'SocialKnowlege LLC, for awhile to track my vehicle mileage, it too has been very neglected, nothing has been updated in eons, the android applet for it barely works.

SocialKnowlege operates the RVlife network and a bunch more, rvlife in turn has at least a dozen maker-specific RV sites under it, all are variations on the same thign as this one, different templates, but the same structure. and yeah, its ALL being managed by a one man shop who seems to have a pretty hands off attitude.

[JonRaw]

Quote:

Originally Posted by Defenestrator

It's a free site, but it's not a non-profit or hobby site. The "company" is a one-man show as far as I can tell, or very close to it, so the technical side of it is a bit on the neglected side. For example, in addition to being 5+ years behind on adopting SSL, the forum software being used is "end of life" and no longer supported. I also suspect the owner is more focused on (especially non-forum) growth right now, as it seems to have expanded to 52 total sites.

Based on the number of ads, click bait, popups, etc, I would say this is pretty much the opposite of not for profit site. I'm sure whoever owns this site does just fine selling our eyes to all of the advertisers.

[cpaharley2008]

It is secure now............!

[gordon2]

Quote:

Originally Posted by cpaharley2008

It is secure now............!

Of course just because the site uses SSL does not even remotely imply that the data stored on the server is secure. So all the usual admonishments for safe Internet use still apply. These include using unique passwords for each site or app, not exposing any sensitive information such as social security numbers, banking account or routing numbers, etc.

[cpaharley2008]

Why is the SSL any less than the on line banking "lock" display?

[gordon2]

Quote:

Originally Posted by cpaharley2008

Why is the SSL any less than the on line banking "lock" display?

Can you ask that another way? I do have a lock icon on my URL (Google Chrome browser).

The Site info shows the certificate is valid until June, issued by Cloudflair. (One reason websites avoid using SSL is the cost of the certificate).

SSL is a small part of the picture and banks better do pretty darn well at the rest of the security. Other sites might not do as well. Hence all the problems at sites with fewer resources, or even ones like Facebook.

By the way, I used to run a web server on an old computer at my house. I did have a SSL certificate but it was one that I issued to myself. Since I am not a trusted authority for issuing security certificates when you came to my site your browser (should have) issued a warning that the site might be fake (or words to that effect). But it still used SSL, just with a self-issued certificate. So the traffic to and from was encrypted, but that was the only security advantage for the user. They could not be sure the site was the one it claimed to be.

Its easy to set up a web server but maintaining the server properly is a lot of work, so I won't claim it was always secure and it maybe could have been hacked. Or I could have just decided to sell the data collected from my users. There is a lot of trust involved.

[Johnny M]

Quote:

Originally Posted by Defenestrator

It's a free site, but it's not a non-profit or hobby site. The "company" is a one-man show as far as I can tell, or very close to it, so the technical side of it is a bit on the neglected side. For example, in addition to being 5+ years behind on adopting SSL, the forum software being used is "end of life" and no longer supported. I also suspect the owner is more focused on (especially non-forum) growth right now, as it seems to have expanded to 52 total sites.

RV Life is definitely a for profit company. As for the software being at the "end of its life" that too is a huge security concern. This is how hackers do a lot of exploiting, by vulnerabilities of out dated software. With thousands upon thousands of posts and threads they could inject malicious code anywhere. The owner needs to migrate to up to date software to minimize security risks as well as rely on 3rd party site protection such as Site Lock Security in addition to high encryption SSL certificates.

All it takes is you visiting one hacked thread or post and malicious code can infect your computer stealing information on it as well and any other site you visit. There is a reason they call it a computer "virus".

[ZachO]

I was always a little surprised this site was unsecured, too. I know very, very little about all this stuff, but I do know that when I recently started a blog, just a very simple little blog, the web hosting service offered as part of the deal a secure site, in the sense that people would see that "lock" icon in the browser. All part of basic, $100/year web hosting.

[Defenestrator]

In addition to the danger of the forum software being EOL (which isn't as bad as it sounds, given how many years of revision/fixes went into vBulletin 3.x without major functionality additions), vBulletin 3.8.11 only works with PHP 7.1 or older, which itself stopped getting security updates at the end of 2019.

Unfortunately the owner has his work cut out for him in terms of updating. vBulletin 5 is unfixably terrible, so the most realistic upgrade path is to switch everything over to Xenforo instead. That means redoing a lot of customization in addition to learning a whole new system, plus around $5K in license costs.

[cpaharley2008]

It's always about the money.....