Avid Pro Audio Community


unkJE 01-19-2021 03:03 PM

Protect the DUC
 
To protect the DUC and its Members & Moderators, may I suggest changing:

http://duc.avid.com/register.php

to

https://duc.avid.com/register.php


and


http://duc.avid.com/index.php

to

https://duc.avid.com/index.php




This Thread prompted this Post:
Fraudulent Avid Website Identified!
http://duc.avid.com/showthread.php?t=413711

unkJE 01-19-2021 05:27 PM

Re: Protect the DUC
 
Quoting from:
https://www.securitymetrics.com/blog...sites-insecure

"Are HTTP Websites Insecure?

HTTP vs. HTTPS: One little letter can make a lot of difference
If you’ve never paid attention to the browser URL while surfing the Internet, today is the day to start. At the prefix of each website URL, you’ll usually see either HTTP or HTTPS. One shows the site you are on is secure (HTTPS), and the other does not (HTTP).

In terms of security, HTTP is completely fine when browsing the web. It only becomes an issue when you're entering sensitive data into form fields on a website. If you're entering sensitive data into an HTTP web page, that data is transmitted in cleartext and can be read by anyone. ... And those customers data is insecure.”


When we register on the DUC:
http://duc.avid.com/register.php?

Bob Olhsson 01-20-2021 12:26 PM

Re: Protect the DUC
 
Converting my website was pretty trivial.

unkJE 02-23-2021 07:27 PM

Re: Protect the DUC
 
Thank you, Avid, for converting the DUC’s prefix to https://

unkJE 02-24-2021 02:14 PM

Re: Protect the DUC
 
Looks like "half-fixing" it appears ...

Now seeing both http://duc.avid.com/
and https://duc.avid.com/

Typing
Avid DUC Forum
in Google goes to: (Not secure) http://duc.avid.com/

However, typing in URL space
https://duc.avid.com/
gets to the “safe” DUC

So any new potential Member who Googles
Avid DUC Forum
then clicks up top on “How to Join & Post”
will be entering their personal details on the (Not secure) http://duc.avid.com/

Conclusion: still needs fixing!

Darryl Ramm 02-24-2021 02:40 PM

Re: Protect the DUC
 
Yes, should have been announced, and a redirect from http to https set up. There is no real fix until the unprotected site goes away. But maybe Avid is planning on doing that and we just jumped the gun?
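
A check for the "half-fixed" state discussed above, as an added example that is not part of the original thread: it walks the redirect chain from an http:// URL and reports cleartext content, non-HTTPS or temporary redirects, and a missing Strict-Transport-Security header (the HSTS check goes beyond what the thread mentions). The host forum.example and the response tables are constructed sample data, not captures from any real site.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample responses: URL -> (status code, response headers).
HALF_FIXED = {  # both schemes answer with content, no redirect
    "http://forum.example/register.php": (200, {}),
    "https://forum.example/register.php": (200, {}),
}
FIXED = {  # permanent redirect to HTTPS, HSTS on the HTTPS response
    "http://forum.example/register.php":
        (301, {"Location": "https://forum.example/register.php"}),
    "https://forum.example/register.php":
        (200, {"Strict-Transport-Security": "max-age=31536000"}),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def audit(start_url, responses, max_hops=5):
    """Follow redirects from start_url; return a list of findings."""
    findings, url = [], start_url
    for _ in range(max_hops):
        if url not in responses:
            findings.append(f"no response recorded for {url}")
            return findings
        status, raw_headers = responses[url]
        headers = {k.lower(): v for k, v in raw_headers.items()}
        scheme = urlsplit(url).scheme
        if status in REDIRECT_CODES and "location" in headers:
            target = urljoin(url, headers["location"])
            if urlsplit(target).scheme != "https":
                findings.append(f"{url} redirects to non-HTTPS {target}")
            elif scheme == "http" and status not in (301, 308):
                findings.append(f"{url} uses temporary redirect {status}")
            url = target
            continue
        # Final response in the chain: content is served from here.
        if scheme == "http":
            findings.append(f"{url} serves content over cleartext HTTP")
        elif "strict-transport-security" not in headers:
            findings.append(f"{url} sends no Strict-Transport-Security header")
        return findings
    findings.append(f"redirect chain from {start_url} exceeds {max_hops} hops")
    return findings


if __name__ == "__main__":
    for name, table in (("half-fixed", HALF_FIXED), ("fixed", FIXED)):
        print(name, audit("http://forum.example/register.php", table))
```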

Emcha_audio 02-24-2021 09:17 PM

Re: Protect the DUC
 
Been a while since I registered, but I don't remember the DUC asking for any personal (dangerous) information itself that was required, nor CC #, social security or anything that could very well be used to usurp identity.

Not saying it's not a good thing they did go to HTTPS, but there's no real personal data here.

JFreak 02-24-2021 10:46 PM

Re: Protect the DUC
 
https could potentially reduce spam posts, though

Darryl Ramm 02-24-2021 11:02 PM

Re: Protect the DUC
 
Quote:

Originally Posted by Emcha_audio (Post 2594412)
Been a while since I registered, but I don't remember the DUC asking for any personal (dangerous) information itself that was required, nor CC #, social security or anything that could very well be used to usurp identity.

Not saying it's not a good thing they did go to HTTPS, but there's no real personal data here.

This has been discussed before. It's open to MITM attacks, and there *is* critical data here. Especially passwords that users will naively reuse in their other Avid accounts and maybe accounts elsewhere, and I'll bet you there is confidential info in PMs. And what happens when vBulletin admin credentials are stolen? That would be fun. I'd just need to find where jeffro or other folks are... and unleash the pineapple. Nothing here is rocket science, or hard to do, you just don't put up any non-https web sites that are anything more than the dumbest static content.

TOM@METRO 02-25-2021 09:27 AM

Re: Protect the DUC
 
Quote:

Originally Posted by Darryl Ramm (Post 2594423)
This has been discussed before. It's open to MITM attacks, and there *is* critical data here. Especially passwords that users will naively reuse in their other Avid accounts and maybe accounts elsewhere, and I'll bet you there is confidential info in PMs. And what happens when vBulletin admin credentials are stolen? That would be fun. I'd just need to find where jeffro or other folks are... and unleash the pineapple. Nothing here is rocket science, or hard to do, you just don't put up any non-https web sites that are anything more than the dumbest static content.

Thanks, Darryl.


All times are GMT -7.