Quote:
Originally Posted by Bob Olhsson
They changed something so it no longer omits the s from email notifications.
|
Work in progress ...
https://duc.avid.com/showpost.php?p=2594397&postcount=6
or
http://duc.avid.com/showpost.php?p=2594397&postcount=6
Quote:
Originally Posted by Darryl Ramm
Yes should have been announced, and a redirect from http to https set up. There is no real fix until the unprotected site goes away. But maybe Avid is planning on doing that and we just jumped the gun?
|
https://duc.avid.com/showpost.php?p=2519981&postcount=7
Quote:
Originally Posted by Darryl Ramm
The opponents of https here may be underestimating the potential risks involved.
There is just no reason any public (i.e. non toy) website should use open http today.
Https protects users from man in the middle attacks, protects users from easy things like stealing passwords (yes you should not reuse passwords or slight permutations on different services... but people do). Anybody want to guess how many users share passwords across DUC and avid.com and iLok.com? This and other reasons are why companies like Google are pushing for increased adoption of https, and folks have worked to make this all easier for web site owners to deploy. There is just no valid reason why Avid has not implemented https here. If not here, God hope Avid has folks paying attention to security elsewhere. A non-SSL protected user forum associated with corporate website, cloud services, online stores, billing systems, etc, is likely to be an interesting target for a malicious hacker. Oh and folks here with home studios full of valuable equipment... maybe being careful to not share location or other personal information on DUC... it may be possible to grab enough info about those users via a MITM attack to end up locating their studio.
|
https://duc.avid.com/showpost.php?p=...1&postcount=10
Quote:
Originally Posted by Frank Kruse
Anyone with a DropBox, Adobe, Yahoo, Myspace, LinkedIn account and many more has likely had his credentials compromised via past data breaches.
You can check here if your address comes up in one of these databases.
https://haveibeenpwned.com
It's not only about keeping credit card info safe but also about identity theft which can gain access to the latter indirectly. If you are still using the same logins since those breaches happened you'd better change them asap.
|
https://duc.avid.com/showpost.php?p=...5&postcount=15
Quote:
Originally Posted by Darryl Ramm
Have I Been Pwned is a *very* well respected security web site. And since that URL uses https, you can be confident that it's really that web site you are seeing. If your email address is listed there on "sites" you don't think you have been to, it's a sign that somebody else may have been using your email address, or some bad sites have some of your data (some "sites" where your email address will be reported consist of data stolen elsewhere). It does not necessarily mean your email account has been compromised, but change your password anyhow.
|
https://duc.avid.com/showpost.php?p=...8&postcount=16
Quote:
Originally Posted by JFreak
... let's just take Jeffro's word for it and assume Avid is once again taking a look into this...
|
https://duc.avid.com/showpost.php?p=...0&postcount=22
Quote:
Originally Posted by Darryl Ramm
…I don’t know any security person who would think this is not an issue worth fixing.
Want to guess how many Avid staff might reuse passwords or slight permutations on DUC and Avid in-house systems? Want to guess if they have a corporate password management system or hardware key/2FA authentication implemented for internal systems? Oh what goodies that might reveal?
Want to think what could happen if somebody MITM attacks and gets admin access to DUC and all the non-public info is scraped?
Security happens in layers, https is one of those important layers.
|
But what an enormous task!
Darryl stated
“There is no real fix until the unprotected site goes away”
There’s a heap of http prefixes when you consider all Pro Tools versions up to now - and their subsequent Documentation and Downloads, but "if a job’s worth doing, it’s worth doing well":
All past versions of Pro Tools
All Plug-Ins
All Documentation – (PDFs, Read Me, Knowledgebase articles etc. - including links to Drivers)
All should be available in Avid Download Centre (one-stop-shop)
BTW – trying to post this – got redirected into logging in again!
It’s the “Reply” button that goes to an “http”-prefixed site
Copy URL to new tab and add an “s” … make it:
https
… and you’re in!
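
An added example, not part of the original post and not Avid's code: a small audit script for the problem described above, where a page loaded over https still contains an "http"-prefixed Reply link. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser navigate, submit data or load a resource.
URL_ATTRS = {"href", "src", "action"}


class InsecureRefFinder(HTMLParser):
    """Collects references that resolve to plain http from a given page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlsplit(base_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative URLs the way a browser would.
            target = urlsplit(urljoin(self.base_url, value.strip()))
            if target.scheme != "http":
                continue
            # Form posts and same-host requests matter most: they can carry
            # credentials, or a session cookie that is not marked Secure.
            same_host = target.hostname == self.base_host
            risk = "high" if tag == "form" or same_host else "low"
            self.findings.append((tag, name, target.geturl(), risk))


def find_insecure_refs(html, base_url):
    finder = InsecureRefFinder(base_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, fetched (in this scenario) over https.
SAMPLE_PAGE = """
<a href="newreply.php?p=1">Quote</a>
<a href="http://forum.example/newreply.php?p=1">Reply</a>
<form action="http://forum.example/login.php" method="post"></form>
<img src="//cdn.example/logo.png">
<a href="http://other.example/info">External</a>
"""

if __name__ == "__main__":
    for finding in find_insecure_refs(SAMPLE_PAGE, "https://forum.example/showthread.php?t=1"):
        print(finding)
```

Relative and protocol-relative references inherit https from the page, so only the hard-coded http URLs are reported.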