Site not secure - request for a certificate

Posted: 21 Aug 2019, 12:27
by lobster
Hi,

I noticed that both http://boundanna.net and http://boundanna.com are not encrypted and secured by a certificate. The forum traffic, subsequently, is also visible 'on the line'. Given the topic and, much understood, need for privacy on the web, I would like to request a certificate be placed on both domains and all services.

To request these certificates, please consider the service https://letsencrypt.org/. It is well known, supported, respected and, perhaps best of all, free.

Thanks

edit: it looks like there already was a topic for this - http://forum.boundanna.net/board/viewto ... f=3&t=8086

Re: Site not secure - request for a certificate

Posted: 22 Aug 2019, 01:08
by bound_jenny
This is an open forum anyway. Anyone, even non-members, can read posts made here. Though this could be viewed as a disadvantage security-wise (though I don't think anyone here is using their true offline identity as their user name - which isn't recommended in any case), there is an advantage that people seeking a community like ours to share their kink can discover it and read a little before deciding to join.

Nearly twelve years ago, that was my case (as it was for many).

I don't have any issues with this forum not being encrypted. I have no private information stored here, and not even in my own computer! That's security 101 - don't leave your information lying around for ill-intentioned people to pick up.

Jenny.

Re: Site not secure - request for a certificate

Posted: 22 Aug 2019, 02:24
by Shannon SteelSlave
I just saw Bing [Bot] reading this. They're onto us already. Why does Yandex [Bot] like self bondage discussions anyway?

Re: Site not secure - request for a certificate

Posted: 22 Aug 2019, 10:51
by lobster
Hi Jenny,

thanks for your reply.
bound_jenny wrote: This is an open forum anyway. Anyone, even non-members, can read posts made here.
I appreciate this forum being open and accessible for non-members. This is how I also started, and I think many can relate. However, this seems like a separate discussion and line of argument, unrelated to the use of HTTPS. There is nothing in HTTPS that prevents non-members from browsing the public and open forum, or search engines indexing its content. These certificates don't encrypt data at rest, they encrypt data in transit and assure users they visited the site they intended - the little green lock in the URL bar is a sign of confidence people have come to expect.

I agree with your statement and good advice not to store any personally identifiable information on the site. But there are scenarios where your tech-savvy roommate or the free wifi in the neighbourhood monitors internet traffic, leaving users exposed without their direct knowledge. Having a certificate on your website mitigates these Man-In-The-Middle attacks.

Lastly, Google and all major browser vendors are already penalising non-https sites [1]. This is because, although for an individual site the information leakage might be benign, it is often the combination of different sources that results in harm. The penalties come in the form of giving this website a lower rating in search results, making it harder for new users to find, and/or displaying a warning message prior to opening, scaring new users away. I feel both go directly against your interest of having an open forum and the desire to accommodate non-members in their journey.

[1] https://www.youtube.com/watch?v=cBhZ6S0PFCY

Re: Site not secure - request for a certificate

Posted: 23 Aug 2019, 00:54
by bound_jenny
Shannon SteelSlave wrote:I just saw Bing [Bot] reading this. They're onto us already. Why does Yandex [Bot] like self bondage discussions anyway?
Some are goo-goo for Google[Bot]s...

Not quite as tasty as Cocoa Puffs, but you can only be coo-coo for them. You can't be goo-goo for them.

Unlike Cocoa Puffs, the Google[Bot]s don't appreciate being soaked in milk. :mrgreen:

Jenny.

Re: Site not secure - request for a certificate

Posted: 23 Aug 2019, 00:58
by Shannon SteelSlave
Why don't they stick to their own species (sort of) and just browse software?
Thanks for tolerating my 'bot fears again. Should be a few months until they flare up again.

Re: Site not secure - request for a certificate

Posted: 26 Aug 2019, 12:28
by Sergio
I'll echo what lobster wrote. It's not a dealbreaker for me because I control the internet connection and access sites of a personal nature from a dedicated virtual machine but it could affect others.

Without HTTPS someone with access to the router logs would be able to tell not just which computer accessed which site and when but what pages they looked at and potentially for how long. If you access from work or a public internet that would be the network administrator, at home the person who manages the internet (parent, spouse).

With HTTPS they would only be able to see the IP address of the server hosting the site (which could also be hosting many other sites) and potentially the original DNS lookup. With secure DNS on the horizon even that won't be possible.

Depending on how this site is hosted, adding a certificate could be very straightforward and with Let's Encrypt now accepted by most browsers, there would be no expense. Feel free to pm if you'd like technical advice.
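
Added example, not part of any post in this thread: a sketch of what a passive observer on the network path can read from a plaintext HTTP request compared with the first message of an HTTPS connection. It goes slightly beyond the posts above by showing the server name (SNI) that a standard TLS ClientHello still carries in the clear; the host `forum.example`, the request contents and the helper names are constructed for illustration.

```python
import struct

# Constructed sample: a login POST sent over plain HTTP (host and values are made up).
SAMPLE_HTTP = (b"POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
               b"Cookie: sid=abc123\r\n\r\nusername=alice&password=hunter2")

def http_observer_view(raw: bytes) -> dict:
    """Fields readable on the wire from one plaintext HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"host": headers.get("Host"), "method": method, "path": path,
            "cookie": headers.get("Cookie"), "body": body.decode("latin-1")}

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni              # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def tls_observer_view(record: bytes) -> dict:
    """Fields readable from the first TLS record: at most the SNI host name."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return {"host": None}
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # skip session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")      # skip cipher suites
    p += 1 + record[p]                                   # skip compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:                                  # walk the extensions
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                   # server_name extension
            nlen = int.from_bytes(record[p + 7:p + 9], "big")
            return {"host": record[p + 9:p + 9 + nlen].decode()}
        p += 4 + elen
    return {"host": None}

if __name__ == "__main__":
    print("HTTP :", http_observer_view(SAMPLE_HTTP))
    print("HTTPS:", tls_observer_view(build_client_hello("forum.example")))
```

Over HTTP the path, session cookie and submitted credentials are all readable; over HTTPS everything after the handshake, including those fields, is encrypted.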

Re: Site not secure - request for a certificate

Posted: 26 Aug 2019, 20:21
by anna
lobster wrote:I noticed that both http://boundanna.net and http://boundanna.com are not encrypted... (cut short and edited by Anna)
Hi Lobster! Thanks for your post. I have traditionally been rather negative to any form of encryption but I have understood that it would be good to have. The last year I have experimented trying to get encryption to work for BA by pulling on levers, pushing buttons and generally messing up settings. As you can see I have been somewhat less than successful in my adventures to add that extra S in the address bar. I guess that what it comes down to is that our host simply does not want to offer the service we need without getting paid for it. So where we stand at this moment is that yes, encryption is planned but currently there is no money for it*. (Also note, yes it might be wise to change host to a better more friendly host but this is a gigantic project and I can not do this at this time.)


(*Anyone who has been visiting this dark corner of the web for a while will have noticed something that has changed in these forums. Advertising. BA has always been run with the philosophy that it should pay for itself with the help of as non-intrusive advertising as possible. This no longer works and we have reached a situation where the future of the whole website is in question unless things improve.
Big hugs to all those who have made and continue to make this website possible, it would not be here without you.)

Re: Site not secure - request for a certificate

Posted: 27 Aug 2019, 03:42
by Shannon SteelSlave
anna wrote: So where we stand at this moment is that yes, encryption is planned but currently there is no money for it*. (Also note, yes it might be wise to change host to a better more friendly host but this is a gigantic project and I can not do this at this time.)
we have reached a situation where the future of the whole website is in question unless things improve.
Big hugs to all those who have made and continue to make this website possible, it would not be here without you.)
Anna, whatever you need from me, please ask. Anything within my abilities, or even outside of them, as I really don't know my own strength as of yet. I have played many roles around here, some natural, some I had to learn, and some I had to put on a new face to accomplish, and have learned a lot.
Lobster, I hope my attempt to break the tension with humour was not ill-received. Shannon salutes you :hi:

Re: Site not secure - request for a certificate

Posted: 27 Aug 2019, 21:14
by anna
Shannon SteelSlave wrote:Anna, whatever you need from me, please ask. Anything within my abilities
Thanks. You are already doing loads by simply being an active member here. There are loads of friends of this site that are doing lots to keep it running. I do not ask that anyone should do anything more or less than they do now. The issues will either sort themselves out or they will not, the future will tell. The way this site is run relies on active members who share their ideas with the rest of us and a small amount of passive non-members who might instead take an interest in any of the external websites advertised. Everyone above the age of 21 is welcome here and you all contribute in different ways. :hi:

Re: Site not secure - request for a certificate

Posted: 27 Aug 2019, 21:27
by Shannon SteelSlave
Might I ask for your help on my latest crazy scheme? Should be fun. I promise.

Re: Site not secure - request for a certificate

Posted: 28 Aug 2019, 21:47
by anna
Shannon SteelSlave wrote:Might I ask for your help on my latest crazy scheme? Should be fun. I promise.
Send me a PM and we will see what can be done.

Re: Site not secure - request for a certificate

Posted: 29 Aug 2019, 18:26
by lobster
Hi Anna,

thanks for your comments in the discussion. It's a shame to learn the hosting party is charging for what is essentially a commodity these days.

One other option to consider is to put cloudflare.com in front of the site. Cloudflare offers a lot of networking tools, optimisations and protection. And they also support Flexible SSL - this allows a secure HTTPS connection between the visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and visitors will still see the site as being HTTPS enabled.

Perhaps less ideal, as the content is only partially encrypted, but it does protect users during the most vulnerable leg of their journey. Cloudflare has a free plan that can be used and has no problem with adult content.

@Shannon no worries, thanks :)

Here is a relevant part in the CF documentation - https://support.cloudflare.com/hc/en-us ... SL-options

Re: Site not secure - request for a certificate

Posted: 30 Aug 2019, 00:58
by anna
lobster wrote:One other option to consider is to put cloudflare.com in front of the site.
Thanks, that looks interesting.

Re: Site not secure - request for a certificate

Posted: 31 Aug 2019, 18:37
by KinkInSpace
Does your hoster not even support the free and open-source "Let's Encrypt"? Even the free webhosting services have Let's Encrypt support nowadays.

For me it kind of is a dealbreaker to not have SSL support because more and more browsers start to actively reject non-https sites and it is a security risk when it comes to intercepting someone's username and password, which is the whole reason everyone and everything is migrating to SSL nowadays.