Is this site (GroupDIY) safe?

[clintrubber]

> Is this site (GroupDIY) safe?

Understood the actual question has been addressed well.

Partly in jest  , an additional and probably The Real Unsafe aspect of this site is its addictive character & friendly atmosphere & the tons of good info & exchange of it.
Years ago, I was a pretty heavy user, but could 'downsize'. Doing fine now, but it feels good to stop by now & then.    U is gewaarschuwd ! 

 

[micaddict]

Yeah, that may be the real bug.

Glad you caught it again.  ;D

Groetjes.

 

[clintrubber]

Glad you caught it again.  ;D

No no no, I'm just a toevallige voorbijganger ! ;-)

Prttg wknd alvast

 

[micaddict]

No no no, I'm just a toevallige voorbijganger ! ;-)

With 5711 posts under your belt?

You're just in denial, that's all. 

 

[clintrubber]

With 5711 posts under your belt?

You're just in denial, that's all. 

Ahh, oops, 'the former life', the addiction period.  8)  Clean now!

 

[micaddict]

Says he, just after he's lit up another one.

 

[Conviction]

Try the standard tricks (I assume you're on a Windows machine):

Hit the Windows button on your keyboard, enter the letters cmd and press enter.
Write ipconfig /flushdns and press enter. See what happens with the connection.
Sometimes it's necessary to clear the DNS cache.

It might also be a good idea to renew the network card connection (wifi or ethernet - doesn't matter):
Write ipconfig /release and press enter. Then write ipconfig /renew and press enter.

 

[emrr]

this is what I see

 

[micaddict]

Thanks guys. Keep it coming.

BTW I haven't had problems the last couple of days.

 

[PRR]

> this is what I see

Your Safari is not trusting Comodo.

Comodo is a well-known certificate issuer and generally trusted. They had a slip-up some years back but handled it well. I don't know why Safari would object.

 

[emrr]

or why Ethan's example does approve. 

 

[dmp]

Or why I get secure or unsecure depending on how I go to the page.

 

[JohnRoberts]

I think Ethan already said that Images are not SSL encoded, so they could be viewed and perhaps altered. Technically the site is not fully secure.

JR

 

[emrr]

I only get 'insecure' on the first visit of a computer wake cycle. 

 

[Ethan]

The reason for typically not encrypting images on a site where there are a lot of external image links (think about build threads that use outside image hosting) is that it will break a lot of image links if GroupDIY forces a request for a secure https connection to a linked image, and the server hosting the image cannot provide a valid TLS cert for the encryption handshake, you will see a busted image link.

There are ways to "fix" this.  One way is to have GroupDIY download the linked image and re-serve it. The downside is that creates a potential security issue to blindly download all externally linked images and re-serve them. There would have to be security checks on the downloaded image file before reserving the file from GroupDIY. It's a bit of overhead to do all that at runtime, so it would have to be done in batches for older posts, but could potentially be done when the post is submitted for new posts...I do have plans to implement this in the future.

As a quick test example, I just changed the external avatar image links to be protocol agnostic "//www.website.com" instead of "http" or "https". The result is that since GroupDIY.com is using https, it will make a request to the outside image server for an https connection. If the image server cannot provide one because it doesn't have a valid cert, the linked image will be busted like EMRR's avatar right now-- not intend as a poke at you, just an example.

So, currently, the tradeoff of forcing full encryption is there will be some busted image links. Everything is a compromise.

 

[emrr]

interesting that my avatar appears still on my user profile page and in the user toolbar at the top right, but busted next to posts. 

 

[Ethan]

interesting that my avatar appears still on my user profile page and in the user toolbar at the top right, but busted next to posts.

As a quick test example, I only changed the linking for the avatar that is displayed in a post.

 

[JohnRoberts]

As a quick test example, I only changed the linking for the avatar that is displayed in a post.

How much risk are we at from opening images?

I ASSume links to offsite are totally unprotected.

JR

PS  I am now seeing the secure lock ICON

 

[Ethan]

PS  I am now seeing the secure lock ICON

You will see the full lock icon on pages that have no externally linked images.
You will get the "partially encrypted" warning on pages that have externally linked images that are not using https.

How much risk are we at from opening images?

It depends on how creative/paranoid you want to get.
One possible threat is cross-site scripting. For example, using an image to inject some javascript to alter what you see on a page in an attempt lead you to another site. That has little to do with whether or not the site you're on uses encryption. That could potentially happen anywhere.
Members occasionally message me asking why the image they are trying to post leads to the "your image did not pass security checks" error. This typically happens when the image they tried to upload has some embedded script in the file. Usually, it's pretty innocent and nothing to worry about, like an html link to the photographer's website in the metadata, or gibberish that looks like it doesn't belong.

I ASSume links to offsite are totally unprotected. JR

Yeah, as a general rule, always use caution when clicking on any link.
Having said that, most modern browsers (Internet Exploder doesn't qualify ;D) have gotten pretty good about detecting most well-known security threats. Update your browsers and OS regularly as they almost always include security patches.

 

[JohnRoberts]

Thank you again

JR