Why is the POI Factory website listed as 'NOT SECURE'?

This site does use HTTPS for authentication (login). The serial number is 0f88ed86ee6171c06d50bc8c1d995e28.

The site doesn't use it when submitting posts, probably because there is no need since they aren't confidential (they will be public after clicking "submit" anyway).
Chrome shows that now to keep you aware in-case a website tries to ask you for credit card information or something.

I don't know of any other websites (forums, message boards, news, maps, weather, financial markets, restaurants, car dealerships, golf courses, real estate sites, pharmacies, municipalities, etc., etc., etc.) that are Not Secure like POI Factory is. Do you know of any?

As flyoffacliff noted, POI Factory uses HTTPS for the login screen (and the rest of the site still uses basic HTTP).

At the time we moved the login page, the hosting service we're using didn't have an HTTPS option available for the main site (which is why login happens through poi-factory .net rather than poi-factory .com).

Since then, I see the hosting service has added an HTTPS option that might work with the main site; so I need to do some checking/testing in order to get it implemented.

Jonathan (aka JM)

Login used to be in clear text but it's been secure since 1+ year ago (as far as I can remember). I don't see anything here that asks for credit card info. I welcome everyone to steal my posting or replies.

Why are you still using it?

Took you 9 years to realize that? Or is this some kind of retaliation because they removed your insensitive post?

Payment not secure??? That's something new to me. I didn't know POI factory users sell and buy stuff in this forum, or do they? You made a valid point if this site sells stuff thru non secure connection. As for open discussions... pffft... I don't care.

As you said... if you don't trust it, don't use it. I'm cool with non secure discussions.

while it isn't secure is there any great need to? If my banking, credit cards, or other financial pages were not secure I would be worried since there is information I don't want exposed. On this site everything you post is public and most on this site have no information showing or available as to their real name, city, age or other information that could be used. I guess if it bothers you that much you should stop using the site. Personally for this site I see no security problem.

I'm grateful that the owners of poi-factory operate the website and spend the money and time that is necessary to keep a website running, free of charge to users. HTTPS is an extra cost, both money and server load. A reasonable compromise is to only use HTTPS (TLS/SSL) for authentication (gathering username/password). POI-FACTORY is doing this. Operating full time in HTTPS has become less expensive over time than it used to be, but is still a non-travel extra expense.

Have you operated a busy website and made it HTTPS? Would you like to donate toward a server operating this way, including certificates, TLS/SSL accelerators, CPU, etc?

Finally, what is the benefit for a website with only public information? Your post is public and visible to all. There is no confidential personal data or banking data or tax data etc, once you are logged in. The only information that is confidential is the authentication session, which is encrypted with TLS/SSL. If you are not comfortable with your post being public, you may not want to use the website at all.

chewbacca - You were replying to Google's comments concerning NOT SECURE websites!

► https://support.google.com/chrome/answer/95617?visit_id=6368...

How would I know if you copy and paste? You posted it so naturally I thought you said it.

JM - Good choice!

It's good to hear that you took security seriously enough to go to the trouble to do that.

A lot of hosting providers (i.e. HostUS for example and no, I'm not affiliated with them but I do use them) are starting to support free Let's Encrypt certificates now so if yours doesn't, ask them when they plan to do so.

Unfortunately, people tend to freak-out when they see that message, not realizing that it's only really necessary to protect their login information on a forum like this. While payment and login/account as well as other sensitive information definitely need to be kept secure, I think the paid certificate-providers have worked hard to spread the FUD and probably lobbied for alarmist certificate-error wording in browsers in order to keep those payments coming in!

- Phil

...for the login, I'm satisfied. Nothing I put on here is sensitive or will divulge my location. I never use real names (other than maybe a first) on sites such as this. Correct cities are never used. My Facebook account; such as it is, is completely false. The name I use is wrong, birth-date is wrong, everything. I do this for security reasons. I can access Facebook if I so desire, but it is only for research purposes, not connecting with anyone. I was involved in law enforcement and corporate security work for my entire career. There is a treasure trove of info out there if you know how to get it. That's why I never divulge my name or location. It's just common sense. On sites like this I never divulge anything that I don't want the whole world to see. For instance, I may tell you where I've been, but I will not tell you where I am going. Just my two cents worth.

I have never had a issue with website since I joined 9 years ago, in fact I really appreciate all the work that has been done over the years

There are many reasons why ALL websites (not just login pages or certain web pages where sensitive information is used) should have the secure HTTPS certificate. If anyone cares to know why - Google Search is a wonderful tool to use.

Of the hundreds (who knows - maybe thousands) of different websites I have visited recently, POI Factory is the only non-HTTPS ('Not Secure') website I have come across.

I visit several forum type web sites that do what POI-Factory does, secure log-in, non-secure site after login. They too, are topic specific chit chat sites, nothing that I would/should be concerned with as far as personal security is concerned is discussed. Of course I am aware of this and if it bothered me I'd find another site to chit chat on about the subject matter.

I personally don't have enough free time, or the inclination to visit hundreds or thousands of sites and keep track of whether they are secure or not.

But in this instance I fail to see what big security issue is lurking around the corner to get us. I think this is basically a non-issue.

But in the end if you think the site is not secure enough for you then don't visit the site. Seems like a simple solution.

I hope this doesn't sound too dumb to ask...

When logged into The Factory via the https (.net) login page, we can then use the http (.com) pages so the http site knows we're a registered user and attributes our posts and actions to our account.

Does the http (.com) site know who we are via a cookie or something created on our computer which is passed back and forth with each of the many pages available on the site? If not, how do the http pages continue to know that I'm me? However it's done, if someone intercepts the back and forth between me and the http site, would it allow the hacker to know my username and password which would allow them to then log on as me and post messages, etc? If a cookie or something shared between my computer and the site allows a hacker to know my password, then I shouldn't use the site on public wifi like in motels and coffee shops. If the shared info letting the site know who I am does not allow a hacker to post messages, etc. under my username, then it seems OK to me to read and post messages on the site here as long as I offer no private information like my email address, credit card info, passwords, etc. while on public wifi.

As has been discussed before and shown to be acceptable by the site's owner, some here don't log out after each visit and that allows them to return to the site for days without having to log in again. Only after logging out or clearing browsing data is there a need to log in again.

On a related question, if using public wifi but while on a https site, how "uncrackable" is the back and forth between m computer and the site? If totally safe, then it should be OK to do online banking and other sensitive communications even while on public wifi. Being cautious and not knowing the answer, I've never considered doing any sensitive stuff while on public wifi but will confess to doing limited POI Factory visits logged in as me when I'm traveling and using motels' public wifi.

I will not use a public WiFi to log on to anything, mainly because I believe I was hacked on a public WiFi 3 years ago while travelling.

If I need to check email then I use cellular data as I normally disable WiFi on my phone and tablet when travelling. Over the past couple of years I have been shutting off the WiFi on the laptop as well and have found that it still suits my needs for upkeep of documentation without any need for temporary internet access.

Cookie keeping has always bothered me. I delete all cookies at the end of every session as I exit the browser. The small inconvenice of relogging in every time is trivial.

Google has done a big push to get webmasters to make sites secure. To secure the site you need an SSL Certificate and they are not cheap. Getting hacked and having your information exposed, being a victim of identity theft, or getting hacked is a possibility in today's world of technology. If you want to almost completely avoid it, then quit using technology like computers, cell phones, and the internet. If you are not happy with the security of this site, then quit using it.

Jonathan, thank you for having this FREE site for everyone to use. Being a Webmaster is time consuming, tedious, and often thankless. I want to take this opportunity to thank you and all involved for your hard work and dedication to this site.

I don't purposely 'keep track' of whether the websites I visit are secure or not. I've only seen one that's Not Secure - so it's easy to remember!

I just don't understand why you keep posting on this site if it is a risk? Why not shun it like the plague?

I don't see anything at risk here once you get through the secure login.

Enough of the rant, let's let JM decide if he wants to spend the extra $$ or not. If he decides not to, then move on.

This is why the EFF (Electronic Frontier Foundation) started Let's Encrypt, providing free SSL certificates which are now recognized by pretty much any legitimate browser. The certificates are fairly short-lived, requiring them to be updated every 3 months or so but there are programs (i.e. Certbot) and scripts to automate this process. The CA challenges you to either put a file on the site in question and/or create a DNS txt record to prove that you control the site and/or domain. This is more secure than just taking money from your wallet to sell you a certificate. Webmasters using Google Analytics are already familiar with this process.

Hosting providers like HostUS and Bluehost, for example, now support Let's Encrypt and more are adding this capability as time goes on. You'll never have to worry about updating your certificate again, as it is renewed automatically.

Google encourages encrypted websites and shows SSL-encrypted sites higher in search results than non-encrypted (plaintext) sites, all other things being equal.

- Phil

If you're that worried about security, or open/public WiFi, then use a VPN. I have unlimited SSL Usenet and 5 concurrent machine VPN for a grand total of US$4.99 per month - the VPN portion of that is US$1.00 per month. I don't bother using the VPN on here because there's no point.

As has been pointed out there's nothing on here at any kind of security risk except possibly your username and password - which IS https secure. And if you're not using a unique user/password combination on every different site then you already have a much bigger security problem than the POI site.

While it does make sense, what's the downside? Someone see's what I've just typed, they grab some pois as they are downloaded, etc.

Food for thought--what do you do when you are warned that parts of a banking website are not secured, such as images? Me, I don't proceed, but what if it's a transaction that was necessary and the reality was the banking was secured, it was icons and logos and images that were not?

When I gave my uncle a Netgear router (5 ghz he lives in NYC) for XMAS, he insisted that we hide the SSID when we set it up. It caused a heck of a lot of trouble, I explained there's no need to do that. If you use WPA2, it would be easier to try to break into your apartment to see if you wrote the wireless password down on a piece of paper than it would be to use a supercomputer to try to figure it out....

Couldn't stop it was so fascinating. I study people in shopping lines, best place to see the real person. They let their guard down and you can really see the inner soul. This was great, some one asked a question, got an answer that was very polite. Then the fun started, a full explanation of why, no risk/need, possible cost, extra work. This individual kept it going without even a thank you and going and going. I'll give another first and only for POI Factory, first site I have ever been on that never once used the word "Troll" after OP's 3rd and ongoing posts. If you don't like a free site with great info and People, move on to one of the "Secure" ones

was an ongoing joke at work about an "email stripper."

What's that?

It's a program that automatically removes please and thank you from the body of an email.

As far as lines go, I saw an interesting scenario at Costco. There was a woman, and then 4 distinct groups of people making purchases with her membership. To make matters worse, they were all paying cash! So now, the woman with the membership was paying, and trying to collect the proper payment from the other 3 parties. Normally I may have spoken up and said you guys are really holding up a long line, but I found it amusing from an observation standpoint. I was thinking that as an Executive Member this is beneficial as all those purchases are earning 2% for me. But they really could just leave with the purchases and figure out the money part later.

The main downside as a website operator is increased expense (for certificates and increased server capacity), increased hardware demands, and increased overhead of obtaining, maintaining, and renewing certificates, plus the additional regular encryption package updates needed. Encryption and creating encrypted sessions on a busy website places a non-trivial additional server load, increasing computing capacity requirements.

I'm guessing the folks (folk?) who are demanding TLS connections for all web pages do not operate their own website or do not contribute money toward the operation of a TLS/SSL enabled website.

Separately, for WiFi: "hiding" the SSID does not actually provide any security benefit, since the "hidden" SSID is still very visible in the wireless 802.11 frames flying around. In fact it may reduce security, since it forces clients (wifi supplicants) to send out every SSID they have programmed over the air in order to find the base station/access point that accepts their request. An intruder could use that information to create a rogue AP for the client to connect to with an SSID it is expecting, and other creative mischief. Better (and much easier for guests) to just leave the SSID broadcast.

I agree with the rest of your comment except the cost. The price of digital certificates is no longer in the hundred or thousand of dollars today. You can get one for as low as $10 per year.

Ken,

People who use the Chrome browser can't help but see the 'Not Secure' symbol in the URL bar staring at them (see link below). I don't recall ever seeing the 'Not Secure' symbol on any other website, which is why I brought it up in the first place.

To be clear, it's not a matter of this site being a risk or not being secure enough for me as you suggest - it's to raise the question of why POI Factory doesn't have secure web pages like 99.999% of the other websites. It should be very simple to understand. Instead, you obviously are bothered by thinking there is something sinister about me bringing it up. You have misunderstood! To put it nicely, you have jumped to an incorrect conclusion. I find the topic interesting, not dire.

https://i.ibb.co/jhwBzMM/not-secure.jpg

99.999% is quite a statistic - where did you pull that from? "not seeing it on any other website" as you state does not generate a statistic unless you have personally visited EVERY website on the internet, or at least a reasonable sampling thereof.

I have not mis-understood your comment and I don't read anything sinister about your bringing it up. And I have not jumped to an incorrect conclusion, nothing dire about it. I still maintain that if you are worried about security here then stop posting.

What I find interesting is that your reaction was to post a general comment. Did you send the site admim a email about your concerns before posting? Did they not respond and then you posted? I did see that admin posted a comment in this thread, was that a resonable answer? If so, why are we continuing?

In fact I find the topic quite trivial and best left to a behind the scenes admin solution, and would not have responded now except that your analogy of my comments are incorrect.

Done, and Done!

I see you still don't get it Ken! I am not 'worried about security here' as you suggest. You may want to re-read my previous post. I cannot help that you are unable to understand...

LOL

Ken - I actually feel sorry for you bud...

This thread is closed because it's degraded into a back and forth.

~Angela