
SSL/TLS


Luca vom Bruch


Luca vom Bruch
Posted

Just noticed, the website and the forums don't seem to support HTTPS. I think that should be standard. Let's Encrypt is free.

  • Like 2
  • 3 weeks later...
Marcel Semelka
Posted

Yep, me being an IT administrator, I have to agree, especially if you tell your customers now to put their order number, serial number, real name etc. into their forum profiles.

Even if your data gets stored encrypted in a database (which I really hope it does), the transport of the data is currently not. And with valuable customer data like this, HTTPS should not only be used, but is necessary!

It really is a standard nowadays to provide HTTPS, with encryption becoming more and more important.

You should protect the data of your customers against any type of malicious attacks, like you are protecting your software against piracy.

 

LetsEncrypt for example is a free solution for that, but it needs renewal every 3 months (which can be automated on the webserver with a script/cronjob).

Usually companies own a wildcard certificate for their domain; cheap solutions for that are starting at about 100-150 $ a year (like AlphaSSL, I just bought a 3-year valid one there a couple of days ago for the company whose IT I'm managing).

A wildcard certificate has the advantage that it allows all of your subdomains to be encrypted by the same certificate.

For example, you get a wildcard certificate for *.flightsimlabs.com; that would allow you to encrypt forums.flightsimlabs.com, support.flightsimlabs.com, redownload.flightsimlabs.com (which is also unencrypted at the moment) etc. with only one certificate.

 

Just my 2 cents ;)

  • Like 5
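
The wildcard coverage described in the post above, as an added example that is not part of the original thread: a wildcard stands for exactly one left-most label under the usual RFC 6125 matching rules, so the bare domain and deeper subdomains are not covered by `*.flightsimlabs.com` alone. The function names and the two extra hostnames (the bare domain and `a.forums.flightsimlabs.com`) are constructed for illustration.

```python
# Added illustration (not from the thread): which hostnames a wildcard
# certificate name covers, using the usual RFC 6125 matching rules.

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate DNS name covers the hostname."""
    pattern = cert_name.lower().split(".")
    host = hostname.lower().split(".")
    # Same number of labels, no empty labels, no "*" in the hostname itself.
    if len(pattern) != len(host) or "" in host or "*" in hostname:
        return False
    if pattern[0] == "*":
        # Simplification: reject over-broad names such as "*.com" by
        # requiring at least two labels after the wildcard.
        if len(pattern) < 3:
            return False
        rest_pattern, rest_host = pattern[1:], host[1:]
    else:
        rest_pattern, rest_host = pattern, host
    # A "*" anywhere else (partial or non-left-most wildcard) never matches.
    if any("*" in label for label in rest_pattern):
        return False
    return rest_pattern == rest_host


def coverage(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Hostnames named in the thread, plus two constructed edge cases.
HOSTS = [
    "forums.flightsimlabs.com",
    "support.flightsimlabs.com",
    "redownload.flightsimlabs.com",
    "flightsimlabs.com",            # bare domain (constructed case)
    "a.forums.flightsimlabs.com",   # two levels deep (constructed case)
]

if __name__ == "__main__":
    for host, ok in coverage(["*.flightsimlabs.com"], HOSTS).items():
        print(f"{host:32} {'covered' if ok else 'NOT covered'}")
```

Certificates that should also serve the bare domain list it as a second name next to the wildcard, which `coverage(["*.flightsimlabs.com", "flightsimlabs.com"], HOSTS)` shows.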
Chirag Geiantilal
Posted

Something like 2 factor auth would be good also, in resume we have our A320-X key here, with 2 factor auth it would be more secure, if someone tries to log in to the account.

  • Like 1
Jonathan Fong
Posted
11 minutes ago, Chirag Geiantilal said:

Something like 2 factor auth would be good also, in resume we have our A320-X key here, with 2 factor auth it would be more secure, if someone tries to log in to the account.

I agree - the way it is now, if malicious individuals (e.g. hackers) get the passwords of forum members, they essentially have free serials for the A320X. They would still need the order number, though, but I don't feel very comfortable with my serial number being shown regardless...

  • Like 1
Karl Brooker
Posted

Gents,

HTTPS is on the roadmap, so that's coming.
2FA will be discussed in the future, and we understand your concerns as to why you'd want it :) 

  • Like 3
Jonathan Fong
Posted
On 3/17/2017 at 11:16 PM, Karl Brooker said:

Gents,

HTTPS is on the roadmap, so that's coming.
2FA will be discussed in the future, and we understand your concerns as to why you'd want it :) 

Excellent! Any chance of an ETA, or is it just going to be soon(tm) for now? I think us users would all very much appreciate it if it were bumped up to ASAP, now that we have to put our purchase data onto the forums...

  • Like 1
  • 3 weeks later...
Lefteris Kalamaras
Posted

We just installed an SSL certificate for the forums, so you can use https://forums.flightsimlabs.com 

Feel free to try it and let us know how it works for you.

 

EDIT: Fixed link.

  • Like 2
Ju_li_en Ke_ml_er
Posted

The link adds a " . " after the .com

After removing it, it works fine.

 

Lefteris Kalamaras
Posted

Thanks Julien, I fixed that link.

Also, SSL should work for Support and Redownload as well.

  • 5 months later...
Chirag Geiantilal
Posted

Any news on 2FA?

Lefteris Kalamaras
Posted
On 3/17/2017 at 3:44 PM, Chirag Geiantilal said:

Something like 2 factor auth would be good also, in resume we have our A320-X key here, with 2 factor auth it would be more secure, if someone tries to log in to the account.

Your key is not visible even to administrators in here as it's blanked out. As such, you don't need to worry about it at all.

  • Like 2
