Why no HTTPS?

This topic is closed.

  • Why no HTTPS?

    Any reason in late 2018 Radionomy isn't using HTTPS for this forum?
    The version of Chrome Dev I am typing this on is showing a red triangle in the address bar.

  • #2
    Because they don't care
    Current Setup: Windows 10 Pro, Sound Blaster Z, Logitech Z-5500, Winamp v5.666.3516

    Get wacup

    Comment


    • #3
      Can they be held liable? They just discovered HTTPS is free and added it to the homepage.

      Comment


      • #4
        Liable for? It's not a crime not to use https
        Current Setup: Windows 10 Pro, Sound Blaster Z, Logitech Z-5500, Winamp v5.666.3516

        Get wacup

        Comment


        • #5
          Seeing as the main site got Let's Encrypt and that this site is on a dedicated IP, I don't see it as being too hard, unless the vBulletin license is such that changing would mean needing a license for a new server.

          Comment


          • #6
            I think it's more neglect. The front page is the most activity we have seen in 4+ years. The forums still have references to AOL servers. Honestly, if 5.8 was never leaked, then I doubt the front page would have been updated.
            Current Setup: Windows 10 Pro, Sound Blaster Z, Logitech Z-5500, Winamp v5.666.3516

            Get wacup

            Comment


            • #7
              Homepage might not actually have HTTPS after all, as it is a Cloudflare (likely Business/$200/mo due to the custom certificate) IP address, and Cloudflare supports cheating by having their proxy run HTTPS but the backend run unencrypted. Browsers and search engines will just blindly see it as valid.

              Comment


              • #8
                Various issues, Grade C


                Can they be held liable?
                Yes if the site is breached or our plain text login details become available for sale.
                And since GDPR, very biggly so.
                My weekly radio show for nerds and wannabe nerds 15% Extra on Source FM every Friday

                Comment


                • #9
                  Please let's not get the site turned off, ok?
                  PENN STATE Radio or http://www.LION-Radio.org/
                  --
                  BUG #1 = Winamp skips short tracks
                  Wish #1 = Multiple Column Sorting
                  Wish #2 = Add TCMP/Compilation editing

                  Comment


                  • #10
                    It would be Winamp's responsibility for failing to provide even minimal industry standard security.

                    The Grade C given by SSL Labs is due to supporting SSLv3, and as a result being vulnerable to POODLE.
                    Even if SSLv3 were turned off, it would be capped to B because the site administrator installed the certificate file but not the chain file. This can cause a browser error if the intermediate certificate is not already in the browser's cache.

                    The server does support TLS 1.2, so the SSL toolkit installed on the server isn't completely obsolete.
                    The server does support strong ciphersuites, but at the same time supports the broken RC4 suite, and does not set server preference to the strong suites.

                    Comment
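Added example (not from any poster in this thread, and not the site's actual server configuration): the four findings in post #10, shown as a Python `ssl` server context that avoids them and an audit function that reports them. The suite string, the function names and the constructed PEM bundles are assumptions made for this example.

```python
import ssl

PEM_MARK = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(pem_text):
    """Number of certificates in a PEM bundle; 1 means leaf only, no chain."""
    return pem_text.count(PEM_MARK)

def build_hardened_context(fullchain_pem=None, key_pem=None):
    """Server-side context that avoids the findings listed in post #10."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv3 not offered, so no POODLE exposure
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # AEAD suites only, RC4 never offered
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's suite order wins over the client's
    if fullchain_pem and key_pem:
        # The file must hold the leaf certificate followed by its intermediate(s).
        ctx.load_cert_chain(fullchain_pem, key_pem)
    return ctx

def audit(min_version, cipher_names, server_preference, certs_served):
    """Return the post #10 findings that apply to a TLS endpoint profile."""
    findings = []
    if min_version <= ssl.TLSVersion.SSLv3:
        findings.append("SSLv3 enabled (POODLE)")
    if any("RC4" in name for name in cipher_names):
        findings.append("RC4 suite offered")
    if not server_preference:
        findings.append("no server cipher preference")
    if certs_served < 2:
        findings.append("intermediate certificate missing")
    return findings

def audit_context(ctx, bundle_text):
    """Audit a live SSLContext plus the text of the bundle it would serve."""
    names = [c["name"] for c in ctx.get_ciphers()]
    pref = bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)
    return audit(ctx.minimum_version, names, pref, count_pem_certs(bundle_text))

# Constructed bundles: placeholder bodies, only the PEM framing matters here.
LEAF_ONLY = PEM_MARK + "\n(leaf)\n-----END CERTIFICATE-----\n"
FULL_CHAIN = LEAF_ONLY + PEM_MARK + "\n(intermediate)\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(audit_context(build_hardened_context(), FULL_CHAIN))
    print(audit(ssl.TLSVersion.SSLv3, ["RC4-SHA"], False, count_pem_certs(LEAF_ONLY)))
```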


                    • #11
                      It should be noted that the grade C is for the main domain.
                      Here in the forums there is no encryption
                      My weekly radio show for nerds and wannabe nerds 15% Extra on Source FM every Friday

                      Comment


                      • #12
                        HTTPS is just too many letters. 4 is enough

                        Comment


                        • #13
                          My email leaked because no HTTPS?

                          HTTPS is definitely industry standard and has been for quite some time now. This is the only web site I have seen in a long time that does not use HTTPS. I even do it on my internal Web for NAS, etc., because it's easy and doesn't cost anything (Let's Encrypt, for instance). Today, I did get odd spam with the little-used mail address I used to register today. Could be coincidence, but who knows.....

                          Comment


                          • #14
                            https (SSL) is normally required on websites/forums that use "password fields" or contain other private data of users. The new "GDPR" law also states that it must be made clear that cookies are stored, and whether scripts transfer data to external websites. This only applies in the EU. But since there are users who live in the EU, this law should also apply to the relevant site. I have translated 2 extensions that contain this law, so I know what I am talking about.

                            Comment
