PSA: Don't login to Spyderco Forum or send private info until SSL is fixed

Hi all,

Just a quick PSA to Spyderco and all users of their forums for the sake of protecting your private info.

I saw Kristi's note that SSL is being disabled. Please note that by doing this, all traffic through the forums is unencrypted, INCLUDING PII (personally identifiable info) and sensitive data, i.e. username, email and password. Please don't log in or update account info (i.e. address etc.) until this is fixed. All your info is going through the public internet in plain text, and any intermediate proxy, i.e. your ISP or routers, CAN SEE that info.

@spyderco/Sal/Kristi - You should add in your notice that until the SSL issue is fixed, forum users should not attempt to log in to their accounts or perform any action that would send sensitive/personal info through the site. This is important as your company could be subjected to a lot of liabilities because this is considered a data breach.
 
What if I just try to go to the forum like normal? My browser (iPhone Safari) keeps me logged in. Does that also risk my data?

I wasn't aware of an SSL issue when I attempted to visit earlier today.

Thanks!
 
As long as you don’t log in again, i.e. enter your username/email/pw again or submit any change to your account info like contact or address, you should be fine. That info goes from your computer/mobile/client across the internet and needs to be encrypted via SSL (watch for the lock icon in the address bar or make sure the address starts with “https”).
If the site still remembers you being logged in, it’s probably because you still have a previous session with the site via your cookie and the server remembers your last state. In most cases you should be fine. Those cookies seldom contain personal info.
Btw every site is different and I haven’t dug into the Spyderco forums much, so I’m making some educated guesses here.
 
Is Spyderco going to fix this? I tried to just Google info before I made my second thread in a row, and when I clicked ANY link it said the SSL cert wasn't valid and there was no cache.
 
I did notice it wasn't working on Monday. Is it fixed yet? Because I logged in yesterday and posted stuff there, and everything seems to be working normally. And I browsed this morning and again, everything appears normal and people are posting.

Jim
 
Might pay to remember that, up until a couple years ago, sites like the Spyderco factory forum that do not process payments or otherwise need things like your real name, phone, and address, never bothered with SSL. Also, even on forums that use it, pages where users have posted photos hosted on non-SSL sites aren't fully secure.
 