Secure Login Pages

  • Brian
  • Administrator
  • Posts: 11388
  • Thanks: 3729

Re: Secure Login Pages

10 years 7 months ago
#52323
Peggy, a secure certificate for ALL of the Toastmasters clubs that use the domain toastmastersclubs.org would be a wildcard certificate and would cost FTH $900 per year to support ALL clubs using our domain.

A club using a custom domain would cost $89 per year.
Thank you,

Brian McDonald DTM
Silver and Wiser Online Toastmasters Club #777940

Technical Support Consultant for FreeToastHost
The topic has been locked.
  • Kingu
  • Topic Author
  • New Member
  • Posts: 2
  • Thanks: 0

Re: Secure Login Pages

10 years 7 months ago
#52327
I am a District 35 club also, and have been "banned" from accessing the site via work.

<sarcasm>Aren't you volunteers supposed to be cheap? LOL </sarcasm>

900 bucks?!? Where are you shopping?

www.namecheap.com/security/ssl-certificates/wildcard.aspx

Positive or Essential, $94 or $99 bucks. While 900 or 99 from zero is still zero, however, it is much more affordable than you might think. You just need to shop a reseller. I use these for several of my clients. They work great when they need to offer multiple services and need a bunch of sub-domains secured.

Think it's doable? Let me know if I can help.
Club President
ROK the Talk #04456966
Mequon, WI 53092
  • kahelfrich
  • New Member
  • Posts: 2
  • Thanks: 0

Re: Secure Login Pages

10 years 4 months ago
#53799
Our company did the same thing, and we really love FTH. The meeting scheduling part especially was awesome, designed specifically for Toastmasters! It just works. We moved to SharePoint, and we're not going to be able to create the same kind of functionality.

I have to imagine that the IT people (not the word I was thinking in my head, btw) at a lot of company-based clubs are doing the same thing. Could the districts fund it, or could we crowdsource the funding? I'll pitch in. FTH is worth it.
  • Brian
  • Administrator
  • Posts: 11388
  • Thanks: 3729

Re: Secure Login Pages

10 years 4 months ago
#53800
FTH has acquired a secure certificate, but many things have to be done to force the content to be accessed via the secure certificate.

1517456.toastmastersclubs.org/ works securely as they are only using FTH items.

Those who use outside scripts and content will not be able to access the site securely, or if they are accessing content with an absolute URL the certificate will fail.

4456966.toastmastersclubs.org/ accesses the images with an absolute URL.
Thank you,

Brian McDonald DTM
Silver and Wiser Online Toastmasters Club #777940

Technical Support Consultant for FreeToastHost
The following user(s) said Thank You: kahelfrich
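
Added example, not part of the original post and not FreeToastHost code: a Python check for the failure described above, where a page served over HTTPS still loads images or scripts through absolute URLs. It assumes the absolute URLs in question use the `http://` scheme; the sample page and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}
ACTIVE_TAGS = {"script", "iframe", "link", "embed"}  # usually blocked when insecure


class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved URL, "active" or "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            ref = attrs.get("href")
        elif tag in SRC_TAGS:
            ref = attrs.get("src")
        else:
            return
        if not ref:
            return
        # Relative and scheme-relative references inherit the page's scheme.
        resolved = urljoin(self.page_url, ref.strip())
        if urlparse(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, resolved, kind))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from any real club site).
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/counter.js"></script>
</head><body>
<img src="http://club.example.org/images/banner.jpg">
<img src="images/logo.png">
<a href="http://example.com/">a link is not a subresource</a>
</body>"""
```

Calling `find_mixed_content("https://club.example.org/", SAMPLE_HTML)` reports the script and the banner image; the relative `images/logo.png` and the ordinary link are not flagged.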
  • kahelfrich
  • New Member
  • Posts: 2
  • Thanks: 0

Re: Secure Login Pages

10 years 2 months ago
#54655
Brian:

Thanks for the update. I asked our company IT to review the site again, because our club really wants to go back to FTH. They had 2 comments.
  1. The site now supports https, but does not force http traffic to https. If you access the site using http ( 3418923.toastmastersclubs.org/ ), then the login request also gets sent over http. The Apache configuration should be updated to automatically redirect all http requests to https so that the site can only be accessed via https.
  2. The SSL configuration on the site is vulnerable to the POODLE attack. The SSL configuration needs to be updated to disable the SSL 3 protocol. The following links contain more information.
    www.ssllabs.com/ssltest/analyze.html?d=3...s.org&hideResults=on
    community.qualys.com/blogs/securitylabs/...by-the-poodle-attack
Is there any chance that these changes are part of what you are contemplating?

Thanks

Kurt
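
Added example, not part of the original post and not FreeToastHost's configuration: a Python audit of an Apache configuration for the two points raised above, a port 80 virtual host that does not redirect to https and an `SSLProtocol` setting that leaves SSLv3 enabled. `Redirect` and `SSLProtocol` are the standard mod_alias and mod_ssl directives; the two sample configurations and the host `club.example.org` are constructed, and `all` is assumed to include SSLv3.

```python
import re

# "all" is assumed to include SSLv3, as on servers of the POODLE era.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def sslv3_enabled(args):
    """Evaluate SSLProtocol arguments left to right; True if SSLv3 stays on."""
    enabled = set()
    for token in args.lower().split():
        names = ALL_PROTOCOLS if token.lstrip("+-") == "all" else {token.lstrip("+-")}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return "sslv3" in enabled


def audit(config_text):
    """Report the two issues from the post: no HTTP redirect, SSLv3 enabled."""
    findings = []
    for address, body in VHOST_RE.findall(config_text):
        lines = [ln.strip() for ln in body.splitlines()]
        if address.strip().endswith(":80"):
            if not any(re.match(r"(Redirect|RewriteRule)\b.*\shttps://", ln, re.I) for ln in lines):
                findings.append("port 80 vhost does not redirect to https")
        elif address.strip().endswith(":443"):
            protocol = [ln.split(None, 1)[1] for ln in lines if ln.lower().startswith("sslprotocol ")]
            # A missing directive means the server default, assumed here to be "all".
            if sslv3_enabled(protocol[-1] if protocol else "all"):
                findings.append("SSLv3 is enabled (POODLE)")
    return findings


# Constructed sample configurations; club.example.org is a placeholder.
WEAK = """
<VirtualHost *:80>
    DocumentRoot /var/www/club
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
"""
HARDENED = """
<VirtualHost *:80>
    Redirect permanent / https://club.example.org/
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
"""
```

`audit(WEAK)` returns both findings and `audit(HARDENED)` returns none.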
  • SteveTheTechie
  • Emeritus
  • Posts: 11492
  • Thanks: 3057

Re: Secure Login Pages

10 years 2 months ago - 10 years 2 months ago
#54656
Kurt,

I am the principal system developer at this time. For the last two years, I have been the only person doing system development, and I work as a volunteer. FTH is independently developed and maintained strictly with volunteer labor (all volunteers are also Toastmasters) and we do not have any budget to hire people or farm out development work. We do have another person that has recently volunteered to assist with development, but since the system is very large and involved, it is going to take a bit to get them up to speed.

This https improvement is on my to-do list--I have not forgotten it. However, the main problem that I have to find a way to resolve is that while we can switch to using https on the main pages, the website spawns many other pages (e.g. reports) that also need to get addressed. It is *not* as simple as you may think. This is a system wide, global change that has wide ranging impacts.

So... while I actually did try to make the switch a few months ago, we ran into issues (w/ reports) that indicated that there was a good bit more work involved in this than I originally thought. We also have to switch from https to http for clubs with a custom domain since our security certificate only addresses the toastmastersclubs.org domain.

Unfortunately, this is the fundamental conundrum with FTH being used for corporate clubs. We really do not have the means to quickly make changes that corporate clubs may be expecting. Also, while we certainly are interested in good security, if you look hard enough, you can probably find vulnerabilities. All I can promise is that we (me) will try to do the best we can to make improvements as my available spare time permits.
Last edit: 10 years 2 months ago by SteveTheTechie.
The following user(s) said Thank You: tedchuang