Secure Login Pages

Good day,

Our administrators recently informed us that the free hosting does not include a secure login.

Looking closely, it appears they are right? I have seen other threads that say this is not possible. Curiously, as a system administrator, why exactly is this not possible? You use the same TLD, and just change subdomains. A wildcard SSL cert would take care of this in about a half hours worth of time.

Is this a possibility, if not, please explain why not.

Thanks

The cost of a wildcard cert is about $900.00 if your company would like to donate the funds each year we would be glad to accept the funds. FTH is not part of Toastmasters International. FTH is run by Toastmaster volunteers for Toastmasters Clubs, the server is donated by a fellow Toastmaster.

So, on this same topic, as District 35 Webmaster, I've been notified that one of our corporate clubs have been banned from accessing their club website due to being an unsecure site.

Are you suggesting that to be secured through FTH each club would have to come up with $900 to become a secured site?

What other ways can our FTH sites be secured and safe from hackers and phishing schemes?

If this is not possible, FTH will not last long, especially in the corporate environments.

Respectfully,

Peggy Lee Hanson
District 35 Webmaster

Peggy,

FTH employs a number of security strategies. However, it really depends on what types of security are important to you...

• Passwords are stored in our database with MD5 encryption. No one can access passwords, not even me.
• Your email address is not required to be used for logins. An identifying number is used instead when you pick your name from the drop-down.
• Spam Assassin is highly regarded for checking email... we use it. (We went through a lot of effort to fully implement it last year.) It is sophisticated and will catch most suspicious emails.
• We block email with blind carbon copies, since those are frequently spam/phishing emails.
• We allow blocking must publically accessible email addresses to block spam/phishing emails.
• We block emails to distribution lists from those who are not authorized to send to those lists. (we check list membership)
• We provide a mechanism for clubs to black list email addresses.

However, some additional security strategies require an expenditure of money for a "security certificate" or similar. (https/SSL, DKIM signatures, etc.) As we are not supported by Toastmasters International, we are not a company, and we are an independent effort driven by volunteer Toastmasters labor and open source/free software only, we have no money for purchasing security certificates. (The fact that we have been able to accomplish as much as we have despite that is no small miracle.)

You should not infer that security is unimportant to us. However, the fundamental premise of FreeToastHost is that it is free for clubs and districts to use, so we cannot really absorb any expenses, because we have no funding.

Brian is really the go-to guy on this, and he has been an integral part of the FreeToastHost effort since 2004, and I defer to him and trust his instincts on this completely. I only chimed in here because I do not want people to think we don't care about security... We absolutely do care about security. However, we also have additional constraints that we adhere to.

Steve,

Thank you for your lengthy explanation. My intention was not to be disrespectful nor infer that security is not important to you or all who volunteer their time, resources, and brilliance to FTH. I sincerely apologize that my comment had that affect.

It is a concern, however, to me, and the clubs in my district, that another choice could be made by those clubs to go another route other FTH. I LOVE FTH and actively promote and support the program. But, I guess that would be their choice to make.

I will forward your explanation onto the district leaders, one of whose company has blocked access to his club; perhaps the explanation may be enough to allow club access to its members.

Please, once again, accept my deepest apology for the unintentional negative inference. But also please, accept my deepest gratitude for all you and your team do to make the job of webmaster easy.

In appreciation and with the utmost respect,
Peggy

Peggy,

I was not offended. However, in an open forum like this, I want to make sure people viewing this thread do not get the wrong ideas. Keep in mind that this is essentially like us having a conversation in front of a large crowd.