WARNING: aeros-os.org and insecure credit card payment
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: finland, the l...
    Hello,

    Since this software is also offered to MorphOS users, I'm posting a warning here.

    If you've bought a subscription by using the aeros-os.org website, your credit card details may have been stolen. The aeros-os.org website is missing HTTPS and anyone intercepting the traffic to the website could have stolen your CC details, including the CVV number.

    If you haven't yet entered your CC details on the site but plan to:
    - Don't enter the details until the website has been fixed (i.e. until it is hosted over HTTPS)

    If you already used your credit card there, I suggest the following:
    - Check your CC account for any suspicious activity
    - Use your bank website to set CC usage limits (say, limit it to your country only)
    - I'd highly recommend contacting your bank, telling them your CC details may have been exposed and asking them for a new CC
  • »26.03.16 - 10:14
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    Thank you Piru!
    HTTPS should work in a few minutes... hopefully
    https://aeros-os.org

    As a side note:
    Nobody entered anything : )

    EDIT:
    The Stripe plugin for my non-HTTPS website uses TLS for communication anyway...
    It doesn't rely on the website it is embedded in.

    EDIT2:
    Meanwhile the pages are gone until TLS is running.


    [ Edited by phoenixkonsole 26.03.2016 - 11:55 ]
  • »26.03.16 - 10:35
  • Paladin of the Pegasos
    Intuition
    Posts: 1110 from 2013/5/24
    From: Nederland
    Quote:

    phoenixkonsole wrote:
    Thank you Piru!
    HTTPS should work in a few minutes... hopefully
    https://aeros-os.org

    As a side note:
    Nobody entered anything : )

    EDIT:
    The Stripe plugin for my non-HTTPS website uses TLS for communication anyway...
    It doesn't rely on the website it is embedded in.

    EDIT2:
    Meanwhile the pages are gone until TLS is running.



    I bought this a couple of weeks ago and it still hasn't arrived. If my card details have been stolen I will not be happy at all!
    1.67GHz 15" PowerBook G4, 1GB RAM, 128MB Radeon 9700M Pro, 64GB SSD, MorphOS 3.15

    2.7GHz DP G5, 4GB RAM, 512MB Radeon X1950 Pro, 500GB SSHD, MorphOS 3.9
  • »26.03.16 - 11:06
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    He is talking about the subscription.
    Nobody has ordered a subscription using "Stripe".


    [ Edited by phoenixkonsole 26.03.2016 - 12:32 ]
  • »26.03.16 - 11:29
  • Yokemate of Keyboards
    takemehomegrandma
    Posts: 2720 from 2003/2/24
    @phoenixkonsole

    https://letsencrypt.org/

    Completely free, no need for dedicated IP, works like a charm.

    All websites should be encrypted today!
    MorphOS is Amiga done right! :-)
    MorphOS NG will be AROS done right! :-)
  • »26.03.16 - 11:32
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: finland, the l...
    Quote:

    phoenixkonsole wrote:

    The Stripe plugin for my non-HTTPS website uses TLS for communication anyway...
    It doesn't rely on the website it is embedded in.

    This is incorrect. Without HTTPS anyone can intercept & tamper with the html / javascript which is asking for the CC information, before the information is posted to the Stripe site.

    HTTPS is mandatory for a secure payment site.
  • »26.03.16 - 11:33
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    @Piru
    Yep, got it, so I removed it from aeros-os.org as long as TLS is not working.

    @takemehomegrandma
    Thanks, I will check it out.
    EDIT: Looks nice indeed : )
    It is still beta... what does that mean? Could it do any harm?

    [ Edited by phoenixkonsole 26.03.2016 - 12:40 ]
  • »26.03.16 - 11:38
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    @Intuition

    Oh... I missed the "hasn't arrived yet" part...
    Can you please send me an email or PM? I can't identify you by your nickname.
    I can check tracking numbers.

    [ Edited by phoenixkonsole 26.03.2016 - 12:44 ]
  • »26.03.16 - 11:42
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    @all
    TLS is up now
    https://aeros-os.org

    If you type just aeros-os.org or www.aeros-os.org you will find it without TLS.
    But even then it will switch to TLS as soon as you click on the Subscription page.


    [ Edited by phoenixkonsole 26.03.2016 - 13:19 ]
  • »26.03.16 - 12:03
  • Paladin of the Pegasos
    Intuition
    Posts: 1110 from 2013/5/24
    From: Nederland
    Quote:

    phoenixkonsole wrote:
    @Intuition

    Oh... I missed the "hasn't arrived yet" part...
    Can you please send me an email or PM? I can't identify you by your nickname.
    I can check tracking numbers.


    Just sent you an email. Thanks.
    1.67GHz 15" PowerBook G4, 1GB RAM, 128MB Radeon 9700M Pro, 64GB SSD, MorphOS 3.15

    2.7GHz DP G5, 4GB RAM, 512MB Radeon X1950 Pro, 500GB SSHD, MorphOS 3.9
  • »26.03.16 - 12:25
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    You are welcome,
    I have sent you the tracking number. Maybe you need to kick your neighbour's ass ; )
  • »26.03.16 - 12:30
  • ASiegel
    Posts: 1376 from 2003/2/15
    From: Central Europe
    Quote:

    phoenixkonsole wrote:

    @takemehomegrandma
    Thanks, I will check it out.
    EDIT: Looks nice indeed : )
    It is still beta... what does that mean? Could it do any harm?

    Power2People.org has been using it ever since the public beta was opened a few months back. MorphZone would be using it too if it did not already have a paid-for multi-year certificate.

    For security reasons, they require certificates to be renewed every 90 days. The client is not yet capable of doing so automatically, which is one reason why this is still carrying the beta label I presume. That said, setting up a cron job should not be too difficult.
  • »26.03.16 - 16:42
  • Paladin of the Pegasos
    Intuition
    Posts: 1110 from 2013/5/24
    From: Nederland
    Quote:

    phoenixkonsole wrote:
    You are welcome,
    I have sent you the tracking number. Maybe you need to kick your neighbour's ass ; )


    It's looking like the postman has stolen it but I can't do anything about it until Tuesday due to the Easter holidays. :/
    1.67GHz 15" PowerBook G4, 1GB RAM, 128MB Radeon 9700M Pro, 64GB SSD, MorphOS 3.15

    2.7GHz DP G5, 4GB RAM, 512MB Radeon X1950 Pro, 500GB SSHD, MorphOS 3.9
  • »26.03.16 - 16:58
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    Quote:

    ASiegel wrote:
    Quote:

    phoenixkonsole wrote:

    @takemehomegrandma
    Thanks, I will check it out.
    EDIT: Looks nice indeed : )
    It is still beta... what does that mean? Could it do any harm?

    Power2People.org has been using it ever since the public beta was opened a few months back. MorphZone would be using it too if it did not already have a paid-for multi-year certificate.

    For security reasons, they require certificates to be renewed every 90 days. The client is not yet capable of doing so automatically, which is one reason why this is still carrying the beta label I presume. That said, setting up a cron job should not be too difficult.



    Thank you! I will use it for all other pages and future projects.

    @Intuition
    Yep, I am sorry about this. I'll cross my fingers.
    I had one case where the postman gave a smartphone to a house 4 doors down the road... Nobody came to me - I had to find it in the hands of a 7-year-old child : )
  • »26.03.16 - 17:34
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: finland, the l...
    Quote:

    phoenixkonsole wrote:
    @all
    TLS is up now
    https://aeros-os.org


    It's broken if you use https://www.aeros-os.org

    Quote:

    If you type just aeros-os.org or www.aeros-os.org you will find it without TLS.
    But even then it will switch to TLS as soon as you click on the Subscription page.


    You should always redirect to HTTPS when the page is entered.

    Since you now use HSTS, this will ensure that the user automatically uses HTTPS in the future, regardless of whether https:// is entered in the URL or not.

    [ Edited by Piru 26.03.2016 - 22:27 ]
  • »26.03.16 - 19:17
  • Paladin of the Pegasos
    Intuition
    Posts: 1110 from 2013/5/24
    From: Nederland
    Quote:

    phoenixkonsole wrote:
    Quote:

    ASiegel wrote:
    Quote:

    phoenixkonsole wrote:

    @takemehomegrandma
    Thanks, I will check it out.
    EDIT: Looks nice indeed : )
    It is still beta... what does that mean? Could it do any harm?

    Power2People.org has been using it ever since the public beta was opened a few months back. MorphZone would be using it too if it did not already have a paid-for multi-year certificate.

    For security reasons, they require certificates to be renewed every 90 days. The client is not yet capable of doing so automatically, which is one reason why this is still carrying the beta label I presume. That said, setting up a cron job should not be too difficult.



    Thank you! I will use it for all other pages and future projects.

    @Intuition
    Yep, I am sorry about this. I'll cross my fingers.
    I had one case where the postman gave a smartphone to a house 4 doors down the road... Nobody came to me - I had to find it in the hands of a 7-year-old child : )



    It's only a relatively small amount of money but it's the principle of it that matters. There is always someone at home in our house 24/7 so either the postman has delivered it to the wrong house by accident or he's stolen it. Based on the standards of service since Royal Mail was privatised I wouldn't bet against it being the latter.
    1.67GHz 15" PowerBook G4, 1GB RAM, 128MB Radeon 9700M Pro, 64GB SSD, MorphOS 3.15

    2.7GHz DP G5, 4GB RAM, 512MB Radeon X1950 Pro, 500GB SSHD, MorphOS 3.9
  • »26.03.16 - 19:36
  • Acolyte of the Butterfly
    phoenixkonsole
    Posts: 140 from 2010/8/4
    Quote:

    Piru wrote:
    Quote:

    phoenixkonsole wrote:
    @all
    TLS is up now
    https://aeros-os.org


    It's broken if you use https://www.aeros-os.org

    Quote:

    If you type just aeros-os.org or www.aeros-os.org you will find it without TLS.
    But even then it will switch to TLS as soon as you click on the Subscription page.


    You should always redirect to HTTPS when the page is entered.

    Since you now use HSTS, this will ensure that the user automatically uses HTTPS in the future, regardless of whether https:// is entered in the URL or not.


    OK, I have changed this... it should now redirect http to https... at least in a few minutes...
  • »26.03.16 - 19:53
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: finland, the l...
    Ok, much better.

    Now as a final touch go through the resources being loaded by the site and make sure they get loaded over HTTPS, too. This makes sure that the resources actually load (modern browsers refuse to load external resources over HTTP if the site is HTTPS). You also might get warnings from the browser if you have mixed content.
  • »26.03.16 - 20:39
  • Acolyte of the Butterfly
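    An added example, not code from this thread, from aeros-os.org or from Stripe: a small checker that mechanises the three points Piru raises above. It flags a plaintext page that asks for card data instead of redirecting to HTTPS (the tampering problem with an embedded Stripe form), an HTTPS response that carries no or a too-short Strict-Transport-Security header, and any resource an HTTPS page loads or posts to over http:// (mixed content). The responses it inspects are constructed inline for a hypothetical shop.example host, not captured from the real site. The data-stripe="number" attribute it searches for is the field marker used by the legacy Stripe.js v2 embed and cc-number is the HTML autocomplete token; the six-month HSTS floor is this example's own choice, not a value from the thread.

```python
"""Static checks for a payment page: HTTPS redirect, HSTS, mixed content.

Added example; the sample responses below are constructed for a fictional
shop.example host and are not captured from any real site.
"""
import re
from urllib.parse import urlsplit

# Attribute values a browser would fetch or post to in plaintext from an HTTPS page.
MIXED_CONTENT_RE = re.compile(
    r"\b(?:src|href|action)\s*=\s*[\"'](http://[^\"']+)[\"']", re.IGNORECASE)

# Card-number inputs: the legacy Stripe.js v2 marker, or the HTML autocomplete token.
CARD_FIELD_RE = re.compile(
    r"data-stripe\s*=\s*[\"']number[\"']|autocomplete\s*=\s*[\"']cc-number[\"']",
    re.IGNORECASE)

# Assumed lower bound for HSTS max-age (6 months); a policy choice of this example.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600

REDIRECT_STATUSES = (301, 302, 307, 308)


def check_response(url, status, headers, body):
    """Return a list of findings for one HTTP response.

    url:     the URL that was requested (scheme decides which checks apply)
    status:  numeric HTTP status code
    headers: dict of response headers (case-insensitive lookup is done here)
    body:    response body as text
    """
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}

    if urlsplit(url).scheme == "http":
        # A plaintext request must be answered with a redirect to https://,
        # never with content, and certainly never with a card form.
        location = hdr.get("location", "")
        if status in REDIRECT_STATUSES and location.startswith("https://"):
            return findings
        findings.append("no-https-redirect")
        if CARD_FIELD_RE.search(body):
            findings.append("card-form-over-http")
        return findings

    # HTTPS response: browsers only honour HSTS received over TLS, so check it here.
    hsts = hdr.get("strict-transport-security")
    if hsts is None:
        findings.append("missing-hsts")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("weak-hsts-max-age")

    # Any sub-resource or form target still on http:// is mixed content.
    for plain_url in MIXED_CONTENT_RE.findall(body):
        findings.append("mixed-content:" + plain_url)
    return findings


# Constructed sample responses (not real captures).
BEFORE = (
    "http://shop.example/subscription", 200, {"Content-Type": "text/html"},
    '<form action="http://shop.example/charge"><input data-stripe="number"></form>'
    '<script src="https://js.stripe.com/v2/"></script>')

AFTER_HTTP = (
    "http://shop.example/subscription", 301,
    {"Location": "https://shop.example/subscription"}, "")

AFTER_HTTPS = (
    "https://shop.example/subscription", 200,
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "Content-Type": "text/html"},
    '<form action="https://shop.example/charge"><input data-stripe="number"></form>'
    '<script src="https://js.stripe.com/v2/"></script>')

MIXED = (
    "https://shop.example/", 200, {"Strict-Transport-Security": "max-age=3600"},
    '<link href="http://cdn.example/style.css"><img src="https://shop.example/logo.png">')


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after-http", AFTER_HTTP),
                         ("after-https", AFTER_HTTPS), ("mixed", MIXED)):
        print(name, check_response(*sample) or "OK")
```

    In practice you would feed check_response the status, headers and body of a real fetch of both the http:// and the https:// URL of every page, the www. variant included, and treat any finding as a blocker before the payment form goes back online.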
    phoenixkonsole
    Posts: 140 from 2010/8/4
    Thank you, will do this... at a quick glance it should be the case.
  • »26.03.16 - 20:42