Just curious if there's a reason why we're not using SSL for this website? If it's a cost issue, there's always LetsEncrypt as the alternative.
Since there's not a whole lot of PII or PCI data being handled by the forums, I doubt it's a huge priority. LE is a cool service though, except for renewing certs which can get annoying. I manage a few applications on Forge which handles the renewal process automatically. If it weren't for that I don't know that I would go to the trouble.
Last edited by AOD_Guybrush; 08-10-2016 at 08:35 AM.
Not a huge priority, I just don't like storing my password sent via plain text :P Not to mention that it'd help with SEO as I believe Google deducts a ton of points for non-ssl sites being indexed.
If we're not just using a simple webhost, and access to the system - renewing would be as simple as a single line command via cron.
Code:
#!/bin/sh
# Attempt the renewal; letsencrypt-auto exits non-zero if it fails.
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d clanaod.net -d www.clanaod.net certonly
if [ $? -ne 0 ]
then
    # On failure, mail the tail of the client log so the admin sees why.
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" [email protected]
else
    # On success, reload the web server so it picks up the new certificate
    # (use apache2 or nginx, whichever is installed).
    service apache2/nginx reload
fi
exit 0
The site is behind CloudFlare and actually does use CloudFlare's free SSL. The problem is the forum is configured to serve static content non-SSL and I'm not sure how much work the site owners would have to go through to get it to do forced-SSL.
I take it none of you have gone to https://www.clanaod.net ?
What once was can never be again,
What is now will never come anew,
What will be will only pass once.
Cherish it all.
To give a more detailed answer (I suppose)...
Everything on our website can be accessed via http or https, even static content. We don't force https because the security it would provide is pretty minimal and there is nothing transmitted that any observer would be particularly interested in. Since we use the cloudflare CDN to protect against DDoS attacks, cloudflare is already a man-in-the-middle and no one should consider the data they put on our website absolutely secure (because there is no way for me to make that guarantee).
I can understand wanting to prevent your workplace or school from eavesdropping or filtering your content, so you do have https available.
To address another concern here: Your password is never "sent in the clear". The forums store a salted cryptographic hash of your password which is used to validate a hash computed by your browser.
Also... We don't care much about SEO and google can down rank us all day long for all I care (Silencer might get bent out of shape by that comment :P )
Last edited by AOD_Archangel; 08-10-2016 at 10:55 AM.
I mentioned the site already supports SSL - which implies I've been there. However, that isn't 100% SSL as there is static content being served over non-SSL - something most browsers warn about. And the biggest crutch: Try navigating to another page. Some of the links redirect you back to non-SSL.
bwahahahahahahaha
I'm not sure what the "security token" is, but considering its presence on any form it appears to be a CSRF token. On the flip side, you can see my password got transmitted as a MD5 hash - and not a salted MD5 hash by any means (I've tested it). I work in webdev, and MD5s have long since been a laughable offense.
If you're curious: http://security.stackexchange.com/qu...dered-insecure
There are some better articles I just didn't want to find them. So yes, your browser computes an MD5 hash of your password before sending the POST data to the login script - but it's by no means salted and definitely not secure.
TL;DR: I've posted a screenshot of the MD5 hash for my password (which is a random password anyway) and due to the insecurity of MD5 hashes I'm changing my password.
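As an added illustration of the point argued in this post (this is example code, not code from the thread or from the forum software): an unsalted client-side MD5 is a fixed function of the password, so every user with the same password sends the same digest, and a digest seen on an http:// login can be submitted again as-is. The salted, slow server-side hash shown beside it is an assumed hardened design (PBKDF2-HMAC-SHA256 over a per-user random salt), not what the forum actually runs. The usernames and passwords are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for illustration; no real credentials involved.
USERS = {"alice": "password", "bob": "password", "carol": "hunter2"}


def client_side_md5(password: str) -> str:
    """The scheme discussed in the thread: the browser MD5-hashes the password
    before POSTing it. With no salt the digest is a fixed function of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_digests(users: dict) -> set:
    """Digests shared by more than one user. A salted scheme never produces these,
    so shared digests are the tell-tale of a missing salt."""
    seen, dupes = {}, set()
    for name, pw in users.items():
        d = client_side_md5(pw)
        if d in seen:
            dupes.add(d)
        seen[d] = name
    return dupes


def accepts_replayed_digest(submitted: str, stored_password: str) -> bool:
    """A server that only compares the received digest. Because the digest never
    changes, a value captured from a plain-HTTP login is accepted verbatim later:
    the hash is a password-equivalent, not a protection against an observer."""
    return hmac.compare_digest(submitted, client_side_md5(stored_password))


def salted_kdf(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Assumed hardened alternative (not the forum's code): random per-user salt and
    a slow KDF, PBKDF2-HMAC-SHA256, computed server side after a TLS-protected POST."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_salted(password: str, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    """Constant-time verification against the stored salt and derived key."""
    _, dk = salted_kdf(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("shared unsalted digests:", duplicate_digests(USERS))
    _, dk1 = salted_kdf("password")
    _, dk2 = salted_kdf("password")
    print("same password, different salted outputs:", dk1 != dk2)
```

Run it and the two users with the same constructed password show up as a shared digest, while two salted derivations of that same password differ. Neither scheme replaces TLS: the salted server-side hash protects the stored database, and only transport encryption protects the value in flight.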
The site links can be fixed pretty easily, those in people's signatures or posts not so much.
I'm not concerned about static content, the only stuff we deliver statically is images and I will never care if those come across SSL. To make matters worse, "static content" can be delivered through signatures which I can't much control either.
Last edited by AOD_Archangel; 08-10-2016 at 10:57 AM.
Hi. You haven't met me. I'm Archangel. A long time software engineer for core networking equipment, including embedded web applications and firewall. I'm also a Command Sergeant in the clan in charge of all web services. Generally you shouldn't address anyone in the clan so condescendingly, but if you address me in that tone again, your time in AOD will be very short.
I did overstate that the browser salted the hash and will correct my statement above.
I apologize for the offense I caused and will try to be more aware of my ramblings in the future. If you could spare the time, can you PM me what I said that came across as condescending (aside from "bwahaha" which I agree was in poor taste and regret it). I'm often blind to these things and would like a chance to acknowledge where I overstepped so as not to make a similar mistake.
I agree with your assessment on the potential of non-SSL content in signatures. In fact, upon deeper inspection of the content served over HTTPS I only found 1 file transmitted insecurely that was from the clanaod domain - http://www.clanaod.net/forums/images/icons/icon10.png, which is used as the emote in thread titles and is set up with a full path instead of a relative path.
In the meantime, if people want SSL I would recommend getting the plugin "HTTPS Anywhere" and adding a rule for the forums here.
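The kind of check described in this post, as an added example (not code from the thread or from the forum's software): scan a page's HTML for subresources loaded over http://, which a browser treats as mixed content on an https page, and separate the ones on the site's own host (fixable by making the path relative, as with the icon mentioned above) from third-party ones such as images in signatures. The sample HTML is constructed for the example; only the icon URL and the forum base URL come from the thread.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page, loosely modelled on the icon case described in the thread.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/forums/clientscript/vbulletin.css">
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<img src="http://www.clanaod.net/forums/images/icons/icon10.png" alt="emote">
<img src="//www.clanaod.net/forums/images/misc/logo.png">
<a href="http://www.clanaod.net/forums/">Forums</a>
<img src="http://img.example.com/sig.png">
</body></html>
"""

PAGE_URL = "https://www.clanaod.net/forums/"

# Tag name, attribute name and attribute value of every src= or href= on the page.
ATTR_RE = re.compile(r'<(\w+)[^>]*?\s(src|href)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Elements whose http:// references a browser reports as mixed content on an https page.
# Plain <a href> links are navigation, not subresources, so they are not flagged here.
SUBRESOURCE_TAGS = {"img", "script", "link", "iframe", "video", "audio", "source", "embed", "object"}


def find_mixed_content(html: str, page_url: str) -> list:
    """Return one dict per subresource that resolves to an http:// URL."""
    page_host = urlparse(page_url).hostname
    findings = []
    for tag, _attr, value in ATTR_RE.findall(html):
        tag = tag.lower()
        if tag not in SUBRESOURCE_TAGS:
            continue
        # Relative and scheme-less (//host/path) references inherit https from the page.
        absolute = urljoin(page_url, value)
        parsed = urlparse(absolute)
        if parsed.scheme == "http":
            findings.append({
                "tag": tag,
                "url": absolute,
                "same_site": parsed.hostname == page_host,
            })
    return findings


def suggest_fix(finding: dict) -> str:
    """Same-site references can be rewritten to a relative path so they follow the
    page's scheme; third-party ones (e.g. signature images) are outside the site's control."""
    if finding["same_site"]:
        return urlparse(finding["url"]).path
    return None


if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML, PAGE_URL):
        print(f["tag"], f["url"], "->", suggest_fix(f) or "third-party, cannot rewrite")
```

On the constructed page this flags the full-path icon (rewritable to /forums/images/icons/icon10.png) and the third-party signature image, while the relative stylesheet, the scheme-less logo and the https script pass.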
Cheers for the insight Zikeji