Just curious if there's a reason why we're not using SSL for this website? If it's a cost issue, there's always LetsEncrypt as the alternative.
Since there's not a whole lot of PII or PCI data being handled by the forums, I doubt it's a huge priority. LE is a cool service though, except for renewing certs which can get annoying. I manage a few applications on Forge which handles the renewal process automatically. If it weren't for that I don't know that I would go to the trouble.
Not a huge priority, I just don't like storing my password sent via plain text :P Not to mention that it'd help with SEO as I believe Google deducts a ton of points for non-ssl sites being indexed.
If we're not just using a simple webhost, and have access to the system - renewing would be as simple as a single line command via cron.
Code:
#!/bin/bash
# Renew the cert for both names; a non-zero exit status means renewal failed
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d clanaod.net -d www.clanaod.net certonly
if [ $? -ne 0 ]
then
    # Mail the tail of the client log so the failure can be looked at
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    echo -e "The Lets Encrypt Cert has not been renewed! \n \n" "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" [email protected]
else
    # Reload the web server so it picks up the new cert (use nginx here if that is what serves the site)
    service apache2 reload
fi
exit 0
The site is behind CloudFlare and actually does use CloudFlare's free SSL. The problem is the forum is configured to serve static content non-SSL and I'm not sure how much work the site owners would have to go through to get it to do forced-SSL.
I take it none of you have gone to https://www.clanaod.net ?
To give a more detailed answer (I suppose)...
Everything on our website can be accessed via http or https, even static content. We don't force https because the security it would provide is pretty minimal and there is nothing transmitted that any observer would be particularly interested in. Since we use the cloudflare CDN to protect against DDoS attacks, cloudflare is already a man-in-the-middle and no one should consider the data they put on our website absolutely secure (because there is no way for me to make that guarantee).
I can understand wanting to prevent your workplace or school from eavesdropping or filtering your content, so you do have https available.
To address another concern here: Your password is never "sent in the clear". The forums store a salted cryptographic hash of your password which is used to validate a hash computed by your browser.
Also... We don't care much about SEO and google can down rank us all day long for all I care (Silencer might get bent out of shape by that comment :P )
I mentioned the site already supports SSL - which implies I've been there. However, that isn't 100% SSL as there is static content being served over non-SSL - something most browsers warn about. And the biggest crutch: Try navigating to another page. Some of the links redirect you back to non-SSL.
bwahahahahahahaha
http://i.imgur.com/IL4BnmX.png
I'm not sure what the "security token" is, but considering its presence on any form it appears to be a CSRF token. On the flip side, you can see my password got transmitted as a MD5 hash - and not a salted MD5 hash by any means (I've tested it). I work in webdev, and MD5s have long since been a laughable offense.
If you're curious: http://security.stackexchange.com/qu...dered-insecure
There are some better articles I just didn't want to find them. So yes, your browser computes an MD5 hash of your password before sending the POST data to the login script - but it's by no means salted and definitely not secure.
TL;DR: I've posted a screenshot of the MD5 hash for my password (which is a random password anyway) and due to the insecurity of MD5 hashes I'm changing my password.
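Added example, not code from the thread or from the forum software: it models the login scheme described in the posts above (the browser POSTs md5(password) instead of the password, and the server keeps a salted hash of that value) and shows what an observer of plain-HTTP traffic can do with the posted hash. The field name, the server-side salt scheme and the wordlist are assumptions made up for the demo.

```python
"""Added example, not code from the thread or from the forum software.

It models the login scheme described above: the browser POSTs md5(password)
instead of the password, and the server keeps a salted hash of that value.
The field name, the salt scheme and the wordlist are assumptions made up here.
"""
import hashlib
import secrets
from typing import Iterable, Optional, Tuple


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class ForumAccount:
    """Server side (hypothetical): stores md5(md5(password) + salt).
    The salt protects the database copy, not the value on the wire."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_hex(4)
        self.stored = md5_hex(md5_hex(password) + self.salt)

    def check_login(self, posted_md5: str) -> bool:
        # The login script only ever sees the hash the browser sent.
        return md5_hex(posted_md5 + self.salt) == self.stored


def browser_login_form(password: str) -> dict:
    """Client side: what the POST body (and a screenshot of it) contains."""
    return {"md5password": md5_hex(password)}


def replay_captured_hash(account: ForumAccount, captured_form: dict) -> bool:
    """A passive observer on plain HTTP resubmits the sniffed hash.
    No password, no cracking: the unsalted hash is a password-equivalent."""
    return account.check_login(captured_form["md5password"])


def crack_unsalted_md5(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted MD5 is a straight lookup: one hash per candidate, reusable
    across every user, and MD5 itself is cheap to compute at scale."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hash:
            return candidate
    return None


# Constructed wordlist for the demo; a real one would be far larger.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def demo() -> Tuple[bool, Optional[str]]:
    account = ForumAccount("hunter2")
    captured = browser_login_form("hunter2")   # seen on the wire over http://
    return (replay_captured_hash(account, captured),
            crack_unsalted_md5(captured["md5password"], WORDLIST))


if __name__ == "__main__":
    replayed, recovered = demo()
    print("replaying the captured hash logs in:", replayed)
    print("password recovered from the unsalted hash:", recovered)
```

Both results hold no matter how the server stores its copy: salting the stored hash stops a database dump from being cracked cheaply, but the value the browser sends is fixed per password, so anyone who can read the HTTP request can log in with it, and a wordlist hit recovers the password itself. That is the case for forcing HTTPS on the login form; a stronger client-side hash would not change it, because whatever the browser sends is exactly what the server accepts.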
The site links can be fixed pretty easily, those in people's signatures or posts not so much.
I'm not concerned about static content, the only stuff we deliver statically is images and I will never care if those come across SSL. To make matters worse, "static content" can be delivered through signatures which I can't much control either.
Hi. You haven't met me. I'm Archangel. A long time software engineer for core networking equipment, including embedded web applications and firewall. I'm also a Command Sergeant in the clan in charge of all web services. Generally you shouldn't address anyone in the clan so condescendingly, but if you address me in that tone again, your time in AOD will be very short.
I did overstate that the browser salted the hash and will correct my statement above.
I apologize for the offense I caused and will try to be more aware of my ramblings in the future. If you could spare the time, can you PM me what I said that came across as condescending (aside from "bwahaha" which I agree was in poor taste and regret it). I'm often blind to these things and would like a chance to acknowledge where I overstepped so as not to make a similar mistake.
I agree with your assessment on the potential of non-SSL content in signatures. In fact, upon deeper inspection of the content served over HTTPS I only found 1 file transmitted insecurely that was from the clanaod domain - http://www.clanaod.net/forums/images/icons/icon10.png, which is used as the emote in thread titles and is set up with a full path instead of a relative path.
In the meantime, if people want SSL I would recommend getting the plugin "HTTPS Anywhere" and adding a rule for the forums here.
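Added example, not part of the thread and not the forum's own code: a small standard-library scanner for the two problems discussed above, sub-resources referenced with an absolute http:// URL on an HTTPS page (the icon with a full path) and first-party navigation links that drop the visitor back to plain HTTP. The sample markup is constructed for the demo; only the icon path is the one named in the thread. It also proposes the fix the post suggests, turning first-party absolute URLs into root-relative paths.

```python
"""Added example (not the forum's code): find http:// references on a page
that is meant to be served over HTTPS.  Standard library only."""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse, urlunparse

# Attributes whose URL the browser fetches as a sub-resource of the page.
_RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",), "embed": ("src",),
}


def _base(host):
    """Crude 'same site' normalisation: treat www.example.net as example.net."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


class MixedContentFinder(HTMLParser):
    """Collects absolute http:// references found in the page's tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_base = _base(page_host)
        self.findings = []

    def _first_party(self, url):
        rb = _base(urlparse(url).hostname)
        return rb == self.page_base or rb.endswith("." + self.page_base)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        # Sub-resources: these trigger the browser's mixed-content warning or block.
        for attr in _RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(attr, "")
            if url.lower().startswith("http://"):
                party = "first party" if self._first_party(url) else "third party"
                self.findings.append({"tag": tag, "attr": attr, "url": url,
                                      "kind": f"mixed content ({party})"})
        # Navigation links: not mixed content, but they send the user back to plain HTTP.
        href = attrs.get("href", "")
        if tag == "a" and href.lower().startswith("http://") and self._first_party(href):
            self.findings.append({"tag": "a", "attr": "href", "url": href,
                                  "kind": "http navigation link (first party)"})


def find_mixed_content(html, page_url):
    finder = MixedContentFinder(urlparse(page_url).hostname)
    finder.feed(html)
    return finder.findings


def suggested_fix(finding):
    """First-party references become root-relative paths (they inherit the page's
    scheme); third-party ones are rewritten to https:// and must be checked by hand."""
    u = urlparse(finding["url"])
    if finding["kind"].endswith("(first party)"):
        return urlunparse(("", "", u.path, u.params, u.query, u.fragment))
    return urlunparse(u._replace(scheme="https"))


# Constructed sample markup, not the forum's real HTML; the icon path is the one named in the thread.
SAMPLE_HTML = """
<html><body>
<img src="http://www.clanaod.net/forums/images/icons/icon10.png" alt="smile">
<img src="/forums/images/icons/icon1.png" alt="ok">
<script src="https://www.clanaod.net/forums/clientscript/forum.js"></script>
<a href="http://www.clanaod.net/forums/forumdisplay.php?f=2">Board</a>
<a href="https://www.clanaod.net/forums/newreply.php">Reply</a>
<img src="http://i.imgur.com/sig.png" alt="signature image">
</body></html>
"""


def report(html=SAMPLE_HTML, page_url="https://www.clanaod.net/forums/"):
    """Returns (kind, offending url, suggested replacement) for each finding."""
    return [(f["kind"], f["url"], suggested_fix(f)) for f in find_mixed_content(html, page_url)]


if __name__ == "__main__":
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for kind, url, fix in report(html):
        print(f"{kind}: {url}\n    -> {fix}")
```

Run it against a saved copy of a forum page (`python mixed_content.py page.html`) to list everything a browser would flag; the signature images from other hosts show up as third-party findings, which is exactly the part the site owner cannot fix by editing templates.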
Cheers for the insight Zikeji