Results 1 to 12 of 12
  1. #1
    If I'm not back in 5....wait longer! Volcom's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Nov 2015
    Location
    Munich, Germany
    Posts
    44

    Default https for the forums?

    Just curious if there's a reason why we're not using SSL for this website? If it's a cost issue, there's always LetsEncrypt as the alternative.

  2. #2
    A Mighty Pirate!

    AOD_Guybrush's Avatar
    Rank
    Master Sergeant
    Division
    Destiny 2
    Status
    Active
    Join Date
    Sep 2014
    Location
    Raleigh, NC
    Age
    29
    Posts
    3,218

    Default

    Since there's not a whole lot of PII or PCI data being handled by the forums, I doubt it's a huge priority. LE is a cool service though, except for renewing certs which can get annoying. I manage a few applications on Forge which handles the renewal process automatically. If it weren't for that I don't know that I would go to the trouble.
    Last edited by AOD_Guybrush; 08-10-2016 at 08:35 AM.



  3. #3
    If I'm not back in 5....wait longer! Volcom's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Nov 2015
    Location
    Munich, Germany
    Posts
    44

    Default

    Quote Originally Posted by AOD_Guybrush View Post
    Since there's not a whole lot of PII or PCI data being handled by the forums, I doubt it's a huge priority. LE is a cool service though, except for renewing certs which can get annoying. I manage a few applications on Forge which handles the renewal process automatically. If it weren't for that I don't know that I would go to the trouble.
    Not a huge priority, I just don't like storing my password sent via plain text :P Not to mention that it'd help with SEO as I believe Google deducts a ton of points for non-ssl sites being indexed.

    If we're not just using a simple webhost, and access to the system - renewing would be as simple as a single line command via cron.

    Code:
    ./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d clanaod.net -d www.clanaod.net certonly
    
    if [ $? -ne 0 ]
     then
            ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
            echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" [email protected]
     else
            service apache2/nginx reload
    fi
    
    exit 0

  4. #4
    Banned from Forums Zikeji's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Jul 2016
    Location
    Georgia
    Age
    21
    Posts
    63

    Default

    The site is behind CloudFlare and actually does use CloudFlare's free SSL. The problem is the forum is configured to serve static content non-SSL and I'm not sure how much work the site owners would have to go through to get it to do forced-SSL.

  5. #5
    King of the World and Principle Penetration Engineer of ClanAOD
    AOD_Archangel's Avatar
    Rank
    Command Sergeant
    Division
    Battlefield
    Status
    Active
    Join Date
    Sep 2004
    Location
    Raleigh, NC
    Age
    32
    Posts
    7,469

    Default

    I take it none of you have gone to https://www.clanaod.net ?

    What once was can never be again,
    What is now will never come anew,
    What will be will only pass once.
    Cherish it all.

  6. #6
    King of the World and Principle Penetration Engineer of ClanAOD
    AOD_Archangel's Avatar
    Rank
    Command Sergeant
    Division
    Battlefield
    Status
    Active
    Join Date
    Sep 2004
    Location
    Raleigh, NC
    Age
    32
    Posts
    7,469

    Default

    To give a more detailed answer (I suppose)...

    Everything on our website can be accessed via http or https, even static content. We don't force https because the security it would provide is pretty minimal and there is nothing transmitted that any observer would be particularly interested in. Since we use the cloudflare CDN to protect against DDoS attacks, cloudflare is already a man-in-the-middle and no one should consider the data they put on our website absolutely secure (because there is no way for me to make that guarantee).

    I can understand wanting to prevent your workplace or school from eavesdropping or filtering your content, so you do have https available.

    To address another concern here: Your password is never "sent in the clear". The forums store a salted cryptographic hash of your password which is used to validate a hash computed by your browser.

    Also... We don't care much about SEO and google can down rank us all day long for all I care (Silencer might get bent out of shape by that comment :P )
    Last edited by AOD_Archangel; 08-10-2016 at 10:55 AM.

    What once was can never be again,
    What is now will never come anew,
    What will be will only pass once.
    Cherish it all.

  7. #7
    Banned from Forums Zikeji's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Jul 2016
    Location
    Georgia
    Age
    21
    Posts
    63

    Default

    Quote Originally Posted by AOD_Archangel View Post
    I take it none of you have gone to https://www.clanaod.net ?

    I mentioned the site already supports SSL - which implies I've been there. However, that isn't 100% SSL as there is static content being served over non-SSL - something most browsers warn about. And the biggest crutch: Try navigating to another page. Some of the links redirect you back to non-SSL.

  8. #8
    Banned from Forums Zikeji's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Jul 2016
    Location
    Georgia
    Age
    21
    Posts
    63

    Default

    Quote Originally Posted by AOD_Archangel View Post
    To address another concern here: Your password is never "sent in the clear". The forums store a salted cryptographic hash of your password which is computed by your browser using javascript. When your password is validated, the forums send a challenge/response to see if you know how to manipulate the salted hash correctly.
    bwahahahahahahaha



    I'm not sure what the "security token" is, but considering it's presense on any form it appears to be a CSRF token. On the flip side, you can see my password got transmitted as a MD5 hash - and not a salted MD5 hash by any means (I've tested it). I work in webdev, and MD5s have long since been a laughable offense.

    If you're curious: http://security.stackexchange.com/qu...dered-insecure

    There are some better articles I just didn't want to find them. So yes, your browser computes an MD5 hash of your password before sending the POST data to the login script - but it's by no means salted and definitely not secure.

    TL;DR: I've posted a screenshot of the MD5 hash for my password (which is a random password anyway) and due to the insecurity of MD5 hashes I'm changing my password.

  9. #9
    King of the World and Principle Penetration Engineer of ClanAOD
    AOD_Archangel's Avatar
    Rank
    Command Sergeant
    Division
    Battlefield
    Status
    Active
    Join Date
    Sep 2004
    Location
    Raleigh, NC
    Age
    32
    Posts
    7,469

    Default

    The site links can be fixed pretty easily, those in people's signatures or posts not so much.

    I'm not concerned about static content, the only stuff we deliver statically is images and I will never care if those come across SSL. To make maters worse, "static content" can be delivered through signatures which I can't much control either.
    Last edited by AOD_Archangel; 08-10-2016 at 10:57 AM.

    What once was can never be again,
    What is now will never come anew,
    What will be will only pass once.
    Cherish it all.

  10. #10
    King of the World and Principle Penetration Engineer of ClanAOD
    AOD_Archangel's Avatar
    Rank
    Command Sergeant
    Division
    Battlefield
    Status
    Active
    Join Date
    Sep 2004
    Location
    Raleigh, NC
    Age
    32
    Posts
    7,469

    Default

    Quote Originally Posted by AOD_Zikeji View Post
    bwahahahahahahaha

    I'm not sure what the "security token" is, but considering it's presense on any form it appears to be a CSRF token. On the flip side, you can see my password got transmitted as a MD5 hash - and not a salted MD5 hash by any means (I've tested it). I work in webdev, and MD5s have long since been a laughable offense.

    If you're curious: http://security.stackexchange.com/qu...dered-insecure

    There are some better articles I just didn't want to find them. So yes, your browser computes an MD5 hash of your password before sending the POST data to the login script - but it's by no means salted and definitely not secure.

    TL;DR: I've posted a screenshot of the MD5 hash for my password (which is a random password anyway) and due to the insecurity of MD5 hashes I'm changing my password.
    Hi. You haven't met me. I'm Archangel. A long time software engineer for core networking equipment, including embedded web applications and firewall. I'm also a Command Sergeant in the clan in charge of all web services. Generally you shouldn't address anyone in the clan so condescendingly, but if you address me in that tone again, your time in AOD will be very short.

    I did overstate that the browser salted the hash and will correct my statement above.

    What once was can never be again,
    What is now will never come anew,
    What will be will only pass once.
    Cherish it all.

  11. #11
    Banned from Forums Zikeji's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Jul 2016
    Location
    Georgia
    Age
    21
    Posts
    63

    Default

    Quote Originally Posted by AOD_Archangel View Post
    Hi. You haven't met me. I'm Archangel. A long time software engineer for core networking equipment, including embedded web applications and firewall. I'm also a Command Sergeant in the clan in charge of all web services. Generally you shouldn't address anyone in the clan so condescendingly, but if you address me in that tone again, your time in AOD will be very short.

    I did overstate that the browser salted the hash and will correct my statement above.
    I apologize for the offense I caused and will try to be more aware of my ramblings in the future. If you could spare the time, can you PM me what I said that came across as condescending (aside from "bwahaha" which I agree was in poor taste and regret it). I'm often blind to these things and would like a chance to acknowledge where I overstepped so as not to make a similar mistake.

    I agree with your assessment on the potential of non-SSL content in signatures. In fact, upon deeper inspection of the content served over HTTPS I only found 1 file transmitted insecurely that was from the clanaod domain - http://www.clanaod.net/forums/images/icons/icon10.png, which used as the emote in thread titles and is setup with a full path instead of a relative path.

    In the meantime, if people want SSL I would recommend getting the plugin "HTTPS Anywhere" and adding a rule for the forums here.

  12. #12
    If I'm not back in 5....wait longer! Volcom's Avatar
    Rank
    Forum Member
    Division
    None
    Status
    Active
    Join Date
    Nov 2015
    Location
    Munich, Germany
    Posts
    44

    Default

    Cheers for the insight Zikeji


 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
vBulletin Skin By: ForumThemes.com
Top