Re: HTTPS access

#16
Silverware wrote:
plillevold wrote:
Mordakai wrote:....

Not really sure that's worse. Anyone this paranoid presumably has the sense to not reuse a password that matters on random gaming forums, so there's nothing to lose if that password is compromised.
.
Well, would you consider me paranoid for not showing off my credit card pin code when I pay at the store as well? What's the point of pin codes and passwords if we don't at least try to keep them secret? No matter what my password is, the default should be that it doesn't travel unencrypted over the wire. And that requires an SSL-secured server on the receiving end.
This is the correct point.
And one of the two valid points made for SSL encryption on here.

Passwords and SEO Ranking :V
...and Privacy :wave:




...No, just kidding :ghost:
old-fashioned :ghost:

Re: HTTPS access

#17
My reasons to use HTTPS:

* Security: less chance a man in the middle injects something bad into HTTP traffic (like this JavaScript exploit).
* Privacy: harder for intermediaries to read my traffic, which includes my speech and information about my system (HTTP headers). The latter can be used to find vulnerabilities in my system.
* Fewer emails leaked to spambots
* Less chance for an attacker to impersonate Josh ;)

For privacy, I like how Joanna Rutkowska puts it:
And, no, realistically, I don't think I am, or this blog is, that important or controversial, that the US or other government, or whoever, will likely want to block, censor or tamper with it in any way. This is more about principles. About the feeling that even if They wanted, they could not. It's a nice feeling.
Indeed, there are many ways my email could leak, and HTTP without TLS is just one tiny one among them.
Spam bots are the lesser of my concerns. My top concerns are security and privacy.
I try to make the life of adversaries harder. Every little bit helps.

Now on breaking the server.

Silverware is right that if this forum is hacked all emails are stolen. This is not a reason to ignore transmission security, but is a separate and very real threat.
plillevold wrote: I think the site is only fairly secure today because it is a small niche site with not a lot of attention.
To some degree yes, but another small niche game site got hacked: https://wz2100.net/news/when-idiots-attack/

Re: HTTPS access

#18
IMO it was a reasonable request and reasonable thing to point out, no need to go to war over it :ghost:

Thanks for bringing it to my attention temp13. I fear I may have no control over it due to phpBB's general awfulness, but I'll look into it nonetheless.
“Whether you think you can, or you think you can't--you're right.” ~ Henry Ford

Re: HTTPS access

#22
JoshParnell wrote: I mean it has occurred to me years ago...luckily I have no web skills... :ghost:
You do have control, depends on the provider.
If you have access to your apache2 conf (presuming apache2 or httpd, these are the industry standards after all) then you just throw a duplicate version of your virtual host onto :443, and enable SSL by adding the following

    SSLProxyEngine on
    SSLEngine on
    SSLCertificateFile /path/to/pem/certificate.pem
    SSLCertificateKeyFile /path/to/privKey/private.key
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    # Fix MSIE
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Throw

    <IfModule mod_ssl.c>

around the Virtual host definition for :443, to make sure you don't get errors if SSL is disabled on the server.

Now, if you have a provider doing all the back end stuff, it'll be a pain to find where the stuff you need to change is, and it'll be harder to get a good free certificate. (So you will likely have to pay for one, not that it's overly expensive just annoying)

SSL is easy, and wraps over existing code. It doesn't interfere unless you are going through >3 proxies/tunnels, at which point you start to get packet overhead that prevents any actual data being sent.
°˖◝(ಠ‸ಠ)◜˖°
WebGL Spaceships and Trails
<Cuisinart8> apparently without the demon driving him around Silver has the intelligence of a botched lobotomy patient ~ Mar 04 2020
console.log(`What's all ${this} ${Date.now()}`);
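
The pieces described in the post above, assembled into one file as an added example (not part of the original post or the site's own configuration). `forum.example`, the `DocumentRoot` and the certificate paths are placeholders; the port 80 redirect, `SSLProtocol` and the HSTS header are additions the post does not mention.

```apache
# Added example: ServerName, DocumentRoot and file paths are placeholders.

# Port 80 vhost: only sends visitors to HTTPS, so login forms are never
# submitted in cleartext. The redirect is skipped when mod_ssl is not
# loaded, so the site does not point at a port nobody is serving.
<VirtualHost *:80>
    ServerName forum.example
    DocumentRoot /var/www/forum
    <IfModule mod_ssl.c>
        Redirect permanent / https://forum.example/
    </IfModule>
</VirtualHost>

# The duplicate of the virtual host on :443, wrapped so that Apache
# still starts cleanly if mod_ssl is disabled.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName forum.example
    DocumentRoot /var/www/forum

    SSLEngine on
    SSLCertificateFile    /path/to/pem/certificate.pem
    SSLCertificateKeyFile /path/to/privKey/private.key
    # SSLProxyEngine is left out here: it is only needed when this
    # vhost proxies requests to an HTTPS backend through mod_proxy.

    # Refuse SSLv3 and early TLS versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Expose the SSL_* environment variables to scripts.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    # Tell browsers to use HTTPS on future visits (needs mod_headers).
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
</VirtualHost>
</IfModule>
```

Running `apachectl configtest` before reloading catches syntax errors and missing certificate files.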

Website HTTPS

#23
Hi all!

Active lurker here. Just wanted to throw an idea out there to get https working for ltheory.com. It's not terribly difficult to add and is much more secure. Thought this may be an appropriate time given the renovations & housekeeping going on.

Best,
Kez
Last edited by Kez on Wed Jun 14, 2017 5:22 pm, edited 1 time in total.

Re: Website HTTPS

#24
Our official stance on it at the moment is "Not worth the effort/expenses currently required to get it running with our hosting service and phpbb". If we ever decide to sell copies of LT from the site, we will of course add SSL, but likely not before.

Thanks for the suggestion, though! And it's always nice to see a lurker drop in. :) I'm going to merge this with our other thread for housekeeping purposes.