  1. - Top - End - #1
    Pixie in the Playground
     
    RangerGuy

    Join Date
    Jun 2018

    Board does not use HTTPS connections

    Hello! I am a new person on the boards, but I noticed while signing up for a login that the board and the entire site itself do not use HTTPS. I am posting to request that the site and forum be updated to use this not only for logins but on every page. The client-side MD5 hash for logins that vBulletin uses is considerably more vulnerable compared to using TLS via HTTPS (e.g., MITM attacks via JavaScript injection over HTTP, brute-force cracking of the MD5 hash that is sent in the clear). Additionally, because the site uses HTTP, all private messages that you read or send here are transmitted completely in the clear for anyone using a packet-sniffer to read.

    The Internet is moving to HTTPS for every connection, and I believe that this site should do so as well. It provides privacy and security to users, and now that the newer HTTP/2 protocol is standard in all web browsers and only works for HTTPS sites, there are speed benefits to doing so as well. Additionally, in October, Chrome and other browsers will be putting a red "not secure" notification on HTTP sites that use any form fields.

    I hope this information helps!
    Last edited by BarbarianSmash; 2018-06-17 at 04:57 AM.
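
The first post's two points about login forms on plain HTTP (the page can be altered in transit, and browsers flag HTTP pages with form fields) can be checked mechanically. The following is an added example, not code from the thread or from vBulletin: a Python audit that parses a fetched page and reports forms that are served or submitted over HTTP. The `forum.example` URLs and the HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not taken from any real site).
LOGIN_FORM = ('<form action="{action}" method="post">'
              '<input name="user"><input type="password" name="pass"></form>')
HTTP_PAGE = ("http://forum.example/index.php", LOGIN_FORM.format(action="login.php"))
MIXED_PAGE = ("http://forum.example/index.php",
              LOGIN_FORM.format(action="https://forum.example/login.php"))
HTTPS_PAGE = ("https://forum.example/index.php", LOGIN_FORM.format(action="login.php"))


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and its input types."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "types": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["types"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(page_url, html):
    """Return findings for one page: forms served or submitted over HTTP."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        label = "password form" if "password" in form["types"] else "form"
        if not page_is_https:
            # An HTTP page can be rewritten in transit, so an https action alone
            # does not protect what the user types into it.
            findings.append(f"{label} served over HTTP: {page_url}")
        if urlsplit(form["action"]).scheme != "https":
            findings.append(f"{label} submits over HTTP: {form['action']}")
    return findings
```

`MIXED_PAGE` is the case that is easy to miss: the form posts to an HTTPS URL, but the page carrying it arrived over HTTP, so it is still reported.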

  2. - Top - End - #2
    Banned
     
    Jormengand's Avatar

    Join Date
    Oct 2012
    Location
    In the Playground, duh.

    Re: Board does not use HTTPS connections


  3. - Top - End - #3
    Pixie in the Playground
     
    RangerGuy

    Join Date
    Jun 2018

    Re: Board does not use HTTPS connections

    Quote: Originally Posted by Jormengand
    > This has been discussed.

    Yes, I have seen that thread, and I addressed various aspects of it in my post. vBulletin's "security" without HTTPS is inadequate.

  4. - Top - End - #4
    Pixie in the Playground
    Join Date
    May 2018

    Re: Board does not use HTTPS connections

    TLS is as bad as SSL was last time I bothered to keep track of it, about 10-15 years ago (sorry, can't post links yet):
    CVE-2017-7805
    CVE-2018-7162
    CVE-2018-11712
    The latter two were submitted this year, in the previous month even.

    Sure, it does mitigate the problem of MitM existing somewhat, but, just as SSL before, it's more of a roadbump if someone is actually out to get you. Good security is impossible with there being no open hardware and firmware available in any case. That's not to say I'm encouraging you to drop all and any protection measures, but chances are your password and PMs on a webcomic/traditional games forum is a fairly low-priority target. Social engineering remains one of the prime vectors of attack to this day anyway.

  5. - Top - End - #5
    Pixie in the Playground
     
    RangerGuy

    Join Date
    Jun 2018

    Re: Board does not use HTTPS connections

    Quote: Originally Posted by fenfire
    > TLS is as bad as SSL was last time I bothered to keep track of it, about 10-15 years ago (sorry, can't post links yet):
    >
    > CVE-2017-7805

    This is a bug that has to do with Firefox using TLS, not TLS itself. It has nothing to do with a flaw in TLS encryption.

    > CVE-2018-7162

    This is about a DoS attack on a webserver, not about TLS encryption vulnerability.

    > CVE-2018-11712

    This is a bug related to WebKit using TLS, again not about a TLS encryption vulnerability.

    If you have a problem with TLS 1.3, then you should have a problem with the thousands of banking or other sensitive websites that use it for their encryption. We are always moving to better versions of encryption across the board, but of course if we aren't using encryption at all, then it's pointless to even argue about how good TLS is or is not.

    > Sure, it does mitigate the problem of MitM existing somewhat, but, just as SSL before, it's more of a roadbump if someone is actually out to get you. Good security is impossible with there being no open hardware and firmware available in any case. That's not to say I'm encouraging you to drop all and any protection measures, but chances are your password and PMs on a webcomic/traditional games forum is a fairly low-priority target. Social engineering remains one of the prime vectors of attack to this day anyway.

    I think you misunderstand. It is not that someone is watching this website specifically trying to hack people's passwords; it is that someone on the network you're on could use a packet sniffer to watch for all of your traffic (or anyone's traffic), hoping for some way of finding out some information about you, like a username/password (even hashed). Then, they use this to find other accounts of yours, etc. Sending all information in the clear or using a vulnerable MD5 hash (which has been well-documented as horrible for encryption) is frankly irresponsible.

    People that use this site should have some minimal expectation of security, and the current implementation does not provide this.

    vBulletin has an easy how-to for turning on HTTPS for their forums. I would link to it, but I can't since my account is so new. Of course, the site would need a security certification to begin with, but that can be found with services like letsencrypt dot org for free.

  6. - Top - End - #6
    Pixie in the Playground
     
    RangerGuy

    Join Date
    Jun 2018

    Re: Board does not use HTTPS connections

    If it helps, vBulletin has an article explaining why their forums should use HTTPS. Just Google "vbulletin converting your forum to https".

    From vBulletin's site:

    WHY DO I NEED HTTPS?
    Data sent over regular http connections are sent in plain text and could in theory be read by anyone who intercepts the connection. With an https connection, the data is securely encrypted, meaning that even if someone intercepted it, they wouldn't be able to read it.
    Starting in January 2017, Google's Chrome browser will begin to mark non-https pages as 'Insecure'. This warning may put off visitors to your site. Other browsers are expected to follow suit in due course.

    Additionally, Google is now using https as a ranking signal, meaning not having https could harm your site's ranking in Google.
    Next month, Chrome will mark all HTTP sites as "Not secure" in the address bar. In October, Chrome will make the warning red in the address bar.

  7. - Top - End - #7
    Pixie in the Playground
     
    RangerGuy

    Join Date
    Jun 2018

    Re: Board does not use HTTPS connections

    With that, I'm finished. I'm only trying to help, and if Giant in the Playground decides not to go forward with using a secure connection, that's your own choice.
    Last edited by BarbarianSmash; 2018-06-18 at 02:03 PM. Reason: typo

  8. - Top - End - #8
    Sheriff in the Playground Administrator
     
    Roland St. Jude's Avatar

    Join Date
    Sep 2005
    Gender
    Male

    Re: Board does not use HTTPS connections

    Sheriff: Thanks for the suggestion. As mentioned, this issue has been discussed and responded to by an Admin relatively recently and directly.
    Forum Rules

    Sheriff Roland by Chris the Pontifex
