-
2018-06-17, 04:54 AM (ISO 8601)
- Join Date
- Jun 2018
Board does not use HTTPS connections
Hello! I am a new person on the boards, but I noticed while signing up for a login that the board and the entire site itself do not use HTTPS. I am posting to request that the site and forum be updated to use this not only for logins but on every page. The client-side MD5 hash for logins that vBulletin uses is considerably more vulnerable compared to using TLS via HTTPS (e.g., MITM attacks via JavaScript injection over HTTP, brute-force cracking of the MD5 hash that is sent in the clear). Additionally, because the site uses HTTP, all private messages that you read or send here are transmitted completely in the clear for anyone using a packet-sniffer to read.
The Internet is moving to HTTPS for every connection, and I believe that this site should do so as well. It provides privacy and security to users, and now that the newer HTTP/2 protocol is standard in all web browsers and only works for HTTPS sites, there are speed benefits to doing so as well. Additionally, in October, Chrome and other browsers will be putting a red "not secure" notification on HTTP sites that use any form fields.
I hope this information helps!
Last edited by BarbarianSmash; 2018-06-17 at 04:57 AM.
-
2018-06-17, 05:49 AM (ISO 8601)
- Join Date
- Oct 2012
- Location
- In the Playground, duh.
Re: Board does not use HTTPS connections
This has been discussed.
-
2018-06-18, 03:38 AM (ISO 8601)
- Join Date
- Jun 2018
-
2018-06-18, 05:17 AM (ISO 8601)
- Join Date
- May 2018
Re: Board does not use HTTPS connections
TLS is as bad as SSL was last time I bothered to keep track of it, about 10-15 years ago (sorry, can't post links yet):
CVE-2017-7805
CVE-2018-7162
CVE-2018-11712
The latter two were submitted this year, in the previous month even.
Sure, it does mitigate the problem of MitM existing somewhat, but, just as SSL before, it's more of a roadbump if someone is actually out to get you. Good security is impossible with there being no open hardware and firmware available in any case. That's not to say I'm encouraging you to drop all and any protection measures, but chances are your password and PMs on a webcomic/traditional games forum is a fairly low-priority target. Social engineering remains one of the prime vectors of attack to this day anyway.
-
2018-06-18, 01:22 PM (ISO 8601)
- Join Date
- Jun 2018
Re: Board does not use HTTPS connections
This is a bug that has to do with Firefox using TLS, not TLS itself. It has nothing to do with a flaw in TLS encryption.
CVE-2018-7162
CVE-2018-11712
If you have a problem with TLS 1.3, then you should have a problem with the thousands of banking or other sensitive websites that use it for their encryption. We are always moving to better versions of encryption across the board, but of course if we aren't using encryption at all, then it's pointless to even argue about how good TLS is or is not.
Sure, it does mitigate the problem of MitM existing somewhat, but, just as SSL before, it's more of a roadbump if someone is actually out to get you. Good security is impossible with there being no open hardware and firmware available in any case. That's not to say I'm encouraging you to drop all and any protection measures, but chances are your password and PMs on a webcomic/traditional games forum is a fairly low-priority target. Social engineering remains one of the prime vectors of attack to this day anyway.
People that use this site should have some minimal expectation of security, and the current implementation does not provide this.
vBulletin has an easy how-to for turning on HTTPS for their forums. I would link to it, but I can't since my account is so new. Of course, the site would need a security certification to begin with, but that can be found with services like letsencrypt dot org for free.
-
2018-06-18, 01:56 PM (ISO 8601)
- Join Date
- Jun 2018
Re: Board does not use HTTPS connections
If it helps, vBulletin has an article explaining why their forums should use HTTPS. Just Google "vbulletin converting your forum to https".
From vBulletin's site:
WHY DO I NEED HTTPS?
Data sent over regular http connections are sent in plain text and could in theory be read by anyone who intercepts the connection. With an https connection, the data is securely encrypted, meaning that even if someone intercepted it, they wouldn't be able to read it.
Starting in January 2017, Google's Chrome browser will begin to mark non-https pages as 'Insecure'. This warning may put off visitors to your site. Other browsers are expected to follow suit in due course.
Additionally, Google is now using https as a ranking signal, meaning not having https could harm your site's ranking in Google.
-
2018-06-18, 02:01 PM (ISO 8601)
- Join Date
- Jun 2018
Re: Board does not use HTTPS connections
With that, I'm finished. I'm only trying to help, and if Giant in the Playground decides not to go forward with using a secure connection, that's your own choice.
Last edited by BarbarianSmash; 2018-06-18 at 02:03 PM. Reason: typo
-
2018-06-18, 03:48 PM (ISO 8601)
- Join Date
- Sep 2005
Re: Board does not use HTTPS connections
Sheriff: Thanks for the suggestion. As mentioned, this issue has been discussed and responded to by an Admin relatively recently and directly.