So, if someone did something.... thanks.
You're welcome.
ped had big trouble due to using FluxBB + interaction between SFS & Cloudflare. Multiple issues in multiple places. Eventually, including much to-and-fro between him & the Mods, he got it sorted.
......HTTP logged-in cookies can be sniffed.
Wow, dodged a bullet there... I hate to get my cookies sniffed, lol.
Hey Garry, Alex, Ped - Long time no see! Ped, you've got "incoming", check your emails.
I've missed you guys, I'll try to check in more often.
We've had some lively times in the States as you know this year and the "fun" just never seems to stop.
BTW, (on a different note) I haven't converted my forum to HTTPS yet. If memory serves Ped is familiar with "Go-Dawgy" and their pricing, I may have to change hosting companies to be able to afford the HTTPS.
When browsing under HTTPS all SFS-bound page-links are HTTPS-links†
When browsing under HTTP, all SFS-bound page-links are HTTP-links
That is the problem.
Why is it a problem? Because when browsing under HTTP it means that the LOGIN link will be “http://www.stopforumspam.com/forum/login.php”, and *that* means that the login will be prone to a MITM (“Man In The Middle”) attack (an HTTPS login is NOT subject to a MITM attack, which is the main value of that protocol).
Brief explanation:
As Garry says, an SSL Certificate enables the full connection between your browser & the SFS webserver to be encrypted end-to-end, but does NOT mean that the SFS site is free from having been hacked. What it DOES mean is that no-one else can read what is passed either from your browser to SFS or from SFS to your browser.
When you connect from your browser to SFS the HOST request string is in plain text, which means that all servers between you & SFS can see your request; this is true regardless of whether it is HTTP or HTTPS (that can be changed only by using a TOR browser). However, all other connection particulars change from that point if the connection is HTTPS.
The first act is to make a DNS request on the HOST string so as to obtain the current IP Address of the server, and that is always in plain text.
If HTTP then EVERYTHING is in plain text (HTML5, by default, is in UTF-8).
If HTTPS (using an SSL certificate) then EVERYTHING is encrypted, including all REQUEST/RESPONSE metadata. That is vitally important if, to take the obvious example, you are connecting via WiFi at some coffee-bar, since the owners can sniff (listen in on) your full conversation if it is not encrypted.
One extra to think about is that under HTTP cookies are part of the metadata & are in plain text. They can therefore be sniffed for each connection, which means that HTTP logged-in cookies can be sniffed. As long as both the SFS cookie encryption is sound & your password is not trivial that should not be a problem.
The final extra is that the mighty Google is penalising sites that do not use HTTPS. Naturally, the load is souped up with SSL encryption.
†and stay as HTTPS except for the Forum link, which re-directs to HTTP, which is damn annoying!
PS
I no longer use Google to search as I'm sick to death of the way that it sniffs absolutely everything that I do. I use DDG instead. Much quicker & cleaner.
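The two points made above (SFS-bound links flipping to http:// when browsing under HTTP, and logged-in cookies being readable on a plain-HTTP connection) can be checked from the site-owner's side. The following Python is an added example, not code from the SFS forum or from FluxBB. The page URL and the login/forum paths are the ones mentioned in this thread; the HTML snippet, the cookie names and the cookie values are constructed for the demonstration.

```python
"""Added example (not from the SFS forum or FluxBB): audit a page fetched over
HTTPS for links that drop back to plain HTTP, and audit Set-Cookie headers for
cookies a browser would also send over that plain-HTTP hop."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL taken from the thread; the HTML body below is constructed for the demo.
PAGE_URL = "https://www.stopforumspam.com/forum/post.php?tid=8036"
SAMPLE_HTML = """
<a href="http://www.stopforumspam.com/forum/post.php?tid=8036">Forum</a>
<a href="/forum/login.php">Login</a>
<a href="https://www.stopforumspam.com/">Home</a>
<a href="http://forums.debian.net/viewtopic.php">Off-site link</a>
"""
# Constructed Set-Cookie headers: a weak cookie and its hardened form.
SAMPLE_SET_COOKIE = [
    "forum_cookie_weak=c0ffee; Path=/; HttpOnly",
    "forum_cookie_fixed=c0ffee; Path=/; Secure; HttpOnly",
]


class _LinkCollector(HTMLParser):
    """Collect href/src/action targets from a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.targets.append(value)


def find_downgrade_links(page_url, html):
    """Absolute URLs on an https page that point back at the same host over http.

    Following one of these (the 'Forum' button case) moves the session to
    plaintext; relative links such as /forum/login.php inherit https and are fine."""
    base = urlsplit(page_url)
    collector = _LinkCollector()
    collector.feed(html)
    downgrades = []
    for raw in collector.targets:
        target = urlsplit(urljoin(page_url, raw))
        if (base.scheme == "https" and target.scheme == "http"
                and target.hostname == base.hostname):
            downgrades.append(target.geturl())
    return downgrades


def cookie_issues(set_cookie_headers):
    """Map cookie name -> list of missing attributes.

    A cookie without 'Secure' is sent by the browser on plain-http requests too,
    so even a session established over https is exposed as soon as the user
    follows an http link. 'HttpOnly' keeps the cookie away from page scripts."""
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        findings[name] = problems
    return findings


def audit(page_url=PAGE_URL, html=SAMPLE_HTML, cookies=SAMPLE_SET_COOKIE):
    """Run both checks and return the findings as one dict."""
    return {"downgrade_links": find_downgrade_links(page_url, html),
            "cookies": cookie_issues(cookies)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

The first check is what a site owner would run over their own templates to catch the hard-coded http:// "Forum" link; the second is the fix for the cookie point: a session cookie carrying the Secure attribute is never sent on an http:// request, so one stray plain-HTTP link no longer exposes the logged-in session.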
OK, I am connected using https: https://www.stopforumspam.com/forum/post.php?tid=8036
and it shows it is secure.
However, if I refresh by clicking the "Forum" button up at the top, it links me to this
http: http://www.stopforumspam.com/forum/post.php?tid=8036
And then it says the same, not secured, which is expected when it is http.
I am also using Firefox... even though I do not like it much.
------------ edit -------------------------
From: https://support.mozilla.org/en-US/kb/in … =inproduct
What can I do if a login page is insecure?
If a login page for your favorite site is insecure, you can try and see if a secure version of the page exists by typing https:// before the url in the location bar. You can also try to contact the web administrator for the site and ask them to secure their connection.
Having the SSL certificate, and using https instead, gives people a false sense of security.
Unfortunately, the newest browser versions have added a "new feature" and when you link to a URL that is still the traditional "http", it will say that it is not secure.
The deception is that even if the site does use SSL and an https URL, that does not necessarily mean it really is secure, but the browser will let you think it is secure.
=== edited =====
I am glad we have 2 choices here, we can use http://www.stopforumspam.com or https://www.stopforumspam.com
On another forum, we had lots of complaints because they do not use https, do not have an SSL certificate...
So I did some research, to try to see if it really is that important or necessary to use the SSL certificates.
On banking sites, and some sites where the "data" is sensitive, it is more important, however it does not guarantee anything...
If you want you can read more on that, here:
http://forums.debian.net/viewtopic.php? … 17#p629939
From: https://perezbox.com/2015/07/https-does … r-website/
The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your websites availability by mitigating Distributed Denial of Services (DDOS) attacks.
Here are a number of articles I’ve written that better explain the dynamic nature of securing your websites, and what happens when you don’t. Notice how HTTPS has very little to do with the process. ---snip---
To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having their certificates spoofed: ---- read more ---
Another:
https://www.sott.net/article/275524-Why … -you-think
Below is another article, you may not be aware of this as well:
From: https://www.wordfence.com/blog/2017/04/ … -phishing/
====
We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.
FYI, I'm using firefox as a browser.