You are not logged in.

#1 2017-06-05 12:33 pm

jimmie 48
Member
Registered: 2011-02-18
Posts: 20

SFS site not secure

I got a message, posted in a drop down box, when logging in that stopforumspam site is not secure and that log in information could be comprised.   Also, on the browser search line the picture of the lock has a red hash line through it which I believe is telling me the site is not secure.

FYI, I'm using firefox as a browser.

Offline

#2 2017-06-05 1:16 pm

GarryRicketson
Moderator
From: Mexico
Registered: 2011-08-19
Posts: 1,232
Website

Re: SFS site not secure

That is because you are using the "http" url,...and there is no ssl certificate.
Try using :
https://www.stopforumspam.com
or
https://www.stopforumspam.com/forum/
instead, and see what it says.
The website and forum are as secure as possible, but after all said and done,
nothing is really very secure on the internet.
But that would be a different topic.

Having the ssl ceritficate,  and using https instead gives people a false sense of security,
Unfortunately, the newest browser versions have added a "new feature" and when you
link to a url that is still the traditional "http", it will say that it is not secure.
The deception is , that even if the site does use ssl, and a https url, that does not necessarily
mean it really is secure, but the browser will let you think it is secure.
=== edited =====
I am glad we have 2 choices here, we can use :http://www.stopforumspam.com or https://www.stopforumspam.com

On another forum, we had lot's of complaints because they do not use https, do not have a ssl
certificate,..
So I did some research, to try to see if it really is that important or necessary to use the ssl certifcates.
On banking sites, and some sites where the "data" is sensitive, it is more important, how ever it does
not guarantee anything,..
If you want you can read more on that, here:
http://forums.debian.net/viewtopic.php? … 17#p629939

From: https://perezbox.com/2015/07/https-does … r-website/

The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your websites availability by mitigating Distributed Denial of Services (DDOS) attacks.
Here are a number of articles I’ve written that better explain the dynamic nature of securing your websites, and what happens when you don’t. Notice how HTTPS has very little to do with the process. ---snip---
To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having theircertificates spoofed:---- read more-- 

Another:
https://www.sott.net/article/275524-Why … -you-think
Below is another article, you may not be aware of this as well:


From: https://www.wordfence.com/blog/2017/04/ … -phishing/
====
We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt . Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox

Offline

#3 2017-06-05 1:59 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,536

Re: SFS site not secure

Then there is something between you and here as when you access the site via HTTPS, there isnt a certificate problem

Offline

#4 2017-06-05 2:39 pm

GarryRicketson
Moderator
From: Mexico
Registered: 2011-08-19
Posts: 1,232
Website

Re: SFS site not secure

There is something I am noticing as well that seems kind of odd.

Ok, I am connected using the https, :https://www.stopforumspam.com/forum/post.php?tid=8036
and it shows it is secure.

However if I refresh , by clicking the "Forum" button  up at the top, it links me to this
http: http://www.stopforumspam.com/forum/post.php?tid=8036

And the it says the same, not secured, which is expected when it is http.
I am also using firefox,.... even though I do not like it much.
------------ edit -------------------------
From: https://support.mozilla.org/en-US/kb/in … =inproduct

What can I do if a login page is insecure?

If a login page for your favorite site is insecure, you can try and see if a secure version of the page exists by typing https:// before the url in the location bar. You can also try to contact the web administrator for the site and ask them to secure their connection.

Offline

#5 2017-06-05 6:39 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,862
Website

Re: SFS site not secure

There IS a problem with SFS when logging in, and it has zilch to do with which browser is being used, and only incidentally to do with whether browsing under the HTTP or HTTPS protocol, but it most certainly is a problem at SFS's end & NOT the browser:–

  • When browsing under HTTPS all SFS-bound page-links are HTTPS-links†

  • When browsing under HTTP, all SFS-bound page-links are HTTP-links

That is the problem.

Why is it a problem? Because when browsing under HTTP it means that the LOGIN link will be “http://www.stopforumspam.com/forum/login.php”, and *that* means that the login will be prone to a MITM (“Man In The Middle”) attack (an HTTPS login is NOT subject to a MITM attack, which is the main value of that protocol).

Brief explanation:

As Garry says, a SSL Certificate enables the full connection between your browser & the SFS webserver to be encrypted from end-to-end, but does NOT mean that the SFS site is free from having been hacked. What it DOES mean is that no-one else can read what is passed either from your browser to SFS nor from SFS to your browser.

When you connect from your browser to SFS the HOST request string is in plain text, which means that all servers between you & SFS can see your request;  this is true regardless of whether it is HTTP or HTTPS (that can be changed only by using a TOR browser). However, all other connection particulars change from that point if the connection is HTTPS.

  1. The first act is to make a DNS request on the HOST string as to obtain the current IP Address of the server, and that is always in plain-text.

  2. If HTTP then EVERYTHING is in plain text (HTML5, by default, is in UTF-8).

  3. If HTTPS (using a SSL certificate) then EVERYTHING is encrypted, including all REQUEST/RESPONSE metadata. That is vitally important if, as the obvious example, that you are connecting via WiFi at some coffee-bar, since the owners can sniff (listen in on) your full conversation if not encrypted.

One extra to think about is that under HTTP cookies are part of the metadata & are in plain text. They can therefore be sniffed for each connection, which means that HTTP logged-in cookies can be sniffed. As long as both the SFS cookie encryption is sound & your password is not trivial that should not be a problem.

The final extra is that the mighty Google is penalising sites that do not use HTTPS. Naturally, the load is souped up with SSL encryption.

†and stay as HTTPS except for the Forum link, which re-directs to HTTP, which is damn annoying!

PS
I no longer use Google to search as I'm sick to death of the way that it sniffs absolutely everything that I do. I use DDG instead. Much quicker & cleaner.

Offline

#6 2017-06-05 11:09 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,536

Re: SFS site not secure

i'll just have to force https for some stuff and tell flux to stop being a pain in the ass with the HTTP redirection

Offline

#7 2017-06-18 11:53 pm

Magyver
Member
From: Mississippi Gulf Coast, USA
Registered: 2010-11-15
Posts: 450
Website

Re: SFS site not secure

Alex Kemp wrote:

......HTTP logged-in cookies can be sniffed.

Wow, dodged a bullet there... I hate to get my cookies sniffed, lol.

Hey Garry, Alex, Ped - Long time no see! Ped, you've got "incoming", check your emails.
I've missed you guys, I'll try to check in more often.

We've had some lively times in the States as you know this year and the "fun" just never seems to stop.
BTW, (on a different note) I haven't converted my forum to HTTPS yet. If memory serves Ped is familiar with "Go-Dawgy" and their pricing, I may have to change hosting companies to be able to afford the HTTPS.


The Mud Bug Mafia

Offline

#8 2017-06-19 1:44 am

jimmie 48
Member
Registered: 2011-02-18
Posts: 20

Re: SFS site not secure

Just an update for the situation I described in the first post.
SFS site shows that it is Secure now.   So, if someone did something.... thanks.

Offline

#9 2017-06-19 4:22 am

Magyver
Member
From: Mississippi Gulf Coast, USA
Registered: 2010-11-15
Posts: 450
Website

Re: SFS site not secure

@jimmie 48: Ped & his peeps don't let any moss grow under their feet!


The Mud Bug Mafia

Offline

#10 2017-06-19 9:34 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,862
Website

Re: SFS site not secure

jimmie 48 wrote:

So, if someone did something.... thanks.

You're welcome.

ped had big trouble due to using FluxBB + interaction between SFS & Cloudflare. Multiple issues in multiple places. Eventually, including much to-and-fro between him & the Mods, he got it sorted.

Offline

Board footer

Powered by FluxBB

Close
Close