|
SSL/TLS via httpS?
Hello getDare
I love this site! I use it on my phone even. And with all the free WiFi in the cities I would just love to use it while logged into a public WiFi-AccesPoint. But I don't. Why? Because the traffic between my phone and the site-server is not encrypted. Anyone logged into the same access point could read my traffic, my username, if I need to log in even my password, when checking my profile options .. anything really. I know, because I sometimes am one of those people lurking in free WiFis just to see what people are doing. Eventually I will use a VPN to my home, encrypting all my traffic either way. Still though, I would love to see getdare use https. And not just as an option, but always default to it. I currently can't afford to send any money to cover any costs concerning this because my business is just getting started and I am very very low on money - scraping by really. But since setting up webservers with encryption is part of what I do I would even offer myself to do it with and for you (always supervised via Desktop sharing). With letsencrypt.org it is easily possible to have cost free SSL-Certificates, which renew automatically as well. Implementing this would need root shell access to the server though - which is why I would only feel comfortable doing this while sharing my desktop. If you have a sys-admin who can do this for you, please tell him about this. If you don't I offer my services free of charge! Should you be using a webhoster where you don't have root access, and they do want money for it, I think some users of getdare would be happy to finance a campaign to visit this site on a more secure way. Just think about all the average non tech savvy users using the same passwords over and over again. Let their traffic get snooped et voila, they become a spam donor. Believe me: it is incredible what flies around unencrypted in a Starbucks or MacDonalds! So.. feel free to contact me. Also maybe others would like to chime in as well. Thank you very much for your attention! Just ask, and I'll put it in for you ;) EDIT: and I just saw the suggestion zone. Maybe move it there, mods? 2nd EDIT: just imagine the shared networks in dorms and different people living together |
I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.
The passwords are being hashed locally using MD5 (unsalted): Code:
onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"Code:
Frame 28641: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits) on interface 0This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network. |
Well in my opinion *Insert smart sounding techno Babble here*
Love, Zoey |
Quote:
This is real bad if the servers ever get "hacked".. hmm also: "salting" MD5 is still not secure. MD5 is obsolete since.. when was the youngest member of this site born? I am no coder, so I have no idea what it would need to rework the password-scheme. But if it were to be reeimplemented, I'd suggest to never roll your own "encryption/hash-function". Use what is established and gets updated. PHP Code:
Quote:
Room-mates could be neferious enough. The hole college student apartment uses the same network?.. yeah, nobody is studying IT there and wants to test what they have learned. Or people like me.. on a public WiFi.. :o -- if there is one, there are many who do this My offer about helping to implement SSL/TLS free of charge still stands! My sites get an A+ rating on https://www.ssllabs.com/ssltest/ using a cost free certificate that automatically renews itself → https://letsencrypt.org/ Encrypt all the things!! ============== Quote:
|
I did some quick digging.
I do not know which hosting plan is being used by getdare on cloudflare, but even the free option now includes SSL/TLS. Maybe an admin can just "flick the switch" one day? That's my 50 cents on this for now. Rachie? If you read this, any insight? Maybe get Depp back for this? |
Just a new FYI:
Firefox will soon implement warnings into forms when the site does not offer encryption! https://ma.ttias.be/firefox-nightly-...p-as-insecure/ Again: my offer still stands! |
Just wanted to bring this up again. My offer still stands, of implementing SSL/TLS functionality cost free (see above) I really, really, REALLY want this site to encrypt its traffic.
|
This is a great offer and whether or not they take you up on it I hope they sort this soon. It's ridiculous to have a website like this not on https.
FWIW, vBulletin doesn't just store your password in md5 but its approach is known to be obviously weak. Eg. https://www.troyhunt.com/data-breach...etin-and-weak/ This forum is at least on 3.8.7, but given the footer says 2013 who knows when it was last patched or if it's even still supported by vBulletin. |
I suspect the ad system (Juicy Ads? maybe some others too) will need reconfiguring somewhere to use https (or all the ads will disappear, which isn't a good outcome for GD as a whole) — this should be done now, or at least ahead of enabling https for the site itself. (Also, we'd want CloudFlare using https to the origin as well as to the client, so a letsencrypt-issued cert is important as well as any CF configuration.)
As IllPUTitIN, happy to help if it'll…help. Umm :) vBulletin 3 is…rather old, and likely more complex to plan and execute a smooth upgrade. As Bluetooth points out, there are probably problems with the latest versions, but https should make things considerably less of a problem, and the latest version possibly more so. There's a cost to upgrading, also. Their upgrading tool will then work for the current site, although with a big version jump it's entirely likely that controls and such will move around and confuse everyone; so not to be done without some planning. |
Yup, the ads might pose a problem, I haven't thought about those! But I hope the ad-network would provide a solution fo that, since more and more sites go to TLS/SSL. Of course this can be tested easily and run in parallel until all kinks have been worked out. (as for now, putting https in front of getdare.com just automatically brings you back to http, which speaks to a well configured server for that case)
concerning vBulletin, I have no solution for that, but that is a whole other matter. first and foremost, with all the governments literally snooping all traffic that leads out of their countries, transport encryption should be implemented. (again, for which I'd happily provide my time and resources) |
I agree that this is bad. I am visiting this site via TOR using a very-high-entropy password that I don't use anywhere else (passwordsafes ftw!), So the worst thing that can happen to ME is that I loose access to my account because someone re-sends the hash, given that this sounds as if there is no protection against replay-attacks…
BUT: I am willing to bet one month of denial, that there are quite a few other users, for whom this is not the case. Hashing with MD5, while certainly not good, is IMO still a passing-grade (hashing with sha3 really wouldn't be any better). What Is however really worrisome is all that extremely private stuff that could in some cases ruin peoples lives go over the wire unencrypted. If someone is able to correlate a certain account to a certain person this could be nasty and might not be as hard as you may think. Given the information that user X is a Y year old male student of subject Z in a certain medium-sized town can narrow down things A LOT. So by all means: Please enable encryption or at least provide it as an option. It's not even that slow nowadays: If you can afford PHP, you can afford encryption. ;-) |
It is a free option for current contracts with cloudflare. So in the worst case, it's a check box away.
|
vBulletin breaches
I don't understand why the site admins aren't on top of this. Do we need to message some of them individually?
Please note, the current version of vBulletin is 5. This site is running version 3. This is a post about a slew of sites using old versions of vBulletin which have been compromised over the past few years and which have come to light lately: https://www.troyhunt.com/i-just-adde...-i-been-pwned/ GD is not on this list, but it's not exhaustive. HTTPS is important, and so is using a hosting service so we get patches automatically. At this point, I think the correct assumption is that GD HAS been hacked and your account is not secure. |
Just wanting to put this back on the map. Anyone? I am still happy to help for free! I do get A+ ratings for my site's HTTPS implementation by SSL-labs.
The offer still stands. |
I'm not incredibly concerned about the password issues (though obviously they are a concern for people who use their accounts a bit more than me), but the fact we aren't running SSL on pages is both weird, bad, and bad for ad revenue.
Just a reminder to the admins - SSL is one of the deciding factors used by Google for working out your website rank. It's not hard to have and is definitely advisable. It also stops all your users from being tracked to every single page they go on. Oddly, doing a quick SSL lookup shows that there is in fact a SSL cert for getdare: https://www.sslshopper.com/ssl-check...tdare.com/bbs/ But Chrome is reporting these pages as insecure. If the website is to continue, I think it really does need a bit of a security spruce-up and some updates. I'm also willing to help as a security-centred web developer if you guys are interested. |
| All times are GMT -7. The time now is 05:51 AM. |
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.