11-10-2016, 08:09 PM | #1 |
getDare Devil
SSL/TLS via httpS?
Hello getDare
I love this site! I use it on my phone even. And with all the free WiFi in the cities I would just love to use it while logged into a public WiFi-AccesPoint. But I don't. Why? Because the traffic between my phone and the site-server is not encrypted. Anyone logged into the same access point could read my traffic, my username, if I need to log in even my password, when checking my profile options .. anything really. I know, because I sometimes am one of those people lurking in free WiFis just to see what people are doing. Eventually I will use a VPN to my home, encrypting all my traffic either way. Still though, I would love to see getdare use https. And not just as an option, but always default to it. I currently can't afford to send any money to cover any costs concerning this because my business is just getting started and I am very very low on money - scraping by really. But since setting up webservers with encryption is part of what I do I would even offer myself to do it with and for you (always supervised via Desktop sharing). With letsencrypt.org it is easily possible to have cost free SSL-Certificates, which renew automatically as well. Implementing this would need root shell access to the server though - which is why I would only feel comfortable doing this while sharing my desktop. If you have a sys-admin who can do this for you, please tell him about this. If you don't I offer my services free of charge! Should you be using a webhoster where you don't have root access, and they do want money for it, I think some users of getdare would be happy to finance a campaign to visit this site on a more secure way. Just think about all the average non tech savvy users using the same passwords over and over again. Let their traffic get snooped et voila, they become a spam donor. Believe me: it is incredible what flies around unencrypted in a Starbucks or MacDonalds! So.. feel free to contact me. Also maybe others would like to chime in as well. 
Thank you very much for your attention! Just ask, and I'll put it in for you EDIT: and I just saw the suggestion zone. Maybe move it there, mods? 2nd EDIT: just imagine the shared networks in dorms and different people living together
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet Unofficial getDare Minecraft-Server likes - limits - toys -- pm dares Randomly Locked in Chastity (locked or not: no orgasms for this pup) kik: LockedPuppy Last edited by Locked Puppy; 11-11-2016 at 10:59 AM. Reason: possibly posted in the wrong thread |
The following 6 users say Thank You to Locked Puppy for this post: |
11-13-2016, 04:45 AM | #2 |
Member
I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.
The passwords are being hashed locally using MD5 (unsalted):
Code:
onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"
Code:
Frame 28641: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits) on interface 0
Ethernet II, Src: AsrockIn_ea:c1:44 (00:34:22:ef:e0:31), Dst: SamsungE_16:36:81 (21:fb:6b:18:16:77)
Internet Protocol Version 4, Src: 192.168.192.37, Dst: 104.25.185.9
Transmission Control Protocol, Src Port: 58448, Dst Port: 80, Seq: 1, Ack: 1, Len: 826
Hypertext Transfer Protocol
    POST /bbs/login.php?do=login HTTP/1.1\r\n
    Host: www.getdare.com\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-GB,en;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    Referer: http://www.getdare.com/bbs/\r\n
    DNT: 1\r\n
    Connection: keep-alive\r\n
    Upgrade-Insecure-Requests: 1\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Content-Length: 194\r\n
    \r\n
    [Full request URI: http://www.getdare.com/bbs/login.php?do=login]
    [HTTP request 1/1]
    [Response in frame: 28655]
    File Data: 194 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "vb_login_username" = "redambergreen"
    Form item: "vb_login_password" = ""
    Form item: "s" = ""
    Form item: "securitytoken" = "guest"
    Form item: "do" = "login"
    Form item: "vb_login_md5password" = "7a495904a8c0b3e6aabe27440b436c28"
    Form item: "vb_login_md5password_utf" = "7a495904a8c0b3e6aabe27440b436c28"
This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network.
11-13-2016, 04:49 AM | #3 |
Account Banned
Well in my opinion *Insert smart sounding techno Babble here*
Love, Zoey
__________________
21/F KIK *NEW* Likes: pee dares, light pain, hidden public, creative dares Dislikes: self bondage, edging Limits: pictures, family/friends, serious pain, permanent/body altering, scat I DO HAVE THE RIGHT TO SAY "FUCK THAT I AINT DOING IT" TO ANY DARE BDSM TEST PM Dares My Toys My Human Sex Map I'm looking for new things to try so I can soon expand my likes
11-13-2016, 05:32 AM | #4 | ||
getDare Devil
Quote:
This is real bad if the servers ever get "hacked".. hmm also: "salting" MD5 is still not secure. MD5 is obsolete since.. when was the youngest member of this site born? I am no coder, so I have no idea what it would need to rework the password scheme. But if it were to be reimplemented, I'd suggest never rolling your own "encryption/hash function". Use what is established and gets updated. PHP Code:
Quote:
Room-mates could be nefarious enough. The whole college student apartment uses the same network?.. yeah, nobody is studying IT there and wants to test what they have learned. Or people like me.. on a public WiFi.. -- if there is one, there are many who do this. My offer about helping to implement SSL/TLS free of charge still stands! My sites get an A+ rating on https://www.ssllabs.com/ssltest/ using a cost-free certificate that automatically renews itself → https://letsencrypt.org/ Encrypt all the things!! ============== That should do it!
The following user says Thank You to Locked Puppy for this post: |
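The two posts above make one point between them: the captured vb_login_md5password is an unsalted MD5 of the password alone, so the digest on the wire is a password-equivalent that can simply be resent, and the fix is an established server-side KDF rather than a home-grown scheme. The block below is an added illustration written for this thread, not code from getDare or vBulletin. It puts the captured scheme next to a salted PBKDF2-HMAC-SHA256 scheme; the user names, the password and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo credential: two members who happen to share a password.
DEMO_PASSWORD = "correct horse"   # constructed, not a real credential


def client_side_md5(password: str) -> str:
    """What a client-side md5hash() call submits as vb_login_md5password:
    a fixed function of the password alone (no salt, no per-login nonce)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_verify(stored_md5: str, submitted_md5: str) -> bool:
    """Server side of the captured scheme: compare two hex digests.
    Any value observed on the wire as submitted_md5 satisfies this check
    again later, so the digest itself is the credential."""
    return hmac.compare_digest(stored_md5, submitted_md5)


PBKDF2_ITERATIONS = 600_000   # assumption: calibrate to ~100-300 ms on the login host


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Server-side salted, iterated hash with a standard KDF (PBKDF2-HMAC-SHA256).
    The stored string carries its own parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    Malformed stored values are rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes(password: str = DEMO_PASSWORD,
                    iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Side by side for constructed users 'alice' and 'bob' using the same password."""
    legacy = {u: client_side_md5(password) for u in ("alice", "bob")}
    hardened = {u: hash_password(password, iterations=iterations) for u in ("alice", "bob")}
    return {
        # identical digests expose shared passwords and let precomputed tables work
        "legacy_digests_identical": legacy["alice"] == legacy["bob"],
        # a digest seen once on the wire is accepted verbatim a second time
        "legacy_replay_accepted": legacy_verify(legacy["alice"], legacy["alice"]),
        # per-user random salt: same password, different stored values
        "hardened_hashes_identical": hardened["alice"] == hardened["bob"],
        "hardened_verifies": verify_password(hardened["alice"], password),
        "hardened_rejects_wrong": verify_password(hardened["alice"], password + "x"),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name}: {result}")
```

Note the division of labour: the salted KDF protects the stored database if it ever leaks, but it means the cleartext password now travels to the server, so it only makes sense once the login page is served over TLS. Conversely, TLS alone does nothing for a leaked table of unsalted MD5 digests. Both changes are needed; neither replaces the other.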
11-17-2016, 06:25 PM | #5 |
getDare Devil
I did some quick digging.
I do not know which hosting plan is being used by getdare on cloudflare, but even the free option now includes SSL/TLS. Maybe an admin can just "flick the switch" one day? That's my 50 cents on this for now. Rachie? If you read this, any insight? Maybe get Depp back for this?
11-29-2016, 11:35 AM | #6 |
getDare Devil
Just a new FYI:
Firefox will soon show warnings in forms when the site does not offer encryption! https://ma.ttias.be/firefox-nightly-...p-as-insecure/ Again: my offer still stands!
01-06-2017, 08:02 AM | #7 |
getDare Devil
Just wanted to bring this up again. My offer still stands, of implementing SSL/TLS functionality cost free (see above). I really, really, REALLY want this site to encrypt its traffic.
01-06-2017, 12:19 PM | #8 |
Junior Member
Join Date: Dec 2013
Posts: 7
I suspect the ad system (Juicy Ads? maybe some others too) will need reconfiguring somewhere to use https (or all the ads will disappear, which isn't a good outcome for GD as a whole) — this should be done now, or at least ahead of enabling https for the site itself. (Also, we'd want CloudFlare using https to the origin as well as to the client, so a letsencrypt-issued cert is important as well as any CF configuration.)
As IllPUTitIN, happy to help if it'll…help. Umm vBulletin 3 is…rather old, and likely more complex to plan and execute a smooth upgrade. As Bluetooth points out, there are probably problems with the latest versions, but https should make things considerably less of a problem, and the latest version possibly more so. There's a cost to upgrading, also. Their upgrading tool will then work for the current site, although with a big version jump it's entirely likely that controls and such will move around and confuse everyone; so not to be done without some planning.
01-06-2017, 05:55 PM | #9 |
getDare Devil
Yup, the ads might pose a problem, I haven't thought about those! But I hope the ad network would provide a solution for that, since more and more sites go to TLS/SSL. Of course this can be tested easily and run in parallel until all kinks have been worked out. (As for now, putting https in front of getdare.com just automatically brings you back to http, which speaks to a well configured server for that case.)
Concerning vBulletin, I have no solution for that, but that is a whole other matter. First and foremost, with all the governments literally snooping all traffic that leads out of their countries, transport encryption should be implemented. (Again, for which I'd happily provide my time and resources.)
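The thread's deployment goal, stated across the first post and this reply, is "https always, by default": the observed behaviour today is the reverse redirect (https back to http). The block below is an added example for this thread, not getDare's or Cloudflare's configuration. It shows, in Python's standard library, the three pieces a practitioner would check once the certificate is in place: a server TLS context with a TLS 1.2 floor (the certificate path in the docstring assumes certbot's default layout), the http-to-https redirect in the right direction with an HSTS header, and a Secure session cookie. The audit function then scores constructed responses the way the poster described testing the site; the host name is taken from the thread, the responses are made up for the demo. With a CDN in front of the origin (post #8), the same redirect and HSTS rules apply at the edge, and the origin should speak TLS too, or the hop between CDN and origin stays in the clear.

```python
import ssl
from typing import Dict, List, Optional, Tuple

# One year; add 'preload' only once every subdomain is known to serve https.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def make_server_tls_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context: Python's hardened defaults plus a TLS 1.2 floor.
    certfile/keyfile would be the Let's Encrypt chain and key, e.g.
    /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem
    (assumed layout: certbot's default, placeholder domain)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def route(scheme: str, host: str, path: str, query: str = "") -> Tuple[int, Dict[str, str]]:
    """Response policy for one request, keyed on its scheme.
    http  -> permanent redirect to the same URL on https (never the other way round)
    https -> serve, with HSTS so returning browsers skip the http hop entirely."""
    qs = f"?{query}" if query else ""
    if scheme.lower() != "https":
        return 301, {"Location": f"https://{host}{path}{qs}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE,
                 "Content-Type": "text/html; charset=utf-8"}


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for the login session: Secure keeps it off any http request,
    HttpOnly keeps it away from page scripts."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for one observed response. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    location = h.get("location", "")
    if scheme.lower() == "http":
        # A permanent redirect is what browsers cache; anything else is a gap.
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("http request is not redirected to https")
    else:
        if status in (301, 302, 307, 308) and location.startswith("http://"):
            findings.append("https request is redirected back to http")
        if "strict-transport-security" not in h:
            findings.append("https response lacks Strict-Transport-Security")
    cookie = h.get("set-cookie", "")
    if cookie and "secure" not in cookie.lower():
        findings.append("session cookie set without Secure flag")
    return findings


if __name__ == "__main__":
    host = "www.getdare.com"
    # Constructed 'current state' from the thread's description: https bounces to http.
    print("today   :", audit("https", 302, {"Location": f"http://{host}/bbs/"}))
    # The policy above applied to both schemes.
    print("http    :", audit("http", *route("http", host, "/bbs/login.php", "do=login")))
    status, hdrs = route("https", host, "/bbs/")
    hdrs["Set-Cookie"] = session_cookie("session", "constructed-value")
    print("https   :", audit("https", status, hdrs))
    print("tls min :", make_server_tls_context().minimum_version.name)
```

The audit deliberately treats a 302 from http as a finding: a temporary redirect is re-fetched over http on every visit, so the first request of each session still leaks the cookie unless it carries the Secure flag. That interplay is why the cookie check sits in the same function.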
Tags |
encryption, https, security, service, ssl |