whocaresabout_de

secured connection to this forum? | need SSL

4 posts in this topic

Hi,

what's about setting up a secured connection for this forum? At least after the exploitusage.

New passwords do not gather any benefit if the registration information as same as the login credentials are beeing send through plaintext through the web.

Esp. with the look onto the current and growing size of users logging in here hourly/daily. There should be a kinda responsibility.

 

Currently it surely looks like:

USER(plain http) --Users-ISP-- backbone-transit(still plain http) -- cloud-flare(POST/GET data from upstream/backend(still plain http)) -- backbone-transit -- Datacenter(ISP) -- backend-exileforum-webserver

 

Sniffing at some hotspot or compromized any other compromized network or during any transit/portmirror to cloudflare or backendserver... is too easy. Even without spoofing any adresses.

##

/root: tcpdump -i em1 -vv -l -A -p tcp port 80 | grep -E -i 'pass=|password=|login=|user=|username=|pass:|password:|user:|username:'
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Referer: http://www.exilemod.com/?_fromLogin=1&_fromLogout=1
login__standard_submitted=1&csrfKey=7XXXYZdeadbeef14ef87182cd48cafe2&auth=xyz123%40whocaresabout_de&password=Q1w2e3r4&remember_me=0&remember_me_checkbox=1&signin_anonymous=0
Location: http://www.exilemod.com/?_fromLogin=1&_fromLogout=1
E....?@.?..j..>ph.o....P<@..`T.%P..w....GET /?_fromLogin=1&_fromLogout=1 HTTP/1.1
Referer: http://www.exilemod.com/?_fromLogin=1&_fromLogout=1
Referer: http://www.exilemod.com/?_fromLogin=1&_fromLogout=1
Referer: http://www.exilemod.com/?_fromLogin=1&_fromLogout=1
##

 

- frontend connection to cloud-flare should be secured with an valid (non-ev cert)

- backend connection to the upstream/originate webserver should be secured at least with a self signed certificate - else transfer to and from cloudflare would be proceed in plaintext

 

I think, even if there is 3rd party content is embedded at this forum(for sure) - doesent matter if pictures, banners, buttons, etc. through an plain link, then the change of the color at browser/url-line is acceptable. Because it provides a general better feeling surfing this forum. Furthermore it would become more positive rated at several seach-engines and their ranking (eg. google/alexa page-ranking)

t

Whats your opinion about it?

 

--

Free-SSL-Certificates:

#1-year valid https://www.startssl.com/

#3-months valid https://letsencrypt.org/

Edited by whocaresabout_de
added tcpdump output
1 person likes this

Share this post


Link to post
Share on other sites

Fun fact, Cloudflare gives free SSL certs, they just need to add an page rule that http://*exilemod.com* should allways use ssl in CF.

See for your sefl, https://exilemod.com do work, just some CSS/JS paths that need to be fixed

 

But for your tcpdump  to work, you still have to do an MiM before it works, any way. any sits should do SSL in 2016

Edited by itsatrap

Share this post


Link to post
Share on other sites
Advertisement

We didn't get hacked by an exploit though. But I do agree that ssl should still be implemented. Better safe than sorry

1 person likes this

Share this post


Link to post
Share on other sites
Advertisement

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.