11-08-2017, 10:51 AM | #1 |
Member
Join Date: Aug 2016
Drives: Red 2013 BRZ Premium 6MT
Location: Chicago, IL
Posts: 58
Thanks: 13
Thanked 24 Times in 16 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
HTTPS
Hi guys,
I'm a senior software developer at my company, and I have to say it's absolutely nuts that this site doesn't use HTTPS. I know we're car guys and not computer guys here, so I just want to tell you what kinds of things happen when you don't use HTTPS: 1. Your password is sent plain text over the internet. Anybody who has access to the packets that are sent here can read your password as plain as day, and you don't have to be a genius to do so. This means your ISP, any trunk line users, the datacenter, anybody performing a man in the middle attack, anybody. And this is more likely to happen than you may think, speaking from experience. 2. Even when we're not sending passwords, somebody can perform something called a man in the middle attack, where they intercept the data that you are sending to the server, and then forward it on your behalf, get the response from the server, but change it when it goes back to you. This could be used to lure people to meets that are actually setups to mug you etc. Again, speaking from experience I had a friend that this happened to, and again, much more likely than you think. 3. Your identity is very obvious to anybody who obtains the packets, so they know who is exactly where and what they are doing. What's more, any attacker can plainly see that the site isn't using HTTPS, so they're not going to waste their time going after sites who are, they're going to come right for us because we're an obvious and vulnerable target. It's hard to explain why we should care about this so much since we're not all software guys here, but rest assured this is a very serious matter. if the admins of the site want help setting this up I have a lot of experience doing so, but it's wildly inappropriate to leave the site as is with hundreds of people typing their password in every day. It only costs 10 dollars a year to get a certificate, and about 5 minutes to install it. Please DO something about this, and as I said, I'm more than happy to help, many years in the business. |
11-08-2017, 11:15 AM | #2 |
Senior Member
Join Date: Sep 2017
Drives: 2022 BRZ Limited Silver
Location: Jacksonville, FL
Posts: 2,533
Thanks: 882
Thanked 2,047 Times in 1,190 Posts
Mentioned: 68 Post(s)
Tagged: 0 Thread(s)
|
And Let's Encrypt is free. Not reason not to run SSL these days. I use LE all over the place now. Only downfall is the certs expire in 90days. There are pros and cons of this.
Pros: More secure API for cert renewal Forces you to set up an automated process to install new certs Cons: Need to spend the time figuring out how to automate the cert install process. |
The Following User Says Thank You to ermax For This Useful Post: | Tristor (10-04-2018) |
11-08-2017, 11:26 AM | #3 |
Wes
Join Date: Feb 2017
Drives: Artisan Spirits '17 86
Location: Toronto
Posts: 2,812
Thanks: 1,192
Thanked 1,693 Times in 1,003 Posts
Mentioned: 21 Post(s)
Tagged: 0 Thread(s)
|
Dyno?
|
11-08-2017, 11:30 AM | #4 | |
Member
Join Date: Aug 2016
Drives: Red 2013 BRZ Premium 6MT
Location: Chicago, IL
Posts: 58
Thanks: 13
Thanked 24 Times in 16 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
Quote:
|
|
11-08-2017, 11:31 AM | #5 |
Member
Join Date: Aug 2016
Drives: Red 2013 BRZ Premium 6MT
Location: Chicago, IL
Posts: 58
Thanks: 13
Thanked 24 Times in 16 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
Another sidebare with this is that I didn't even notice that this site wasn't encrypted at first, but firefox briefly flashed a notice in the password field just the other day, so I've been unknowingly sending plaintext passwords for a long time without even knowing it. That's one of the big reasons this isn't ok.
|
11-08-2017, 11:36 AM | #6 | |
Senior Member
Join Date: Sep 2017
Drives: 2022 BRZ Limited Silver
Location: Jacksonville, FL
Posts: 2,533
Thanks: 882
Thanked 2,047 Times in 1,190 Posts
Mentioned: 68 Post(s)
Tagged: 0 Thread(s)
|
Quote:
So with LE I just set it and forget it. |
|
11-08-2017, 11:47 AM | #7 | |
Member
Join Date: Aug 2016
Drives: Red 2013 BRZ Premium 6MT
Location: Chicago, IL
Posts: 58
Thanks: 13
Thanked 24 Times in 16 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
Quote:
Totally get that forgetting... i definitely have to scratch my head for a few every time I refresh. Getting to be about that time actually. |
|
11-08-2017, 12:19 PM | #8 |
Junior Senior with Cheese
Join Date: Aug 2014
Drives: 15 BRZ
Location: York, PA
Posts: 3,001
Thanks: 6,820
Thanked 7,032 Times in 2,341 Posts
Mentioned: 13 Post(s)
Tagged: 2 Thread(s)
|
I sincerely hope you're not using the same username and password combination for a car forum that you are for, well anything else really.
That said, the site using HTTP only is something people should keep in mind if sending billing info for classifieds via PM. Don't do that. Request a PayPal invoice, use the vendor's storefront, just about anything else, but don't PM your credit card info. |
11-08-2017, 12:19 PM | #9 |
The Gunshine State
Join Date: Aug 2016
Drives: '14 BRZ Limited
Location: Florida
Posts: 1,463
Thanks: 631
Thanked 1,163 Times in 587 Posts
Mentioned: 9 Post(s)
Tagged: 0 Thread(s)
|
I'm not an IT guy.
So basically, you're saying Skynet will become self-aware if we don't add that little "s" in?
__________________
Current DD: M235i |
The Following User Says Thank You to 8RZ For This Useful Post: | finch1750 (02-25-2018) |
11-08-2017, 12:31 PM | #10 |
Senior Member
Join Date: Sep 2017
Drives: 2022 BRZ Limited Silver
Location: Jacksonville, FL
Posts: 2,533
Thanks: 882
Thanked 2,047 Times in 1,190 Posts
Mentioned: 68 Post(s)
Tagged: 0 Thread(s)
|
I just noticed ACME support is being added to Apache:
https://letsencrypt.org/2017/10/17/a...che-httpd.html ACME is the open protocol which LE uses for validating domain ownership and requesting or renewing certs. So if this is added to Apache then the whole process would be fully automated. Basically you would just tell Apache you want a cert from LE and it would do everything else. No user and password or anything is needed. |
11-08-2017, 03:04 PM | #12 | |
Member
Join Date: Aug 2016
Drives: Red 2013 BRZ Premium 6MT
Location: Chicago, IL
Posts: 58
Thanks: 13
Thanked 24 Times in 16 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
Quote:
And that changes nothing about man-in-the-middle attacks. HTTPS is really just not an option. We could probably sit here and think of 100 reasons if we wanted to. |
|
11-08-2017, 10:59 PM | #13 |
extra what?
Join Date: Sep 2014
Drives: a 13 e8h frs
Location: vantucky, wa
Posts: 32,086
Thanks: 52,528
Thanked 36,809 Times in 19,084 Posts
Mentioned: 1111 Post(s)
Tagged: 9 Thread(s)
|
Meh. Don't use this password for anything else and don't post anything you don't want the whole world to see.
Problem solved.
__________________
|
The Following User Says Thank You to Ultramaroon For This Useful Post: | spike021 (11-11-2017) |
11-09-2017, 04:28 AM | #14 |
Senior Member
Join Date: Sep 2017
Drives: 2022 BRZ Limited Silver
Location: Jacksonville, FL
Posts: 2,533
Thanks: 882
Thanked 2,047 Times in 1,190 Posts
Mentioned: 68 Post(s)
Tagged: 0 Thread(s)
|
As he said, he is concerned about the safety of ALL users of the site, not just his own. I tell people all the time not to use the same password on all sites but they do it anyways.
People in this industry tend to be concerned about things like this and he was simply offering his services to the forum. |
The Following 4 Users Say Thank You to ermax For This Useful Post: |
|
|
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Does ft86club.com support secure https:// ? | jonnyozero3 | Site Announcements / Questions / Issues | 0 | 04-30-2015 01:16 PM |
https://scontent-a-atl.xx.fbcdn.net/hphotos-xfa1/v/t1.0-9/1796528_366899856806734_765 | jhusey | Forced Induction | 4 | 11-05-2014 09:32 PM |