Old 11-08-2017, 10:51 AM   #1
runfrodorun
HTTPS

Hi guys,

I'm a senior software developer at my company, and I have to say it's absolutely nuts that this site doesn't use HTTPS. I know we're car guys and not computer guys here, so I just want to tell you what kinds of things happen when you don't use HTTPS:

1. Your password is sent in plain text over the internet. Anybody who has access to the packets that are sent here can read your password as plain as day, and you don't have to be a genius to do so. This means your ISP, any trunk line users, the datacenter, anybody performing a man-in-the-middle attack, anybody. And this is more likely to happen than you may think, speaking from experience.
2. Even when we're not sending passwords, somebody can perform something called a man-in-the-middle attack, where they intercept the data that you are sending to the server and then forward it on your behalf, get the response from the server, but change it when it goes back to you. This could be used to lure people to meets that are actually setups to mug you, etc. Again, speaking from experience, I had a friend this happened to, and again, it's much more likely than you think.
3. Your identity is very obvious to anybody who obtains the packets, so they know exactly who is where and what they are doing.

What's more, any attacker can plainly see that the site isn't using HTTPS, so they're not going to waste their time going after sites that are; they're going to come right for us because we're an obvious and vulnerable target.

It's hard to explain why we should care about this so much since we're not all software guys here, but rest assured this is a very serious matter. If the admins of the site want help setting this up, I have a lot of experience doing so, but it's wildly inappropriate to leave the site as is with hundreds of people typing their password in every day. It only costs 10 dollars a year to get a certificate, and about 5 minutes to install it.

Please DO something about this, and as I said, I'm more than happy to help, many years in the business.
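As an added example (not part of runfrodorun's post and not the forum's own code), here is what points 1 and 3 above look like in practice: a passive observer who holds the bytes of one plain-HTTP login request needs no key material at all to read the password and the session cookies. The captured request is constructed for this example; the form field names and cookie names are assumptions modelled on a generic vBulletin-style login form, not taken from this site.

```python
"""Added example, not code from the thread or from the forum software.

What a passive observer (ISP, hotspot owner, anyone on the path) learns
from ONE plain-HTTP login request. The captured bytes are constructed for
this example; the form field and cookie names are assumptions modelled on
a generic vBulletin-style login form, not taken from this site."""
from http.cookies import SimpleCookie
from typing import Any, Dict
from urllib.parse import parse_qs

# Constructed capture of a single TCP payload carrying a login POST.
CAPTURED_REQUEST = (
    b"POST /login.php?do=login HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Cookie: bbsessionhash=0123456789abcdef0123456789abcdef; bbuserid=58\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 58\r\n"
    b"\r\n"
    b"vb_login_username=alice&vb_login_password=hunter2&do=login"
)

# Substrings that usually mark credential fields and session cookies.
CREDENTIAL_HINTS = ("user", "pass", "pwd")
SESSION_HINTS = ("sess", "userid", "auth", "token")


def parse_http_request(raw: bytes) -> Dict[str, Any]:
    """Split a raw HTTP/1.x request into request line, headers and body.

    Over plain HTTP this is all there is to it: the structure is visible
    to anyone holding the bytes. Raises ValueError if the header block
    never terminates (truncated capture)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:declared]}


def extract_exposed_secrets(raw: bytes) -> Dict[str, Any]:
    """Return the host, credentials and session identifiers readable from
    one plaintext request. Credentials are the thread's point 1; cookies
    are its point 3 (every later request can be tied to the same account)."""
    req = parse_http_request(raw)
    headers: Dict[str, str] = req["headers"]
    found: Dict[str, Any] = {"host": headers.get("host"),
                             "credentials": {}, "session": {}}
    ctype = headers.get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)
        for field, values in form.items():
            if any(hint in field.lower() for hint in CREDENTIAL_HINTS):
                found["credentials"][field] = values[0]
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    for name, morsel in jar.items():
        if any(hint in name.lower() for hint in SESSION_HINTS):
            found["session"][name] = morsel.value
    return found


if __name__ == "__main__":
    for kind, items in extract_exposed_secrets(CAPTURED_REQUEST).items():
        print(f"{kind}: {items}")
```

The same request over HTTPS would reach the observer as TLS records whose only readable parts are the destination IP/port and (usually) the server name in the handshake; the method, path, cookies and form body are all inside the encrypted payload.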
Old 11-08-2017, 11:15 AM   #2
ermax
And Let's Encrypt is free. No reason not to run SSL these days. I use LE all over the place now. Only downfall is the certs expire in 90 days. There are pros and cons of this.

Pros:
More secure
API for cert renewal
Forces you to set up an automated process to install new certs

Cons:
Need to spend the time figuring out how to automate the cert install process.
Old 11-08-2017, 11:26 AM   #3
StraightOuttaCanadaEh
Dyno?
Old 11-08-2017, 11:30 AM   #4
runfrodorun
Quote: Originally Posted by ermax
And Let's Encrypt is free. No reason not to run SSL these days. I use LE all over the place now. Only downfall is the certs expire in 90 days. There are pros and cons of this.

Pros:
More secure
API for cert renewal
Forces you to set up an automated process to install new certs

Cons:
Need to spend the time figuring out how to automate the cert install process.
Yeah, that's rough. I didn't know that about LE. I still get 2-year certs on my sites, and that's infrequent enough that I don't even think about manually installing them when the time comes around.
Old 11-08-2017, 11:31 AM   #5
runfrodorun
Another sidebar to this is that I didn't even notice that this site wasn't encrypted at first, but Firefox briefly flashed a notice in the password field just the other day, so I've been unknowingly sending plaintext passwords for a long time without even knowing it. That's one of the big reasons this isn't OK.
Old 11-08-2017, 11:36 AM   #6
ermax
Quote: Originally Posted by runfrodorun
Yeah, that's rough. I didn't know that about LE. I still get 2-year certs on my sites, and that's infrequent enough that I don't even think about manually installing them when the time comes around.
My problem with 2-year certs is I have to dig around for a while to refresh my memory on installing them. Hahaha. Now it's just set it and forget it. With IIS it's easy to automate. There are already tools that will do this for LE certs. On Apache it's really easy... just drop the files and then restart Apache. So that's real simple to schedule with a cron job.

So with LE I just set it and forget it.
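As an added example (not ermax's code), here is the cron-driven renewal check he describes, written out for Apache on a Linux host. It assumes two tools are installed: openssl (to read the live certificate's notAfter) and certbot (the Let's Encrypt client); the certificate path is an assumed location. The point of the 90-day lifetime is visible in the thresholds: renewal is attempted once fewer than 30 days remain, so a daily cron job has roughly three weeks of failing runs in which to raise an alert before anyone sees an expiry error.

```python
"""Added example, not ermax's code: a cron-driven Let's Encrypt renewal
check for Apache on Linux. Assumes openssl and certbot are installed;
CERT_PATH is an assumed location."""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

# Let's Encrypt issues 90-day certificates and recommends renewing once
# fewer than 30 days remain. Below 7 days something has been failing for
# weeks, so that case is treated as an alert rather than a routine renewal.
RENEW_WHEN_DAYS_LEFT = 30
ALERT_WHEN_DAYS_LEFT = 7
CERT_PATH = "/etc/letsencrypt/live/forum.example.com/cert.pem"  # assumed


def parse_openssl_enddate(line: str) -> datetime:
    """Parse the line `openssl x509 -noout -enddate` prints, e.g.
    'notAfter=Nov  8 15:51:00 2018 GMT' (double space before single-digit
    days). Returns an aware UTC datetime; raises ValueError otherwise."""
    key, _, stamp = line.strip().partition("=")
    if key != "notAfter" or not stamp.endswith(" GMT"):
        raise ValueError(f"unexpected enddate output: {line!r}")
    normalized = " ".join(stamp[:-4].split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: Optional[datetime] = None) -> float:
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


def renewal_status(not_after: datetime, now: Optional[datetime] = None) -> str:
    """'ok' (nothing to do), 'renew' (inside the renewal window) or
    'urgent' (renewal has evidently been failing; a human should look)."""
    left = days_remaining(not_after, now)
    if left < ALERT_WHEN_DAYS_LEFT:
        return "urgent"
    if left < RENEW_WHEN_DAYS_LEFT:
        return "renew"
    return "ok"


def current_cert_expiry(cert_path: str = CERT_PATH) -> datetime:
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_enddate(out)


def renew_and_reload() -> None:
    """certbot replaces the files under /etc/letsencrypt/live and runs the
    deploy hook only for certificates it actually renewed, so Apache is
    reloaded (not restarted) only when there is something new to load."""
    subprocess.run(["certbot", "renew", "--quiet",
                    "--deploy-hook", "systemctl reload apache2"], check=True)


if __name__ == "__main__":
    status = renewal_status(current_cert_expiry())
    if status == "urgent":
        print("WARNING: certificate expires in under a week; check certbot logs")
    if status != "ok":
        renew_and_reload()
```

Run it from cron once a day, e.g. `17 3 * * * root /usr/bin/python3 /usr/local/sbin/check-renew.py` in /etc/cron.d. certbot applies its own 30-day window, so the gate here is mostly about the "urgent" path: a renewal that has silently failed for weeks is the one failure mode the short lifetime makes likely, and it should page someone rather than wait for the browser error.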
Old 11-08-2017, 11:47 AM   #7
runfrodorun
Quote: Originally Posted by ermax
My problem with 2-year certs is I have to dig around for a while to refresh my memory on installing them. Hahaha. Now it's just set it and forget it. With IIS it's easy to automate. There are already tools that will do this for LE certs. On Apache it's really easy... just drop the files and then restart Apache. So that's real simple to schedule with a cron job.

So with LE I just set it and forget it.
Yeah, I could definitely see that being how it would be set up (I'm on Apache). Since I have mail hosted on that server, I could even integrate with Unix mail.

Totally get that forgetting... I definitely have to scratch my head for a few every time I refresh. Getting to be about that time, actually.
Old 11-08-2017, 12:19 PM   #8
ScoobsMcGee
I sincerely hope you're not using the same username and password combination for a car forum that you are for, well anything else really.

That said, the site using HTTP only is something people should keep in mind if sending billing info for classifieds via PM. Don't do that. Request a PayPal invoice, use the vendor's storefront, just about anything else, but don't PM your credit card info.

Old 11-08-2017, 12:19 PM   #9
8RZ
I'm not an IT guy.

So basically, you're saying Skynet will become self-aware if we don't add that little "s" in?
Old 11-08-2017, 12:31 PM   #10
ermax
I just noticed ACME support is being added to Apache:
https://letsencrypt.org/2017/10/17/a...che-httpd.html

ACME is the open protocol which LE uses for validating domain ownership and requesting or renewing certs. So if this is added to Apache, then the whole process would be fully automated. Basically you would just tell Apache you want a cert from LE and it would do everything else. No username and password or anything is needed.
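As an added example (not from ermax's post and not taken from any ACME client), here is the part of ACME that does the "validating domain ownership" step without any username or password: the HTTP-01 challenge of RFC 8555. The CA sends a random token; the client publishes token + "." + thumbprint(account public key) at a well-known URL on port 80; the CA fetches it and issues only if the body matches. Possession of the account key plus control of the web server is the whole proof. The account key below is the RSA JWK from RFC 7638 section 3.1 (so the thumbprint can be checked against the RFC), the token is the example token from RFC 8555, and the domain is a placeholder.

```python
"""Added example, not from the thread or from any ACME client: the HTTP-01
proof of control from ACME (RFC 8555) and the JWK thumbprint it relies on
(RFC 7638). The account key is the RFC 7638 section 3.1 example key, the
token is the RFC 8555 example token, and the domain is a placeholder."""
import base64
import hashlib
import json
from typing import Dict, Tuple

ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # RFC 8555 example token
DOMAIN = "forum.example.com"  # placeholder

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2).
# Optional members such as alg, kid and use are deliberately excluded.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members serialized as JSON with
    keys sorted lexicographically and no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: binds the challenge token to the account key,
    so someone who merely observes the token cannot answer the challenge
    for an account key they do not hold."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_response(domain: str, token: str,
                       account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Client side: the URL the CA will request and the exact body to serve
    there (Content-Type application/octet-stream)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def ca_validates(fetched_body: str, token: str,
                 account_jwk: Dict[str, str]) -> bool:
    """CA side: compare the fetched body with the expected key authorization.
    RFC 8555 lets the server ignore trailing whitespace, nothing else."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    url, body = challenge_response(DOMAIN, TOKEN, ACCOUNT_JWK)
    print("serve at:  ", url)
    print("body:      ", body)
    print("CA accepts:", ca_validates(body + "\n", TOKEN, ACCOUNT_JWK))
```

An ACME client inside Apache (or certbot's Apache plugin) does exactly this: it signs the request for a challenge with the account key, writes the key authorization under /.well-known/acme-challenge/, lets the CA fetch it over plain HTTP, then downloads the issued certificate. Nothing in the exchange is a shared secret that could leak the way a forum password does.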
Old 11-08-2017, 03:03 PM   #11
runfrodorun
Quote: Originally Posted by 8RZ
I'm not an IT guy.

So basically, you're saying Skynet will become self-aware if we don't add that little "s" in?
Maybe not that, but many bad things.

-S
Old 11-08-2017, 03:04 PM   #12
runfrodorun
Quote: Originally Posted by ScoobsMcGee
I sincerely hope you're not using the same username and password combination for a car forum that you are for, well anything else really.

That said, the site using HTTP only is something people should keep in mind if sending billing info for classifieds via PM. Don't do that. Request a PayPal invoice, use the vendor's storefront, just about anything else, but don't PM your credit card info.

I try to use different passwords whenever possible (and usually pretty long passwords as well), but the thing is there are enough people who won't, and there's nothing we can do to force them to change, so a certain level of responsibility should be taken.

And that changes nothing about man-in-the-middle attacks. HTTPS is really just not an option. We could probably sit here and think of 100 reasons if we wanted to.
Old 11-08-2017, 10:59 PM   #13
Ultramaroon
Meh. Don't use this password for anything else and don't post anything you don't want the whole world to see.

Problem solved.
Old 11-09-2017, 04:28 AM   #14
ermax
As he said, he is concerned about the safety of ALL users of the site, not just his own. I tell people all the time not to use the same password on all sites but they do it anyways.

People in this industry tend to be concerned about things like this and he was simply offering his services to the forum.
Powered by vBulletin® Version 3.8.11