Toyota GR86, 86, FR-S and Subaru BRZ Forum & Owners Community - FT86CLUB


runfrodorun 11-08-2017 11:51 AM

HTTPS
 
Hi guys,

I'm a senior software developer at my company, and I have to say it's absolutely nuts that this site doesn't use HTTPS. I know we're car guys and not computer guys here, so I just want to tell you what kinds of things happen when you don't use HTTPS:

1. Your password is sent plain text over the internet. Anybody who has access to the packets that are sent here can read your password as plain as day, and you don't have to be a genius to do so. This means your ISP, any trunk line users, the datacenter, anybody performing a man in the middle attack, anybody. And this is more likely to happen than you may think, speaking from experience.
2. Even when we're not sending passwords, somebody can perform something called a man in the middle attack, where they intercept the data that you are sending to the server, and then forward it on your behalf, get the response from the server, but change it when it goes back to you. This could be used to lure people to meets that are actually setups to mug you etc. Again, speaking from experience I had a friend that this happened to, and again, much more likely than you think.
3. Your identity is very obvious to anybody who obtains the packets, so they know who is exactly where and what they are doing.

What's more, any attacker can plainly see that the site isn't using HTTPS, so they're not going to waste their time going after sites that are; they're going to come right for us because we're an obvious and vulnerable target.

It's hard to explain why we should care about this so much since we're not all software guys here, but rest assured this is a very serious matter. If the admins of the site want help setting this up I have a lot of experience doing so, but it's wildly inappropriate to leave the site as is with hundreds of people typing their password in every day. It only costs 10 dollars a year to get a certificate, and about 5 minutes to install it.

Please DO something about this, and as I said, I'm more than happy to help, many years in the business.

ermax 11-08-2017 12:15 PM

And Let's Encrypt is free. No reason not to run SSL these days. I use LE all over the place now. Only downfall is the certs expire in 90 days. There are pros and cons of this.

Pros:
More secure
API for cert renewal
Forces you to set up an automated process to install new certs

Cons:
Need to spend the time figuring out how to automate the cert install process.

StraightOuttaCanadaEh 11-08-2017 12:26 PM

Dyno?

runfrodorun 11-08-2017 12:30 PM

Quote:

Originally Posted by ermax (Post 3002074)
And Let's Encrypt is free. No reason not to run SSL these days. I use LE all over the place now. Only downfall is the certs expire in 90 days. There are pros and cons of this.

Pros:
More secure
API for cert renewal
Forces you to set up an automated process to install new certs

Cons:
Need to spend the time figuring out how to automate the cert install process.

Yeah that's rough. I didn't know that about LE. I still get 2 year certs on my sites, and that's infrequent enough that I don't even think about manually installing them when the time comes around.

runfrodorun 11-08-2017 12:31 PM

Another sidebar with this is that I didn't even notice that this site wasn't encrypted at first, but Firefox briefly flashed a notice in the password field just the other day, so I've been unknowingly sending plaintext passwords for a long time without even knowing it. That's one of the big reasons this isn't ok.

ermax 11-08-2017 12:36 PM

Quote:

Originally Posted by runfrodorun (Post 3002088)
Yeah that's rough. I didn't know that about LE. I still get 2 year certs on my sites, and that's infrequent enough that I don't even think about manually installing them when the time comes around.

My problem with 2 year certs is I have to dig around for a while to refresh my memory on installing them. Hahaha. Now it's just a set it and forget it. With IIS it's easy to automate. There are already tools that will do this for LE certs. On Apache it's really easy... just drop the files and then restart Apache. So that's real simple to schedule with a cron job.

So with LE I just set it and forget it.

runfrodorun 11-08-2017 12:47 PM

Quote:

Originally Posted by ermax (Post 3002098)
My problem with 2 year certs is I have to dig around for a while to refresh my memory on installing them. Hahaha. Now it's just a set it and forget it. With IIS it's easy to automate. There are already tools that will do this for LE certs. On Apache it's really easy... just drop the files and then restart Apache. So that's real simple to schedule with a cron job.

So with LE I just set it and forget it.

Yeah I could definitely see that being how it would be set up (I'm on Apache). Since I have mail hosted on that server, I could even integrate with Unix mail.

Totally get that forgetting... I definitely have to scratch my head for a few every time I refresh. Getting to be about that time actually.
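The 90-day LE lifetime and cron-driven renewal discussed above, as an added example that is not from the thread or any project: a small POSIX sh check using the openssl CLI that decides whether a certificate needs renewing. The 30-day threshold is our assumption (it matches common Let's Encrypt practice), and the self-signed certs are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread or any project): a cron-friendly renewal
# check built on the openssl CLI. Let's Encrypt certs live 90 days and the
# usual practice is to renew once fewer than 30 days remain; RENEW_WITHIN_DAYS
# is our own threshold, adjust to taste.
RENEW_WITHIN_DAYS=30

# needs_renewal CERT_PATH
#   exit 0 -> cert expires within RENEW_WITHIN_DAYS, trigger renewal
#   exit 1 -> cert still has enough lifetime, nothing to do
#   exit 2 -> file missing or not a PEM certificate (alert, don't silently skip)
needs_renewal() {
    cert="$1"
    window=$((RENEW_WITHIN_DAYS * 86400))
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -noout -checkend "$window" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_PEM DAYS
#   writes a throwaway self-signed cert (constructed test data, CN=test.invalid)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=test.invalid" >/dev/null 2>&1
}

# Demo: a cert with 10 days left must trigger renewal, one with 90 must not.
# A real cron entry would run something like (hypothetical hook path):
#   needs_renewal /etc/ssl/certs/site.pem && /usr/local/bin/renew-and-reload
tmp=$(mktemp -d)
make_test_cert "$tmp/short.pem" 10
make_test_cert "$tmp/long.pem" 90
for name in short long missing; do
    rc=0
    needs_renewal "$tmp/$name.pem" || rc=$?
    case $rc in
        0) echo "$name.pem: renew now" ;;
        1) echo "$name.pem: ok" ;;
        *) echo "$name.pem: cannot read certificate" ;;
    esac
done
rm -rf "$tmp"
```

The exit code 2 path is deliberate: a renewal job that treats an unreadable cert as "nothing to do" is exactly how a site ends up with an expired certificate nobody noticed.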

ScoobsMcGee 11-08-2017 01:19 PM

I sincerely hope you're not using the same username and password combination for a car forum that you are for, well anything else really.

That said, the site using HTTP only is something people should keep in mind if sending billing info for classifieds via PM. Don't do that. Request a PayPal invoice, use the vendor's storefront, just about anything else, but don't PM your credit card info.

https://imgs.xkcd.com/comics/password_reuse.png

8RZ 11-08-2017 01:19 PM

I'm not an IT guy.

So basically, you're saying Skynet will become self-aware if we don't add that little "s" in?

ermax 11-08-2017 01:31 PM

I just noticed ACME support is being added to Apache:
https://letsencrypt.org/2017/10/17/a...che-httpd.html

ACME is the open protocol which LE uses for validating domain ownership and requesting or renewing certs. So if this is added to Apache then the whole process would be fully automated. Basically you would just tell Apache you want a cert from LE and it would do everything else. No user and password or anything is needed.

runfrodorun 11-08-2017 04:03 PM

Quote:

Originally Posted by 8RZ (Post 3002133)
I'm not an IT guy.

So basically, you're saying Skynet will become self-aware if we don't add that little "s" in?

Maybe not that, but many bad things.

-S

runfrodorun 11-08-2017 04:04 PM

Quote:

Originally Posted by ScoobsMcGee (Post 3002132)
I sincerely hope you're not using the same username and password combination for a car forum that you are for, well anything else really.

That said, the site using HTTP only is something people should keep in mind if sending billing info for classifieds via PM. Don't do that. Request a PayPal invoice, use the vendor's storefront, just about anything else, but don't PM your credit card info.

https://imgs.xkcd.com/comics/password_reuse.png

I try to use different passwords whenever possible (and usually pretty long passwords as well) but the thing is there's enough people that won't and there's nothing we can do to force them to change, and so a certain level of responsibility should be taken.

And that changes nothing about man-in-the-middle attacks. HTTPS is really just not an option. We could probably sit here and think of 100 reasons if we wanted to.

Ultramaroon 11-08-2017 11:59 PM

Meh. Don't use this password for anything else and don't post anything you don't want the whole world to see.

Problem solved.

ermax 11-09-2017 05:28 AM

As he said, he is concerned about the safety of ALL users of the site, not just his own. I tell people all the time not to use the same password on all sites but they do it anyways.

People in this industry tend to be concerned about things like this and he was simply offering his services to the forum.

runfrodorun 11-09-2017 12:03 PM

Quote:

Originally Posted by Ultramaroon (Post 3002540)
Meh. Don't use this password for anything else and don't post anything you don't want the whole world to see.

Problem solved.

There's more you can do without HTTPS than just steal info. HTTPS guarantees that only the server can decrypt the message to it, and only the particular client can decrypt the message from the server. Without that guarantee, then anyone can intercept messages coming back from the server to you and modify them and you would not know.

So for example, I just met up with somebody from the forums last night. It could have been a gang that fed me a false location and phone number by intercepting my request to the server to load the message that he gave me and modified it before it was displayed on my screen, and then stabbed me and took my car after meeting up somewhere. Extreme example, but there are creative people that could probably find a successful way to take advantage of members.

Historically there have been many, many creative abuses of sites that do not use HTTPS and they vary vastly beyond stealing passwords.

Skeneypoo 11-09-2017 01:12 PM

VPNs and Password Managers for the win. I don't have any duplicate passwords, it's beautiful.

That said, I agree. Should be HTTPS.

Ultramaroon 11-09-2017 03:22 PM

Quote:

Originally Posted by runfrodorun (Post 3002729)
Historically there have been many, many creative abuses of sites that do not use HTTPS and they vary vastly beyond stealing passwords.

It's always the damn Russians.

Gunman 11-10-2017 08:51 PM

fwiw I use the HTTPS Everywhere plugin, and SSL on my own NAS.

I agree, anything with a password should use HTTPS.

KR-S 11-13-2017 11:44 PM

I actually had this same concern a year ago when this was brought up on the thread concerning the hack on JB Autosport's network.

I ran Wireshark (on a private network of course - NEVER on a public network) to see if I could sniff my password from the packets. Interestingly, what I found was that the password was still somehow encrypted. Maybe this was due to other factors I wasn't aware of, but I was pretty surprised.

I think HTTPS is a good idea, but with that said, a lot of people don't really see this as an issue since for them, it's just a forum account with no personal information. As long as people aren't reusing passwords, they should be fine.

kb3dow 02-25-2018 06:03 PM

Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then it's running purely on user posts to forums.

finch1750 02-26-2018 12:07 AM

Quote:

Originally Posted by kb3dow (Post 3049693)
Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then it's running purely on user posts to forums.

There are like 2 active mods left, but really if it is that large a concern a PM to the admin and main mod @ichitaka05 would probably go farther than a thread that may not get checked (until now that I tagged a mod)

ichitaka05 02-26-2018 12:35 AM

Quote:

Originally Posted by finch1750 (Post 3049856)
There are like 2 active mods left, but really if it is that large a concern a PM to the admin and main mod @ichitaka05 would probably go farther than a thread that may not get checked (until now that I tagged a mod)

Yeah... sadly, I don’t have much power over this part. Admin Hachiroku or other admin FT-HS do those kind of things.

Tcoat 02-26-2018 09:09 AM

Quote:

Originally Posted by kb3dow (Post 3049693)
Looks like this issue is still not resolved. Looks like this site may not be managed on a continual basis - perhaps someone set it up and then it's running purely on user posts to forums.

And the person hiding behind a new user name instead of using their normal one is worried about it? Paranoid much?

kb3dow 02-26-2018 11:53 AM

Quote:

Originally Posted by Tcoat (Post 3049960)
And the person hiding behind a new user name instead of using their normal one is worried about it? Paranoid much?

Well everyone here has a pseudonym so you don't have to be sarcastic about me hiding behind a new user name. When I login using Firefox it warns the password is not encrypted, and HTTPS does not work. I agree that there is nothing confidential here and I don't use common passwords on different sites - so it is not a show stopper.

Tcoat 02-26-2018 12:11 PM

Quote:

Originally Posted by kb3dow (Post 3050008)
Well everyone here has a pseudonym so you don't have to be sarcastic about me hiding behind a new user name. When I login using Firefox it warns the password is not encrypted, and HTTPS does not work. I agree that there is nothing confidential here and I don't use common passwords on different sites - so it is not a show stopper.

The point is that the rest of us have only one.

ScoobsMcGee 02-27-2018 05:01 PM

To be fair, a poorly managed HTTPS site doesn't offer that much more security than plain text, while increasing the complexity. SSL or TLSv1.0 encryption isn't too difficult to attack given the proper circumstances. Unless Hachi or FT-HS go all-in on properly locking down and maintaining the site, simply getting a cert and enabling HTTPS is setting things up to break once that cert expires. Not much else.
