Encryption

MyE28.com Forum system comments and questions. Please post registration, login, or general forum usage problems here.
Post Reply
duggi
Posts: 2417
Joined: Apr 26, 2007 4:45 PM
Location: San Francisco, CA
Contact:

Encryption

Post by duggi »

I can't believe I've never noticed, but I did today and am concerned that mye28 isn't encrypted with an SSL certificate. Not trying to call anyone out, web security is hard, but considering how many sites are getting popped these days...I'm surprised it hasn't already been an issue. Is there any way I can help?
SPF2006
Posts: 595
Joined: May 01, 2010 9:26 PM
Location: Baltimore, Maryland

Re: Encryption

Post by SPF2006 »

+1.
tig
Posts: 9245
Joined: Mar 18, 2013 6:25 PM
Location: Durango
Contact:

Re: Encryption

Post by tig »

Was discussed before: http://www.mye28.com/viewtopic.php?f=8&t=125208

There I wrote:
cek wrote:
Justin_FL wrote:I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.
Wow, I just noticed that the sign-in page does not use SSL.

This means that every user's password is SENT IN CLEAR TEXT when they enter it. This means that you should NEVER log in to mye28.com from wireless network that you are not 100% sure is secure (like a coffee shop) because it is likely that someone is sniffing the data and will see your password.

If you use that same password on other sites then all the hacker needs to know is your email address.

People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.

Since the Heartbleed vulnerability gives attackers access to memory on the server it does not matter if SSL is actually in use or not. The test I pointed to above shows that the site is exploitable.
duggi
Posts: 2417
Joined: Apr 26, 2007 4:45 PM
Location: San Francisco, CA
Contact:

Re: Encryption

Post by duggi »

ok then. my offer for help is there if anyone wants it.
tig
Posts: 9245
Joined: Mar 18, 2013 6:25 PM
Location: Durango
Contact:

Re: Encryption

Post by tig »

Upcoming Chrome update will label HTTP sites ‘not secure’
https://www.engadget.com/2018/02/08/goo ... ure-label/

I, too, am willing to help however I can.
duggi
Posts: 2417
Joined: Apr 26, 2007 4:45 PM
Location: San Francisco, CA
Contact:

Re: Encryption

Post by duggi »

If it's a cost issue, https://letsencrypt.org is a fantastic [FREE] option. I do this stuff for a living, so really, I don't mind lending a hand. Mye28 has been an invaluable resource to me for over 10 years now...I'm honestly not sure I could've survived my 528e this long without this forum :laugh:

If it is about money and/or time, I'm willing to foot those costs for the sake of this community. Sorry if I'm being pushy, it'd just be sad to see this forum suffer because some jacka** came along and saw everything was unencrypted.
Justin_FL
MyE28 IT Guru
MyE28 IT Guru
Posts: 2822
Joined: Feb 12, 2006 12:00 PM
Location: Palm Beach
Contact:

Re: Encryption

Post by Justin_FL »

I'll look into this.
danix
Posts: 270
Joined: Jul 09, 2018 4:10 PM
Location: San Francisco

Re: Encryption

Post by danix »

Bump. I second what duggi said - letsencrypt is free, easy, and I can help. And I'm off this week...
SPF2006
Posts: 595
Joined: May 01, 2010 9:26 PM
Location: Baltimore, Maryland

Re: Encryption

Post by SPF2006 »

Bump - any updates?
SlickDizzy
Posts: 836
Joined: Apr 26, 2007 7:03 PM
Location: Milwaukee, WI
Contact:

Re: Encryption

Post by SlickDizzy »

Any updates? I have been periodically getting notifications from my credit monitoring software that some very old forum account logins from other sites are being found on the dark web. There should really be some form of encryption on this site.
danix
Posts: 270
Joined: Jul 09, 2018 4:10 PM
Location: San Francisco

Re: Encryption

Post by danix »

+1. There's several offers for help here, and if the platform supports it, letsencrypt is free.
If it doesn't support it, I'm sure we'd chip in for a "real" cert.
Spen
Posts: 1601
Joined: Feb 23, 2011 11:38 PM
Location: Seattle, WA, USA

Re: Encryption

Post by Spen »

Happy to contribute too. A ssl cert should be peanuts for us to collectively pay for and figure out what tls software is being used. I was a web and computer guy for 17 years professionally before I gave it up for a dirty wrench.
SlickDizzy
Posts: 836
Joined: Apr 26, 2007 7:03 PM
Location: Milwaukee, WI
Contact:

Re: Encryption

Post by SlickDizzy »

Will this ever be addressed?
code
Posts: 145
Joined: Jun 26, 2018 5:57 PM

Re: Encryption

Post by code »

I’ll throw my hat in the ring for help. We do SSLs on all of the sites we develop, it’s super important in the current state of the web.
duggi
Posts: 2417
Joined: Apr 26, 2007 4:45 PM
Location: San Francisco, CA
Contact:

Re: Encryption

Post by duggi »

I spent a few hours getting a proof of concept working...it's not hard: https://forum.duggi.net
WVe28
Posts: 2125
Joined: Jul 29, 2007 8:57 AM
Location: Charleston, WV

Re: Encryption

Post by WVe28 »

I do agree, the longer this site is completely unencrypted, the more vulnerable we all become. I'm sure there are many members who unknowingly use the same passwords for mye28 as they do for more "sensitive" sites. What do you need, Beamters? Benefactors of this site range from blue collar to millionaires to tech-giant executives. The internet is no longer a place where you can stand up a site and leave it for a decade. Let us know what is needed to secure it and I'm sure we can overcome any obstacles.
Justin_FL
MyE28 IT Guru
MyE28 IT Guru
Posts: 2822
Joined: Feb 12, 2006 12:00 PM
Location: Palm Beach
Contact:

Re: Encryption

Post by Justin_FL »

I think it is probably time to update the site to a current hosting package, the one we are on is old and the backend management software is older (still supported) but lacking features like free SSL stores that are common now vs years ago. So I don't see getting the certificate in place until then, otherwise you have to do a bit of script and config file hacking to make them work which breaks Plesk. The current release has the ability to manage them just fine.

Maybe once this hurricane is away I'll talk with Jeremy about initiating the process.

And correct me if I'm wrong, but the risk here is a man in the middle attack, i.e. someone sniffing your Internet packets and getting the login info or your PMs.
duggi
Posts: 2417
Joined: Apr 26, 2007 4:45 PM
Location: San Francisco, CA
Contact:

Re: Encryption

Post by duggi »

Justin_FL wrote:I think it is probably time to update the site to a current hosting package, the one we are on is old and the backend management software is older (still supported) but lacking features like free SSL stores that are common now vs years ago. So I don't see getting the certificate in place until then, otherwise you have to do a bit of script and config file hacking to make them work which breaks Plesk. The current release has the ability to manage them just fine.

Maybe once this hurricane is away I'll talk with Jeremy about initiating the process.

And correct me if I'm wrong, but the risk here is a man in the middle attack, i.e. someone sniffing your Internet packets and getting the login info or your PMs.
Thanks for the thoughtful reply, totally fair. Please feel free to reach out if you need extra technical hands or a little $$ to make it easier.

And yes, the risk is down to a man-in-the-middle stealing user credentials. It's the common practice of reusing credentials across multiple sites that puts the users here at risk, but the site itself has nothing important to "encrypt" or "hide" from the public. It would be sad though if mye28 was opportunistically hacked and taken-down by some rando "just because they could."
Post Reply