secured connection to this forum? | need SSL

[whocaresabout_de 17]

Hi,

what's about setting up a secured connection for this forum? At least after the exploitusage.

New passwords do not gather any benefit if the registration information as same as the login credentials are beeing send through plaintext through the web.

Esp. with the look onto the current and growing size of users logging in here hourly/daily. There should be a kinda responsibility.

 

Currently it surely looks like:

USER(plain http) --Users-ISP-- backbone-transit(still plain http) -- cloud-flare(POST/GET data from upstream/backend(still plain http)) -- backbone-transit -- Datacenter(ISP) -- backend-exileforum-webserver

 

Sniffing at some hotspot or compromized any other compromized network or during any transit/portmirror to cloudflare or backendserver... is too easy. Even without spoofing any adresses.

##

/root: tcpdump -i em1 -vv -l -A -p tcp port 80 | grep -E -i 'pass=|password=|login=|user=|username=|pass:|password:|user:|username:'
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Referer: http://exile.majormittens.co.uk/?_fromLogin=1&_fromLogout=1
login__standard_submitted=1&csrfKey=7XXXYZdeadbeef14ef87182cd48cafe2&auth=xyz123%40whocaresabout_de&password=Q1w2e3r4&remember_me=0&remember_me_checkbox=1&signin_anonymous=0
Location: http://exile.majormittens.co.uk/?_fromLogin=1&_fromLogout=1
E....?@.?..j..>ph.o....P<@..`T.%P..w....GET /?_fromLogin=1&_fromLogout=1 HTTP/1.1
Referer: http://exile.majormittens.co.uk/?_fromLogin=1&_fromLogout=1
Referer: http://exile.majormittens.co.uk/?_fromLogin=1&_fromLogout=1
Referer: http://exile.majormittens.co.uk/?_fromLogin=1&_fromLogout=1
##

 

- frontend connection to cloud-flare should be secured with an valid (non-ev cert)

- backend connection to the upstream/originate webserver should be secured at least with a self signed certificate - else transfer to and from cloudflare would be proceed in plaintext

 

I think, even if there is 3rd party content is embedded at this forum(for sure) - doesent matter if pictures, banners, buttons, etc. through an plain link, then the change of the color at browser/url-line is acceptable. Because it provides a general better feeling surfing this forum. Furthermore it would become more positive rated at several seach-engines and their ranking (eg. google/alexa page-ranking)

t

Whats your opinion about it?

 

--

Free-SSL-Certificates:

#1-year valid https://www.startssl.com/

#3-months valid https://letsencrypt.org/

Edited September 7, 2016 by whocaresabout_de
added tcpdump output

[itsatrap 251]

Fun fact, Cloudflare gives free SSL certs, they just need to add an page rule that http://*exile.majormittens.co.uk* should allways use ssl in CF.

See for your sefl, https://exile.majormittens.co.uk do work, just some CSS/JS paths that need to be fixed

 

But for your tcpdump  to work, you still have to do an MiM before it works, any way. any sits should do SSL in 2016

Edited September 7, 2016 by itsatrap

[.Doppelpoint 14]

bump @Eichi

secure ssl-connection i would also pretty appreciate it.

[Guest]

We didn't get hacked by an exploit though. But I do agree that ssl should still be implemented. Better safe than sorry