Wilders is now https (ssl)?

Re: Wilders is now HTTPS = SSL !

It isn't, as far as I am concerned. I setup SSL access for testing purposes after the recent Certificate Authority breach, just to see for myself what all the issues were. As that unfolded, I looked into the arguments for and against enabling SSL access, whether it really was a performance issue or not, what the different types and levels of certificates buy you, and so on...

The forum staff has been playing with it since then, and I've been watching for impacts and issues. And, there were some. Coding issues where vBulletin didn't maintain full SSL access, which I had to fix. And then there is the overhead, which isn't a big deal for a small handful of users, but, given our activity level versus the hosting size of servers, would be an impact if we converted over to SSL access.

From my view, my opinion is not changed from the many times I've been asked about this. SSL access for this kind of website is simply not necessary. 99% of what happens here, across large numbers of guests and smaller numbers of members, is people reading and writing publicly visible posts. Content that everyone, everywhere can see and which is likely all cached on search engine servers, anyway. Why provide encryption for that? As for login and profile info... no, there's nothing there. The hashed password verification routine is plenty good enough for login, and no one has any serious personal data stored in the forum.

As for now, SSL access will stay available, but, it is not the recommended or the default access method for the forum. You can use it if you want. It works well. And maybe the extra data from more people using it will help determine the true cost and impacts involved.

 

Re: Wilders is now HTTPS = SSL !

No, the use of SSL does not protect this website, its software or server. Someone asked me something similar offline from this, whether forcing SSL would prevent hackers from attacking. No, it won't. SSL is not a protective barrier keeping anyone out. Everyone can access the site using SSL if it is enabled - good guys and bad guys. And hack attempts, things like SQL injection, or other known exploitable holes in either the vBulletin application or the underlying webserver software, are in no way prevented by implementing SSL.

CastleCops was hit by DDoS - extremely large ones. SSL would not have prevented that or reduced the impacts in any way. (You might even be able to argue that if SSL uses more CPU then sessions not using SSL, then a DDoS using SSL might be a little heavier on the attacked website. But, at the level of those attacks, the difference, if any, would have been meaningless. Down is down regardless of some percentage impact difference.)

No, the site here is not defended by implementing SSL. Well, short of my passwords being discovered by hackers, I suppose. That would be bad. But, I've always used SSL and SSH for site management functions.

 

Re: Wilders is now HTTPS = SSL !

As you may know, it's pretty easy to sniff network data. When one is using the same network as you, he could find out your password pretty easy.
Using SSL, the data sent between your pc and the webserver is encrypted, making it close to impossible to find out one's password.

It has nothing to do with server protection of any kind. It's just to make sure data transferred on the network can't be read by anyone else.

In a home environment this isn't a real issue, but when you are at (semi) public places this is a real security improvement.

20$ ain't much, but is there a need to?

First of all SSL wasn't installed to be used by all the users. So only those who want to use SSL should enable it, and those few people can ignore the error message.

Also, self-signed certs are still safe, since they still encrypt the data. In general you wouldn't want to use a self signed certificate, due to the fact that a hacker could make those themselves, and you cannot verify it's source.
However, when you trust Wilders' certificate that shouldn't be an issue.

Also, when you're using Firefox, you can use the 'Perspectives' plug-in to auto accept the certificate.
Of course you could just add it to your exceptions list too, but perspectives adds a bit of functionality.

( 1. If you connect to a website with an untrusted (e.g., self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.)