Wilders is now https (ssl)?

Discussion in 'General Topics' started by CloneRanger, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    ssl.gif

    How about that ! I don't recall seeing any anouncement about it, maybe it's just started ? In fact when did it ?

    No big deal as i trust ya ;) but noticed these

    ssl1.gif

    ssl2.gif

    I guess it's due to the self signing ? which doesn't bother me, on here anyway ;) Anyway nice one :) :thumb:
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    Re: Wilders is now HTTPS = SSL !

    With Opera...:thumb:
     

    Attached Files:

  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Re: Wilders is now HTTPS = SSL !

    Correct
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Re: Wilders is now HTTPS = SSL !

    Finally, nice :)
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Re: Wilders is now HTTPS = SSL !

    actually..... quite lame considering you can get certs for as little as $20 a year :cautious:
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Wilders is now HTTPS = SSL !

    Just curious, why is this such a big deal?

    -rich
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Re: Wilders is now HTTPS = SSL !

    It isn't, as far as I am concerned. I setup SSL access for testing purposes after the recent Certificate Authority breach, just to see for myself what all the issues were. As that unfolded, I looked into the arguments for and against enabling SSL access, whether it really was a performance issue or not, what the different types and levels of certificates buy you, and so on...

    The forum staff has been playing with it since then, and I've been watching for impacts and issues. And, there were some. Coding issues where vBulletin didn't maintain full SSL access, which I had to fix. And then there is the overhead, which isn't a big deal for a small handful of users, but, given our activity level versus the hosting size of servers, would be an impact if we converted over to SSL access.

    From my view, my opinion is not changed from the many times I've been asked about this. SSL access for this kind of website is simply not necessary. 99% of what happens here, across large numbers of guests and smaller numbers of members, is people reading and writing publicly visible posts. Content that everyone, everywhere can see and which is likely all cached on search engine servers, anyway. Why provide encryption for that? As for login and profile info... no, there's nothing there. The hashed password verification routine is plenty good enough for login, and no one has any serious personal data stored in the forum.

    As for now, SSL access will stay available, but, it is not the recommended or the default access method for the forum. You can use it if you want. It works well. And maybe the extra data from more people using it will help determine the true cost and impacts involved.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Re: Wilders is now HTTPS = SSL !

    Doing my part to provide the extra data... :cool:
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Wilders is now HTTPS = SSL !

    Maybe it's useful for those with slippy fingers and write their passwords in the username field. :blink: :argh:
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re: Wilders is now HTTPS = SSL !

    As it's a security/privacy forum + i think it announces visibly to one and all, that they are serious about such things :thumb: Not that they wern't before :D

    Of course anyone can get a Cert these days :( for little or even no $, but even so i believe it's worth having, for the reason stated ;)
     
  11. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Re: Wilders is now HTTPS = SSL !

    Not much of a security expert, but I don't see the point either. I just searched Google for "Wilders is now HTTPS = SSL !" is this post came up as first hit. If everything is public why the need for SSL?
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,824
    Re: Wilders is now HTTPS = SSL !

    Yeah don't really need SSL here at Wilders.
     
  13. trial and error

    trial and error Registered Member

    Joined:
    May 19, 2007
    Posts:
    72
    Location:
    the former USA
    Re: Wilders is now HTTPS = SSL !

    Interesting nonetheless to me because this is a site dedicated to securing us online.

    If fully implemented, (certs get recognized, etc) would it help the site more than the users? CastleCops (RIP) had troubles several times, wonder if going https could mitigate those risks.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Re: Wilders is now HTTPS = SSL !

    No, the use of SSL does not protect this website, its software or server. Someone asked me something similar offline from this, whether forcing SSL would prevent hackers from attacking. No, it won't. SSL is not a protective barrier keeping anyone out. Everyone can access the site using SSL if it is enabled - good guys and bad guys. And hack attempts, things like SQL injection, or other known exploitable holes in either the vBulletin application or the underlying webserver software, are in no way prevented by implementing SSL.

    CastleCops was hit by DDoS - extremely large ones. SSL would not have prevented that or reduced the impacts in any way. (You might even be able to argue that if SSL uses more CPU then sessions not using SSL, then a DDoS using SSL might be a little heavier on the attacked website. But, at the level of those attacks, the difference, if any, would have been meaningless. Down is down regardless of some percentage impact difference.)

    No, the site here is not defended by implementing SSL. Well, short of my passwords being discovered by hackers, I suppose. That would be bad. ;) But, I've always used SSL and SSH for site management functions.
     
  15. trial and error

    trial and error Registered Member

    Joined:
    May 19, 2007
    Posts:
    72
    Location:
    the former USA
    Re: Wilders is now HTTPS = SSL !

    Hi LowWaterMark
    Thanks for that!
     
  16. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    For the Firefox 'HTTPS Everywhere' add-on, custom rules can be written in 'APPDATA\Roaming\Firefox\Profiles\xxxxxxxx\Extensions\HTTPSEverywhereUserRules'

    (As explained here on eff.org.)

    Just c/p the text below, save it as an .xml file and store it in the above mentioned HTTPSEverywhereUserRules map.

    Code:
    <ruleset name="WildersSecurity">
      <target host="www.wilderssecurity.com" />
      <target host="wilderssecurity.com" />
    
      <rule from="^http://(www\.)?wilderssecurity\.com/" to="https://wilderssecurity.com/"/>
    </ruleset>
    Typing wilderssecurity.com in the FF address bar will then direct automatically to https.
     
    Last edited: Apr 22, 2011
  17. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
  18. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Re: Wilders is now HTTPS = SSL !

    As you may know, it's pretty easy to sniff network data. When one is using the same network as you, he could find out your password pretty easy.
    Using SSL, the data sent between your pc and the webserver is encrypted, making it close to impossible to find out one's password.

    It has nothing to do with server protection of any kind. It's just to make sure data transferred on the network can't be read by anyone else.

    In a home environment this isn't a real issue, but when you are at (semi) public places this is a real security improvement.

    20$ ain't much, but is there a need to?

    First of all SSL wasn't installed to be used by all the users. So only those who want to use SSL should enable it, and those few people can ignore the error message.

    Also, self-signed certs are still safe, since they still encrypt the data. In general you wouldn't want to use a self signed certificate, due to the fact that a hacker could make those themselves, and you cannot verify it's source.
    However, when you trust Wilders' certificate that shouldn't be an issue.

    Also, when you're using Firefox, you can use the 'Perspectives' plug-in to auto accept the certificate.
    Of course you could just add it to your exceptions list too, but perspectives adds a bit of functionality.

    ( 1. If you connect to a website with an untrusted (e.g., self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
    2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.)
     
Loading...
Thread Status:
Not open for further replies.