(engineer attention) HTTPS? Not Secure? What's up with the security here?

TheLoveBandit

This thread is intended to answer the recurring questions about https and notices from browsers that the site url is 'Not Secure'.

As you can see from the history of posts (ignore the time stamp on this specific one, I stole an old one and edited it to be at the front of the thread)...as I was saying, as you can see from the history of posts, the issue of integrating with https security levels has been a concern for members and staff alike for many years. Bluelight is run 100% on volunteer efforts, so having the right combination of people with the skill to fix this, and the time and availability to see it through, and most importantly the trust of ownership to get that close with the server means it took years to get this implemented. And, as you see, it wasn't implemented fully or properly, hence the questions about security.

As of December 2018 we are keenly aware, and in a position to fix the issue 100% within the next several weeks. We will advise once this is complete.
 
Very good question? No unique IP? No https?

How come bluelight does not have a unique IP and offer https? This is a large website with a login form.... If anyone should have this bluelight should. You should specifically raise a little money for this. I never noticed it before but all this shit is going over cleartext. There is no reason for this.

A unique IP is a trivial cost for such a large site. Where's a webmaster? I bet a kickstarter or the like would raise the money in 10 minutes, then force https to everyone. I'll throw in some.

A hidden service would be a plus.
"Technical information about Bluelight

Bluelight uses three UNIX servers, hosted in Amsterdam, the Netherlands.
The forum runs on vBulletin with plugins and custom modifications. Additional features include Blogs and CMS modules. Bluelight also generously provides a dedicated server for Pillreports.com."

...shouldn't you guys have a unique IP? Do you not want to self sign a certificate? What's the deal?
 
why do we need a unique ip address? that's what dns is for.

on https, i don't have a good answer for you but we'll discuss it and i'll get back to you.

alasdair
 
> why do we need a unique ip address? that's what dns is for.
>
> on https, i don't have a good answer for you but we'll discuss it and i'll get back to you.
>
> alasdair

I'm thinking of shared servers where without a unique (I said unique, I mean static too) IP directed to a subnet IP they could spoof your secure connection.

Since you guys have a private server it most certainly has its own static IP, the only implementation required is a signed certificate. There is a cert issuer that gives them for free but will still throw the untrusted error (not good...) and another one which won't at their lowest tier but also offer higher levels of verification (https://cert.startcom.org/ with them I got an SSL cert for the entire domain in an hour or two free with no "this certificate is not trusted" message), but personally I would just ask all of BL if they'd be willing to chip in for a signed from a VERY well known provider like verisign or something to that effect.

I would. Everyone using EFF.org's https everywhere would thank you, and you could even force https if their client accepted it. For login forms at a big site it really is necessary.... there's gotta be enough people here reusing their pass across sites, and they may not know when you get here it goes as cleartext.

<3

Thanks for the response.
 
Did someone seriously remove my bump? I consider this shit that important. People are sending passwords over cleartext.... I didn't even realize it, and for what this site is it should be a no brainer.

I mean, it has been a month before I bumped this, but maybe I'll just link to this thread in my signature that I've never had before or something.... (or does this site even have them or do I have them turned off?)
 
on the https issue i already told you that i don't have a good answer for you but we'll discuss it and i'll get back to you. i have nothing to add at this time.

alasdair
 
my only comment to the https issue is that my understanding is that it puts more load on the server which may or may not be an issue for the server. In all seriousness though, it is not like we are keeping bank details or any other real information on the server. So as long as you are not using a password which you use elsewhere, who cares if it is sent in clear text?
 
> on the https issue i already told you that i don't have a good answer for you but we'll discuss it and i'll get back to you. i have nothing to add at this time.
>
> alasdair

> my only comment to the https issue is that my understanding is that it puts more load on the server which may or may not be an issue for the server. In all seriousness though, it is not like we are keeping bank details or any other real information on the server. So as long as you are not using a password which you use elsewhere, who cares if it is sent in clear text?

That's all I can ask! Appreciate it, just wondering on any updates! Thanks!

> on the https issue i already told you that i don't have a good answer for you but we'll discuss it and i'll get back to you. i have nothing to add at this time.
>
> alasdair

> my only comment to the https issue is that my understanding is that it puts more load on the server which may or may not be an issue for the server. In all seriousness though, it is not like we are keeping bank details or any other real information on the server. So as long as you are not using a password which you use elsewhere, who cares if it is sent in clear text?

Because it hides all communications between you and bluelight, your username, your password and EVERYTHING you say here.... It's a best practice for username password, but better to offer it for more than merely the login forms, and it protects people who don't realize you shouldn't be reusing passwords. With it installed all anyone (webhost, snooping internet cafes, tor exit node) ever knows is you're communicating with bluelight and nothing more.

And increased server strain is minimal, my webhost now offers it for free on their shared servers.... All it is is a shared secret verified on each page load or the login form at the very least, encryption of that level may have taxed servers from long ago but it's immaterial for any modern webhost/server arrangement.
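An added check for the two points made above (redirecting cleartext visitors to https and keeping login forms off cleartext); this is example code written for this thread, not anything from Bluelight's servers or vBulletin, and the hostnames, headers and pages in it are constructed samples:

```python
"""Offline audit of HTTP responses for the properties the thread asks for:
cleartext pages redirect to https, https pages set HSTS (the standard way to
"force https" on clients that accept it), and no form posts a password over
http. All inputs below are constructed samples, not real captures."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(page_url, status, headers, body):
    """Return a list of findings for one response; an empty list means clean."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if page_url.startswith("http://"):
        redirected = 300 <= status < 400 and h.get("location", "").startswith("https://")
        if not redirected:
            findings.append("cleartext page served without redirect to https")
    elif "strict-transport-security" not in h:
        findings.append("https response lacks Strict-Transport-Security")
    scanner = _FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])  # relative actions inherit the scheme
        if form["password"] and not target.startswith("https://"):
            findings.append("login form posts password over cleartext: " + target)
    return findings


# Constructed samples: a forum served over http with a relative login form,
# the same forum fixed (redirect on http, HSTS and an https form action).
INSECURE = ("http://forum.example/index.php", 200, {"Content-Type": "text/html"},
            '<form action="login.php" method="post"><input name="u">'
            '<input type="password" name="p"></form>')
FIXED_REDIRECT = ("http://forum.example/index.php", 301,
                  {"Location": "https://forum.example/index.php"}, "")
FIXED_PAGE = ("https://forum.example/index.php", 200,
              {"Strict-Transport-Security": "max-age=31536000"},
              '<form action="/login.php"><input type="password" name="p"></form>')
```

Run `audit(*INSECURE)` against a real capture by substituting the URL, status, header dict and body you observed.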
 
The cert only guarantees privacy. It doesn't guarantee that the site or you won't have data leaked due to a hack.

I don't think it's a big deal here but you are right that logins should use https. But, just fyi, there are apparently 3 sites being hosted on the servers albeit all 3 are owned by the same people.

I don't think I would worry about it unless you use the same credentials as you use for your bank or something like that.
 
> The cert only guarantees privacy. It doesn't guarantee that the site or you won't have data leaked due to a hack.
>
> I don't think it's a big deal here but you are right that logins should use https. But, just fyi, there are apparently 3 sites being hosted on the servers albeit all 3 are owned by the same people.
>
> I don't think I would worry about it unless you use the same credentials as you use for your bank or something like that.

> The cert only guarantees privacy.

Yeah!

I'm not worried about it! I use an encrypted password manager/generator with dual authentication. I'm thinking of the dumb people!

Besides, when bigbrother is storing our data I want them to have to suck up as much unencryptable shit as possible... just cause.
 
I haven't used antivirus since 2006 and don't have a password on my wifi router (just don't broadcast). Never been hacked.

I don't really care if big brother knows I'm going to bluelight. I'm not trying to kill the president or bomb a building, so meh.
 
Yeah me neither! But still. If it locks shit down and doesn't cost anything why the hell not?

Maybe there's that one paranoid freak who won't sign up for bluelight because it lacks ssh and dies because they couldn't ask a question? I'm thinking of you, you paranoid lurker freaks out there!
 
yeah, I know you are right. Normally, I would bounce without ssl, but this is just a forum so at the same time, I don't feel my password is safe regardless. There are drug addicts who can read your password and who control the site, so I kinda weigh the points there.

I think you are right, but I also don't consider this place safe even if it had ssl. I think there is more of a chance that an admin does something shady or the site gets hacked anyway.

but in essence, you are right.
 
While I do understand your desire for network security I personally believe the point of failure if anything is going to be vBulletin getting hacked at some point. Most of these forum code bases aren't exactly top notch examples of secure coding principles but now that I think about it a bit more that doesn't really make it better either to ignore the lack of ssl at least on the login and possibly user account pages.
 
Probably, but that is no reason to say 'fuck it'. You're only as strong as the weakest links, and best to make them as strong as possible.
 