Welcome to ECCIE - Sign up today!

GneissGuy · 01-10-2010, 06:09 PM

I'd like to suggest that eccie be set up to optionally allow connections via SSL/https:

The advantage of this is that it makes it much more difficult for someone to snoop on your web browsing.

If you properly use a properly configured SSL/https web site, it helps keep people from snooping on your browsing. They can see that you're visiting https://www.eccie.net/threadid=1324, but they can't see what you're typing, what your password is, or your userid. They also can't impersonate the web site by, for instance by putting up an identical looking web site that asks for your password. (If the user is careful and looks for the web site ID and lock symbol.)

This will make it much more difficult for your ISP to snoop on you. There are also a lot of people who set up IP snooping for commercial criminal purposes. For instance, it's common for someone to set up a rogue wireless access point at a hotel or near a legitimate free wireless point at a restaurant. They can then see passwords, account numbers, and set up web sites that impersonate other web sites. This is a lot harder if you're going to an https web site. They're usually out to steal credi card numbers, bank account numbers and passwords, etc. but they might abuse an eccie account number too. It could also be used by a stalker who knows a lady is at a particular hotel.

It does require setting up the web server that way. The web site needs to have the links set up correctly. (For instance, the links need to specify www.eccie.net, not http://www.eccie.net.)

ASPD had this. It had a few problems, but it mostly worked.

ztonk · 01-10-2010, 09:38 PM

I heartily second this one!

There would be the cost of getting a certificate from a recognized certificate authority (CA) and it would be a bit more taxing on the web server, but I think it would be well worth it!

LazurusLong · 01-10-2010, 09:49 PM

Not sure how well that worked for ASPD since it did nothing to protect the site from hackers and no one is entering any account numbers or credit card information on a review board.

I wonder how many attempts to capture a user name and password to an escort review board for "commercial criminal purposes" might have happened?

How much more server use would this incur? Give the dramatic increase in bandwidth and server churn with the tremendous growth since ASPD went dark, what actual quantifiable benefits to the site would there be?

GneissGuy · 01-11-2010, 12:45 AM

Quote:

Originally Posted by LazurusLong

Not sure how well that worked for ASPD since it did nothing to protect the site from hackers and no one is entering any account numbers or credit card information on a review board.

I wonder how many attempts to capture a user name and password to an escort review board for "commercial criminal purposes" might have happened?

How much more server use would this incur? Give the dramatic increase in bandwidth and server churn with the tremendous growth since ASPD went dark, what actual quantifiable benefits to the site would there be?

SSL/https only protects against eavesdropping. It gives you no protection at all against the vast majority of ways of hacking a web site. It protects the end user, not the web site that much.

However, if you don't use SSL/https, any internet provider in the path between the admin's internet connection and the web host can steal the admin's passwords any time he logs in and then log in as an admin. This would include the guy running the free wireless in the coffee shop, bar, hotel, etc. or someone with a rogue access point at any such place.

laserface · 01-12-2010, 09:44 AM

GoDaddy's "Standard SSL" certificate is cheap (normal price $49.95/year, currently running a special for $29.95 for the first year for new customers, multi-year certificates available at discounted rates), and doesn't require any validation or documentation other than having an e-mail sent to (and appropriately responded to by) the contact address in the domain's WHOIS information.

ravishme · 11-15-2015, 07:35 AM

[also posted in a related thread]

ANY site that accepts passwords SHOULD use HTTPS. Period. Otherwise any user logging in immediately gives his/her credentials to everybody between the two ends of the connection, and many of those middlemen serve that data up on a platter to everybody who asks, and everybody who's hacked into their networks.

This also means that from the moment one logs in without HTTPS, a number of people and/or software entities can then log into one's account at will and do anything with it.

Configuring the web server's TLS (since the older SSL is basically cracked now) is interesting too, since ideally you want to provide only modern, more secure encryptions and forward secrecy (which means cracking keys doesn't crack all the past sessions' content along with them).

I think the problem is that most folks assume a site like this would at least have HTTPS, and then spill their guts all over the site in utterly readable-on-the-wire cleartest based on that faith.

HTTPS isn't uncrackable - the odds are any organization with enough cash to throw at the problem will eventually be able to crack it (hence the desire for forward secrecy), But it does change things from anybody being able to read *everything* without ANY effort, to requiring (usually) an expensive operation to capture any text at all. Assuming the web servers TLS (used by HTTPS) is correctly set up, etc.

Refs:
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://www.ssllabs.com/ssltest/

I'm not offering to do it (sorry), but I do want to emphasize the someone really, really needs to.

squashhead · 11-15-2015, 06:35 PM

I am also in favor of https. But unfortunately not very many users take the time to chime in on their support of it.