
Why no secure connection? (SSL)


Post by Roob4rb on June 8th 2013, 9:43 pm

I was wondering, why is there no secured SSL-connection available for forumotion.com?

Currently when I log in to your forum, my password is sent to your server totally unencrypted and ready for any eavesdropper or intermediate party to read.

This is especially critical when using shared networks such as schools, companies and public WiFi hotspots. If there are no plans for supporting SSL then I'd at least expect a warning that says your credentials are sent unencrypted over the Internet, so users can be made aware of this and decide not to log in when they are on an untrusted network.

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
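
An added example, not part of the original post or Forumotion's code: a defender-side check for the issue raised above, flagging any password form whose submission target, or the page serving it, is not HTTPS. The sample HTML, the host forum.example and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormFinder(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []   # actions of forms that contain a password field
        self._open = None   # [action, has_password] for the form being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = [attrs.get("action") or "", False]
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._open[1]:
                self.actions.append(self._open[0])
            self._open = None


def audit_login_forms(page_url, html):
    """Return (target_url, problem) for each password form not protected by TLS."""
    finder = PasswordFormFinder()
    finder.feed(html)
    findings = []
    for action in finder.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append((target, "password submitted over plaintext HTTP"))
        elif urlparse(page_url).scheme != "https":
            findings.append((target, "form served over HTTP, can be altered in transit"))
    return findings


# Constructed sample page (hypothetical host and paths, not Forumotion's markup).
SAMPLE = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form>
"""

print(audit_login_forms("http://forum.example/", SAMPLE))
```

The second finding type covers a login page loaded over HTTP that posts to an HTTPS URL: the form itself arrives unprotected, so its target cannot be trusted.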


Re: Why no secure connection? (SSL)

Post by Ultron's Vision on June 8th 2013, 10:03 pm

Using public networks is always a security issue and not recommended unless it's absolutely secured.

Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means.

However, I'm quite positive that this would be a good thing to do.
Then again, not everyone is aware of the ssl: protocol, let alone what http: even means.

Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net


Re: Why no secure connection? (SSL)

Post by Roob4rb on June 8th 2013, 10:10 pm

@Ultron's Vision wrote:
> Using public networks is always a security issue and not recommended unless it's absolutely secured.

There is no 'absolutely secured' network, but HTTPS - just like any other encrypted protocol - was designed to send sensitive information over untrusted networks.

> Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means.

I'm not aware of such software, do you have any references to articles about this? There are no such current exploits known for SSLv2/SSLv3/TLS with proper ciphers, or the entire Internet would be a big chaos of information leakage.

> However, I'm quite positive that this would be a good thing to do.
> Then again, not everyone is aware of the ssl: protocol, let alone what http: even means.

It should just be default for a login form, and preferably for the entire site. Redirects from http to https are not rocket science and I'm sure that FM staff has thought about this, just wondering why it currently isn't in place.

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl


Re: Why no secure connection? (SSL)

Post by Ultron's Vision on June 8th 2013, 10:17 pm

I'm not talking about fetching the key directly out of the SSL-encrypted data, I'm talking about a physical being behind a screen that is using software to gain access to the PC transmitting the data over SSL.

Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net


Re: Why no secure connection? (SSL)

Post by SLGray on June 9th 2013, 12:29 am

Please do not start multiple topics about the same issue/question.

Use this one - http://help.forumotion.com/t124548-password-stored-unencrypted#829371

Topic Locked


After rereading both topics, this one will be reopened.


When your topic has been solved, ensure you mark the topic solved.
Never post your email in public.


SLGray
Administrator

Male Posts : 35641
Reputation : 2374
Language : English
Location : United States

http://fmthemes.forumotion.com/


Re: Why no secure connection? (SSL)

Post by Sanket on June 11th 2013, 2:43 pm

Well, you can suggest it if you want an SSL connection. There is no answer to why there is no SSL connection ;)

Edit: To add to this, an SSL connection is required when a website has many online transactions. I don't see a reason for Forumotion to have an SSL connection. Maybe it would be justified if Forumotion was a paid host.

Here I found a suggestion for the same.
http://help.forumotion.com/t90345-ssl-https-on-login?highlight=https

Sanket
ForumGuru

Male Posts : 48766
Reputation : 2819
Language : English
Location : Mumbai

http://webartzforum.com


Re: Why no secure connection? (SSL)

Post by Roob4rb on June 11th 2013, 2:52 pm

> an SSL connection is required when a website has many online transactions

That's not true, an SSL connection is required when sensitive information is sent to/from the server, such as login credentials.

When I now log in to forumotion.com, my password is sent unencrypted in plaintext over the internet to your server. Anybody capturing that data could see the password of any user, including your own staff account credentials.

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl


Re: Why no secure connection? (SSL)

Post by Sanket on June 11th 2013, 2:55 pm

Read my edited post above.
I did not say SSL was only used when there are only transactions involved. Take the example of Facebook or Gmail which are big websites, with billions of users, they can afford to have the same. For a free forum, it's not really justified.

Show me an example of a free forum with this, then maybe I would vote yes in that suggestion ;)

Sanket
ForumGuru

Male Posts : 48766
Reputation : 2819
Language : English
Location : Mumbai

http://webartzforum.com


Re: Why no secure connection? (SSL)

Post by Roob4rb on June 11th 2013, 3:14 pm

@Sanket wrote:
> Read my edited post above.
> I did not say SSL was only used when there are only transactions involved. Take the example of Facebook or Gmail which are big websites, with billions of users, they can afford to have the same. For a free forum, it's not really justified.

A simple SSL-certificate costs about 5-10 euros per year, this is about the same you'd pay for a domain name.

If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service.

> Show me an example of a free forum with this, then maybe I would vote yes in that suggestion ;)

I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existent?



Last edited by Sanket on June 11th 2013, 3:22 pm; edited 1 time in total (Reason for editing : Removed Bold)

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl
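
An added example, not part of the original post: how a wildcard name such as *.forumotion.com is matched against hostnames, showing that it covers exactly one label to the left and not the bare domain. The rule coded here is the usual TLS client behaviour (a wildcard is honoured only as the whole left-most label); the function names and the hostname www.help.forumotion.com are constructed for illustration.

```python
def wildcard_cert_covers(pattern, hostname):
    """Match a certificate DNS name against a hostname.

    '*' is accepted only as the entire left-most label and stands for
    exactly one label; comparison is case-insensitive and ignores a
    trailing dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False              # different depth, or an empty label
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False              # partial or non-left-most wildcards are rejected here
    return p_labels == h_labels


def names_not_covered(hostnames, cert_names):
    """Return the hostnames that none of the certificate's names covers."""
    return [h for h in hostnames
            if not any(wildcard_cert_covers(n, h) for n in cert_names)]


# Constructed inventory: the bare domain, a one-level forum host, a two-level host.
HOSTS = ["forumotion.com", "help.forumotion.com", "www.help.forumotion.com"]

# With only the wildcard, the bare domain and the two-level host are left out.
print(names_not_covered(HOSTS, ["*.forumotion.com"]))
# Adding the bare domain as a second name on the certificate closes the first gap.
print(names_not_covered(HOSTS, ["*.forumotion.com", "forumotion.com"]))
```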


Re: Why no secure connection? (SSL)

Post by Sanket on June 11th 2013, 3:21 pm

So you have a suggestion section to provide the inputs on how much a SSL connection costs. This is a support section, where we answer to problems that are faced on the forum. This is a suggestion & not a problem.

Please don't use bold or color. Please keep to the default text. This is reserved for the staff for moderation.

> If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service.

Expensive, yes, that's what I said.

Do you have any more questions?


Last edited by Sanket on June 11th 2013, 3:27 pm; edited 1 time in total

Sanket
ForumGuru

Male Posts : 48766
Reputation : 2819
Language : English
Location : Mumbai

http://webartzforum.com


Re: Why no secure connection? (SSL)

Post by kirk on June 11th 2013, 3:26 pm

@Roob4rb wrote:
> I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existent?

Roob4rb, with all due respect.
Who cares. You are rambling on like a mad man. I had told you the other day, when you were talking about almost the same thing, that you can create a post in the suggestions section.
Forumotion has been like this since the beginning, along with many other hosts and services, paid or free, on the web. I mean, I am not trying to sound bitter, but this is becoming very annoying and have been getting complaints for potential flaming. I do not see it going that far and am trying to be as fair as I can.

All I can tell you once again is that if you feel that uncomfortable with how Forumotion or any other service sends information over the web, then do not use that service. And by all means, please do feel free to suggest this in the suggestions section. I mean, I really do not know what you expect us to do here. This is something that etoxic, the owner of Forumotion, would have to change. We have no control over this here.

For what it's worth, we have answered all we can on this matter.

kirk
Forumaster

Male Posts : 11037
Reputation : 651
Language : English,Vulcan,Klingon, Romulan,& Gorn


Re: Why no secure connection? (SSL)

Post by Roob4rb on June 11th 2013, 3:28 pm

It is actually an issue with the current implementation of the forum, namely that my password is sent unencrypted over the internet!

If you need consultation on how to order/implement/configure this on your server then I'd gladly help, this is what I do for a living. But please don't be so difficult about a security measure that costs a few bucks per year and provides your entire userbase with much more added security.

(Also, could you please stop with micromanaging what I do with formatting, links, etc, this is highly anti-productive :( I'm trying to help you by bringing serious security issues to your attention, and all you do is try to find rules that are broken or policy that does not match what I'm typing.)

Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl


Re: Why no secure connection? (SSL)

Post by Sanket on June 11th 2013, 3:29 pm

So I understand the whole point of this, sorry but there is nothing more we could do other than pointing you in the right direction since you are trying to solicit your services here.

Thread is Locked.

Sanket
ForumGuru

Male Posts : 48766
Reputation : 2819
Language : English
Location : Mumbai

http://webartzforum.com
