The forum of the forums
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Why no secure connection? (SSL)

5 posters

Go down

Why no secure connection? (SSL) Empty Why no secure connection? (SSL)

Post by Roob4rb June 8th 2013, 9:43 pm

I was wondering, why is there no secured SSL-connection available for forumotion.com?

Currently when I log in to your forum, my password is sent to your server totally unencrypted and ready for any eavesdropper or intermediate party to read.

This is especially critical when using for shared networks such as schools, companies and public WiFi hotspots. If there are no plans for supporting SSL then I'd at least expect a warning that says your credentials are sent unencrypted over the Internet, so users can be made aware of this and decide not to login when they are on an untrusted network.
avatar
Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Ultron's Vision June 8th 2013, 10:03 pm

Using public networks is always a security issue and not recommended unless it's absolutely secured.

Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means.

However I'm quite positive that this would be a good thing to do.
Then again, not everyone is aware of the ssl: protocol, yet even what http: even means.
Ultron's Vision
Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Roob4rb June 8th 2013, 10:10 pm

Ultron's Vision wrote:Using public networks is always a security issue and not recommended unless it's absolutely secured.
There is no 'absolutely secured' network, but HTTPS - just like any other encrypted protocol - was designed to send sensitive information over untrusted networks.
Even with SSL, there is software to get access to the key passed to a user via so-called handshakes and other distinctly exploitative if not even malicious means.
I'm not aware of such software, do you have any references to articles about this? There are no such current exploits known for SSLv2/SSLv3/TLS with proper ciphers, or the entire Internet would be a big chaos of information leakage.
However I'm quite positive that this would be a good thing to do.
Then again, not everyone is aware of the ssl: protocol, yet even what http: even means.
It should just be default for a login form, and preferably for the entire site. Redirects from http to https are not rocket science and I'm sure that FM staff has thought about this, just wondering why it currently isn't in place.
avatar
Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Ultron's Vision June 8th 2013, 10:17 pm

I'm not talking about fetching the key directly out of the SSL-encrypted data, I'm talking about a physical being behind a screen that is using software to gain access to the PC transmitting the data over SSL.
Ultron's Vision
Ultron's Vision
Forumember

Male Posts : 634
Reputation : 45
Language : English | German | HTML | JavaScript | PHP | C++ | Perl | Java
Location : Vienna, Austria

http://duelacademy.net

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by SLGray June 9th 2013, 12:29 am

Please do not start multi - topics about the same issue/question.

Use this one - https://help.forumotion.com/t124548-password-stored-unencrypted#829371

Topic Locked


After rereading both topics, this one will be reopened.


Why no secure connection? (SSL) Slgray10

When your topic has been solved, ensure you mark the topic solved.
Never post your email in public.
SLGray
SLGray
Administrator
Administrator

Male Posts : 51464
Reputation : 3519
Language : English
Location : United States

https://forumsclub.com/gc/128-link-directory/

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Sanket June 11th 2013, 2:43 pm

Well, you can suggest it if you want a SSL connection. There is no answer to a why there is no SSL connection Wink

Edit: To add to this, a SSL connection is required when a website has many online transactions. I don't see a reason for Forumotion to have a SSL connection. Maybe, it was justified if Forumotion was a paid host.

Here i found a suggestion for the same.
https://help.forumotion.com/t90345-ssl-https-on-login?highlight=https
Sanket
Sanket
ForumGuru

Male Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Roob4rb June 11th 2013, 2:52 pm

a SSL connection is required when a website has many online transactions
That's not true, a SSL connection is required when sensitive information is sent to/from the server, such as login credentials.

When I now login to forumotion.com, my password is sent unencrypted in plaintext over the internet to your server. Anybody capturing that data could see the password of any user, including your own staff account credentials.
avatar
Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Sanket June 11th 2013, 2:55 pm

Read my edited post above.
I did not say SSL was only used when there are only transactions involved. Take the example of facebook or gmail which are big websites, with billions of users, they can afford to have the same. For a free forum, its not really justified.

Show me a example of a free forum with this, then maybe i would vote yes in that suggestion Wink
Sanket
Sanket
ForumGuru

Male Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Roob4rb June 11th 2013, 3:14 pm

Sanket wrote:Read my edited post above.
I did not say SSL was only used when there are only transactions involved. Take the example of facebook or gmail which are big websites, with billions of users, they can afford to have the same. For a free forum, its not really justified.
A simple SSL-certificate costs about 5-10 euro's per year, this is about the same you'd pay for a domain name.

If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service.

Show me a example of a free forum with this, then maybe i would vote yes in that suggestion Wink
I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existant?



Last edited by Sanket on June 11th 2013, 3:22 pm; edited 1 time in total (Reason for editing : Removed Bold)
avatar
Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Sanket June 11th 2013, 3:21 pm

So you have a suggestion section to provide the inputs on how much a SSL connection costs. This is a support section, where we answer to problems that are faced on the forum. This is a suggestion & not a problem.

Please don't use bold or color. Please keep to the default text. This is reserved for the staff for moderation.

If you would order a wildcard SSL-certificate (*.forumotion.com) all your users with *.forumotion.com hostnames could use the same certificate and benefit from the added security, this would be a bit more expensive but still it would be a lot of added service.
Expensive, yes thats what I said.

Do you have anymore questions?


Last edited by Sanket on June 11th 2013, 3:27 pm; edited 1 time in total
Sanket
Sanket
ForumGuru

Male Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by kirk June 11th 2013, 3:26 pm

Roob4rb wrote:
I don't think you understand what my issue is at all. All passwords of all your users/staff/etc are now sent unencrypted over the internet. Without any warning whatsoever. Why would you need an example of a free forum with an SSL connection to convince you of the fact that your connection-security is currently non-existant?


Roob4rb with all due respect.
Who cares. you are rambling on like a mad man, i had told you the other day when you was talking about almost the same thing you can create a post in the suggestions section.
forumotion has been like this since the beginning. along with many other host and services paid or free on the web.. i mean i am not trying to sound bitter but this is becoming very annoying and have been getting complaints for potential flaming. i do not see it going that far and am trying to be as fair as i can

All i can tell you once again is that if you feel that unconformable on how forumotion or any other service send information over the web, then do not use that service. And by all means, please do feel to suggest this in the suggestions section. I mean i really do not know what you expect us to do here. This is something that etoxic the owner of forumotion would have to change. we have no control over this here.

for what it's worth we have answered all we can on this matter.
kirk
kirk
Forumaster

Male Posts : 11037
Reputation : 653
Language : English,Vulcan,Klingon, Romulan,& Gorn

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Roob4rb June 11th 2013, 3:28 pm

It is actually an issue with the current implementation of the forum, namely that my password is sent unencrypted over the internet!

If you need consultation of how to order/implement/configure this on your server then I'd gladly help, this is what I do for a living. But please don't be so difficult about a security measure that costs a few bucks per year and provides your entire userbase with much more added security.

(Also, could you please stop with micromanaging what I do with formatting, links, etc, this is highly anti-productive Sad I'm trying to help you by bringing serious security issues under your attention, and all you do is try to find rules that are broken or policy that does not match what I'm typing.)
avatar
Roob4rb
New Member

Posts : 14
Reputation : 1
Language : Dutch, English || PHP, Python, Perl

Back to top Go down

Why no secure connection? (SSL) Empty Re: Why no secure connection? (SSL)

Post by Sanket June 11th 2013, 3:29 pm

So i understand the whole point of this, sorry but there is nothing more we could do other than pointing you in the right direction since you are trying to solicit your services here.

Thread is Locked.
Sanket
Sanket
ForumGuru

Male Posts : 48766
Reputation : 2830
Language : English
Location : Mumbai

Back to top Go down

Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum