Need for HTTPS

Troubleshooting
MaheshS
Posts: 1186
Joined: 02 Feb 2010, 22:36

Need for HTTPS

Post by MaheshS »

Hi Guys,

I didn't notice this till now at all: the forum seems to run on normal HTTP rather than HTTPS, so we are currently passing all data in plain text, which can be easily MITM'd. Any chance we can get hold of an SSL cert and put it on? It's about 50 dollars per year I think; we can source funds for this and I am willing to contribute. Thoughts / comments?

Also noticed the forum downtime yesterday due to MySQL DB corruption; if you need a hand with sysadmin, I'm more than happy to lend a hand.

Could also do with adding some extra add-ins to phpBB so it's easier to use via iPhone / Android / Windows etc. I can also look into this separately if you want.

Mahesh

thanjavooran
Posts: 2972
Joined: 03 Feb 2010, 04:44

Re: Need for HTTPS

Post by thanjavooran »

Though I am totally ignorant of this highly technical aspect, I welcome your offer. Let the pundits decide.
Thanjavooran
13 03 2016

rshankar
Posts: 13754
Joined: 02 Feb 2010, 22:26

Re: Need for HTTPS

Post by rshankar »

Mahesh - sounds like good suggestions - count me in

Nick H
Posts: 9379
Joined: 03 Feb 2010, 02:03

Re: Need for HTTPS

Post by Nick H »

MaheshS wrote: I didn't notice this till now at all: the forum seems to run on normal HTTP rather than HTTPS, so we are currently passing all data in plain text, which can be easily MITM'd.
This is something I don't understand, but I suspect there is a good answer... What is the point of encrypting post contents, when the whole world can just look at the forum and read the posts?

MaheshS
Posts: 1186
Joined: 02 Feb 2010, 22:36

Re: Need for HTTPS

Post by MaheshS »

Nick H wrote:
MaheshS wrote: I didn't notice this till now at all: the forum seems to run on normal HTTP rather than HTTPS, so we are currently passing all data in plain text, which can be easily MITM'd.
This is something I don't understand, but I suspect there is a good answer... What is the point of encrypting post contents, when the whole world can just look at the forum and read the posts?
So the contents of the forum post may be visible to all and sundry [that is the purpose]; however, with just HTTP you are also at risk of your credentials [including email, username, password etc.] being visible as well. That is the problem :) And if people use the same user name / email / password combination in different places [Google, Facebook, Online Banking etc.] then you are vulnerable in so many different ways that it's scary!

The posts we make may not be sensitive, but the other data the site is holding / transferring behind the scenes is.

For example, from my computer now to reach the rasikas.org web site, I go through the following servers before getting there:

Code:

  1     2 ms     1 ms     1 ms  xxx.xxx.xxx.xxx
  2     4 ms     2 ms     2 ms  xxx.xxx.xxx.xxx
  3    14 ms     9 ms    15 ms  xxx.xxx.xxx.xxx
  4    10 ms     9 ms     9 ms  1-1-2.pr01.ixhs.uk.exponential-e.net [94.31.32.186]
  5     9 ms     8 ms     9 ms  94.31.32.185.in-use.above.net [94.31.32.185]
  6    10 ms    10 ms     9 ms  ae7.mpr3.lhr3.uk.zip.zayo.com [64.125.21.17]
  7    88 ms    90 ms   127 ms  ae27.cs1.lhr15.uk.eth.zayo.com [64.125.30.234]
  8    86 ms    83 ms    84 ms  ae5.cs1.dca2.us.eth.zayo.com [64.125.29.131]
  9    83 ms    85 ms    84 ms  ae27.cr1.dca2.us.zip.zayo.com [64.125.30.247]
 10    85 ms    84 ms    84 ms  ae15.er4.iad10.us.zip.zayo.com [64.125.31.22]
 11    84 ms    85 ms    99 ms  ae16.er5.iad10.us.zip.zayo.com [64.125.31.77]
 12    86 ms    84 ms    83 ms  208.185.23.134.t00867-03.above.net [208.185.23.134]
 13    86 ms    85 ms    87 ms  ip-208-113-156-4.dreamhost.com [208.113.156.4]
 14    86 ms    85 ms    84 ms  ip-208-113-156-73.dreamhost.com [208.113.156.73]
 15    83 ms    84 ms   112 ms  apache2-dap.kili.dreamhost.com [173.236.152.7]
The data is passed through so many different servers in plain text. Anyone on these servers can easily sniff the traffic :)

Google "network eavesdropping", "man in the middle attack", "http vs https" and you should get more info.
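As an added example (not from this thread or from rasikas.org), the following Python script parses a constructed phpBB-style login POST to show which fields every hop in a traceroute like the one above can read when the forum runs on plain HTTP, and includes a small checker for what an admin should verify in the server's responses once a certificate is installed. The hostname, session cookie and credentials are made up.

```python
"""Added example, not from the thread: what any hop on the path above can read
in a plaintext login POST, and a checklist for the server once HTTPS is on.
Hostname, session cookie and credentials below are constructed."""
from urllib.parse import parse_qs

# Constructed phpBB-style login request as it travels over plain HTTP.
RAW_LOGIN_POST = (
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example.org\r\n"
    b"Cookie: phpbb3_sid=0123456789abcdef\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 57\r\n"
    b"\r\n"
    b"username=mahesh&password=hunter2&autologin=on&login=Login"
)


def visible_fields(raw: bytes) -> dict:
    """Parse the cleartext request. No key is needed: over HTTP the bytes
    on the wire are the message, so the session cookie and the password
    field are readable by every router and proxy that forwards them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}
    return {"request": lines[0], "cookie": headers.get("cookie"), "form": form}


def https_enforcement_gaps(scheme: str, status: int, headers: dict,
                           set_cookies: list) -> list:
    """Things an admin should verify after installing the certificate:
    HTTP must redirect to HTTPS, HTTPS must send HSTS, and the session
    cookie must carry Secure (never sent over HTTP) and HttpOnly."""
    h = {k.lower(): v for k, v in headers.items()}
    gaps = []
    redirected = status in (301, 308) and h.get("location", "").startswith("https://")
    if scheme == "http" and not redirected:
        gaps.append("plain HTTP is served instead of redirecting to HTTPS")
    if scheme == "https" and "strict-transport-security" not in h:
        gaps.append("no Strict-Transport-Security header")
    for cookie in set_cookies:
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        name = cookie.split("=", 1)[0]
        for flag in ("secure", "httponly"):
            if flag not in flags:
                gaps.append(f"cookie {name} lacks {flag}")
    return gaps
```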

Nick H
Posts: 9379
Joined: 03 Feb 2010, 02:03

Re: Need for HTTPS

Post by Nick H »

MaheshS wrote: So the contents of the forum post may be visible to all and sundry [that is the purpose]; however, with just HTTP you are also at risk of your credentials [including email, username, password etc.] being visible as well. That is the problem :) And if people use the same user name / email / password combination in different places [Google, Facebook, Online Banking etc.] then you are vulnerable in so many different ways that it's scary!
Thanks

OK, I was halfway there already and, just because I know not to use the same password for more than one purpose, I'm aware that not everybody does, and that some people do just that. So there is an element of protecting us from ourselves here.

srkris
Site Admin
Posts: 3497
Joined: 02 Feb 2010, 03:34

Re: Need for HTTPS

Post by srkris »

MaheshS,

That's a good suggestion, thanks. Let me check the process and get back to you soon if I need any clarification/help with it.

rajeshnat
Posts: 9906
Joined: 03 Feb 2010, 08:04

Re: Need for HTTPS

Post by rajeshnat »

Maheshs,
HTTPS slightly slows down the site, and how about the links that are already indexed by Google? Do we have to reindex again when HTTPS is implemented?

Mods,
Per se, the problem in hand is we are using the MySQL standard version. My worry is, with data going up, the backups are not done efficiently and maybe srkris has not even tested the restore of backups on another test server. srkris can upgrade the MySQL server to an enterprise grade and he can always pool money - I am certainly willing to pay.

There are a lot of features like "View all posts by user" and "View all topics by user" which I asked for, got done, and then suddenly they were gone; despite my asks they have not been restored. A few UI migrations that he did in the past were quite a challenge, and only when rolled back was it best.

My 2 cents: more than the HTTP vs HTTPS, the MySQL is a bigger headache that srkris has to resolve.

sankark
Posts: 2321
Joined: 16 Dec 2008, 09:10

Re: Need for HTTPS

Post by sankark »

A self-signed certificate wouldn't cost any $$$. So an idea is to post a message about a self-signed certificate and ask users to install it in the trust store. Though I wouldn't recommend this for a site with a multitude of visitors, I reckon unique visitors to rasikas.org is in the low '000s (1 - 9) and this could work / be feasible.

https://support.google.com/webmasters/a ... 3543?hl=en - though what Google indexing does with a self-signed certificate isn't clear from that page; this FAQ @ https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC is silent on the question of self-signed certificates. The indirect message is to use a cert from a trusted CA, I believe.
