This bulletin board does not use https

Off topic discussion zone.

UK_Eliter
---- E L I T E ----
Posts: 1103
Joined: Sat Sep 12, 2009 11:58 pm
Location: Essex (mainly industrial and occasionally anarchic)

Post by UK_Eliter » Sun Oct 22, 2017 11:37 pm

Dear all

I imagine this has been discussed before - though I can't find any such discussion - but why does this board use the insecure http protocol and not rather the secure https? I'd prefer the latter!

Cody
Sharp Shooter Spam Assassin
Posts: 13680
Joined: Sat Jul 04, 2009 9:31 pm
Location: Corke's Drift

Re: This bulletin board does not use https

Post by Cody » Sun Oct 22, 2017 11:48 pm

I've no idea what that would entail, but it'd be down to Giles (or perhaps Jens) to sort out, and neither are about much.
Their dreams a tattered sail in the wind

Diziet Sma
---- E L I T E ----
Posts: 6310
Joined: Mon Apr 06, 2009 12:20 pm
Location: Aboard the Pitviper S.E. "Blackwidow"

Post by Diziet Sma » Mon Oct 23, 2017 5:40 am

Yep.. It would be up to Giles, as owner of the domain, to arrange an SSL certificate. Unfortunately, they're not free. Prices typically range from $70 - $250 or more per year, depending on your registrar and what kind of site you run. So there's that to consider also.


Edit: I did a little digging using 'whois', and found Giles' hosting company. Here's a list of their SSL Certificate prices.



[Image: list of SSL certificate prices]
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

Post by Cody » Mon Oct 23, 2017 12:01 pm

Of more importance to me would be repair and upgrade of the forum software - and an alternative colour scheme.
Their dreams a tattered sail in the wind

Post by Diziet Sma » Mon Oct 23, 2017 3:49 pm

Cody wrote:
Mon Oct 23, 2017 12:01 pm
Of more importance to me would be repair and upgrade of the forum software - and an alternative colour scheme.

That gets my vote!
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

Post by UK_Eliter » Mon Oct 23, 2017 4:21 pm

Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Post by Cody » Mon Oct 23, 2017 4:38 pm

Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

No idea really, but I expect that's a current price/feature list, and this software hasn't been upgraded properly for a fair while.
Their dreams a tattered sail in the wind

Post by UK_Eliter » Mon Oct 23, 2017 4:40 pm

I think the most important thing is security (and I don't mind the board interface). We don't want a flood of spam, or people's credentials being stolen. We did get hacked by some bot once before, I seem to recall. I am afraid I can't contribute a hosting computer or any relevant programming or systems administration ability, but I could donate a few quid if that would help.

Post by Diziet Sma » Mon Oct 23, 2017 4:53 pm

UK_Eliter wrote:
Mon Oct 23, 2017 4:21 pm
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

No.. even the cheapest option will put a padlock icon in the browser address bar. Pricier options turn the bar green as well. But neither Oolite's BB nor the Oolite.org website has a padlock icon.

UK_Eliter wrote:
Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Yes, they absolutely can! It would, of course, still need someone with admin rights to the server to set it up.

And thank you SO much for that link! I've been wanting to add SSL encryption to my family's business website for a while now. This means there's one less annual cost involved. Much appreciated!
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

cim
Quite Grand Sub-Admiral
Posts: 4018
Joined: Fri Nov 11, 2011 6:19 pm

Post by cim » Mon Oct 23, 2017 4:54 pm

UK_Eliter wrote:
Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Let's Encrypt is an excellent provider - I use them for my sites - but it depends whether the hosting provider supports it.

Post by Diziet Sma » Mon Oct 23, 2017 5:09 pm

UK_Eliter wrote:
Mon Oct 23, 2017 4:40 pm
I think the most important thing is security (and I don't mind the board interface). We don't want a flood of spam, or people's credentials being stolen. We did get hacked by some bot once before, I seem to recall.

I think you may be over-estimating what https can do, a little.. :wink: :)

Essentially, it encrypts all data sent between the browser and server, in both directions. From the perspective of a BB like ours, the practical benefit is that member logins would be encrypted. This means that passwords are no longer transmitted in plain text. Plain text logins are easily "sniffed" during transmission, by anyone with the motive and means (not a high barrier) to do so. I'm not privy to the details of the bot hack, but I doubt it was done by sniffing an admin's password. A password guessing bot would be my first guess, and against those, the only defence is a high quality password.

Https is not going to result in a reduction in spam attempts, either. Spam bots will still be able to connect to the account creation page, to try and create an account, and then log in. There are tools and organisations available to help keep almost all spammers out of the forum, and I'm an admin on a forum that uses them. They work very well. But they won't work with the antiquated BB software we use here. The upgrade Cody spoke of would go a long way in helping with that particular problem.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

Post by UK_Eliter » Mon Oct 23, 2017 5:24 pm

Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good. I believe that the aforementioned vulnerability would be rendered safe by a VPN (but not everyone using these boards has one) and perhaps by operating system and/or router patches (but perhaps not everyone's system would be patched).

By the way: by 'I don't mind the board interface' I didn't mean that I don't how the interface is. Rather I meant I am happy enough with the current interface.

Post by Diziet Sma » Mon Oct 23, 2017 6:32 pm

UK_Eliter wrote:
Mon Oct 23, 2017 5:24 pm
Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good.

Hmm.. I'd missed seeing that one. And yeah, it's nasty. Yes, SSL would help protect against passwords to the BB being obtained via that attack.

UK_Eliter wrote:
Mon Oct 23, 2017 5:24 pm
I believe that the aforementioned vulnerability would be rendered safe by a VPN (but not everyone using these boards has one) and perhaps by operating system and/or router patches (but perhaps not everyone's system would be patched).

In some ways yes, in others no. SSL does essentially the same thing as a VPN, in a more limited way. But a VPN won't stop someone using KRACK to break into your home wi-fi network, for example.


UK_Eliter wrote:
Mon Oct 23, 2017 5:24 pm
By the way: by 'I don't mind the board interface' I didn't mean that I don't how the interface is. Rather I meant I am happy enough with the current interface.

I'm happy enough with the current interface as well.. (APART FROM THE MISSING "LIKE" BUTTON!!!) But unfortunately, this forum software is showing its age. The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.
Most games have some sort of paddling-pool-and-water-wings beginning to ease you in: Oolite takes the rather more Darwinian approach of heaving you straight into the ocean, often with a brick or two in your pockets for luck. ~ Disembodied

Post by Cody » Mon Oct 23, 2017 9:02 pm

The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.

That'd be the only way being made redundant could make me happy!
Their dreams a tattered sail in the wind
