
SSL for login: I will donate $50 to make it happen

Reptile

NES Member
Joined
Dec 13, 2006
Messages
28,001
Likes
20,273
Feedback: 123 / 0 / 0
Derek,

If you can get a secure SSL set up for logins, I will donate $50 for the cause.

Let me know...
 
SSL Logins are a secure method of signing into NES.

Anybody who can monitor your network can capture your screen name and login password.

Once they have this, they can view any personal information, PMs, etc.

If they were evil, they could use that information to mess up your life.

When logging in with SSL, the information is encrypted between your computer and the NES server. It basically cannot be intercepted by a third party.

If we all used SSL login, the people we PM will also be better protected and hackers won't be able to easily access their PMs.

SSL is just a way to make it just a bit harder for hackers to get into our accounts.

Sometimes addresses and phone numbers are exchanged by PM. As a general rule for gun owners, it is wise to prevent prying eyes from knowing our addresses.



As for full-time SSL (SSL for all page views), I would pay another $50 for that as well. I hear it is a drag on the server though, because it must encrypt and decrypt on the fly. The only drawback is that you must click a box to view outside links whenever you want to branch off of NES.
 
What kind of money does this usually cost?

The only cost is with the secure certificate, which comes in three flavors:

Self Signed - Free, but you get an annoying message every time you access a site with a self-signed cert via SSL.

Low security - Signed by a certificate authority, does not pop up a message when you access the site, ownership confirmation consists only of confirming you own the URL (and perhaps not even that). When you examine the certificate, it will state that this certificate does not supply ownership info. Price runs about $50/year.

High security - Signed by a certificate authority, does not pop up a message when you access the site, identity of certificate owner confirmed through a documentation process. The certificate will display the owner info, and many browsers will display all or part of the address bar in green. Price runs about $100/year.
 
Not if you get it from VeriSign. [wink]

I have too much respect for Derek to ever conclude he would consider buying from Verisign.

Besides the pricing issues, their history of chicanery is enough to send me elsewhere.

Remember when they added a default record to the A server so that any bogus URL would go to one of their sites? Not only was this tacky, but it messed up software that took action based on detecting use of an invalid URL.

And then there is the "domain tasting" tomfoolery. For a while, any WHOIS done on networksolutions.com would cause Network Solutions to taste the domain registration (a registrar can return a registration within 5 days and not pay the ICANN fee) so that Network Solutions would become the only registrar from which you could buy the domain during that period of time. This kind of trickery was necessary since other registrars such as GoDaddy offered the same registration service at a much lower price.
 
Historically, forum software has to be one of the top reasons servers get compromised. You need to expect that any data you have on a forum is *not* secure. You have no idea what other kinds of software are running on a server that hosts a forum, no idea where backups are kept, etc., etc. Additionally, I am 100% sure that every forum on the internet is monitored by the .gov three-letter agencies in connection with various wars (Terror, Drugs, etc.)... Bottom line: you have no privacy here.

The only thing an SSL cert really protects you against is packet sniffing for your password on an open wifi network. A free self-signed certificate that has the browser ask you if it's OK to connect would be just fine for the few times you must use an open network. You can add exceptions to your browser so you only get asked the first time you connect.
 
FWIW, I would be perfectly happy with a self-signed cert that we could somehow distribute (or authenticate) out-of-band if cost/mistrust of commercial CAs is an issue.

But, I'd also throw in a few dollars for a commercial solution if that were decided upon.
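The out-of-band approach suggested above works like this on the client side: the browser's CA check is switched off (a self-signed cert has no CA) and the SHA-256 fingerprint, distributed separately, becomes the trust anchor. This is an added illustration, not code from the thread or the forum software; the sample certificate bytes are constructed and the `connect_pinned` helper is hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate. For the fingerprint
# arithmetic any byte string behaves the same; a real one comes from
# getpeercert(binary_form=True) on a live connection.
SAMPLE_DER = b"constructed-sample-certificate-bytes"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der: bytes, pinned: str) -> bool:
    """Compare the presented cert against the out-of-band fingerprint.

    Colons, spaces and case are normalised so the value can be pasted
    straight from an openssl printout; the comparison is constant-time.
    """
    expected = pinned.replace(":", "").replace(" ", "").lower()
    actual = hashlib.sha256(der).hexdigest()
    return hmac.compare_digest(actual, expected)


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts only the pinned certificate.

    CA verification is disabled because a self-signed cert cannot pass it;
    the fingerprint check replaces it, so the session is torn down if the
    server presents any other certificate (for example one injected by a
    party in the path).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        seen = fingerprint(der) if der else "none"
        raise ssl.SSLError(f"certificate fingerprint mismatch for {host}: got {seen}")
    return tls
```

Rotating the server certificate changes the fingerprint, so the new value has to be redistributed the same out-of-band way before the switch.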
 
Using SSL for logins has minimal costs, just the annual price of a certificate and the slight additional server overhead of using encryption for the login page. Full-time SSL adds some overhead to every session, and causes popups for users (page contains unencrypted content...).

The only thing an SSL cert really protects you against is packet sniffing for your password on an open wifi network. A free self-signed certificate that has the browser ask you if it's OK to connect would be just fine for the few times you must use an open network. You can add exceptions to your browser so you only get asked the first time you connect.

Actually, using SSL for all page views (aka "fulltime SSL", like gmail has) would provide protection against a variety of risks.

It makes it much more difficult for anybody 'in path' to either view or modify the information you send to the server, or what the server sends to you. This is true of any network, not just open WiFi; many ISPs have been implicated in sniffing and/or modifying content.
 
Yeah, LulzSec is going to fly to America and set up a sniffer at the local McDonald's for one of you to go there to log onto NES.... [rofl]

If you're that paranoid about sniffing, you probably should use some sort of internet sanitary napkin, like a VPN or an SSH tunnel to get your traffic concealed at least on the last few miles.

-Mike
 
Historically, forum software has to be one of the top reasons servers get compromised.

Yup. The source code is widely available, so all someone has to do is peruse it until they find a bug and then use a web crawler to find instances of the forum that exhibit the bug.

The single most useful thing one can do in regard to forum security is NEVER use a "sensitive" password on a forum. Forum passwords should never be the same as, or similar to, passwords used to access financial systems, CNC control panels or reactor control systems.
 
I'm working on a couple different avenues for this... tested it out late last year with mixed results, but I think I've come up with a better solution at this point... more to come.
 
You'd think the vbulletin people would be working on this, not their users.

It's really more of a server thing than a vBulletin thing. vB does everything it needs to in order to "support" it, it's more in regards to some of the other non-stock optimizations that we've done to both the server and the supporting software.
 
I'm a big fan of the Google position of encryption by default. All web traffic should be encrypted and furthermore use perfect forward secrecy. Don't forget to encrypt the cookies that allow folks to have the site remember them too.

- - - Updated - - -

Total waste of money and effort.



....said the government and hackers who want access to your information...
 