View Full Version : HTTPS



Tillmen
05-30-2015, 04:44 PM
I guess I never really paid attention until today, but the site doesn't support HTTPS, and I want it to.

It seems that anyone who can sniff your internet connection can easily gain access to your account (the password is basically being sent in plain text), see what you're reading, what you're posting, and what private messages you send and receive.

So who can sniff your internet connection? That would be your government, other governments, your ISP, people using the same wifi (Starbucks and whatnot), people driving by your house (you were probably too lazy to set up your wifi router correctly, weren't you?), people with fancy equipment in cell range (you read and post from your phone, right?), hackers that compromised a router between you and the server, random unethical people who happen to own a router between you and the server, and other people that no one even knows about.

I imagine most people don't care. A likely response will be, "If someone wants to go through all that trouble to read my posts, let em." or "I doubt anyone really cares enough to hack my connection."

The problem is, people are already listening to your internet connection, and it's not because they're targeting you. They're just scanning for easy targets (this site) and personal information that they can profit from (the stuff you will probably send in a "private" message). Also, if you were to post something unsavory in the political forums and upset someone in the government, they wouldn't have to get a warrant to access the server and figure out who you are, because it's public knowledge. That means, instead of having to convince a judge of something, they can just go ahead and anonymously screw with you because you pissed them off. If all that isn't enough, financial transactions are regularly arranged on this forum. Some of them for thousands of dollars. Do you really want to buy from someone you trust or has built a good reputation here, when any 12 year old can take over their account with very little effort?

I'm not suggesting spending hundreds of dollars on an SSL certificate. A free one from StartSSL works fine.

Wrathbringer
05-30-2015, 04:53 PM
Also, if you were to post something unsavory in the political forums and upset someone in the government, they wouldn't have to get a warrant to access the server and figure out who you are, because it's public knowledge. That means, instead of having to convince a judge of something, they can just go ahead and anonymously screw with you because you pissed them off.

:gawk:

Archigeek
05-30-2015, 05:11 PM
Seems prudent to me. Always best to stay a step ahead of those who would do us harm.

Tillmen
05-30-2015, 05:23 PM
I certainly can't speak for most people, but in my neighborhood very few Internet connections are unprotected.

It's not as easy as you might think to tell if a wifi router is unprotected. Often, even those that use WPA2, also have WPA and/or WEP enabled. If WEP is enabled, you might as well have no protection at all. But even supposing the router has only WPA2 enabled, it probably also has WPS enabled. WPS is a thing where you give it an 8 digit pin, and it tells you the WPA/WPA2 password and other settings needed to set up your device. And, of course, WPS has a terrible flaw. If the first four digits are correct, it returns a different error message than if none of the digits are correct. This means you only have to crack two four-digit pins instead of one eight-digit pin, or in other words, instead of having to make at most 100,000,000 guesses, you only need at most 20,000 guesses, which can be done pretty quickly.

So.. no problem.. turn off WPS.

So apparently there's a bug with most routers where even though there's an option to turn off WPS, if you turn it off it's still active and your router is still vulnerable. Good times...

Tgo01
05-30-2015, 05:25 PM
I say make it so.

Tillmen
05-30-2015, 05:35 PM
I suppose I should also post a solution, in case you're just now finding out your router isn't secure. You can flash DD-WRT to your router. Don't ask me how, and don't blame me if you brick your router. Google that crap and read, read, read.

Also, the security of your wireless router isn't just about people who want to spy on you. That's only a small part of it. It's mostly about people who want to do terrible, illegal things on the internet, but don't want it traced back to them. They want it traced back to you, or someone like you. So they drive around scanning for insecure wireless routers, break in real quick, and do their stuff. There's a humorous and sad number of stories about people getting their front door broken down by a SWAT team because of what someone else did with their internet connection.

... and this is now apparently in response to a deleted post. Oh well.

Tgo01
05-30-2015, 05:38 PM
I suppose I should also post a solution, in case you're just now finding out your router isn't secure. You can flash DD-WRT to your router. Don't ask me how, and don't blame me if you brick your router. Google that crap and read, read, read.

Also, the security of your wireless router isn't just about people who want to spy on you. That's only a small part of it. It's mostly about people who want to do terrible, illegal things on the internet, but don't want it traced back to them. They want it traced back to you, or someone like you. So they drive around scanning for insecure wireless routers, break in real quick, and do their stuff. There's a humorous and sad number of stories about people getting their front door broken down by a SWAT team because of what someone else did with their internet connection.

I have my router set up so only devices I specifically allow (I think it goes by their MAC address?) can access my wifi. Is this also not secure because of the WEP and WPS stuff?

It's a never ending battle!

Tillmen
05-30-2015, 05:46 PM
I have my router set up so only devices I specifically allow (I think it goes by their MAC address?) can access my wifi. Is this also not secure because of the WEP and WPS stuff?

It's a never ending battle!

Limiting to MAC addresses causes a slight annoyance to someone trying to break in, but otherwise does not add any security. They just have to listen for the unencrypted MAC addresses of allowed clients, and then spoof their MAC address. It's just an extra point and click for someone who does this stuff.

Tgo01
05-30-2015, 05:48 PM
Limiting to MAC addresses causes a slight annoyance to someone trying to break in, but otherwise does not add any security. They just have to listen for the unencrypted MAC addresses of allowed clients, and then spoof their MAC address. It's just an extra point and click for someone who does this stuff.

Well, it will at least keep the pesky neighbors from piggybacking my wifi I suppose.

I mean if someone really wants to break into my wifi and they know what they're doing it seems like they're going to break in regardless :/

Besides, I hire security guards around the clock to protect my server.

Wrathbringer
05-30-2015, 05:58 PM
Well, it will at least keep the pesky neighbors from piggybacking my wifi I suppose.

I mean if someone really wants to break into my wifi and they know what they're doing it seems like they're going to break in regardless :/

Besides, I hire security guards around the clock to protect my server.

But not your holiday decorations, obviously.

Buckwheet
05-30-2015, 06:08 PM
You probably have more things to worry about with this version of vBulletin going to be a full version behind shortly. They just released 5.1.6.

Soulance
05-30-2015, 06:32 PM
But not your holiday decorations, obviously.
I'm sorry Tgo, but that was kinda funny.

Tgo01
05-31-2015, 07:42 PM
I think this is a good idea. Let's not let this thread die!

Warriorbird
05-31-2015, 08:12 PM
Seems like a good idea if it doesn't have secret holes in it that we don't know about.

Tenlaar
05-31-2015, 08:18 PM
Tillmen is only doing this so that nobody thinks about how we have all given him complete access to both our computers and our GS accounts.

http://cdn.meme.am/instances/500x/53978259.jpg

Jarvan
05-31-2015, 10:53 PM
Tillmen is only doing this so that nobody thinks about how we have all given him complete access to both our computers and our GS accounts.

http://cdn.meme.am/instances/500x/53978259.jpg

hey.. if that is what it takes so I don't have to remember how to move from point A to point B... so be it.

Latrinsorm
06-01-2015, 07:45 PM
Seems like a good idea if it doesn't have secret holes in it that we don't know about.

Not to worry, SSL only has secret holes that we do know about. It's definitely a benefit, I just don't know what the cost to implement would be. Sockets and weiner dogs are notorious rivals.

Buckwheet
06-01-2015, 08:08 PM
This reminds me. Today, Tillmen, I tried connecting multiple times to lichproject.org through some new virtual machines and it just didn't like your SSL cert or something.

I can provide you access if you want to check it out but it totally blocked all things lich like.

Tillmen
06-02-2015, 11:12 AM
Apparently your browser likes to request a favicon several times without giving a user agent, and that got it blocked. I added an exception for it, so it shouldn't happen again. I kinda wish it didn't do that though. I'm guessing it doesn't like the format of my favicon.

I couldn't find any problems with the SSL cert. People sometimes have problems with the playershops site, because I don't have a cert for the old shops.lichproject.org. If you try going there using http, it just redirects you to ps.lichproject.org with no problem, but if you try https, it has to use the invalid cert before it can redirect you. I'm going to assume that was it, but I dunno.
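An added example (not code from the thread or from the lich project) of why the https:// case above fails: the client checks the certificate's names during the TLS handshake, before any HTTP redirect is ever seen. The SAN list and redirect table below are constructed for illustration, not taken from the real lichproject.org certificate or server config.

```python
from typing import Iterable

# Constructed SAN list standing in for the lichproject.org certificate
# (assumption: it covers exactly these names and not the old shops.* one).
CERT_SANS = ["ps.lichproject.org", "www.lichproject.org"]

# Constructed HTTP-level redirect table; a web server can only apply it
# after the TLS handshake has already succeeded.
REDIRECTS = {"shops.lichproject.org": "ps.lichproject.org"}


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: case-insensitive, and a '*' may only
    stand for the whole leftmost label (never matches across a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # *.example.org matches a.example.org but not example.org or a.b.example.org
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def handshake_ok(hostname: str, sans: Iterable[str] = CERT_SANS) -> bool:
    """True if the client would accept the certificate for this hostname."""
    return any(san_matches(s, hostname) for s in sans)


def https_request(hostname: str) -> str:
    """Simulate the order of operations for an https:// request:
    certificate name check first, HTTP redirect only afterwards."""
    if not handshake_ok(hostname):
        return f"TLS error: certificate does not cover {hostname}"
    target = REDIRECTS.get(hostname)
    if target:
        return f"301 -> https://{target}/"
    return "200 OK"


if __name__ == "__main__":
    for name in ("shops.lichproject.org", "ps.lichproject.org"):
        print(name, "=>", https_request(name))
```

The fix on the server side is a certificate whose SAN list also covers the old hostname; the redirect alone cannot help because the browser never gets that far.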

m444w
06-02-2015, 10:48 PM
I think something is fucked up with his CA bundle.

cURL didn't even like it when we were attempting to debug.

Tillmen
06-02-2015, 11:15 PM
Can you post the error message or give me anything to go on? Everything seems to work fine for me no matter what I use.

m444w
06-03-2015, 05:41 PM
Can you post the error message or give me anything to go on? Everything seems to work fine for me no matter what I use.


curl -v https://www.lichproject.org
* Rebuilt URL to: https://www.lichproject.org/
* Hostname was NOT found in DNS cache
* Trying 198.50.233.130...
* connect to 198.50.233.130 port 443 failed: Connection timed out
* Failed to connect to www.lichproject.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.lichproject.org port 443: Connection timed out

Tillmen
06-03-2015, 06:00 PM
That doesn't appear to have anything to do with SSL. Kinda looks like a firewall issue, or if you were spamming the server or doing other funny business, the server could just be ignoring you.

Buckwheet
06-03-2015, 06:01 PM
I think Tillmen and I got it figured out. I was able to connect now. I will see what happens when it switches to another machine.


That doesn't appear to have anything to do with SSL. Kinda looks like a firewall issue, or if you were spamming the server or doing other funny business, the server could just be ignoring you.

I love to do funny business with your server.