Question about this site/forum server

This area is for discussions that do not fit into the formal firearms discussions of the website. Common sense and non-controversial contributions are expected. Certain topics are forbidden. See the forum rules for more details.

Moderators: Chuck, Mustang380gal, Coordinators, Moderators

AlanM
Posts: 9435
Joined: Mon Jul 04, 2005 1:38 am
Location: Was Stow, OH now Charlottesville, VA

Question about this site/forum server

Post by AlanM »

Any idea why Chrome is indicating that this URL and site is not secure?
All other forums I frequent show a url prefix of "https://".
This one doesn't.
AlanM
There are no dangerous weapons; there are only dangerous men. - RAH
Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use in that order.
If you aren't part of the solution, then you obviously weren't properly dissolved.
ArmedAviator
Posts: 1191
Joined: Wed Jul 18, 2012 5:59 pm
Contact:

Re: Question about this site/forum server

Post by ArmedAviator »

It costs money to get a properly signed SSL certificate. Each domain requires its own. They go from $45/yr and up generally. In addition to the immediate cost of the certificate, depending on server hardware performance, encryption also utilizes more CPU processing (although with modern CPUs, it's negligible).

An SSL certificate is really needed for two things: 1) payment processing 2) any other sensitive information being transported between server and client. Forums are generally in neither category. With that said, every time you login, your password is sent unencrypted to the server for verification. This is one reason why you should always use different passwords on each website.

Since Snowden showed the world what NSA/CIA/alphabet soup does with intercepting all information transmitted on the internet, it has become commonplace to have as many websites as possible switch to encrypted SSL (HTTPS) to limit Big Brother's insight into our daily lives. But that's still only a bandaid on a gunshot wound.
Good luck and stand fast, true Patriots.
TDwin
rimfireOH
OFCC Member
Posts: 420
Joined: Fri Dec 27, 2013 9:49 am
Location: NE Ohio

Re: Question about this site/forum server

Post by rimfireOH »

The Let's Encrypt people are working toward lowering that barrier.

Worth looking into.
sodbuster95
OFCC Patron Member
Posts: 6954
Joined: Mon Dec 01, 2008 5:14 pm
Location: Maumee
Contact:

Re: Question about this site/forum server

Post by sodbuster95 »

rimfireOH wrote:The Let's Encrypt people are working toward lowering that barrier.

Worth looking into.
I've been using Let's Encrypt for some time now. It works very well, is fairly easy to implement (depending on your platform, of course), and the price is right (free, including for commercial use). The downside is that they must be renewed every 90 days versus multi-year certificates from more "main-line" vendors (which obviously cost quite a bit more). However, there are ways to enable auto-renew (also depending on platform).
NRA Benefactor Life Member

Information posted in these forums is my personal opinion only. It is not intended, nor should it be construed, as legal advice.
techguy85
Posts: 1332
Joined: Mon Jul 16, 2012 8:55 am
Location: Columbus

Re: Question about this site/forum server

Post by techguy85 »

sodbuster95 wrote:
rimfireOH wrote:The Let's Encrypt people are working toward lowering that barrier.

Worth looking into.
I've been using Let's Encrypt for some time now. It works very well, is fairly easy to implement (depending on your platform, of course), and the price is right (free, including for commercial use). The downside is that they must be renewed every 90 days versus multi-year certificates from more "main-line" vendors (which obviously cost quite a bit more). However, there are ways to enable auto-renew (also depending on platform).
Yes, also, Letsencrypt certs are trusted by most browsers these days. I use a script to automatically renew my certificates in advance of them expiring.
I would think adding SSL/TLS to this site wouldn't be too much work, certainly if it is on its own VM like I think someone told me it was, it should be doable.

As for the OP's question, Chrome has started to warn about any site without an encrypted connection with their latest release. As someone above mentioned, the forum is not encrypted so your password is sent in cleartext, unless the login page itself has SSL. (haven't checked) So yes, it is good practice to use a different password on every site, but especially with a login that isn't encrypted in transit.
If I'm not mistaken the main OFCC site is encrypted, or at least the payment accepting parts are.
AlanM
Posts: 9435
Joined: Mon Jul 04, 2005 1:38 am
Location: Was Stow, OH now Charlottesville, VA

Re: Question about this site/forum server

Post by AlanM »

Well, that's convinced me to change my password from an easy to remember text string to a 12 character random string generated by LastPass.
AlanM
There are no dangerous weapons; there are only dangerous men. - RAH
Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use in that order.
If you aren't part of the solution, then you obviously weren't properly dissolved.
JustaShooter
OFCC Coordinator
Posts: 5800
Joined: Thu Feb 07, 2013 3:08 pm
Location: Akron/Canton Area

Re: Question about this site/forum server

Post by JustaShooter »

AlanM wrote:Well, that's convinced me to change my password from an easy to remember text string to a 12 character random string generated by LastPass.
Since the password is sent in the clear for this forum, it won't matter. What matters is that you don't use the same password elsewhere. Oh, and good choice using LastPass - great tool, and I especially like its security checkup that makes sure you aren't sharing passwords and evaluates their strength.
Christian, Husband, Father
NRA Life Member
NRA Certified Range Safety Officer
NRA Certified Pistol & Rifle Instructor

Want to become more active with OFCC and help fight for your rights? Click Here!
JEaton
Posts: 518
Joined: Mon Jul 04, 2005 8:51 am
Location: SW Ohio
Contact:

Re: Question about this site/forum server

Post by JEaton »

Along these lines, the site https://haveibeenpwned.com/ is good to monitor if your accounts have been exposed in any corporate hacks.

JLE
WhyNot
OFCC Member
Posts: 1221
Joined: Tue Dec 18, 2012 8:23 am
Location: NW Ohio

Re: Question about this site/forum server

Post by WhyNot »

Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?
Acquisitions thus far:

-Slingshot
-Butter knife
-Soda straw and peas
-Sharpened pencil
-Newspaper roll
--water balloon (*diversionary*)

Yeah, I'm that good
JustaShooter
OFCC Coordinator
Posts: 5800
Joined: Thu Feb 07, 2013 3:08 pm
Location: Akron/Canton Area

Re: Question about this site/forum server

Post by JustaShooter »

WhyNot wrote:Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?
Relax.

First, anyone can already observe, follow, and copy everything you post here. Nothing is secret. So, at most someone could pretend to be you on the forums. Something that, I might add, has never happened.

Second, it's pretty difficult to take advantage of the situation. One of three things has to happen for someone to be able to see the plaintext password:

1: Your device is compromised - in which case they can get your password regardless of how the site is set up (and you have way bigger problems than someone being able to post to the forums as you.)

2: The OFCC forum server is compromised - in which case, again, there are bigger problems than someone being able to post as you.

3: You are subjected to a "man in the middle" attack, where either a machine between your device and the OFCC server is compromised, or you log in to OFCC while on an unsecured network that has been compromised.

#3 is pretty difficult to pull off. You are *way* more likely to have your device compromised.

In any case, if a miscreant does manage to grab your login credentials, they aren't going to play around with your account here. No, they are going to either try that login combination on more interesting online services like your bank, your credit card provider, etc., or they are going to sell it for a few cents along with a bunch of other credentials to someone else who will do that.

So be sure you aren't using the same login credentials on multiple accounts. Use a VPN when connecting to an unsecured WiFi connection. Practice safe computing and protect your device. There, now the chances of a compromise to your account are vanishingly small.

Yes, OFCC should implement HTTPS for the forums since it is a potential issue and is the standard practice today. However, that takes someone with the skills and ability - but most importantly, time - to make the change. You may have noticed that we are an all-volunteer organization - every one of us gives of our personal time after work and family obligations. To be honest, we have a lot of things that are higher priorities that we need to be focused on with those limited resources. Is there someone here who is willing to volunteer their time and skills to implement that change?
Christian, Husband, Father
NRA Life Member
NRA Certified Range Safety Officer
NRA Certified Pistol & Rifle Instructor

Want to become more active with OFCC and help fight for your rights? Click Here!
ArmedAviator
Posts: 1191
Joined: Wed Jul 18, 2012 5:59 pm
Contact:

Re: Question about this site/forum server

Post by ArmedAviator »

JustaShooter wrote:3: You are subjected to a "man in the middle" attack, where either a machine between your device and the OFCC server is compromised, or you log in to OFCC while on an unsecured network that has been compromised.

#3 is pretty difficult to pull off. You are *way* more likely to have your device compromised.
I disagree. This is ridiculously easy to pull off provided the blackhat is on the same network as the victim. Wireshark can get a submitted password easily and quickly. It's most common on "Open" WiFi networks because anybody can connect. Even if they are not "Open," if the WiFi password/code is shared to others, anyone else connected has the potential to see your traffic unencrypted (unless HTTPS/SSL/TLS is used by you to connect to the remote server).
JustaShooter wrote:So be sure you aren't using the same login credentials on multiple accounts. Use a VPN when connecting to an unsecured WiFi connection. Practice safe computing and protect your device. There, now the chances of a compromise to your account are vanishingly small.
These are the best two recommendations for online security that sooooo many people overlook. Private Internet Access (PIA) is my preferred VPN provider, but there are others. Pro-tip, use it on phone, laptop, etc. anytime you're on public WiFi, and use it on your whole house internet, even. It takes some special skill to do the latter, however - some services (i.e. Netflix) do not work with it and need workarounds.
JustaShooter wrote:Yes, OFCC should implement HTTPS for the forums since it is a potential issue and is the standard practice today. However, that takes someone with the skills and ability - but most importantly, time - to make the change. You may have noticed that we are an all-volunteer organization - everyone of us gives of our personal time after work and family obligations. To be honest, we have a lot of things that are higher priorities that we need to be focused on with those limited resources. Is there someone here who is willing to volunteer their time and skills to implement that change?
I'd be happy to help. I'm fairly well versed with Nginx, Apache, Lighttpd, and HAProxy and the Linux, Solaris, and BSD operating systems.
Good luck and stand fast, true Patriots.
TDwin
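As an added example (not configuration from OFCC or from anyone in this thread), this is roughly what the change discussed above looks like on an Nginx front end with a Let's Encrypt certificate. It covers both the HTTPS switch ArmedAviator offers to help with and the automatic renewal sodbuster95 and techguy85 describe. The host name forum.example.org, the webroot directory and the upstream address 127.0.0.1:8080 are placeholders; the certificate paths are the ones certbot writes by default.

```nginx
# Plain-HTTP listener: serve only the ACME challenge (so certbot can
# renew over port 80) and send every other request to HTTPS.
server {
    listen 80;
    server_name forum.example.org;          # placeholder, not the real host

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;          # placeholder webroot given to certbot --webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener for the forum itself.
server {
    listen 443 ssl;
    server_name forum.example.org;          # placeholder

    # Files certbot creates; fullchain.pem carries the intermediate so
    # browsers can build the chain without extra downloads.
    ssl_certificate     /etc/letsencrypt/live/forum.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Add only after every page loads cleanly over HTTPS: browsers will
    # then refuse plain HTTP for this host for six months.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder: where the forum application listens
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The certificate is issued once with `certbot certonly --webroot -w /var/www/letsencrypt -d forum.example.org`, and the 90-day expiry is handled by a daily cron entry such as `0 3 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"`; `certbot renew` only replaces certificates that are within 30 days of expiring, so running it every day is harmless. Two checks after the switch: `curl -I http://forum.example.org/` should answer with a 301 to the https:// URL, and the forum's configured base URL must be changed so that the login form posts to https://, otherwise the password still crosses the network in the clear, which is exactly the case techguy85 raised above.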
JEaton
Posts: 518
Joined: Mon Jul 04, 2005 8:51 am
Location: SW Ohio
Contact:

Re: Question about this site/forum server

Post by JEaton »

ArmedAviator wrote:Private Internet Access (PIA) is my preferred VPN provider, but there are others. Pro-tip, use it on phone, laptop, etc. anytime you're on public WiFi, and use it on your whole house internet, even. It takes some special skill to do the latter, however - some services (i.e. Netflix) do not work with it and need work arounds.
ArmedAviator
Have you found some of the PIA server IPs banned on this forum or other sites? I run into that occasionally.

JLE
ArmedAviator
Posts: 1191
Joined: Wed Jul 18, 2012 5:59 pm
Contact:

Re: Question about this site/forum server

Post by ArmedAviator »

JEaton wrote:Have you found some of the PIA server IPs banned on this forum or other sites? I run into that occasionally.
In a very select few sites, yes. I've never had a banned IP problem on any websites I frequent, such as OFCC sites/forums.


If you have some intelligent router or software that can route for you on your device, you can get around this by sending traffic to those websites through normal ISP traffic and not the VPN. I take care of this via firewall rules on my pfSense firewall. pfSense acts as my VPN client with PIA so all traffic is encrypted at that exit point for all of my devices at home. The only two things I've found I need to set up these workarounds for are Netflix (port 443 to specific devices such as smart TVs - Netflix's network IP ranges vary drastically so I can't do it by destination address) and some email servers (SMTP port 25), but this can usually be specified with a destination address.
Good luck and stand fast, true Patriots.
TDwin
techguy85
Posts: 1332
Joined: Mon Jul 16, 2012 8:55 am
Location: Columbus

Re: Question about this site/forum server

Post by techguy85 »

I'm also willing to help. My main experience and expertise as it relates to this is in CentOS and Ubuntu / Apache...
bignflnut
Volunteer
Posts: 8135
Joined: Mon Jun 30, 2008 12:14 pm
Location: Under Naybob Tinfoil Bridge
Contact:

Re: Question about this site/forum server

Post by bignflnut »

JustaShooter wrote:
WhyNot wrote:Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?
Relax.

First, anyone can already observe, follow, and copy everything you post here. Nothing is secret. So, at most someone could pretend to be you on the forums. Something that, I might add, has never happened.

Nobody has ever pretended to be me on these forums. :)
“It’s not that we don’t have enough scoundrels to curse; it’s that we don’t have enough good men to curse them.”–G.K. Chesterton-Illustrated London News, 3-14-1908

Republicans.Hate.You. See2020.

"Avarice, ambition, revenge and licentiousness would break the strongest cords of our Constitution, as a whale goes through a net. Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other." John Adams to Mass Militia 10-11-1798