Question about this site/forum server
- AlanM
- Posts: 9435
- Joined: Mon Jul 04, 2005 1:38 am
- Location: Was Stow, OH now Charlottesville, VA
Question about this site/forum server
Any idea why Chrome is indicating that this URL and site is not secure?
All other forums I frequent show a url prefix of "https://".
This one doesn't.
AlanM
There are no dangerous weapons; there are only dangerous men. - RAH
Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use in that order.
If you aren't part of the solution, then you obviously weren't properly dissolved.
-
- Posts: 1191
- Joined: Wed Jul 18, 2012 5:59 pm
- Contact:
Re: Question about this site/forum server
It costs money to get a properly signed SSL certificate. Each domain requires its own. They go from $45/yr and up generally. In addition to the immediate cost of the certificate, depending on server hardware performance, encryption also utilizes more CPU processing (although with modern CPUs, it's negligible).
An SSL certificate is really needed for two things: 1) payment processing 2) any other sensitive information being transported between server and client. Forums are generally in neither category. With that said, every time you login, your password is sent unencrypted to the server for verification. This is one reason why you should always use different passwords on each website.
Since Snowden showed the world what NSA/CIA/alphabet soup does with intercepting all information transmitted on the internet, it has become commonplace to have as many websites as possible switch to encrypted SSL (HTTPS) to limit Big Brother's insight into our daily lives. But that's still only a bandaid on a gunshot wound.
Good luck and stand fast, true Patriots.
TDwin
-
- OFCC Member
- Posts: 420
- Joined: Fri Dec 27, 2013 9:49 am
- Location: NE Ohio
- sodbuster95
- OFCC Patron Member
- Posts: 6954
- Joined: Mon Dec 01, 2008 5:14 pm
- Location: Maumee
- Contact:
Re: Question about this site/forum server
rimfireOH wrote:
The Let's Encrypt people are working toward lowering that barrier.
Worth looking into.

I've been using Let's Encrypt for some time now. It works very well, is fairly easy to implement (depending on your platform, of course), and the price is right (free, including for commercial use). The downside is that they must be renewed every 90 days versus multi-year certificates from more "main-line" vendors (which obviously cost quite a bit more). However, there are ways to enable auto-renew (also depending on platform).
NRA Benefactor Life Member
Information posted in these forums is my personal opinion only. It is not intended, nor should it be construed, as legal advice.
-
- Posts: 1332
- Joined: Mon Jul 16, 2012 8:55 am
- Location: Columbus
Re: Question about this site/forum server
sodbuster95 wrote:
rimfireOH wrote:
The Let's Encrypt people are working toward lowering that barrier.
Worth looking into.
I've been using Let's Encrypt for some time now. It works very well, is fairly easy to implement (depending on your platform, of course), and the price is right (free, including for commercial use). The downside is that they must be renewed every 90 days versus multi-year certificates from more "main-line" vendors (which obviously cost quite a bit more). However, there are ways to enable auto-renew (also depending on platform).

Yes, also, Letsencrypt certs are trusted by most browsers these days. I use a script to automatically renew my certificates in advance of them expiring.
I would think adding SSL/TLS to this site wouldn't be too much work, certainly if it is on its own VM like I think someone told me it was, it should be doable.
As for the OP's question, Chrome has started to warn about any site without an encrypted connection with their latest release. As someone above mentioned, the forum is not encrypted so your password is sent in cleartext, unless the login page itself has SSL. (haven't checked) So yes, it is good practice to use a different password on every site, but especially with a login that isn't encrypted in transit.
If I'm not mistaken the main OFCC site is encrypted, or at least the payment accepting parts are.
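The post above leaves open whether the login page itself is served over SSL. The block below is an added example written for this thread, not code from the forum or from its phpBB software: it audits a page's HTML for forms that carry a password field and would submit over something other than HTTPS, including the cases that are easy to miss when checking by eye: relative actions (which inherit the page's own scheme), protocol-relative `//` actions, and forms with no action attribute at all (which post back to the page). The page URL, hostnames and the HTML are constructed placeholders.

```python
"""Audit an HTML page for login forms that would submit credentials over
plain HTTP.

Added example, not code from the forum or from phpBB. The HTML and the
hostnames below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect every <form>, note whether it contains a password field,
    and resolve its action URL against the URL the page was loaded from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per form: action, has_password
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form with no action attribute posts back to the page itself,
            # so it inherits the page's scheme (http or https).
            raw_action = attrs.get("action") or self.page_url
            self._current = {
                "action": urljoin(self.page_url, raw_action),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return the resolved action URLs of password-carrying forms whose
    submission would not go over https."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [
        f["action"]
        for f in auditor.forms
        if f["has_password"] and urlsplit(f["action"]).scheme != "https"
    ]


# Constructed sample: a forum-style page with a search form and several
# login forms of differing action styles.
PAGE_URL = "http://forum.example.invalid/index.php"   # placeholder host

SAMPLE_HTML = """
<form method="get" action="./search.php">
  <input type="text" name="keywords">
</form>
<form method="post" action="./ucp.php?mode=login">
  <input type="text" name="username">
  <input type="PASSWORD" name="password">
</form>
<form method="post" action="http://forum.example.invalid/legacy_login.php">
  <input type="password" name="password">
</form>
<form method="post" action="https://sso.example.invalid/login">
  <input type="password" name="password" />
</form>
<form method="post" action="//cdn.example.invalid/login">
  <input type="password" name="password">
</form>
<form method="post">
  <input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for scheme in ("http", "https"):
        url = PAGE_URL.replace("http://", scheme + "://", 1)
        print(scheme, "page ->", insecure_login_forms(url, SAMPLE_HTML))
```

Running the same HTML with an `http://` and an `https://` page URL shows the point made in the thread: once the page itself is served over HTTPS, the relative, protocol-relative and action-less forms all become safe automatically, and only a form with a hard-coded `http://` action still needs fixing.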
- AlanM
- Posts: 9435
- Joined: Mon Jul 04, 2005 1:38 am
- Location: Was Stow, OH now Charlottesville, VA
Re: Question about this site/forum server
Well, that's convinced me to change my password from an easy to remember text string to a 12 character random string generated by LastPass.
AlanM
There are no dangerous weapons; there are only dangerous men. - RAH
Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use in that order.
If you aren't part of the solution, then you obviously weren't properly dissolved.
- JustaShooter
- OFCC Coordinator
- Posts: 5805
- Joined: Thu Feb 07, 2013 3:08 pm
- Location: Akron/Canton Area
Re: Question about this site/forum server
AlanM wrote:
Well, that's convinced me to change my password from an easy to remember text string to a 12 character random string generated by LastPass.

Since the password is sent in the clear for this forum, it won't matter. What matters is that you don't use the same password elsewhere. Oh, and good choice using LastPass - great tool, and I especially like its security checkup that makes sure you aren't sharing passwords and evaluates their strength.
Christian, Husband, Father
NRA Life Member
NRA Certified Range Safety Officer
NRA Certified Pistol & Rifle Instructor
Want to become more active with OFCC and help fight for your rights? Click Here!
-
- Posts: 518
- Joined: Mon Jul 04, 2005 8:51 am
- Location: SW Ohio
- Contact:
Re: Question about this site/forum server
Along these lines, the site https://haveibeenpwned.com/ is good to monitor if your accounts have been exposed in any corporate hacks.
JLE
-
- OFCC Member
- Posts: 1224
- Joined: Tue Dec 18, 2012 8:23 am
- Location: NW Ohio
Re: Question about this site/forum server
Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?
Acquisitions thus far:
-Slingshot
-Butter knife
-Soda straw and peas
-Sharpened pencil
-Newspaper roll
--water balloon (*diversionary*)
Yeah, I'm that good
- JustaShooter
- OFCC Coordinator
- Posts: 5805
- Joined: Thu Feb 07, 2013 3:08 pm
- Location: Akron/Canton Area
Re: Question about this site/forum server
WhyNot wrote:
Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?

Relax.
First, anyone can already observe, follow, and copy everything you post here. Nothing is secret. So, at most someone could pretend to be you on the forums. Something that, I might add, has never happened.
Second, it's pretty difficult to take advantage of the situation. One of three things has to happen for someone to be able to see the plaintext password:
1: Your device is compromised - in which case they can get your password regardless of how the site is set up (and you have way bigger problems than someone being able to post to the forums as you.)
2: The OFCC forum server is compromised - in which case, again, there are bigger problems than someone being able to post as you.
3: You are subjected to a "man in the middle" attack, where either a machine between your device and the OFCC server is compromised, or you log in to OFCC while on an unsecured network that has been compromised.
#3 is pretty difficult to pull off. You are *way* more likely to have your device compromised.
In any case, if a miscreant does manage to grab your login credentials, they aren't going to play around with your account here. No, they are going to either try that login combination on more interesting online services like your bank, your credit card provider, etc., or they are going to sell it for a few cents along with a bunch of other credentials to someone else who will do that.
So be sure you aren't using the same login credentials on multiple accounts. Use a VPN when connecting to an unsecured WiFi connection. Practice safe computing and protect your device. There, now the chances of a compromise to your account are vanishingly small.
Yes, OFCC should implement HTTPS for the forums since it is a potential issue and is the standard practice today. However, that takes someone with the skills and ability - but most importantly, time - to make the change. You may have noticed that we are an all-volunteer organization - every one of us gives of our personal time after work and family obligations. To be honest, we have a lot of things that are higher priorities that we need to be focused on with those limited resources. Is there someone here who is willing to volunteer their time and skills to implement that change?
Christian, Husband, Father
NRA Life Member
NRA Certified Range Safety Officer
NRA Certified Pistol & Rifle Instructor
Want to become more active with OFCC and help fight for your rights? Click Here!
-
- Posts: 1191
- Joined: Wed Jul 18, 2012 5:59 pm
- Contact:
Re: Question about this site/forum server
JustaShooter wrote:
3: You are subjected to a "man in the middle" attack, where either a machine between your device and the OFCC server is compromised, or you log in to OFCC while on an unsecured network that has been compromised.
#3 is pretty difficult to pull off. You are *way* more likely to have your device compromised.

I disagree. This is ridiculously easy to pull off provided the blackhat is on the same network as the victim. Wireshark can get a submitted password easily and quickly. It's most common on "Open" WiFi networks because anybody can connect. Even if they are not "Open," if the WiFi password/code is shared to others, anyone else connected has the potential to see your traffic unencrypted (unless HTTPS/SSL/TLS is used by you to connect to the remote server).

JustaShooter wrote:
So be sure you aren't using the same login credentials on multiple accounts. Use a VPN when connecting to an unsecured WiFi connection. Practice safe computing and protect your device. There, now the chances of a compromise to your account are vanishingly small.

These are the best two recommendations for online security that sooooo many people overlook. Private Internet Access (PIA) is my preferred VPN provider, but there are others. Pro-tip, use it on phone, laptop, etc. anytime you're on public WiFi, and use it on your whole house internet, even. It takes some special skill to do the latter, however - some services (i.e. Netflix) do not work with it and need work arounds.

JustaShooter wrote:
Yes, OFCC should implement HTTPS for the forums since it is a potential issue and is the standard practice today. However, that takes someone with the skills and ability - but most importantly, time - to make the change. You may have noticed that we are an all-volunteer organization - everyone of us gives of our personal time after work and family obligations. To be honest, we have a lot of things that are higher priorities that we need to be focused on with those limited resources. Is there someone here who is willing to volunteer their time and skills to implement that change?

I'd be happy to help. I'm fairly well versed with Nginx, Apache, Lighttpd, and HAProxy and the Linux, Solaris, and BSD operating systems.
Good luck and stand fast, true Patriots.
TDwin
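For the volunteers offering to put HTTPS in front of the forum, here is an added example of an Nginx site definition that does what the thread is asking for. It is written for this thread and is not OFCC's configuration: a plain-HTTP listener that only serves Let's Encrypt HTTP-01 challenge files and redirects everything else, plus a TLS listener serving the forum with the certificate files certbot keeps under /etc/letsencrypt/live/. The hostname, document root and PHP-FPM socket path are placeholders.

```nginx
# Added example: HTTP-to-HTTPS front end for a phpBB-style forum on Nginx.
# Hostname, certificate paths, document root and backend socket are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example.invalid;

    # certbot's HTTP-01 challenge must stay reachable over plain HTTP
    # so the 90-day renewals keep working after the redirect is in place.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else is redirected, so the login form never posts over HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name forum.example.invalid;

    # Paths follow certbot's default layout for this hostname.
    ssl_certificate     /etc/letsencrypt/live/forum.example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.invalid/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Ask browsers to use HTTPS for this host from now on (one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/forum;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

With this in place the login form only ever posts over HTTPS and Chrome's "Not secure" marker goes away. The renewal script mentioned earlier in the thread is usually just a scheduled `certbot renew` with a deploy hook that reloads Nginx so the new certificate is picked up. The forum software's own settings (server protocol / base URL and the secure-cookie option) also need switching to HTTPS, otherwise it keeps generating http:// links of its own.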
-
- Posts: 518
- Joined: Mon Jul 04, 2005 8:51 am
- Location: SW Ohio
- Contact:
Re: Question about this site/forum server
ArmedAviator wrote:
Private Internet Access (PIA) is my preferred VPN provider, but there are others. Pro-tip, use it on phone, laptop, etc. anytime you're on public WiFi, and use it on your whole house internet, even. It takes some special skill to do the latter, however - some services (i.e. Netflix) do not work with it and need work arounds.

ArmedAviator,
Have you found some of the PIA server IPs banned on this forum or other sites? I run into that occasionally.
JLE
-
- Posts: 1191
- Joined: Wed Jul 18, 2012 5:59 pm
- Contact:
Re: Question about this site/forum server
JEaton wrote:
Have you found some of the PIA server IPs banned on this forum or other sites? I run into that occasionally.

In a very select few sites, yes. I've never had a banned IP problem on any websites I frequent, such as OFCC sites/forums.
If you have some intelligent router or software that can route for you on your device, you can get around this by sending traffic to those websites through normal ISP traffic and not the VPN. I take care of this via firewall rules on my pfSense firewall. pfSense acts as my VPN client with PIA so all traffic is encrypted at that exit point for all of my devices at home. The only two things I've found I need to set up these workarounds for are Netflix (port 443 to specific devices such as smart TVs - Netflix's network IP ranges vary drastically, so it can't be done by destination address) and some email servers (SMTP port 25), but this can usually be specified with a destination address.
Good luck and stand fast, true Patriots.
TDwin
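The pfSense arrangement described above (a streaming device's port 443 traffic and SMTP to a known mail server routed past the VPN, everything else from the LAN into it) comes down to an ordered rule list where the first match decides the gateway. The block below is an added example written for this thread, not pfSense code or configuration: it models that first-match evaluation in Python and also flags the classic mistake of placing the catch-all rule ahead of its exceptions, which silently makes them unreachable. The LAN range, the device address, the mail-server address and the rule set are all constructed placeholders.

```python
"""Evaluate policy-routing rules the way a firewall such as pfSense does:
rules are checked in order and the first match decides which gateway (the
VPN tunnel or the plain ISP link) a new connection leaves through.

Added example written for this thread; it is not pfSense code. The LAN
range, device address, mail-server address and rule set are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    gateway: str                   # "VPN" or "WAN"
    src: Optional[str] = None      # source network in CIDR form, None = any
    dst: Optional[str] = None      # destination network, None = any
    proto: Optional[str] = None    # "tcp" / "udp", None = any
    dport: Optional[int] = None    # destination port, None = any
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            (self.src is None or ip_address(src_ip) in ip_network(self.src))
            and (self.dst is None or ip_address(dst_ip) in ip_network(self.dst))
            and (self.proto is None or self.proto == proto)
            and (self.dport is None or self.dport == dport)
        )

    def covers(self, other: "Rule") -> bool:
        """True when every connection `other` could match also matches self,
        i.e. placing self before `other` makes `other` unreachable."""
        def net_covers(mine, theirs):
            if mine is None:
                return True
            return theirs is not None and ip_network(theirs).subnet_of(ip_network(mine))
        return (
            net_covers(self.src, other.src)
            and net_covers(self.dst, other.dst)
            and (self.proto is None or self.proto == other.proto)
            and (self.dport is None or self.dport == other.dport)
        )


# Constructed rule set mirroring the arrangement described in the thread:
# exceptions first, then everything else from the LAN goes through the VPN.
RULES: List[Rule] = [
    # Streaming box: the provider's address ranges change too often to list,
    # so the exception is keyed on the source device and port instead.
    Rule("WAN", src="192.168.1.50/32", proto="tcp", dport=443,
         note="smart TV HTTPS bypasses VPN"),
    # Outbound SMTP to one known mail server can be matched by destination.
    Rule("WAN", src="192.168.1.0/24", dst="203.0.113.10/32", proto="tcp", dport=25,
         note="SMTP to mail host bypasses VPN"),
    # Catch-all: every other LAN connection enters the tunnel.
    Rule("VPN", src="192.168.1.0/24", note="default LAN -> VPN"),
]


def select_gateway(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation; a connection no rule claims is dropped."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.gateway
    return "DROP"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [
        j for j in range(len(rules))
        if any(rules[i].covers(rules[j]) for i in range(j))
    ]


if __name__ == "__main__":
    for flow in [("192.168.1.50", "198.51.100.7", "tcp", 443),   # TV -> streaming
                 ("192.168.1.20", "198.51.100.7", "tcp", 443),   # laptop -> same host
                 ("192.168.1.20", "203.0.113.10", "tcp", 25)]:   # laptop -> SMTP
        print(flow, "->", select_gateway(RULES, *flow))
    print("shadowed in correct order:", shadowed_rules(RULES))
    print("shadowed with catch-all first:", shadowed_rules([RULES[2], RULES[0], RULES[1]]))
```

The `shadowed_rules` check is the part worth keeping around: pfSense evaluates rules top-down, so dragging the catch-all VPN rule above the Netflix or SMTP exception does not produce an error, the exceptions just stop applying and that device's traffic quietly goes back into the tunnel.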
-
- Posts: 1332
- Joined: Mon Jul 16, 2012 8:55 am
- Location: Columbus
Re: Question about this site/forum server
I'm also willing to help. My main experience and expertise as it relates to this is in CentOS and Ubuntu / Apache...
-
- Volunteer
- Posts: 8135
- Joined: Mon Jun 30, 2008 12:14 pm
- Location: Under Naybob Tinfoil Bridge
- Contact:
Re: Question about this site/forum server
JustaShooter wrote:
WhyNot wrote:
Sooo, we have a prominent firearms website where individuals can be imitated, observed, followed; copied. In what way does this end good again please?
Relax.
First, anyone can already observe, follow, and copy everything you post here. Nothing is secret. So, at most someone could pretend to be you on the forums. Something that, I might add, has never happened.

Nobody has ever pretended to be me on these forums.
“It’s not that we don’t have enough scoundrels to curse; it’s that we don’t have enough good men to curse them.”–G.K. Chesterton-Illustrated London News, 3-14-1908
Republicans.Hate.You. See2020.
"Avarice, ambition, revenge and licentiousness would break the strongest cords of our Constitution, as a whale goes through a net. Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other." John Adams to Mass Militia 10-11-1798