
This site's connection is not safe?


Temeter


3 minutes ago, Temeter said:

Been getting a warning from Firefox that this site's connection isn't safe? It's not been there in the past, what's happened?

As there is (AFAIK) no SSL version of this site (on that: why? It's 2017 already), and therefore no cert to complain about, I assume you have recently upgraded Firefox and are seeing the latest feature that nobody wanted: bugging you about entering logins on unencrypted sites. Ignore it. If it annoys you, disable it by setting "security.insecure_field_warning.contextual.enabled" to false in about:config.
This nagging nanny krakens is getting out of hand, and as such I have recently ditched Firefox for Pale Moon, a fork from before things got silly.


6 minutes ago, Temeter said:

So it's Firefox showing a warning now? I see.

If it's the one I think it is (annoying box under the login text field), yes.
IMO there's no valid excuse for this forum not running SSL, but so long as you don't re-use passwords or enter any really sensitive data here, there's no reason for the enforced paranoia. Who's going to man-in-the-middle your connection to a game forum anyway?

Edited by steve_v

8 minutes ago, steve_v said:

If it's the one I think it is (annoying box under the login text field), yes.
IMO there's no valid excuse for this forum not running SSL, but so long as you don't re-use passwords or enter any really sensitive data here, there's no reason for the enforced paranoia. Who's going to man-in-the-middle your connection to a game forum anyway?

That's the one I noticed at first, but I was more talking about the normal warning right of the task bar. Didn't know this site never used SSL.

You can just hope Squad is making regular backups...

Edited by Temeter

8 minutes ago, Temeter said:

You can just hope Squad is making regular backups...

It's not a case of SQUAD losing stuff; not using SSL just means that any data transferred between your browser and the forum server is unencrypted, so theoretically someone could snoop on it. Theoretically.
Not using SSL is pretty lame in this day and age; certificates can be had for free, and the only reason I can think of is that somebody is too cheap to get a server that can handle the encryption overhead. Hell, I run SSL on my ancient (2008) web server box; it's not hard.

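To make the "someone could snoop on it" point concrete, here is an added example (not code from the forum or from Invision) that parses a login request the way it appears on the wire over plain HTTP and pulls out what an on-path observer gets for free. The request, the field names and the cookie names are constructed for illustration; they are not the real forum's.

```python
"""Parse a captured plaintext HTTP login request and show what an on-path
observer gets for free when a forum runs without SSL/TLS.

Added example, not code from the forum or its software. The request below is
constructed: the field and cookie names are hypothetical, not the real
forum's, and no real capture was used."""
from urllib.parse import parse_qs

# Constructed sample of a login POST as it appears on the wire over plain HTTP.
SAMPLE_REQUEST = (
    b"POST /login/ HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Cookie: member_id=12345; login_key=0123456789abcdef\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"auth=moderator&password=hunter2%21&remember_me=1"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body.
    Header names are lower-cased; the body is truncated to Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_cookies(header_value: str) -> dict:
    """Turn a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def extract_secrets(raw: bytes) -> dict:
    """Return the form fields and cookies readable in a plaintext request.

    Over HTTP all of this is visible to anyone on the path (a shared Wi-Fi
    access point, the ISP, a compromised router). The cookies matter as much
    as the password: replaying them hijacks the session without a login."""
    req = parse_http_request(raw)
    secrets = {"form": {}, "cookies": {}}
    content_type = req["headers"].get("content-type", "")
    if req["method"] == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
        secrets["form"] = {name: values[0] for name, values in fields.items()}
    secrets["cookies"] = parse_cookies(req["headers"].get("cookie", ""))
    return secrets


if __name__ == "__main__":
    found = extract_secrets(SAMPLE_REQUEST)
    for kind, items in found.items():
        for name, value in items.items():
            print(f"{kind:8s} {name} = {value}")
```

The same parsing works on the payload of any captured TCP stream to port 80; over TLS the observer sees only the server name (via SNI) and ciphertext, which is the whole difference the thread is arguing about.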

3 hours ago, steve_v said:

Who's going to man-in-the-middle your connection to a game forum anyway?

Answer: the folks who hope that, like an awful lot of people on the Internet (probably the large majority, actually), you will

3 hours ago, steve_v said:

re-use passwords

^ that.

Seriously, folks, don't re-use passwords in general, and especially don't re-use any password that you have ever used on a site that's not SSL (such as this forum).

Yes, that's a hassle, which is why so many people re-use passwords.  But you really don't want to be in a place where someone has broken into something that you really care about because you used the same password on a little game forum.


And you can't overtrust SSL either. Storing plaintext passwords in the backend DB still happens on some websites today, and that is irrelevant to what protocol the server and client communicate over.

Well, I admit it's a little bit off topic...


9 hours ago, Snark said:

Seriously, folks, don't re-use passwords in general, and especially don't re-use any password that you have ever used on a site that's not SSL (such as this forum).

Yes, this. Though it's still far more likely that one of the sites you use has its database stolen than your cleartext login getting filched off the wire. It has happened to some big players (*cough* Yahoo!) and it will happen again.
Just remember that anything you post to some server on the internet is on some server you know nothing about. Security there may be questionable or non-existent. Assume the worst.


It shows up in Chrome too. I'm not sure how I've not seen that before... HTTPS Everywhere please?

10 minutes ago, steve_v said:

...
Security there may be questionable or non-existant. Assume the worst.

I assume the worst, but I really like KSP and the community, I would have expected Squad to do a little bit better on the security side of their public website. We have to push the internet to more security.

Edited by jwalker343

And in Jesus' name, don't ever use passwords that are a copy of your login name....

Me: you want my help with upgrading your PC? (family)

Fam: Yes, but there is an Admin installed; I use a Ghost account.

Me: password?

Fam: Admin, I don't know; mine is Ghost because cool name..

Me: facepalm... Admin password from the store's first install: 12345....

I think I am a hacker man....

Funny kabooms

Urses

PS: we don't only have to push the Internet to more awareness, we need to begin with the users around us.


  • 2 weeks later...

It's a lot worse than people on this thread have made out.

If J. Random Troll from somewhere like 4chan wanted to, they could do an enormous amount of damage to the forums. And it's entirely because of the lack of login security.
Any half-decent script kiddie could capture a mod's or admin's credentials, log in as them, and use the moderator/admin powers to completely trash the place, and that admin's reputation.

If, for example, they stole @Snark's, @sal_vager's, or some other high-ranking member's login, all the damage done by J. Random Troll is going to look exactly like it was done by the legitimate owner of that name.

Not a wonderful outcome, even if all the lost/defaced threads are recovered from backup.


  • 2 weeks later...

This is because the encryption certificate was issued for "kerbalspaceprogram.com" not ".kerbalspaceprogram.com"  Note the missing dot at the beginning.  This means that browsers will only consider the certificate valid for "kerbalspaceprogram.com" and not sites like "forum.kerbalspaceprogram.com" or "bugs.kerbalspaceprogram.com". 

The certificate still works and your connection is still secure, it is just listed that the browser doesn't know that it's for this site.   It is perfectly fine to just add an exception in your browser. 

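The name-mismatch behaviour described in the post follows from how browsers match a certificate's names against the hostname: a certificate for the bare domain does not cover its subdomains, and a wildcard entry (conventionally written "*.kerbalspaceprogram.com" rather than ".kerbalspaceprogram.com") covers exactly one label below it and not the bare domain itself. The following is an added example of those matching rules, not browser or forum code; the certificate name lists are constructed from the post's description.

```python
"""Check whether the names in a certificate cover a hostname, using the
wildcard rules browsers apply (RFC 6125 section 6.4.3, RFC 2818).

Added example, not the forum's or a browser's code. The certificate name
lists below are constructed from the post's description; the conventional
spelling of a wildcard entry is "*.example.com", not ".example.com"."""


def name_matches_host(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname or not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Browser rules: the wildcard must be the whole leftmost label, there must
    # be at least two more labels (so "*.com" is rejected), and it covers exactly
    # one label, so "*.example.com" matches "a.example.com" but neither
    # "example.com" nor "a.b.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers_host(cert_names, hostname: str) -> bool:
    """cert_names: the certificate's dNSName SAN entries (browsers ignore the
    CN when a SAN extension is present). True if any entry matches."""
    return any(name_matches_host(n, hostname) for n in cert_names)


# Constructed examples based on the post: a cert for the bare domain only,
# a wildcard-only cert, and the SAN list that actually covers both.
APEX_ONLY = ["kerbalspaceprogram.com"]
WILDCARD_ONLY = ["*.kerbalspaceprogram.com"]
APEX_AND_WILDCARD = ["kerbalspaceprogram.com", "*.kerbalspaceprogram.com"]


def report(cert_names, hosts):
    """Return {host: covered} for a list of hosts against one certificate."""
    return {h: cert_covers_host(cert_names, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["kerbalspaceprogram.com", "forum.kerbalspaceprogram.com",
             "bugs.kerbalspaceprogram.com", "a.forum.kerbalspaceprogram.com"]
    for label, names in [("apex only", APEX_ONLY), ("wildcard only", WILDCARD_ONLY),
                         ("apex + wildcard", APEX_AND_WILDCARD)]:
        print(label, report(names, hosts))
```

To see which names a live server actually presents, `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -text` and look under "Subject Alternative Name". One caveat on the advice to "just add an exception": a name mismatch looks identical whether the site operator installed the wrong certificate or someone on the path is presenting a certificate they hold for a different name, so the exception removes the very check that would distinguish the two.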

10 minutes ago, Ruedii said:

The certificate still works and your connection is still secure, it is just listed that the browser doesn't know that it's for this site.

Eh? No SSL here. What's cert domains got to do with anything if the site doesn't use SSL?


Just now, Frybert said:

The forum has now, and has for a while, a lot of shortcomings.

Hence why I wish I could help. I know my efforts would be a drop of water in the ocean, but at least I can say "I tried". But I feel I'm rambling and whatnot.


6 hours ago, Frybert said:

The forum has now, and has for a while, a lot of shortcomings.

It boggles my mind that we still don't have SSL on the forums. It's not like certificates are hard to come by, all I can assume is that no-one with the power to fix this actually cares...
The supposed motivation for moving to IPS was security, and yet "security: step one, use SSL" is still unimplemented. :confused:


On 4/29/2017 at 1:00 PM, Frybert said:

In my experience the site is laughably insecure. And that's the least of its problems.

Most forum software is horribly insecure, and full of zero-day vulnerabilities to various URL-based hacks.

They are far from secure.  I wouldn't recommend doing any secure transactions over them.


This looks like on-premises Invision Forum software. If this were a hosted forum, Invision would have offered a free certificate as the user base is larger than 200 users.

For on-premises sites though, it just seems to be a matter of putting a cert on the web server and turning SSL on in the forum panel. However, this will likely cause more browser complaints with the embedded pictures a lot of users use, including myself, that come from non-SSL servers. Maybe this was a design decision to allow imgur and other image sites to work here.


On 04/05/2017 at 2:13 AM, Gordon Fecyk said:

it just seems to be a matter of putting a cert on the web server and turning SSL on in the forum panel.

Yup, it is that easy. I'm at a bit of a loss as to why Squad still hasn't flipped that switch, especially considering the switch to IPS was (supposedly) for security enhancements in the first place...
 

On 04/05/2017 at 2:13 AM, Gordon Fecyk said:

However, this will likely cause more browser complaints with the embedded pictures a lot of users use, including myself, that come from non-SSL servers. Maybe this was a design decision to allow imgur and other image sites to work here.

Imgur has SSL.
So does my preferred image host, postimg.org.
So does YouTube.
So does DeviantArt.
So does <insert sensible, security-conscious image host>...

For all of the above, and pretty much every other image host out there, simply sed -e 's/http:/https:/g'

In fact, I don't see any images here that aren't hosted on SSL-capable sites.
Sure, many of them are posted as http links, but the forum software mangles links for you already; it'd be a trivial change to have it auto-fix http links that have a known https variant.
Even if this is "too hard" (as usual around here it seems) :rolleyes:, leaving the links / embedded images as-is and getting the odd "partially secure" warning is still much better than no encryption at all.

Got any more excuses for Squad not implementing SSL, like a sane person would?

Edited by steve_v
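The blanket `sed -e 's/http:/https:/g'` above works for the hosts named in the post but would break any embedded image whose host does not actually serve HTTPS, so the "auto-fix links with a known https variant" idea needs an allowlist. Here is an added example of that (not the forum software's own link handling): it rewrites http:// links and image sources only for hosts on a list known to serve the same content over TLS, and reports whatever it left alone, which is exactly what the browser would later flag as mixed content. The allowlist is built from the hosts the post names and the sample markup is constructed.

```python
"""Upgrade http:// links and image sources to https:// only for hosts known
to serve the same content over TLS, and list whatever is left so it can be
dealt with instead of silently becoming mixed content.

Added example of the "auto-fix http links that have a known https variant"
idea, not the forum software's own link handling. The allowlist and sample
markup are constructed; the hosts come from the ones named in the thread."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist. Subdomains of each entry are accepted too. In a real
# deployment each host would be verified (fetch over https, compare bodies)
# before going on the list; a wrong entry produces broken images, not a leak.
KNOWN_HTTPS_HOSTS = {"imgur.com", "postimg.org", "youtube.com", "deviantart.com"}

# Matches src="http://..." / href='http://...' attributes; https:// does not match.
URL_ATTR = re.compile(
    r'''(?P<attr>\b(?:src|href)=)(?P<q>["'])(?P<url>http://[^"'\s>]+)(?P=q)''',
    re.IGNORECASE,
)


def host_is_known(host: str) -> bool:
    """True if host is an allowlisted host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in KNOWN_HTTPS_HOSTS or any(
        host.endswith("." + known) for known in KNOWN_HTTPS_HOSTS)


def upgrade_url(url: str):
    """Return (new_url, changed). Only plain http on the default port for a
    known host is rewritten; anything else is returned untouched."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:            # malformed port: leave the URL alone
        return url, False
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url, False
    if port not in (None, 80) or not host_is_known(parts.hostname):
        return url, False
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True


def upgrade_markup(html: str):
    """Rewrite eligible URLs in the markup; return (new_html, [(old, new), ...])."""
    changes = []

    def replace(match):
        new_url, changed = upgrade_url(match.group("url"))
        if changed:
            changes.append((match.group("url"), new_url))
        return match.group("attr") + match.group("q") + new_url + match.group("q")

    return URL_ATTR.sub(replace, html), changes


def remaining_http_urls(html: str):
    """http:// URLs still present, i.e. what would show up as mixed content."""
    return [m.group("url") for m in URL_ATTR.finditer(html)]


# Constructed sample post body.
SAMPLE_POST = (
    '<p><img src="http://i.imgur.com/abc123.png"> '
    '<a href="http://www.youtube.com/watch?v=x">clip</a> '
    '<img src="http://images.unknown-host.example/pic.jpg"> '
    '<img src="https://i.imgur.com/already.png"></p>'
)

if __name__ == "__main__":
    new_html, changes = upgrade_markup(SAMPLE_POST)
    for old, new in changes:
        print(f"{old} -> {new}")
    print("still http:", remaining_http_urls(new_html))
```

Hosts with a non-default port are deliberately skipped, since nothing says the same service listens for TLS on some other port, and an unknown host is left as http so the browser's "partially secure" indicator still tells the truth rather than showing a broken image.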

Nope @steve_v, just trying to guess the webmaster's thinking when they set this site up. This place isn't the only one; the natives over at RationalWiki complain similarly. As they should; anything accepting passwords should be over HTTPS.

I'm still trying to fix my own site; either I use my internal certificate authority that no one else trusts, or somehow make Let's Encrypt work on IIS so the auto-renewal works. There is an implementation of Let's Encrypt for Windows that works though, so it's only a matter of time.
