The 2014 Corvette Stingray Forum
Old 09-26-2017, 07:13 PM   #1
Risky Justice
 
 
Drives: 2016 Camaro 2SS M6
Join Date: Jan 2017
Location: Panama City, FL
Posts: 217
SSL

Why not enable SSL for the forums? Passwords aren't secure without it, and it would only be $10 a year. More to secure the Camaro5 forums and stuff though...
__________________
‘16 Camaro 2SS M6 - RotoFab CAI, Soler Performance TB, E85
8.102 @ 89.85 MPH (bone stock)
Old 10-30-2017, 08:31 PM   #2
umby24
 
Drives: None
Join Date: May 2017
Location: Texas
Posts: 63
Agreed. Can also use Let's Encrypt and just get some free basic SSL Certs.
__________________
2017 HBM SS 1LE | EE Catch Can | Gm Clear tails | Rotofab CAI | DD Smoked sidemarkers | StainlessWorks Catback
Old 10-30-2017, 08:58 PM   #3
h422694
 
 
Drives: '16 Z06 7 Spd, 2024 High Country HD
Join Date: May 2015
Location: Kansas City area
Posts: 442
Just curious. What is being posted on Camaro / Corvette forums that needs to be secured?
Old 10-30-2017, 09:42 PM   #4
Risky Justice
 
 
Drives: 2016 Camaro 2SS M6
Join Date: Jan 2017
Location: Panama City, FL
Posts: 217
Well, if someone with the expertise wanted to, they could gain access to an administrative account. No password on these forums is secure.
__________________
‘16 Camaro 2SS M6 - RotoFab CAI, Soler Performance TB, E85
8.102 @ 89.85 MPH (bone stock)
Old 10-31-2017, 02:57 AM   #5
h422694
 
 
Drives: '16 Z06 7 Spd, 2024 High Country HD
Join Date: May 2015
Location: Kansas City area
Posts: 442
Really? And if someone actually had the "expertise" you are talking about, SSL wouldn't even slow them up. Think Target, Bank of America, and Experian just to name a few. And those companies spend millions on security, not $10.00.
Old 10-31-2017, 12:00 PM   #6
umby24
 
Drives: None
Join Date: May 2017
Location: Texas
Posts: 63
As I see it, you have two things users would care about, and an additional item for what the administrators will care about.

For the users:
1. Their passwords
Most users have some degree of password reuse between sites. This being the case, as they are transmitting their sensitive password across the wire unencrypted, anyone who happens to be in the path between their computer and the server where camaro6 is hosted now has that person's password in plain. All it takes is a MITM on any one of those nodes (from my location, that's 14 nodes) and your account is compromised, on top of any other sites where you use the same/similar login credentials. That could be a user's bank, email, network, etc.

2. Their private messages

Private messages are supposed to be just that, private. Again through MITM attacks, stealing the creds, or just straight sniffing their traffic on a pub wifi, you have their "private" creds, their "private" messages, all in your hands. This is a simple attack to carry out for pretty much anyone. There are video tutorials all over the place on how to accomplish this.

Administrators:

3. Admin control of Camaro6, Camaro5, Corvette7.
Sniffing the traffic of an administrator of this site opens up compromise to the entire network of websites and forums hosted by them to destruction, essentially. This would be any attacker's ideal situation, as from that point forward they have complete control.


The companies who spent millions on security were worth trillions. They're going to have the best of the best of attackers hitting them every day just due to the possibility for a huge payday. That's how a company spending millions on security can be hit. An attacker of that skill level is unlikely to be interested in a site of this size.

However, the excuse of "Hackers will get in anyway, why spend money on security?" is like saying "Robbers will just kick the door off the hinges, why put a lock on my door?"

In both instances the lack of security is an invitation to attack, and having security acts as a deterrent. The more difficult it is to get at something, the less inviting it is to would-be attackers.

If you practice a zero reuse policy on passwords, don't expose your e-mail address or login name for other places or where you browse outside of camaro6, then you're in a good place, but to blanket assume that everyone else does so would be incorrect, because I can pretty much promise there are multiple users on this site who use the same login for their email or bank as they do for this site.

I'll quote someone else on this:
"If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn't critical."

TL;DR: Having SSL ensures the C.I.A. of this site, provides peace of mind for users, and protects them when they browse outside of this website.
__________________
2017 HBM SS 1LE | EE Catch Can | Gm Clear tails | Rotofab CAI | DD Smoked sidemarkers | StainlessWorks Catback
Old 10-31-2017, 12:38 PM   #7
Risky Justice
 
 
Drives: 2016 Camaro 2SS M6
Join Date: Jan 2017
Location: Panama City, FL
Posts: 217
Quote:
Originally Posted by h422694
Really? And if someone actually had the "expertise" you are talking about, SSL wouldn't even slow them up. Think Target, Bank of America, and Experian just to name a few. And those companies spend millions on security, not $10.00.
Good thing those people aren't likely to care about these forums. Some bored teenager on some Mustang forums might get a kick out of it though. Just like locking your house won't keep everyone out, it still keeps the majority out, and that is better than nothing.
__________________
‘16 Camaro 2SS M6 - RotoFab CAI, Soler Performance TB, E85
8.102 @ 89.85 MPH (bone stock)
 

All times are GMT -5.