Drummerworld and SSL -- It's time

KamaK

Platinum Member
Bernhard,

I'd gladly chip in the $7.50 for the first year and 30 mins to show you how to set up SSL/HTTPS. I feel like a chump every time I type something here (including my password) because anyone with wire access can see it. Heck, I'd chip in $20 for a 3-year cert.

I get that there are drawbacks (the yearly expense, performance overhead, requirement of technical expertise to add a rewrite rule so old links work, periodic renewals, registration). But a number of us check in from hotel wifi, bar wifi, and other public places and would greatly appreciate the increase in privacy.

Note: Looks like COMODO resellers are ~$9/yr these days.
 

Dr_Watso

Platinum Member
The port is open on the firewall, but the default apache page with self-signed is what you get.

Since I don't use this password anywhere else I'm not that worried about it, and other than passwords, I think someone snooping this data stream would be pretty disappointed. If you're going to do it, make sure to redirect http to https or it's pretty useless for anyone but you, me and other folks with IT sec on their minds.
 

KamaK

Platinum Member
If you're going to do it, make sure to redirect http to https or it's pretty useless for anyone but you, me and other folks with IT sec on their minds.

Indeed, though it's generally best to use a rule instead of a redir, so that the string beyond the domain name is preserved, and all of the links on the board continue working.

Something simple like:


Code:
    RewriteEngine on
    # Match any request that did not arrive over TLS (works in server config and in .htaccess)
    RewriteCond   %{HTTPS}  off
    # Permanent redirect to the same path on https; %{REQUEST_URI} keeps old links working, and the query string is passed through by default
    RewriteRule ^ https://www.drummerworld.com%{REQUEST_URI} [L,R=301]
 
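A way to verify that a redirect like the one above actually keeps old links working, as an added example rather than anything from the thread: it parses a captured plain-HTTP request and the server's redirect response (both constructed here, not real drummerworld.com traffic) and reports whether the redirect is permanent, goes to https on the same host, and preserves the path and query string.

```python
from urllib.parse import urlsplit

# Constructed sample: a request that arrived on plain HTTP, and two candidate redirect
# responses a server might return. Neither is captured from the real site.
HTTP_REQUEST = "GET /showthread.php?t=12345&page=2 HTTP/1.1\r\nHost: www.drummerworld.com\r\n\r\n"
GOOD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.drummerworld.com/showthread.php?t=12345&page=2\r\n\r\n"
)
BAD_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.drummerworld.com/\r\n\r\n"  # bare-domain redirect: old links break
)


def parse_request(raw):
    """Return (host, path_with_query) from the request line and the Host header."""
    lines = raw.split("\r\n")
    target = lines[0].split(" ")[1]
    host = next(l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:"))
    return host, target


def check_redirect(raw_request, raw_response):
    """Verify an http->https redirect keeps host, path and query. Returns (ok, problems)."""
    problems = []
    host, target = parse_request(raw_request)
    head, _, _ = raw_response.partition("\r\n\r\n")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    if status != 301:
        problems.append(f"status {status}: expected a permanent 301")
    location = next((h.split(":", 1)[1].strip() for h in headers
                     if h.lower().startswith("location:")), None)
    if location is None:
        return False, problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append("Location is not https")
    if loc.netloc != host:
        problems.append(f"host changed: {host} -> {loc.netloc}")
    expected = urlsplit("http://" + host + target)
    if (loc.path, loc.query) != (expected.path, expected.query):
        problems.append(f"path/query not preserved: {target} -> {loc.path}?{loc.query}")
    return not problems, problems
```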

Dr_Watso

Platinum Member
There are times when I'm privy to a discussion and feel nothing but an utter friggen' moron.

This is one of those times.

As simplified as I can, since it's an important topic, and maybe you'll find it interesting. It's certainly more complicated than I'll make it out to be, and please feel free to ask questions if you like.

Websites that begin with "https://www.example.com" rather than the regular http are "secured" by utilizing a tech called SSL which is what Kamak is talking about for DW.

Think of SSL kind of like "pig latin". Two people can communicate without using real English, but still understand each other on the basis that they both realize you just re-arrange the letters of each word in a set way. If an outsider who doesn't have the "code" tries to listen in, say a small child who hasn't figured it out yet, they'll be confused.

That's a long way of saying it's a literal cipher key. Just like a radio cipher or my previous example of the "pig latin" code, using SSL/HTTPS can help prevent a nefarious fellow who's trying to listen in on the data exchange and get passwords, or what have you.

Since we don't exchange credit card numbers or do business on this site, it's not that big of a deal, but using it is certainly best practice and helps with security.
 

KamaK

Platinum Member
I don't think I would trust it as much for something critical, but for general use like this that's neat!

On the flip side, we can trust that Verisign/Symantec/Thawte/Entrust trusts their customers just enough to be willing to take their money. Sigh, the uncanny intermingling of capitalism and privacy... I guess it's hard to complain with my mouth full.
 

Jeremy Bender

Platinum Member
I don't understand what any of this means. Is the future use of this forum in danger of a security breach to our own computers? Will we start having to pay to be members?
Thanks. I know very little about these things.
 

KamaK

Platinum Member
I don't understand what any of this means. Is the future use of this forum in danger of a security breach to our own computers? Will we start having to pay to be members?
Thanks. I know very little about these things.

Ultimately, it means that anyone on your local network or anyone on DWorld's network can see anything you submit to the site, and know what you've been looking at. It also means that any DW data passing through your ISP is automatically being routed through a mystery closet and analyzed by the NSA.

(no, really, not being paranoid or making this up, there really is a government closet at your ISP analyzing absolutely everything you see and post).

Not an issue for 95% of the content here, but this includes your user/password and PMs.
 

Dr_Watso

Platinum Member
Not an issue for 95% of the content here, but this includes your user/password and PMs.

Yep, this is really the only "worry". People often use similar username and password combos on multiple sites, so the fact that someone can snoop our passwords on this site as we use them could be an issue for some.

For the time being, everyone reading this should make sure the password they use here is not the same as one for something critical or financial.
 

Dr_Watso

Platinum Member
On the flip side, we can trust that Verisign/Symantec/Thawte/Entrust trusts their customers just enough to be willing to take their money. Sigh, the uncanny intermingling of capitalism and privacy... I guess it's hard to complain with my mouth full.

I almost stated such in my response, but meh.

I think I only feel "safer" because we're paying for it with the big providers. Makes me feel like they will have better, more secure and more redundant/consistent service. If that's true or not is hard to say in the grand scheme, but at least I can sue!
 

DrumEatDrum

Platinum Member
I'd settle for not using the same 10-year-old version of vBulletin and adding some modern features around here.

I love this forum, but it's stuck in internet past.
 

Dr_Watso

Platinum Member
What if you use "incognito" mode on Chrome?

All that does is prevent your computer from storing info locally on the hard drive about visited sites and all that jazz.

It does not change the fact that passwords here are sent to the server unencrypted and "snoopable". Please don't use common passwords here, and change any passwords that you share between this site and others.
 

T.Underhill

Pioneer Member
This is what your Internet traffic would look like when you log in to the site via http, not https. The username and password are shown in "clear text", meaning readable to whoever is capturing your traffic. I know this has been stated, but the visual is interesting. This traffic is likely to only be compromised if you're on a public network like an open WiFi connection.
 

Attachment: Auth_decode.png (screenshot of the captured login traffic)
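The check a site admin would run over their own capture to find the situation in that screenshot, added here as an example that is not from the thread or its poster: it scans constructed HTTP request captures (not real traffic) and flags requests on port 80 that carry credentials, either an HTTP Basic Authorization header or a password-like form field, without printing the secret values. The field names and port numbers are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample captures: a form login over plain HTTP, a Basic-auth request over plain
# HTTP, a TLS session (only an opaque handshake is visible), and a harmless plain-HTTP GET.
CAPTURES = [
    {"dst_port": 80, "payload":
        "POST /login.php HTTP/1.1\r\nHost: www.example.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=drummer&password=hunter2&do=login"},
    {"dst_port": 80, "payload":
        "GET /private HTTP/1.1\r\nHost: www.example.com\r\n"
        "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\n"},
    {"dst_port": 443, "payload": "\x16\x03\x01..."},  # TLS ClientHello: nothing readable
    {"dst_port": 80, "payload": "GET /forum.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

# Substrings that mark a form field as a password field (assumption; extend for your own app).
PASSWORD_FIELDS = ("password", "passwd", "pwd")


def find_cleartext_credentials(capture):
    """Return findings for credentials sent over plain HTTP; secrets themselves are never reported."""
    findings = []
    if capture["dst_port"] != 80 or not capture["payload"].startswith(("GET ", "POST ")):
        return findings
    head, _, body = capture["payload"].partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    # HTTP Basic auth is only base64, so the header is as readable as the form field below.
    for h in headers:
        if h.lower().startswith("authorization: basic "):
            findings.append(f"{request_line}: HTTP Basic credentials sent in clear text")
    # Form logins: any field whose name looks like a password field.
    for field in parse_qs(body):
        if any(p in field.lower() for p in PASSWORD_FIELDS):
            findings.append(f"{request_line}: form field '{field}' submitted in clear text")
    return findings


def scan(captures):
    """Flatten findings over a whole capture list."""
    return [f for c in captures for f in find_cleartext_credentials(c)]
```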

KamaK

Platinum Member
Bernhard,

Websense is now blocking your site from a number of organizations, including my work.
 