#1 2018-04-04 06:48:19

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Secure access to SiMPLE

Hi all!

Recently I was asking myself if the access to SiMPLE is secured with https. Obviously it seems to be not. Brings up the question: "Why?" Any ideas how to change? Ideas welcome, and of course the question to Tuia, why you didn't? Old forum software? Lazy? wink

Best regards,
Sven

    Positive reputation 0   Negative reputation 0

#2 2018-04-04 09:10:08

ABAS
disciple of Jeff
Pahlavi Iran
Reputation: +1960
Registered: 2015-12-10
Posts: 2,322
Website
Windows 7 Cyberfox 52.5

Re: Secure access to SiMPLE

Who wanna hack us? He will unplug his PC once he faces maj.merlin posts & PMs

Last edited by ABAS (2018-04-04 14:02:11)

    Positive reputation 1   Negative reputation 0

#3 2018-04-04 15:40:39

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 59.0

Re: Secure access to SiMPLE

try this (use a private window to prevent image caching)     https://www.httpvshttps.com/

    Positive reputation 1   Negative reputation 0

#4 2018-04-04 21:42:58

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 65.0

Re: Secure access to SiMPLE

bud wrote:

try this (use a private window to prevent image caching)     https://www.httpvshttps.com/

That site seems like some weird agenda for how to present "HTTP/2 will make your web sites faster."  Instead they attribute it to "encryption is making your site faster", when the speed difference being shown is all due to HTTP/2 and not the encryption.

For a site named "HTTPvsHTTPS" and explicitly stating "encryption is faster", the test to prove that point would have been to use HTTP 1.1 encrypted vs unencrypted.  Which would have shown just a negligible to noticeable overhead of "all the same HTTP things are occurring, but now additionally encrypted and decrypted at each end."

The bottom line is still "who cares", since the reason you'll encrypt has nothing to do with whether it will make your site any faster.  But with a nagging question of "but then why misrepresent the information?"

-Trench

    Positive reputation 0   Negative reputation 0

#5 2018-04-04 22:28:01

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 65.0

Re: Secure access to SiMPLE

Dr-Duke wrote:

why you didn't? Old Forum software? Lazy?

You forgot to list "money" as a possible reason.  It's not uncommon for phpBB hosting services to be giving you access to control your application, but not the underlying HTTP server.  And to want to charge you per month for supplying the certificate and configuring the HTTP server to use it, as one of their value-added services.  So "how many $$$ per month is reasonable just to protect already-hashed passwords" might have been weighed.

-Trench

    Positive reputation 1   Negative reputation 0

#6 2018-04-05 04:55:39

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Re: Secure access to SiMPLE

Thanks a lot bud for your effort, here are the results:

Test without https:
32308799nn.png

Test with https:
32308802wy.png

Guess the results speak for themselves.. smile

    Positive reputation 0   Negative reputation 0

#7 2018-04-05 15:32:53

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 59.0

Re: Secure access to SiMPLE

Trench wrote:
bud wrote:

try this (use a private window to prevent image caching)     https://www.httpvshttps.com/

That site seems like some weird agenda for how to present "HTTP/2 will make your web sites faster."  Instead they attribute it to "encryption is making your site faster", when the speed difference being shown is all due to HTTP/2 and not the encryption.

For a site named "HTTPvsHTTPS" and explicitly stating "encryption is faster", the test to prove that point would have been to use HTTP 1.1 encrypted vs unencrypted.  Which would have shown just a negligible to noticeable overhead of "all the same HTTP things are occurring, but now additionally encrypted and decrypted at each end."

The bottom line is still "who cares", since the reason you'll encrypt has nothing to do with whether it will make your site any faster.  But with a nagging question of "but then why misrepresent the information?"

-Trench

Yeah, I checked it out a bit more, and it seems to be specially made to make regular http:// look really slow. I do use https on some sites, but the server software doesn't support SPDY or HTTP/2 anyway.
-
An SSL certificate is not that cheap either, depending on where you host. I've made certificates for my own use, but it does look ugly every time the browser complains about it not being safe. A newb seeing this would certainly hesitate to go further.
-
ssl.jpg
-

    Positive reputation 1   Negative reputation 0

#8 2018-04-05 19:13:39

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 65.0

Re: Secure access to SiMPLE

bud wrote:

An SSL certificate is not that cheap either, depending on where you host. I've made certificates for my own use, but it does look ugly every time the browser complains about it not being safe. A newb seeing this would certainly hesitate to go further

Yeah, creating your own private CA or simply creating a self-signed certificate "gives you a certificate", but doesn't serve the purpose of providing a TLS/SSL certificate that users of your public web site would trust.  The certificate has to come from a certificate authority that the web browser / operating system platforms already trust (which is the "money required" option), or you would have to convince your web site users to manually install and approve your "rogue" self-generated certificate as trusted.

Services like Let's Encrypt aim to provide free TLS/SSL certificates that many operating system and browser platforms will already trust, because Let's Encrypt was able to get one of those publicly-trusted companies (IdenTrust) to sign one of their issuing certificates, such that certificates which chain to Let's Encrypt's issuing certificate end up being trusted by default.  (So long as the base platform trusts IdenTrust to begin with.)

I think we can consider this "charity at the TLS/SSL certificate level", with the aim of making more sites able to encrypt where cost of yearly certificate renewal would have been a barrier.  But it does still require control over your HTTP server in order to implement it, or at least cooperation from your hosting provider even if you don't have "full" control.

But what you'll notice is missing from the list of host providers with Let's Encrypt support are those major hosting companies where "money from selling TLS/SSL certificates to those sites that need it" is part of the business plan, and part of how the hosting itself can be priced where it is.

Dr-Duke wrote:

Guess the results speak for themselves..

Unfortunately, they do not.  You're looking at the speed improvement of a web server that implements HTTP/2, and a web browser that supports HTTP/2.  Not the difference of "HTTP versus HTTPS", as the site is otherwise worded to portray.

-Trench

    Positive reputation 1   Negative reputation 0
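
The trust distinction described in post #8, as an added example that is not part of the original thread: it builds a throwaway "public" root, a private CA, a certificate issued by that CA and a self-signed certificate, then verifies each against a trust store standing in for the visitor's browser. It assumes the openssl CLI is installed; `forum.example`, the CA names and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Assumes the openssl CLI.
# forum.example, the CA names and all file names are constructed placeholders.

# mkroot <basename> <CN>: write a self-signed certificate <basename>.pem.
mkroot() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# check <trust-store.pem> <cert.pem>: print TRUSTED only if the certificate
# chains to a root in the given store, which stands in for the browser's list.
check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo TRUSTED; else echo REJECTED; fi
}

demo_trust() {
    d=$(mktemp -d) || return 1
    mkroot "$d/public" "Demo Public Root" || return 1   # what visitors already trust
    mkroot "$d/private" "Demo Private CA" || return 1   # the site owner's own CA
    mkroot "$d/self" "forum.example" || return 1        # self-signed server cert

    # Server certificate issued by the private CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=forum.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/private.pem" \
        -CAkey "$d/private.key" -CAcreateserial -days 1 \
        -out "$d/leaf.pem" 2>/dev/null || return 1

    # Visitor with only the public root: neither home-made certificate passes.
    echo "self-signed, default store:  $(check "$d/public.pem" "$d/self.pem")"
    echo "private-CA,  default store:  $(check "$d/public.pem" "$d/leaf.pem")"
    # Visitor who manually installed the owner's certificates as trusted.
    echo "self-signed, manually added: $(check "$d/self.pem" "$d/self.pem")"
    echo "private-CA,  manually added: $(check "$d/private.pem" "$d/leaf.pem")"
    rm -rf "$d"
}

demo_trust
```

The "manually added" rows correspond to asking every visitor to install the owner's certificate by hand; a certificate that chains to a root the platform already ships needs no such step.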

#9 2018-04-08 05:36:02

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Re: Secure access to SiMPLE

So I guess we're all doomed, eh? Oh ma gosh, this whole technical stuff drives me crazy! big_smile

    Positive reputation 0   Negative reputation 0

#10 2018-04-08 09:33:09

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Linux Vivaldi 1.95

Re: Secure access to SiMPLE

I heard a few months ago Google (Chrome) and some others will not support http anymore in the future... geeezzz...

Anyway a few tips:
1 do not use the same password here as on your one million dollar bank account
2 make sure you do not write down secrets while visiting this forum or other unsecure sites
3 if you REALLY want to write down something that has to be private here DO NOT PRESS SUBMIT afterwards
4 most of this forum is open and public... don't sweat
5 use PGP and put the key in your signature so the people here can still decode/read your post
6 don't use SIMPLE for any terror or general illegal activities

Personally I don't mind http AT ALL... good note of course OP. We shouldn't bother Tuia and this "a bit older" php forum to join the certificate war. This is not a bank and the people here that use this site for sharing their trade/war secrets should get hacked anyway.

    Positive reputation 0   Negative reputation 0

#11 2018-04-09 02:03:18

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Re: Secure access to SiMPLE

iCQ wrote:

We shouldn't bother Tuia and this "a bit older" php forum to join the certificate war. This is not a bank and the people here that use this site for sharing their trade/war secrets should get hacked anyway.

Forgive me, but kinda bold answer. Users have the right to ask the question what is happening with their data being sent to SiMPLE during the log-in process and the difference of almost 5,9ms whilst using a secure protocol. What's happening with this data? Lost? Or maybe, what would be the worst option - sold? If the last option would be the case then that's really a break of trust and really worth leaving SiMPLE.

And -forgive me-  but why is a running rat answering my questions?

    Positive reputation 1   Negative reputation 0

#12 2018-04-09 17:38:38

PitViper
TGE|
United States
Reputation: +431
Location: *TheGreatEscape|USA
Registered: 2014-09-27
Posts: 2,188
Website
Windows 7 Chrome 65.0

Re: Secure access to SiMPLE

Dr-Duke wrote:

What's happening with this data? Lost? Or maybe, what would be the worst option - sold? If the last option would be the case then that's really a break of trust and really worth leaving SiMPLE.

Not a chance.

    Positive reputation 1   Negative reputation 0

#13 2018-04-09 18:59:27

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 59.0

Re: Secure access to SiMPLE

The "secure" internet protocol (https) is good for stuff that involves credit cards and bank transfers, also perhaps if you have the habit of writing PMs to your mistress and things like that.

It has no relevance in a standard forum like this.

As for the loadtime aspect, your browser caches all static things so it doesn't have to download it every time you visit.

    Positive reputation 1   Negative reputation 0

#14 2018-04-11 07:34:46

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Re: Secure access to SiMPLE

PitViper wrote:
Dr-Duke wrote:

What's happening with this data? Lost? Or maybe, what would be the worst option - sold? If the last option would be the case then that's really a break of trust and really worth leaving SiMPLE.

Not a chance.

You think I forgot who's answering me with the thoughts of what happened in the past? wink

    Positive reputation 0   Negative reputation 0

#15 2018-04-12 19:54:20

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Linux Vivaldi 1.95

Re: Secure access to SiMPLE

bud wrote:

The "secure" internet protocol (https) is good for stuff that involves credit cards and bank transfers, also perhaps if you have the habit of writing PMs to your mistress and things like that.

It has no relevance in a standard forum like this.

As for the loadtime aspect, your browser caches all static things so it doesn't have to download it every time you visit.

Totally agree... AND don't use the same password for this service here (simple) as for your other accounts.

Even with https you will not be 100% safe either...

What are the risks? Well... without https a so called "man in the middle attack" becomes quickly more fruitful.

You have to think about
1 your ISP can see your forum activities
2 if you are on public wifi it is awfully easy for someone to grab your account and activities
3 any party in between can more easily get your data

I have to say with this service it's absolutely not needed to https anything. Except maybe your password AND if anyone in the simple team thinks or feels there is a hacker after them, in that case work with caution.

Last edited by iCQ (2018-04-12 20:09:35)

    Positive reputation 0   Negative reputation 0

#16 2018-04-13 03:31:03

Dr-Duke
Member
Germany
Reputation: +388
Registered: 2016-07-20
Posts: 703
Windows XP Firefox 52.0

Re: Secure access to SiMPLE

Interesting.. Funny stuff I read here... big_smile

https://youtu.be/k41em4dr30g

    Positive reputation 0   Negative reputation 0
