HTTPS (Secure HTTP)

eagle · 09-06-2008, 12:28 PM

To my delight, Avalon has "https" enabled - security.

I would HIGHLY suggest that all mods/admins, log out, close your browser, log back in using:

https://www.projectavalon.net/forum/index.php

That S at the end of HTTP will put you in secure mode.

Then CHANGE your admin/mod password.

If the mods/admins fail to do this, the forum could be compromised by hackers.

All other users should use the https, and never http, and change their passwords as well.

Sidders2:
What browser do you use? I use firefox.

Administrator · 09-06-2008, 12:48 PM

Hi Eagle

I do not see the need for HTTPS (SSL) as the Forum is open to the public anyway

we are not hiding anything with regards information, so no point encrypting it as such.

When you use normal HTTP for browsing the internet, you are sending and receiving back and forth from your computer in what we call Plain Text. This means that a hacker if they really wanted too could sit there and monitor the traffic from your computer to the web server and if clever enough could see the information.

When using HTTPS each bit of information sent back and forth is encrypted and this would stop the hacker seeing anything.
The problem using HTTPS is that it is so SLOWwwww and also the Server you are attaching too needs to install what we call a Certificate to prove that it is who says it is.
We have not installed any SSL certificates on ProjectAvalon and so if you try to use HTTPS you will get security warning boxes appear everytime you click on a link, this is a right pain

Now the main worry people have with using Forums and not using HTTPS is that their Passwords could be transmitted in Plain Text, which would not be good. Alot of Cheap/Free Forums do this and hence why they get hacked alot.
Vbulletin even when using HTTP still encrypts the Password when sending it to the server and this is one of the reasons I chose it.

So if a bored hacker wanted to see what Forum information was being sent back and forth, then he could by monitoring the traffic, but he would not be able to De-Chiper the Password.
So no point in him really doing this as he can just come to the forums as a guest and see all the posts anyway

Hope this makes sense.

Cheers

GateKeeper

eagle · 09-06-2008, 01:20 PM

It is certainly up to each, what they want to do.

I personally prefer my data encrypted again, it will make it that much more difficult for hackers. For instance, they can know where keywords originate from, whereas, only the mods/admins know this now. You know that eagle is from IP x.x.x.x. If my posts go over the internet, through routers, all that can be determined by the machines in place to monitor. In other words, ssl provides point to point encryption. No one can see the data in flight without some very sophisticated machines.

I do not get any security warnings from firefox and I believe that is easily fixed.

It is good to know the passwords are encrypted by default.

Again, https is for the extremely paranoid or anonymous posters who wish to remain that way.

The performance hit on the client or the server is not that bad really. This server is fast in ssl mode.

Rocky_Shorz · 09-13-2008, 12:26 AM

* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server...

Hey Eagle

Why would you ask the Mods to re-enter create new passwords?

you've hit my watch list on this one...

Operator · 09-13-2008, 12:49 AM

Hi,

I tried to https on www.projectavalon.net because it may be the subtle difference. However it failed too.

Let me clear up a misunderstanding ....

Using an SSL certificate would NOT in any way conceal information on this forum. It would also NOT in any way protect members' identities
since everything can be tracked and routes can back engineered to locate a person. However I guess that us discussing our stuff
on a forum here would rather be tracked to inform THEM what kind of directions opposition is taking.

The usage of an SSL certificate however INDEED does protect the traffic to- and from the server from being tapped into and hence being abused
by malevolent individuals to disrupt the
flawless functioning of the forum.

That's also the reason why passwords should be changed AFTER installing an SSL certificate. But be sure that governments that
spend trillions of dollars on defense still can tap into the traffic.

I hope this clarifies the techy stuff around encryption ....

09-06-2008, 12:28 PM	#1
eagle Avalon Senior Member Join Date: Sep 2008 Posts: 75	HTTPS (Secure HTTP) To my delight, Avalon has "https" enabled - security. I would HIGHLY suggest that all mods/admins, log out, close your browser, log back in using: https://www.projectavalon.net/forum/index.php That S at the end of HTTP will put you in secure mode. Then CHANGE your admin/mod password. If the mods/admins fail to do this, the forum could be compromised by hackers. All other users should use the https, and never http, and change their passwords as well. Sidders2: What browser do you use? I use firefox.

09-06-2008, 12:48 PM	#2
Administrator Project Avalon Administrator Join Date: Aug 2008 Posts: 221	Re: HTTPS (Secure HTTP) Hi Eagle I do not see the need for HTTPS (SSL) as the Forum is open to the public anyway we are not hiding anything with regards information, so no point encrypting it as such. When you use normal HTTP for browsing the internet, you are sending and receiving back and forth from your computer in what we call Plain Text. This means that a hacker if they really wanted too could sit there and monitor the traffic from your computer to the web server and if clever enough could see the information. When using HTTPS each bit of information sent back and forth is encrypted and this would stop the hacker seeing anything. The problem using HTTPS is that it is so SLOWwwww and also the Server you are attaching too needs to install what we call a Certificate to prove that it is who says it is. We have not installed any SSL certificates on ProjectAvalon and so if you try to use HTTPS you will get security warning boxes appear everytime you click on a link, this is a right pain Now the main worry people have with using Forums and not using HTTPS is that their Passwords could be transmitted in Plain Text, which would not be good. Alot of Cheap/Free Forums do this and hence why they get hacked alot. Vbulletin even when using HTTP still encrypts the Password when sending it to the server and this is one of the reasons I chose it. So if a bored hacker wanted to see what Forum information was being sent back and forth, then he could by monitoring the traffic, but he would not be able to De-Chiper the Password. So no point in him really doing this as he can just come to the forums as a guest and see all the posts anyway Hope this makes sense. Cheers GateKeeper

09-06-2008, 01:20 PM	#3
eagle Avalon Senior Member Join Date: Sep 2008 Posts: 75	Re: HTTPS (Secure HTTP) It is certainly up to each, what they want to do. I personally prefer my data encrypted again, it will make it that much more difficult for hackers. For instance, they can know where keywords originate from, whereas, only the mods/admins know this now. You know that eagle is from IP x.x.x.x. If my posts go over the internet, through routers, all that can be determined by the machines in place to monitor. In other words, ssl provides point to point encryption. No one can see the data in flight without some very sophisticated machines. I do not get any security warnings from firefox and I believe that is easily fixed. It is good to know the passwords are encrypted by default. Again, https is for the extremely paranoid or anonymous posters who wish to remain that way. The performance hit on the client or the server is not that bad really. This server is fast in ssl mode.

09-13-2008, 12:26 AM	#4
Rocky_Shorz Avalon Senior Member Join Date: Sep 2008 Location: USA Posts: 1,098	Re: HTTPS (Secure HTTP) * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server... Hey Eagle Why would you ask the Mods to re-enter create new passwords? you've hit my watch list on this one... Last edited by Rocky_Shorz; 09-13-2008 at 12:29 AM.

09-13-2008, 12:49 AM	#5
Operator Avalon Senior Member Join Date: Sep 2008 Location: Caribbean Posts: 375	Re: HTTPS (Secure HTTP) Hi, I tried to https on www.projectavalon.net because it may be the subtle difference. However it failed too. Let me clear up a misunderstanding .... Using an SSL certificate would NOT in any way conceal information on this forum. It would also NOT in any way protect members' identities since everything can be tracked and routes can back engineered to locate a person. However I guess that us discussing our stuff on a forum here would rather be tracked to inform THEM what kind of directions opposition is taking. The usage of an SSL certificate however INDEED does protect the traffic to- and from the server from being tapped into and hence being abused by malevolent individuals to disrupt the flawless functioning of the forum. That's also the reason why passwords should be changed AFTER installing an SSL certificate. But be sure that governments that spend trillions of dollars on defense still can tap into the traffic. I hope this clarifies the techy stuff around encryption ....