Security Improvements For This Website



00001001
11-11-2016, 03:14 AM
Selam Aleykum,

I wanted to tell this with kind words. But sorry, I can't...

The security of this website is a joke. No TLS a.k.a HTTPS? Meaning everybody could possibly read your password when you log in (oops, your bank account with the same username and password just got hacked). I wouldn't be surprised if you didn't even hash the passwords before storing them.

Anyway, for the love of god. Google for "Let's Encrypt", you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.
Reply

kritikvernunft
11-11-2016, 03:49 AM
Originally Posted by 00001001:
> No TLS a.k.a HTTPS?

TLS/SSL will not make much of a difference. The very same parties who can intercept http, can also intercept https. "95% of HTTPS servers vulnerable to trivial MITM attacks." If you fancy to intercept other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
Originally Posted by 00001001:
> Anyway, for the love of god. Google for "Let's Encrypt", you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.

Using TLS/SSL will actually give a false sense of security. Security theatre is not without danger. Some people may really start believing in the effectiveness of what are otherwise just cargo-cult TLS rituals.

It is perfectly ok to start running the site in TLS/SSL but without ever making the false claim that it would then be safer.

It is quite possible to build relatively secure forum applications, but they will have to implement their own cryptographical primitives. For example, bitsquare.io has a famously secure architecture.

Another alternative is to do like facebook and allow access to the site from the tor network. It is also perfectly possible to run the site simultaneously on the clearnet and on the darknet (like facebook does). Tor traffic to a darknet site is encrypted automatically over TLS/SSL, without the certificate-authority cesspool that makes https so vulnerable to interception.
Reply

AabiruSabeel
11-11-2016, 05:38 AM
:salam:

:jz: for the suggestion, we plan to implement it soon :ia:.

Originally Posted by 00001001:
> I wouldn't be surprised if you didn't even hash the passwords before storing them.

Be assured that passwords are hashed and not stored anywhere in plaintext.
Reply

00001001
11-11-2016, 01:21 PM
Originally Posted by kritikvernunft:
> TLS/SSL will not make much of a difference. The very same parties who can intercept http, can also intercept https. "95% of HTTPS servers vulnerable to trivial MITM attacks." If you fancy to intercept other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.

What are you talking about? The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.

Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.
Reply

00001001
11-11-2016, 01:26 PM
Originally Posted by kritikvernunft:
> sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.

Also, thanks for these tools!
Reply

kritikvernunft
11-11-2016, 02:52 PM
Originally Posted by 00001001:
> The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.

Apparently, the new "STS preloaded list" could work conceivably in a similar way as the way in which SSH looks up the server's key in the known_hosts file, but it only does that for the 100 most popular sites, or so. Hence, Certificate and Public Key Pinning would not work for this site or for most other sites either. It would solve the problem for most of the traffic, but not for most of the sites. With the following problem having run out of control a long time ago:
> Certificate pinning allows bypassing standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal.

TLS/SSL certificate authority cesspool is considered a bad joke. Just security theatre.
Originally Posted by 00001001:
> Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.

Well, SSH is quite resilient against actors or skilled hackers. The SSL/TLS certificate authority cesspool is not.
Reply
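The HSTS mechanism argued about in the two posts above (00001001's point that a browser with HSTS enabled will not fall back to plain http, and kritikvernunft's mention of the preload list) can be made concrete with the browser-side rule from RFC 6797. The following is an added Python example, not code from the forum or from either poster: a Strict-Transport-Security header is honoured only when received over TLS, the host (and, with includeSubDomains, its subdomains) is then upgraded to https for max-age seconds, and a built-in preload set covers hosts before any header has been seen. The hostnames and the preload set are constructed for the example.

```python
"""Model of a browser's HSTS cache (RFC 6797): which http:// requests get
upgraded to https:// and why. Constructed sample data; added example."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (assumption):
# hosts here are treated as HSTS even before any header has been seen.
PRELOAD = {"preloaded.example"}


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid (max-age is mandatory, must be a non-negative integer)."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, now=None):
        # host -> (expiry timestamp, include_subdomains)
        self.entries = {}
        self.now = now or time.time

    def observe(self, host, header, over_tls=True):
        """Record a header. Headers seen over plain http are ignored, as the
        RFC requires (an attacker on the path could otherwise forge them).
        max-age=0 evicts the host. Returns True if the header was accepted."""
        if not over_tls:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known_hsts(self, host):
        """True if host is preloaded, or matches a fresh cache entry either
        exactly or as a subdomain of an includeSubDomains entry."""
        if not host:
            return False
        if host in PRELOAD:
            return True
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when HSTS applies (RFC 6797 8.3:
        an explicit port 80 becomes 443, any other explicit port is kept)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_hsts(parts.hostname):
            return url
        if parts.port is None:
            netloc = parts.hostname
        elif parts.port == 80:
            netloc = f"{parts.hostname}:443"
        else:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("islamicboard.example", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://www.islamicboard.example/login"))
```

The point the example makes is the one both posters touch on: HSTS protects a returning visitor (or a preloaded host) from being downgraded to plain http, but it does nothing for the very first visit to a non-preloaded host, and a header received over http is ignored entirely.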

AabiruSabeel
11-11-2016, 06:15 PM
We have enabled HTTPS now.

Reply

AabiruSabeel
05-15-2018, 11:36 AM
:salam:

We have noticed that some of the images used by members in their signatures are not linked from secure hosts. :ia: we will be automatically converting all such links to https and if the host does not support it, the image will not be displayed properly. Please make sure that any image that you link from an external source uses the https protocol.
Reply
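The link conversion announced in the post above (http image references in signatures rewritten to https, so an https page no longer loads mixed content) can be done with a small rewrite pass. The following is an added Python example, not the forum's own code: it handles BBCode [img] tags and HTML img elements, upgrades http:// and scheme-relative (//host/...) references, leaves https://, data: and relative paths alone, and reports which hosts were touched so an administrator can verify that those hosts actually serve https. The signature markup is constructed for the example.

```python
"""Upgrade http image references in forum signatures to https.
Constructed inputs; added example, not the forum software's own code."""
import re
from urllib.parse import urlsplit, urlunsplit

# BBCode [img]...[/img] and HTML <img src="..."> references.
IMG_BBCODE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
IMG_HTML = re.compile(r"""(<img\b[^>]*?\bsrc\s*=\s*["'])([^"']*)(["'])""",
                      re.IGNORECASE)


def upgrade_url(url):
    """Return the https form of an http:// or scheme-relative URL.
    https://, data: and relative references are returned unchanged.
    An explicit :80 is dropped since the https default port is 443."""
    url = url.strip()
    if url.startswith("//"):
        return "https:" + url
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.hostname if parts.port == 80 else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_signature(markup):
    """Rewrite every image reference in a signature.
    Returns (new_markup, changed_hosts), changed_hosts in document order."""
    changed = []

    def record(old, new):
        if new != old.strip():
            changed.append(urlsplit(new).hostname)
        return new

    def bb(m):
        return f"[img]{record(m.group(1), upgrade_url(m.group(1)))}[/img]"

    def html(m):
        new = record(m.group(2), upgrade_url(m.group(2)))
        return f"{m.group(1)}{new}{m.group(3)}"

    out = IMG_BBCODE.sub(bb, markup)
    out = IMG_HTML.sub(html, out)
    return out, changed


if __name__ == "__main__":
    # Constructed signature with a mix of secure and insecure references.
    sample = ('Regards [img]http://pics.example/a.png[/img] '
              '<img src="//cdn.example/b.gif">')
    rewritten, hosts = upgrade_signature(sample)
    print(rewritten)
    print("hosts to verify for https support:", hosts)
```

The returned host list is the useful by-product: the post says images on hosts without https will simply stop rendering, and a one-time check of those hosts tells members which signatures need fixing before that happens.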
