Security Improvements For This Website

#1 00001001 (Full Member, Amsterdam, joined Nov 2016)

    Selam Aleykum,

    I wanted to tell this with kind words. But sorry, I can't...

    The security of this website is a joke. No TLS a.k.a. HTTPS? Meaning everybody could possibly read your password when you log in (oops, your bank account with the same username and password just got hacked). I wouldn't be surprised if you didn't even hash the passwords before storing them.

    Anyway, for the love of god, Google for "Let's Encrypt"; you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.

#2 kritikvernunft (IB Senior Member, joined Jun 2016)

    Originally Posted by 00001001:
        No TLS a.k.a. HTTPS?
    TLS/SSL will not make much of a difference. The very same parties who can intercept http can also intercept https: "95% of HTTPS servers vulnerable to trivial MITM attacks". If you fancy intercepting other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    Originally Posted by 00001001:
        Anyway, for the love of god, Google for "Let's Encrypt"; you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.
    Using TLS/SSL will actually give a false sense of security. Security theatre is not without danger. Some people may really start believing in the effectiveness of what are otherwise just cargo-cult TLS rituals.

    It is perfectly ok to start running the site in TLS/SSL but without ever making the false claim that it would then be safer.

    It is quite possible to build relatively secure forum applications, but they will have to implement their own cryptographic primitives. For example, bitsquare.io has a famously secure architecture.

    Another alternative is to do like facebook and allow access to the site from the tor network. It is also perfectly possible to run the site simultaneously on the clearnet and on the darknet (like facebook does). Tor traffic to a darknet site is encrypted automatically over TLS/SSL, without the certificate-authority cesspool that makes https so vulnerable to interception.

#3 AabiruSabeel (Administrator, joined Mar 2006)

    for the suggestion, we plan to implement it soon.

    Originally Posted by 00001001:
        I wouldn't be surprised if you didn't even hash the passwords before storing them.
    Be assured that passwords are hashed and not stored anywhere in plaintext.

#4 00001001 (Full Member, Amsterdam, joined Nov 2016)

    Originally Posted by kritikvernunft:
        TLS/SSL will not make much of a difference. The very same parties who can intercept http can also intercept https: "95% of HTTPS servers vulnerable to trivial MITM attacks". If you fancy intercepting other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    What are you talking about? The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.

    Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.

#5 00001001 (Full Member, Amsterdam, joined Nov 2016)

    Originally Posted by kritikvernunft:
        sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    Also, thanks for these tools!

#6 kritikvernunft (IB Senior Member, joined Jun 2016)

    Originally Posted by 00001001:
        The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.
    Apparently, the new "STS preloaded list" could conceivably work in a similar way to how SSH looks up the server's key in the known_hosts file, but it only does that for the 100 most popular sites, or so. Hence, Certificate and Public Key Pinning would not work for this site or for most other sites either. It would solve the problem for most of the traffic, but not for most of the sites. With the following problem having run out of control a long time ago:
        Certificate pinning allows bypassing standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal.
    The TLS/SSL certificate authority cesspool is considered a bad joke. Just security theatre.
    Originally Posted by 00001001:
        Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.
    Well, SSH is quite resilient against actors or skilled hackers. The SSL/TLS certificate authority cesspool is not.
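
The HSTS discussion in posts #4 and #6, as an added example that is not code from the forum or from any browser: a small Python model of how a browser keeps HSTS state. It assumes a simplified client (one policy store keyed by host, a constructed stand-in for the preload list, numeric timestamps instead of a clock, and a constructed host name forum.example). It shows what a Strict-Transport-Security header actually buys: the very first plain-http request to a host the browser has never seen is still sent unprotected, which is the same trust-on-first-use gap as SSH's known_hosts; from the first TLS response onward, http:// links are upgraded locally until max-age expires, and only preloaded hosts skip that first exposure. preload_ready lists what a header needs for a preload submission (one-year max-age, includeSubDomains, preload); those are the published hstspreload.org requirements, not a claim about this forum's deployment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; minimum max-age for a preload submission

# Constructed stand-in for the browser's built-in preload list
# (host -> includeSubDomains); the real list ships inside the browser.
PRELOADED = {"preloaded.example": True}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header (RFC 6797, section 6.1).
    Returns None for a header a browser would ignore (no or bad max-age)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_ready(policy: HstsPolicy) -> List[str]:
    """Reasons the policy fails the hstspreload.org requirements; [] = eligible."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} < {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Per-client policy store. Like SSH's known_hosts it only protects
    hosts it has already seen over TLS (or that are preloaded)."""

    def __init__(self) -> None:
        self._known: Dict[str, Tuple[float, HstsPolicy]] = {}

    def observe(self, host: str, over_tls: bool, header: str, now: float) -> bool:
        """Learn a policy from a response; True if accepted. Headers seen over
        plain http are dropped, or an on-path attacker could set or clear them."""
        if not over_tls:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy.max_age == 0:          # max-age=0 removes the policy
            self._known.pop(host, None)
            return True
        self._known[host] = (now + policy.max_age, policy)
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self._known.get(candidate)
            if entry and entry[0] > now and (exact or entry[1].include_subdomains):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts (RFC 6797, section 8.3);
        anything else is returned unchanged, i.e. would go out in the clear."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known_host(host, now):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store, t0 = HstsStore(), 1_000_000.0
    login = "http://forum.example/login.php"
    print(store.rewrite(login, t0))             # first visit: still http://
    store.observe("forum.example", True,
                  "max-age=31536000; includeSubDomains; preload", t0)
    print(store.rewrite(login, t0 + 60))        # now https://
    print(store.rewrite("http://www.forum.example/", t0 + 60))  # subdomain too
    print(store.rewrite(login, t0 + ONE_YEAR))  # expired: http:// again
```

A policy seen over plain http is discarded on purpose: accepting it would let the same on-path attacker the thread worries about set, shorten or clear the policy. The window the model leaves open, the first request before any policy exists, is exactly what the preload list closes, and only for hosts on it.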

#7 AabiruSabeel (Administrator, joined Mar 2006)

    We have enabled HTTPS now.


#8 AabiruSabeel (Administrator, joined Mar 2006)

    We have noticed that some of the images used by members in their signatures are not linked from secure hosts. We will be automatically converting all such links to https, and if the host does not support it, the image will not be displayed properly. Please make sure that any image that you link from an external source uses the https protocol.
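
The signature-image conversion described in the post above, as an added example written for this page and not the forum's own code (vBulletin handles signatures internally). It assumes signatures are stored as BBCode, possibly with raw HTML img tags, and rewrites only image sources: an http:// image on an https page is mixed content that the browser blocks, while an http:// [url] link is a navigation and loads normally. The hosts whose links changed are returned so an operator can check which of them actually serve https; the sample signature and host names are constructed.

```python
import re
from typing import Set, Tuple
from urllib.parse import urlsplit

# BBCode image forms: [img]http://host/pic.png[/img] and [img=http://host/pic.png]
BBCODE_IMG = re.compile(r"(\[img(?:\]|=)\s*)http://([^\s\[\]]+)", re.IGNORECASE)
# Raw HTML image form: <img ... src="http://host/pic.png">
HTML_IMG = re.compile(r"(<img\b[^>]*?\bsrc\s*=\s*[\"']?)http://([^\s\"'>]+)", re.IGNORECASE)


def upgrade_image_links(text: str) -> Tuple[str, Set[str]]:
    """Rewrite http:// image sources to https:// and report the hosts touched.

    https:// and protocol-relative (//host/...) sources are left alone, as
    are non-image links. A host that does not serve https will simply fail
    to load, which is the safe failure: a broken image, not a silent
    downgrade of the whole page."""
    hosts: Set[str] = set()

    def swap(match: "re.Match[str]") -> str:
        host = urlsplit("https://" + match.group(2)).hostname
        if host:
            hosts.add(host)  # urlsplit lower-cases the host name
        return match.group(1) + "https://" + match.group(2)

    text = BBCODE_IMG.sub(swap, text)
    text = HTML_IMG.sub(swap, text)
    return text, hosts


if __name__ == "__main__":
    # Constructed sample signature, not a real member's.
    signature = ('[img]http://img.example/banner.png[/img] visit [url]http://site.example/[/url] '
                 '<img src="http://cdn.example/flag.gif" alt="flag"> [img]https://ok.example/a.png[/img]')
    new_signature, changed_hosts = upgrade_image_links(signature)
    print(new_signature)
    print("check these hosts for https support:", sorted(changed_hosts))
```

Run it over each stored signature before saving; the returned host set is the list to probe for https support, which is a network step deliberately kept out of the rewrite itself.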