I wanted to tell this with kind words. But sorry, I can't...
The security of this website is a joke. No TLS, a.k.a. HTTPS? Meaning everybody could possibly read your password when you log in (oops, your bank account with the same username and password just got hacked). I wouldn't be surprised if you didn't even hash the passwords before storing them.
Anyway, for the love of god, Google for "Let's Encrypt". You can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.
Using TLS/SSL will actually give a false sense of security. Security theatre is not without danger. Some people may really start believing in the effectiveness of what are otherwise just cargo-cult TLS rituals.
It is perfectly ok to start running the site in TLS/SSL but without ever making the false claim that it would then be safer.
It is quite possible to build relatively secure forum applications, but they will have to implement their own cryptographical primitives. For example, bitsquare.io has a famously secure architecture.
Another alternative is to do like Facebook and allow access to the site from the Tor network. It is also perfectly possible to run the site simultaneously on the clearnet and on the darknet (like Facebook does). Tor traffic to a darknet site is encrypted automatically over TLS/SSL, without the certificate-authority cesspool that makes HTTPS so vulnerable to interception.
What are you talking about? The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.
Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.
Originally Posted by 00001001
The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.
Apparently, the new "STS preloaded list" could conceivably work in a similar way to the way in which SSH looks up the server's key in the known_hosts file, but it only does that for the 100 most popular sites, or so. Hence, certificate and public key pinning would not work for this site or for most other sites either. It would solve the problem for most of the traffic, but not for most of the sites. With the following problem having run out of control a long time ago: certificate pinning allows bypassing standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal.
The TLS/SSL certificate authority cesspool is considered a bad joke. Just security theatre.
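As an added example (not code from this thread or from the forum software), here is how a browser evaluates the Strict-Transport-Security header the posts above argue about: it parses the directives per RFC 6797, honours the header only when it arrived over TLS, and reports whether the policy would qualify for the public preload list (the one-year minimum max-age, includeSubDomains and preload are the published requirements at hstspreload.org). The sample HTTP responses are constructed. Note the point that connects the two sides of the argument: the header is ignored over plain HTTP (RFC 6797 section 8.1), so a site without TLS cannot turn HSTS on at all.

```python
"""Evaluate Strict-Transport-Security headers the way a browser does.

Added example for this thread; the HTTP responses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # 31536000 s, the preload list's minimum max-age


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None where a browser would discard the header: max-age missing
    or non-numeric, or any directive repeated. Unknown directives are ignored.
    """
    max_age: Optional[int] = None
    seen: set[str] = set()
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # directive values may be quoted
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def response_headers(raw: bytes) -> dict[str, str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess(raw: bytes, over_tls: bool) -> dict[str, bool]:
    """What a browser would do with this response's HSTS header.

    enforced:         host is now remembered as HTTPS-only (max-age > 0)
    subdomains:       the rule also covers subdomains
    preload_eligible: max-age >= 1 year, includeSubDomains and preload set
    Over plain HTTP the header is ignored entirely (RFC 6797 section 8.1).
    """
    policy = None
    if over_tls:
        value = response_headers(raw).get("strict-transport-security")
        if value is not None:
            policy = parse_hsts(value)
    enforced = policy is not None and policy.max_age > 0
    return {
        "enforced": enforced,
        "subdomains": enforced and policy.include_subdomains,
        "preload_eligible": enforced
        and policy.max_age >= ONE_YEAR
        and policy.include_subdomains
        and policy.preload,
    }


# Constructed sample responses (not captured from any real site).
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_WEAK = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300"
               b"\r\nContent-Type: text/html\r\n\r\n<html>")
SAMPLE_STRONG = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
                 b"max-age=63072000; includeSubDomains; preload"
                 b"\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw, tls in (("plain", SAMPLE_PLAIN, False),
                            ("weak", SAMPLE_WEAK, True),
                            ("strong", SAMPLE_STRONG, True),
                            ("strong over http", SAMPLE_STRONG, False)):
        print(f"{label:17} {assess(raw, tls)}")
```

The "strong over http" case is the one that matters for this thread: even a perfect HSTS header does nothing until the site serves it over TLS, so the Let's Encrypt step comes first and HSTS second. A short max-age such as 300 seconds still enforces HTTPS but expires quickly and is not preload-eligible.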
Originally Posted by 00001001
Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it on university or somewhere else.
Well, SSH is quite resilient against actors or skilled hackers. The SSL/TLS certificate authority cesspool is not.
We have noticed that some of the images used by members in their signatures are not linked from secure hosts. We will be automatically converting all such links to https, and if the host does not support it, the image will not be displayed properly. Please make sure that any image that you link from an external source uses the https protocol.