SAUK Discussion Board

  #1  
Old 9th September 2018, 21:07
Freyja Freyja is offline
Member
 
Join Date: Jul 2016
Location: NORTH
Posts: 797
Blog Entries: 2
Default Doing a learn

So, I'm trying to get into some network job and I literally just learned about http/https. Why is SAUK not protected? This site is open to loads of vulnerabilities/attacks. Literally no security. Every site you go on should be https as the S means secure connection. You'll see it on the browser.



https://support.google.com/chrome/an...indicator&rd=1
  #2  
Old 9th September 2018, 21:19
biscuits biscuits is offline
Member
 
Join Date: Jul 2005
Location: in the tin.
Posts: 16,214
Default Re: Doing a learn

I just put a https:// at the start of it

like this:
https://www.social-anxiety-community...ad.php?t=89744

and now it has the https:// at the start of it when I click on other sections of the site and it's kept the https://. But it still says it's not secure:



The link for the site has been pooped for a while. Think Occultus is looking into it.
  #3  
Old 9th September 2018, 21:25
Freyja Freyja is offline
Member
 
Join Date: Jul 2016
Location: NORTH
Posts: 797
Blog Entries: 2
Default Re: Doing a learn

Yeah I tried to see if you could secure it yourself but nah, think the site itself has to be secured by the main admin.
  #4  
Old 9th September 2018, 21:52
_Tink_ _Tink_ is offline
Co-Administrator
 
Join Date: May 2013
Location: Cheshire
Posts: 18,260
Default Re: Doing a learn

Yep, one more to add to Occultus' list. The forum needs a complete overhaul in my opinion
  #5  
Old 9th September 2018, 22:26
Freyja Freyja is offline
Member
 
Join Date: Jul 2016
Location: NORTH
Posts: 797
Blog Entries: 2
Default Re: Doing a learn

^ Up to date forum software would be good tbh, cause then we'd one up the competitors and people would be more likely to stay if the software wasn't so old. More customisation ideally. I'm not fond of the colour blue to look at all the time so I've had to change the whole site to black with an addon haha.

If Occultus is paying for the vBulletin software this is actually cheaper I believe. https://xenforo.com/purchase/xenforo-details Plus it's a waaaaay better forum software with everything already built in. (preview live here)

Probs could do with an advertising boost too, maybe gather donations for a google adsense boost.

But yeah priority getting the site secure in case someone ddos's us.
  #6  
Old 10th September 2018, 09:27
_Tink_ _Tink_ is offline
Co-Administrator
 
Join Date: May 2013
Location: Cheshire
Posts: 18,260
Default Re: Doing a learn

^ Thanks for this. I shall pass all of this on.

Unfortunately, the moderating team as such cannot make any changes. The responsibility would fall to the owner of the site.
  #7  
Old 10th September 2018, 09:31
anxiouslondoner anxiouslondoner is online now
Member
 
Join Date: Mar 2011
Location: Pandaemonium, SE27
Posts: 4,048
Default Re: Doing a learn

^^ TBH the skin on this site is very noisy, far too much irrelevant info, we could do with a simpler, less cluttered modern design without all the distractions around everything.
  #8  
Old 11th September 2018, 14:00
Sisyphus Sisyphus is offline
Member
 
Join Date: Aug 2012
Location: Hiding
Posts: 27
Blog Entries: 1
Default Re: Doing a learn

This has come up before.

For me the issue is privacy and it does make me a little less inclined to be open.

Changing to a secure link can break things though so it isn't a 10 minute job.

Using Extended Validation Certificates (technical and possibly scary link) would also make interception easier to spot, unless you are using IE that is, where manual checking of the certificate is something to get in the habit of doing.

ETA: Securing the link would do nothing to prevent a DDoS (distributed denial-of-service) attack.

The HTTPS is about encrypting the link between the browser and the SA server. The scary part is that anyone who has access to any point on that link can see everything you do. That includes your username and password.
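As an added illustration of the point in the post above that changing to a secure link can break things (not part of the thread, and not code from the site or its forum software): one common cause, assumed here, is pages that still reference stylesheets, scripts, images or form targets over http://, which browsers block or flag as mixed content once the page itself is served over HTTPS. The sketch audits a constructed sample page; `forum.example`, `cdn.example` and the markup are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make the browser fetch or submit something, and how
# an HTTPS page treats them when the target is plain http://.
URL_ATTRS = {
    ("script", "src"): "active",   # blocked outright
    ("iframe", "src"): "active",
    ("link", "href"): "active",    # stylesheets only, filtered below
    ("img", "src"): "passive",     # usually still shown, but the page is flagged
    ("form", "action"): "form",    # credentials would be submitted unencrypted
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other <link> types (canonical, alternate) are not mixed content
        for (t, attr), kind in URL_ATTRS.items():
            if t == tag and attrs.get(attr):
                # Resolve relative and protocol-relative URLs against the page URL.
                url = urljoin(self.page_url, attrs[attr])
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: a page as it would be served over HTTPS after migration.
PAGE_URL = "https://forum.example/showthread.php?t=1"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://forum.example/static/style.css">
<script src="//cdn.example/lib.js"></script>
<img src="http://forum.example/images/logo.gif">
<img src="images/smilie.gif">
<form action="http://forum.example/login.php" method="post"></form>
<a href="http://other.example/">ordinary link, not a subresource</a>
"""

if __name__ == "__main__":
    for kind, tag, url in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative references inherit the page's scheme and pass; only the three hard-coded http:// references are reported, which is the kind of template and stored-content cleanup that makes the migration more than a certificate install.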
  #9  
Old 15th September 2018, 00:34
Utopia Utopia is offline
Member
 
Join Date: Jul 2015
Posts: 769
Default Re: Doing a learn

The reason is that it costs money for whoever owns the domain name or hosting for the forum. The only suggestion I would have would be to use a different password than your banking password for example, but it's unlikely that your password will be compromised, although your ISP can see everything you do on this site, but that shouldn't matter given that it's a public forum.

It's more than likely that your password is stored in an encrypted form anyway, so the only chance someone would gain access to it is someone making a huge amount of effort to somehow intercept the data before it hits the forum servers (which is unlikely for any person outside of your ISP or the government).
  #10  
Old 15th September 2018, 11:05
Chocolate Chin Chocolate Chin is online now
Moderator
 
Join Date: Mar 2016
Posts: 805
Default Re: Doing a learn

Not sure if this is of any use to anyone and may not help in this situation, but it's a related plugin for your browser.


HTTPS Everywhere
  #11  
Old 15th September 2018, 17:05
Sisyphus Sisyphus is offline
Member
 
Join Date: Aug 2012
Location: Hiding
Posts: 27
Blog Entries: 1
Default Re: Doing a learn

What Utopia said++

I guess the most important thing is to make sure that your email password that you used to register is different. If it is the same then someone who gets your username and password to the forum will also get access to all your emails on that account. That may lead to other things as email is very commonly used to reset passwords on other, more important, accounts.

On a simple HTTP link the username and password are only obfuscated, not encrypted, and so gathering them is trivial.

When logging in from home it will be your ISP, GCHQ, and the powers that be in the USA that can see. The server IP address (68.66.240.251) looks to be in the USA.

If you do it from work then the IT folk there can see it and http://www.social-anxiety-community.org will be in the DNS logs and is a bit of a giveaway if you don't want them to know. It will be there even if HTTPS was being used, it is just that they wouldn't know your username and so would have to actively watch you post or something.

If you do it from a free wifi hotspot then who knows who will get it as I guess there is no such thing as a free lunch and your data will be mined for every penny it is worth. (Law? What law?).

As mentioned changing anything will cost money and time so in the first instance it is best to know the risks and mitigate.

There is always the 'You last visited:' at the top right of the page that can highlight an issue if there is one.

Just because I am paranoid doesn't mean they aren't watching me.
  #12  
Old 15th September 2018, 18:36
Sisyphus Sisyphus is offline
Member
 
Join Date: Aug 2012
Location: Hiding
Posts: 27
Blog Entries: 1
Default Re: Doing a learn

Hi HH,

Ew, there must be a law against that. Don't leave the videos as evidence, just use two mirrors.

VPNs are good up to a point. It will still be in plaintext from the VPN exit IP address to the server so make sure you use a unique username and password. The classic VPN is Tor but that may be over the top for this site. At some point the traffic will be in plaintext unless HTTPS is used.

Don't write anything that can link to anything else that can link back to you and that is really hard.

It is very difficult to stop your browser leaking information and there are so many ways to get tracked.

Most of the time it is simply a matter of being just one in a billion users and hoping that there are easier targets to go for. Some people still fall for the Nigerian scam and I hear that some people are still using something called facebook.

Data mining is very powerful and Google have access to so much data through all the companies they own. I suspect we are all fully profiled already.


ETA: Just thought, even if you are using a VPN, be careful that your machine is using the VPN DNS lookup not your ISP DNS or your ISP will know where you are looking anyway even if they can only see the encrypted VPN traffic.
All times are GMT +1. The time now is 19:16.
Powered by vBulletin
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.