[2020-10-30] [IMPLEMENTED] SSL / HTTPS for BudgetLightForum.com (Request)

Hello,

It is 2017 now and a lot of websites have already implemented SSL, either with paid services or projects like Let's Encrypt.

My country does MITM attacks (man in the middle). They simply intercept the connection and gather intel if the connection is not secured. If it is secured, they still do that attack by replacing SSL certificates with fake ones. However, this is only done in schools (yet :smiling_imp: ).

I sometimes get mad at the stupid policies my country has and write something about it on websites here and there. As an example you can look at my post signature.

So,

Implementing SSL will lower the risk of me bringing attention and triggering them for being suspicious. I just do not want to use a VPN for everything. And considering there are also people from Russia, China, etc., I think SSL implementation will be useful.

And

Since there is a login system on this website, a secured connection is a must-have. It is too risky to send credentials in any form through a non-secured connection.

Legitimate.
In the company I'm working for, IT security has been a hot item for more than 5 years, and booming in the last few years, and this is a relatively easy solution to upgrade the site.

Oh, and don’t let Tayyip read your signature :sunglasses:

Thanks for the request. I’m sure I will eventually implement SSL, but it’s not a priority. A major negative is the additional amount of CPU load generated by the encryption. BLF gets a non-trivial amount of traffic, has a rather large database, and in general has some rather heavy functions in terms of processing power, so SSL isn’t something I can just implement without significant research and planning.

Thank you. First of all I want to say that this is a very good website so please do not break it :slight_smile:. I mean the forum script is just on point for a relatively small website like this and the user base is cancer-free.

What I want to say about the topic is this:

Please look at the Let's Encrypt project or a similar alternative which is supported by major browsers when the implementation time comes. This way you will not pay anything at all for certificates.
The second option I have heard of is using Cloudflare, which you probably already know. It may have some SSL solutions.

I hope it will be implemented before 2019 though (election date). At that date my country will probably be a true dictatorship country. And if that happens it will be way worse than North Korea.

It is too late :slight_smile: . That signature alone is sufficient to get me put in jail for at least 10 years. However, who cares?

A bit off topic but I want to escalate this topic for general awareness.

A 14-15 year old Syrian immigrant who came here in recent years said this to a news agency: "Living in Turkey is worse than drowning in the ocean." And I certainly agree, because at least in the ocean you are "free".

lol even Wikipedia is blocked here :smiling_imp: :laughing:

I definitely need to get out of here as soon as possible. But since low-IQ ignorant Turkish people make up the mass in Europe, Europe probably will not welcome me there, thinking of me as a muslim & a guy from the group I have defined. I am not a muslim or an ignorant motherf* like those guys (if you are from the Netherlands, you probably know these guys :slight_smile: ), but not welcoming me would be normal given that I am Turkish and Europe is familiar with "Turkish" people.

So, which state is the best? :laughing:

Hi, please avoid political discussions in this thread and throughout BLF. Thanks.

By the way, a good password policy (never use your password twice!), two-step verification on email accounts and logical sense will solve pretty much most of the described problems.

If my password was caught, I just request a new one, and since I am using two-step verification, I feel a lot safer.

Can’t you use a VPN to surf safer?

Hey OP. I don’t think any snooping agency has issues with BLF, politics and religion are simply no go here, just edit your political sig and you’ll be fine.
If this was a prepper forum, I would see your point as legit, but the only thing we prep for is moah lumens :smiley:

sb56637,

Would you at least consider HTTPS for the login requests? As of now, my password is sent in clear text over the internet when I login to BLF.
Applying HTTPS for logins only shouldn’t add any considerable load on the CPU.

Thoughts?

They meant "slow" as in "taking a toll on the server CPU".

@aeroden - The thing is, the login block appears on all pages. So that would require removing the login block and only having a single dedicated page for logging in.

Just a public service announcement: You should always use a unique password for each site that is sensitive or important to you, whether it uses SSL or not. HTTPS is not a magic bullet to protect your online security, and there are many more documented cases of identity theft from weak or reused passwords (typed into "secure" sites with a big green padlock in the URL bar) than there are from connection hijacking and wiretapping. Another massive attack vector is malware that logs and phones home passwords that are typed into the browser before they ever hit the wire, be it an encrypted connection or not. Then there's the question of how the "secure" site actually stores the password on their servers after the HTTPS connection is finished, which on the server side is often far from being truly secure against people hacking directly into the server. Case in point are the sites that have massive lists of compromised passwords, which were stolen directly from the databases of compromised servers. I should also mention that I take the security of the BLF server very seriously and am extremely proactive at applying security patches, and I use accepted best practice techniques to maintain the integrity of the server.

@sb56637 - not necessarily. Changing the form POST action to the HTTPS version will do the trick. Again, only the form POST action; then it will redirect back to plain HTTP.

In the highlighted part above it can be http*s*://budgetlightforum.com/frontpage?destination=frontpage

How does it sound to you?

Regarding your last paragraph - I fully agree with your points and thank you again for keeping this treasure online. I think adding SSL for logins will really close the gap so to speak since this is the only private piece of information on this public forum probably with the exception of private messages. IMHO every service should do its best to protect private data and leave it to users to decide how conscious they want to be about their privacy.

@aeroden: Thanks, but wouldn’t that make most browsers throw warnings about mixed HTTP and HTTPS content on the same page?

@sb56637 It works the other way around - when you have a page loaded over HTTP*S* and some content on that page is loaded through HTTP, then you get a warning. In our case we do the opposite and there is no problem with that. For example in my above post the image was loaded from Imgur through HTTPS. Actually we don’t even load any content through HTTPS - we only POST login form data through HTTPS and then it would need to redirect us back to HTTP.

In hindsight, I think this whole idea is a bit pointless, since after login I get a session cookie to authorize future requests, and if someone can get that cookie through eavesdropping he can actually access the site in full as if it was me (my IP is not part of the session cookie hash, and that's not really secure anyway).

But… instead I think I have a much better idea. I see you host this site on lunanode.com and they provide a Load Balancer service that will do the SSL termination for you, and for your usage metrics it will even be free of charge. So the server will still serve plain HTTP traffic while the Load Balancer will do the certificate provisioning (for free through Let's Encrypt) and SSL termination, forwarding the plain HTTP traffic back to the server. Here are the docs: Load Balancers

Sounds compelling?
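The gap the post above identifies (login form POSTed over HTTPS, redirect back to plain HTTP, session cookie then sent in the clear on every later request) can be checked mechanically from a login page and the response to the login POST. This is an added example, not code from the thread or from BLF; the sample page, headers, host name and cookie name are constructed, and the form-action parsing is a simple approach chosen here, not anything the forum software does.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormFinder(HTMLParser):
    """Collect the action URL of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def parse_set_cookie(header):
    """Split a Set-Cookie value into the cookie name and its lowercased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login(page_html, login_response_headers):
    """Report the ways a login-only HTTPS flow can still expose credentials or the session."""
    findings = []
    finder = FormFinder()
    finder.feed(page_html)
    for action in finder.actions:
        if urlsplit(action).scheme != "https":  # relative or http:// action
            findings.append(f"form action not HTTPS: {action or '(same page)'}")
    if login_response_headers.get("Location", "").startswith("http://"):
        findings.append("post-login redirect drops back to HTTP")
    for raw in login_response_headers.get("Set-Cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:  # browser will send it on every plain-HTTP request
            findings.append(f"cookie {name} lacks Secure: sent on plain HTTP requests")
    if "Strict-Transport-Security" not in login_response_headers:
        findings.append("no HSTS header: browsers will still accept plain HTTP")
    return findings


# Constructed sample (hypothetical host and cookie name): the form POSTs over HTTPS, as proposed above, but everything after that is plain HTTP.
SAMPLE_PAGE = ('<form action="https://example.test/user/login" method="post">'
               '<input name="name"><input name="pass" type="password"></form>')
SAMPLE_LOGIN_RESPONSE = {
    "Location": "http://example.test/frontpage",
    "Set-Cookie": ["SESSabc=deadbeef; path=/; HttpOnly"],
}
```

Calling `audit_login(SAMPLE_PAGE, SAMPLE_LOGIN_RESPONSE)` returns three findings for the constructed sample: the HTTP redirect, the cookie without Secure, and the missing HSTS header; the same check on a fully TLS-terminated setup with a Secure cookie returns none.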

Aeroden seems to be onto something there.

I personally would always appreciate better security, though the content of this site is generally impersonal. Perhaps if people are sending shipping addresses etc via private message, that would be a risk.

@sb56637 so what do you think about load balancer approach?

Fuzun, would a group buy for a VPN be a simple solution?