SSL for BudgetLightForum.com (Request)

fuzun
Joined: 02/11/2017 - 13:37
Posts: 197
Hello,

It is 2017 now and a lot of websites have already implemented SSL, either with paid services or projects like Let's Encrypt.

My country does MITM attacks (man in the middle). They simply intercept the connection and gather intel if the connection is not secured. If it is secured, they still do that attack by replacing SSL certificates with fake ones. However, this is only done in schools (yet).

I sometimes get mad at the stupid policies my country has and write something about it on websites here and there. As an example, you can look at my post signature.

So,

Implementing SSL will lower the risk of me attracting their attention for being suspicious. I just do not want to use a VPN for everything. And considering there are also people from Russia, China etc., SSL implementation will be useful, I think.

And

Since there is a login system on this website, a secured connection is a must-have. It is too risky to send credentials in any form over a non-secured connection.

Yokiamy
Joined: 10/18/2016 - 15:47
Posts: 2662
Location: Netherlands

Legitimate.
In the company I'm working for, IT security has been a hot item for more than 5 years, and booming in the last years, and this is a relatively easy solution to upgrade the site.

Oh, and don’t let Tayyip read your signature.

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6840
Location: The Light

Thanks for the request. I’m sure I will eventually implement SSL, but it’s not a priority. A major negative is the additional amount of CPU load generated by the encryption. BLF gets a non-trivial amount of traffic, has a rather large database, and in general has some rather heavy functions in terms of processing power, so SSL isn’t something I can just implement without significant research and planning.

Budget Light Forum ...where Frugal meets with Flashlight!

fuzun
Joined: 02/11/2017 - 13:37
Posts: 197

sb56637 wrote:
Thanks for the request. I’m sure I will eventually implement SSL, but it’s not a priority. A major negative is the additional amount of CPU load generated by the encryption. BLF gets a non-trivial amount of traffic, has a rather large database, and in general has some rather heavy functions in terms of processing power, so SSL isn’t something I can just implement without significant research and planning.

Thank you. First of all I want to say that this is a very good website (so please do not break it). I mean the forum script is just on point for a relatively small website like this and the user base is cancer-free.

What I want to say about the topic is this:

Please look at the Let's Encrypt project or a similar alternative which is supported by major browsers when the implementation time comes. This way you will not pay anything at all for certificates.
The second option I have heard of is using Cloudflare, which you probably already know. It may have some SSL solutions.

I hope it will be implemented before 2019 though (election date). At that date my country will probably be a true dictatorship country. And if that happens it will be way worse than North Korea.

fuzun
Joined: 02/11/2017 - 13:37
Posts: 197

Yokiamy wrote:
Legitimate.
In the company I'm working for, IT security has been a hot item for more than 5 years, and booming in the last years, and this is a relatively easy solution to upgrade the site.

Oh, and don’t let Tayyip read your signature.

It is too late. That signature alone is sufficient to get me in jail for at least 10 years. However, who cares?

A bit off topic but I want to escalate this topic for general awareness.

A 14-15-year-old Syrian immigrant who came here in a recent year said this to a news agency: “Living in Turkey is worse than drowning in the ocean.” And I certainly agree, because at least in the ocean you are “free”.

lol, even Wikipedia is blocked here LOL

I definitely need to get out of here as soon as possible. But since low-IQ ignorant Turkish people make up the mass in Europe, Europe probably will not welcome me there, thinking of me as a Muslim and a guy from the group I have defined. I am not a Muslim or an ignorant motherf***** like those guys (if you are from the Netherlands, you probably know these guys), but not welcoming me would be normal given that I am Turkish and Europe is familiar with “Turkish” people.

So, which state is the best? LOL

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6840
Location: The Light

Hi, please avoid political discussions in this thread and throughout BLF. Thanks.


Yokiamy
Joined: 10/18/2016 - 15:47
Posts: 2662
Location: Netherlands

By the way, a good password policy (never use your pw twice!), two-step verification on email accounts and logical sense will solve pretty much most of the described problems.

If my pw was caught, I just request a new one, and since I am using two-step verification, I am feeling a lot safer.

everydaysurvivalgear
Joined: 07/31/2015 - 10:25
Posts: 3630
Location: sydney australia (GMT+10)

Can’t you use a VPN to surf safer?

The Miller
Joined: 12/14/2015 - 12:08
Posts: 9908
Location: Charente France

Hey OP. I don’t think any snooping agency has issues with BLF, politics and religion are simply no go here, just edit your political sig and you’ll be fine.
If this was a prepper forum, I would see your point as legit, but the only thing we prep for is moah lumens.

aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

sb56637,

Would you at least consider HTTPS for the login requests? As of now, my password is sent in clear text over the internet when I login to BLF.
Applying HTTPS for logins only shouldn’t add any considerable load on the CPU.

Thoughts?

TimMc
Joined: 06/26/2020 - 02:22
Posts: 134
Location: Australia
aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

They meant “slow” as in “taking a toll on server CPU”.

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6840
Location: The Light

@aeroden – The thing is, the login block appears on all pages. So that would require removing the login block and only having a single dedicated page for logging in.

Just a public service announcement: You should always use a unique password for each site that is sensitive or important to you, whether it uses SSL or not. HTTPS is not a magic bullet to protect your online security, and there are many more documented cases of identity theft from weak or reused passwords (typed into “secure” sites with a big green padlock in the URL bar) than there are from connection hijacking and wiretapping. Another massive attack vector is malware that logs and phones home passwords that are typed into the browser before they ever hit the wire, be it an encrypted connection or not. Then there’s the question of how the “secure” site actually stores the password on their servers after the HTTPS connection is finished, which on the server side is often far from being truly secure against people hacking directly into the server. Case in point are the sites that have massive lists of compromised passwords, which were stolen directly from the databases of compromised servers. I should also mention that I take the security of the BLF server very seriously and am extremely proactive at applying security patches, and I use accepted best practice techniques to maintain the integrity of the server.


aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

@sb56637 – not necessarily. Changing the form POST action to the HTTPS version will do the trick. Again, only the form POST action; then it will redirect back to plain HTTP.

In the highlighted above it can be http*s*://budgetlightforum.com/frontpage?destination=frontpage

How does it sound to you?

Regarding your last paragraph – I fully agree with your points and thank you again for keeping this treasure online. I think adding SSL for logins will really close the gap so to speak since this is the only private piece of information on this public forum probably with the exception of private messages. IMHO every service should do its best to protect private data and leave it to users to decide how conscious they want to be about their privacy.

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6840
Location: The Light

@aeroden: Thanks, but wouldn’t that make most browsers throw warnings about mixed HTTP and HTTPS content on the same page?


aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

@sb56637 It works the other way around – when you have a page loaded over HTTP*S* and some content on that page is loaded through HTTP, then you get a warning. In our case we do the opposite and there is no problem with that. For example in my above post the image was loaded from Imgur through HTTPS. Actually we don’t even load any content through HTTPS – we only POST login form data through HTTPS and then it would need to redirect us back to HTTP.

aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

In hindsight, I think this whole idea is a bit pointless, since after login I get a session cookie to authorize future requests, and if someone can get that cookie through eavesdropping he can actually access the site in full as if it was me (my IP is not part of a session cookie hash, and that’s not really secure anyway).

But… Instead I think I have a much better idea. I see you host this site on lunanode.com and they provide a Load Balancer service that will do the SSL termination for you, and for your usage metrics it will even be free of charge. So the server will still serve plain HTTP traffic while the Load Balancer does the certificate provisioning (for free through Let's Encrypt) and SSL termination, forwarding the plain HTTP traffic back to the server. Here are the docs: https://www.lunanode.com/features/loadbalancers

Sounds compelling?
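An added example (not code from this thread, from BLF, or from Lunanode) of the two checks the discussion above turns on: whether a login form on a plain-HTTP page posts to HTTPS, and whether the session cookie returned after login carries the Secure flag, without which the browser attaches it to every later http:// request. The host, page markup and cookie value are constructed placeholders.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample: a plain-HTTP page whose login form posts to HTTPS,
# plus the Set-Cookie header a server might answer the login with.
# "forum.example" is a placeholder host, not BLF's.
PAGE_URL = "http://forum.example/frontpage"
PAGE_HTML = """
<html><body>
<form id="login" action="https://forum.example/frontpage?destination=frontpage" method="post">
  <input name="name"><input name="pass" type="password">
</form>
</body></html>
"""
SET_COOKIE = "SESSabc=deadbeef; Path=/; HttpOnly"   # constructed, no Secure flag


class FormActions(HTMLParser):
    """Collect the resolved action URL of every <form> on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            # A relative or empty action resolves against the page URL,
            # i.e. it inherits the page's plain-http scheme.
            self.actions.append(urljoin(self.base_url, action))


def credentials_exposed(page_url, html):
    """True if any form on the page submits to a non-HTTPS URL."""
    parser = FormActions(page_url)
    parser.feed(html)
    return any(urlparse(a).scheme != "https" for a in parser.actions)


def cookie_leaks_over_http(set_cookie_header):
    """True if a cookie in the header lacks the Secure flag: the browser
    will then send it on plain http:// requests, so HTTPS-only login
    still leaves the session open to eavesdropping."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return any(not morsel["secure"] for morsel in jar.values())
```

Note the dilemma the thread arrives at: marking the cookie Secure stops the leak but also stops it being sent to the http:// pages the site actually serves, which is why TLS termination for the whole site (the load balancer idea) is the clean fix.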

agnelucio
Joined: 01/04/2015 - 12:36
Posts: 142
Location: UK

Aeroden seems to be onto something there.

I personally would always appreciate better security, though the content of this site is generally impersonal. Perhaps if people are sending shipping addresses etc via private message, that would be a risk.

aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

@sb56637 so what do you think about load balancer approach?

caramba
Joined: 11/09/2016 - 14:43
Posts: 565

Fuzun, would a group buy for a VPN be a simple solution?

aeroden
Joined: 09/30/2020 - 09:55
Posts: 32
Location: Melbourne, AU

How does VPN help here?

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6840
Location: The Light

@aeroden Thanks for the interesting idea, I’ll definitely look into it.


dave1010
Joined: 07/04/2017 - 02:38
Posts: 95
Location: Dorset, United Kingdom

Have you looked at things like Cloudflare that provide SSL by proxying your HTTP site? Cloudflare’s pricing starts at free. There’s a few similar providers around too.

https://davestechreviews.wordpress.com/ / Email: <my BLF username>@gmail.com