
Thread: Eeeewwww!

  1. #1
    Senior Member r4z0r7o3's Avatar
    Join Date
    Jul 2015
    Location
    Raleigh, North Carolina
    Posts
    1,250

    Eeeewwww!

    Using the wrong SSL/TLS cert is worse than using no cert:

    Code:
    www.alloyavenue.com uses an invalid security certificate. The certificate is only valid for the following names: *.hostgator.com, hostgator.com Error code: SSL_ERROR_BAD_CERT_DOMAIN
    I'm betting 99.999% of the people here just ignore the warning, add an exception, and blindly continue. However, the (unwritten) security-implication here: Anybody with a system hosted on hostgator.com, now or in the future, is then able to silently MITM scrape everyone's usernames, e-mail address, passwords, etc.

    This is worse than having no-cert at all, because then there's no illusion of security (now and in the future).

    OTOH, I realize certs. aren't cheap. I own one for a personal domain, and pony up around $230/year, others are more/less expensive.

    Maybe we get some members to pool funds and get a real one?

    I'd certainly chip-in along with 10-20 other people.

    To me, $10-20/year is a bargain for the help available here. How about we pool via https://www.patreon.com ?
    "Things that are complex are not useful, things that are useful are simple."
    - Mikhail Kalashnikov

  2. #2
    Administrator Site Admin
    Join Date
    Dec 2005
    Location
    Huatulco, Mexico
    Posts
    3,133
    I don't understand. Probably 95% of the other people here don't either. I suspect what you say is valuable. The use of abbreviations and acronyms might as well be ancient Greek to those of us who are uninitiated. In short: what are you talking about? And is there something I (as administrator) should do about it?

    Richard
    When I die, Heaven can wait—I want to go to McMaster-Carr.

  3. #3
    Senior Member Wolfcreek-Steve's Avatar
    Join Date
    Apr 2014
    Location
    Central Wisconsin
    Posts
    1,100
    What Rasper said!
    What is that squeaking noise?

  4. #4
    Senior Member Robert's Avatar
    Join Date
    Sep 2008
    Location
    Charlotte, Nascarolina
    Posts
    2,986
    I have never gotten that error. Should I have seen it?
    R
    "Whether you think that you can, or that you can't, you are usually right."
    - Henry Ford (1863-1947)

    Forklift Project
    Sand Mixer

  5. #5
    Moderator DavidF's Avatar
    Join Date
    Jan 2012
    Location
    Wilmington DE
    Posts
    2,578
    Did someone say free beer???
    A calm sea does not make a skilled sailor...
    http://thehomefoundry.org

  6. #6
    I use the Firefox browser. If you click on the i just to the left of the URL you'll see the following:

    [Screenshots: Fox1.png, Fox2.png]

    And in Chrome:

    [Screenshot: Screen Shot 2017-03-31 at 11.54.04 PM.png]

    If you click on the "learn more" it sends you here:

    https://support.google.com/chrome/an...indicator&rd=1

    It is a security risk. How big of one I'm not sure. I'm not really a security expert. But I'm guessing that if for some reason a hacker wanted to they could intercept anything sent to this website. Usernames, passwords and post content. What that would get them I don't know... I guess they could spam the board and its users that way.

    If you look at the Google URL above and the one for this post you'll see the Google address has an https and AlloyAvenue only has an http.

    http://www.alloyavenue.com/vb/showth...12965-Eeeewwww!

    The s stands for security. I don't think they could get into anyone's personal computer because of this vulnerability or get into the web host in order to change the site dramatically. However, it might be possible to intercept an admin's user name and password giving them control over the board. Once again why would they bother to do that? Shrug, some people just live to be a-holes.

    How big of a risk this is I don't know. I'm not even 100% sure I'm correct in all the details because, as I say, I'm no security expert. If you're really concerned I would find a webmaster forum and ask there. DO NOT POST what board you're talking about though. That's just inviting trouble. Just say that you post to a forum that doesn't have a security certificate and you want to know how vulnerable the board is. If they press you as to which board, be honest and say you don't want to advertise their vulnerabilities.

  7. #7
    Senior Member Wolfcreek-Steve's Avatar
    Join Date
    Apr 2014
    Location
    Central Wisconsin
    Posts
    1,100
    Out of all the forums I post on, none have the https, so I don't think this is a problem. The only places that do (my favorites) are my bank, eBay, and YouTube.
    What is that squeaking noise?

  8. #8
    Member
    Join Date
    Apr 2016
    Location
    Adelaide Sth Australia
    Posts
    82
    I am wondering if these forums [I belong to 3 insecure forums] are where shysters are getting my email address from. I send and receive few emails but get a heck of a lot of obvious scams and unwanted advertising. I was going to change my address but it seems that won't work.
    Just tonight I googled for signs of dehydration in adults, and clicking on the "i" showed 23 cookies were left on my computer from this site alone, so I will delete all cookies each time I turn off.

  9. #9
    Quote Originally Posted by hamilton View Post
    I am wondering if these forums [I belong to 3 insecure forums] are where shysters are getting my email address from. I send and receive few emails but get a heck of a lot of obvious scams and unwanted advertising. I was going to change my address but it seems that won't work.
    Just tonight I googled for signs of dehydration in adults, and clicking on the "i" showed 23 cookies were left on my computer from this site alone, so I will delete all cookies each time I turn off.
    I don't get any spam in my email usually, and I've been on here for a few years. I noticed that backyard metalcasting's site, or some of the pages on there, was showing an invalid certificate and not letting me into the page. Especially if you looked up the propane burner on there.

  10. #10
    Senior Member r4z0r7o3's Avatar
    Join Date
    Jul 2015
    Location
    Raleigh, North Carolina
    Posts
    1,250
    Quote Originally Posted by Wolfcreek-Steve View Post
    Out of all the forums I post on, none have the https, so I don't think this is a problem. The only places that do (my favorites) are my bank, eBay, and YouTube.
    I don't know of any current security problem, rather my argument is with the setup in general.

    HTTPS with a wrong/bad cert. gives the illusion of security. In layman's terms, it's like having a really really good lock on your door...with the keys always dangling on the other side. In Firefox/Chrome, if you add a site exception (to the wrong/bad cert.), this is analogous to forever ignoring the fact that the keys are dangling right there. Now, if the HTTPS certificate is valid (see links above) that's like removing the keys, so the occupants KNOW they're safe, now and in the future. There is no illusion of security.

    OTOH (on the other hand) if the site simply / only supported HTTP (and not HTTPS), everybody understands that means there's no security whatsoever. There's no illusion, and we can plan accordingly with our e-mail addresses, names and passwords. So, it's like not having a door (or windows) at all. The occupants of the house are aware it's unsafe, and under no illusions about somebody just walking right in.

    That's why having bad HTTPS is worse than having no HTTPS (only HTTP). There is no illusion of security. My recommendation is port 443 (HTTPS) be closed, or, get an HTTPS cert. that matches the hostname (www.alloyavenue.com).
    Last edited by r4z0r7o3; 04-01-2017 at 09:58 PM.
    "Things that are complex are not useful, things that are useful are simple."
    - Mikhail Kalashnikov
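
Added example, not part of any post in this thread: a simplified version of the host-name check behind the SSL_ERROR_BAD_CERT_DOMAIN error quoted in the first post, run against the certificate names from that error. It handles DNS names only, and `secure123.hostgator.com` and `a.b.hostgator.com` are constructed host names used for illustration.

```python
# Added example: simplified RFC 6125-style host name check (DNS names only).

def _labels(name):
    # DNS names are case-insensitive; a trailing dot marks the root and is ignored.
    return name.lower().rstrip(".").split(".")

def name_matches(hostname, pattern):
    """Return True if one certificate DNS name covers `hostname`."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False              # "*" never spans more or fewer labels
    if pat[0] == "*":
        # Wildcard is accepted only as the whole left-most label, and only
        # with at least two fixed labels after it (rejects "*.com").
        return len(pat) >= 3 and "*" not in "".join(pat[1:]) and host[1:] == pat[1:]
    return "*" not in pattern and host == pat

def check_site(hostname, cert_names):
    """Mimic the browser verdict for a host against a cert's name list."""
    if any(name_matches(hostname, n) for n in cert_names):
        return "OK"
    return "SSL_ERROR_BAD_CERT_DOMAIN"

# Names taken from the error message quoted in the thread.
SHARED_HOST_CERT = ["*.hostgator.com", "hostgator.com"]

if __name__ == "__main__":
    # Host names below other than the forum's own are constructed samples.
    for host in ["www.alloyavenue.com", "alloyavenue.com",
                 "secure123.hostgator.com", "hostgator.com",
                 "a.b.hostgator.com"]:
        print(f"{host:28} {check_site(host, SHARED_HOST_CERT)}")
```

The forum's host name fails against both certificate names, while any single-label subdomain of hostgator.com passes, which is the mismatch the browser warning reports.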
