SSL on Forums

allster101 · #1 03-18-2015

"Hello caller, you're on the air!"

Hello everyone, long time listener, first time caller.

I'll cut right to the chase: why isn't there an SSL certificate on the forums? I mean, we're logging in on every single page, and any attacker can intercept our traffic, which includes logins. So, without SSL, any attacker can see our login info.

Also, implementing an SSL cert on vBulletin isn't that hard, a la this link.

So, why not?

Thanks.

MM78 · #2 03-18-2015

Why would we need them? perhaps that would be your best argument in actually implementing them.....

allster101 · #3 03-18-2015

Quote:

Originally Posted by MM78

Why would we need them? perhaps that would be your best argument in actually implementing them.....

Why? Because it's security for the website. Right now, any hacker with the right skills can see your login information and anything you type onto this website. With an SSL certificate installed, all data is encrypted so nobody can see your username, password, or anything else you type in.

There are very cheap SSL certificates available (less than $10/year). There's even a free one. Not very much configuration is required to get it working.

It gives everyone on the forum much greater security. At this point, there's no excuse not to.

**aspkin** · #4 03-19-2015

The website doesn't interact with 3rd party services that would make SSL necessary. Login details do not pass on to other websites. I could only see a use on the local level but even that would be overkill.

Sure it's easy to add but making sure SSL wouldn't be broken or break anything, would be a headache.

It's not really needed at this time but possibly in the future as I have thought about it for other reasons.

unkown5454 · #5 03-19-2015

Uber cheap certs == false sense of security

GreenBean · #6 03-19-2015

Welcome to the forums.

Good Luck as you learn more of stealth ways.

rsot · #7 03-19-2015

Welcome to the forums - all the best with stealth

allster101 · #8 03-19-2015

Quote:

Originally Posted by aspkin

The website doesn't interact with 3rd party services that would make SSL necessary. Login details do not pass on to other websites. I could only see a use on the local level but even that would be overkill.

Sure it's easy to add but making sure SSL wouldn't be broken or break anything, would be a headache.

It's not really needed at this time but possibly in the future as I have thought about it for other reasons.

Users can login at any page on this site. Usernames and passwords are transmitted in plain text from the user's computer to the server, and can be intercepted anywhere along that path. Especially you, aspkin - what if an attacker got your login info? Imagine what kind of havoc could be wreaked upon this forum.

Quote:

Originally Posted by unkown5454

Uber cheap certs == false sense of security

All certs (unless you buy some old cert with old technology like TLS 1.0 or 128-bit encryption) use the same encryption technology. The only thing that differs is the name and warranty.

MM78 · #9 03-19-2015

Lets be honest, any website can be hacked at any given time.....All that's required is perseverance and time.

allster101 · #10 03-19-2015

Quote:

Originally Posted by MM78

Lets be honest, any website can be hacked at any given time.....All that's required is perseverance and time.

Right. But having an SSL certificate on a website will decrease that chance dramatically.

GreenBean · #11 03-19-2015

Quote:

Originally Posted by allster101

Right. But having an SSL certificate on a website will decrease that chance dramatically.

Why are you second guessing what aspkin has told YOU about the forum HE runs?

Think you should appreciate that aspkin will have the best interests of the forum in hand at all times.

unkown5454 · #12 03-19-2015

Since you are obsessed with security, do tell me what information you would gain from siphoning information here? Information that is basically all public. Anyone can sign up here and do whatever they want.

This is not some financial or medical institution where all users have private information that needs to be encrypted.

MM78 · #13 03-19-2015

Quote:

Originally Posted by unkown5454

Since you are obsessed with security, do tell me what information you would gain from siphoning information here? Information that is basically all public. Anyone can sign up here and do whatever they want.

This is not some financial or medical institution where all users have private information that needs to be encrypted.

Someone could steal our post count!!!!! rsot would be devastated!

rsot · #14 03-19-2015

Quote:

Originally Posted by MM78

Someone could steal our post count!!!!! rsot would be devastated!

Hamsters would go homeless omgzor! Time to move back into MM78's dungeon

GreenBean · #15 03-20-2015

NNNNNNNNNNNNNNNNNNNNNOOOOOOOOOOOOOOOOOOOOOOOOOOOO! !!!!!

We aint goin' to no stinky dungeon again.

GreenBean · #16 03-20-2015

Not a horrible dungeon. PLEASE. We'll pedal so darn hard to stay away from there. PLEASE.

muzzie · #17 03-20-2015

SSL is not for hiding posts, as anyone can register and read them. SSL is for protecting login details, as currently anyone can sniff traffic / make a phake website, and steal some sensitive login details.

unkown5454 · #18 03-20-2015

Nothing here is sensitive. This has been the point the whole time muzzie.

No one conducts transactions or any person information through this site. Getting access to someone's forum account is completely useless.

MM78 · #19 03-20-2015

Quote:

Originally Posted by muzzie

SSL is not for hiding posts, as anyone can register and read them. SSL is for protecting login details, as currently anyone can sniff traffic / make a phake website, and steal some sensitive login details.

I think we all know that, what I said was meant as a joke.......apparently not everyone got the joke

.