@30, I do know that mysql is an open port. That does not mean you use it. Just because a port is open does not mean it is used. As for reasons why HTTPS is better than HTTP... I should not have to explain why. After all, you, cartertem, the oh-so-knowledgeable security expert of the 21st century, you should already know... right? But, I guess you don't; check out https://www.brightlocal.com/2017/01/06/ … s-website, https://trevellyan.biz/why-your-website … d-of-http, https://www.entrepreneur.com/article/281633, and you can google the rest. I'll agree -- I'm no security expert either, so I'll shut down that little argument of yours before you can even type it. Really, the reasons why SSL should be used should be quite obvious, especially since for his website HTTP tracing is enabled. Of course, his PHP configuration is already available, giving a malicious user plenty of opportunities to do lots of damage. You say you have access to all his source code and can assert that he uses mysql... then mind telling me in vague terms what he uses it for? His website returns valid HTTP responses with junk HTTP methods, which for some browsers, if configured for security over accessibility, could generate false positives. If you go talk to a security expert about why you should use HTTPS vs. HTTP, and you explain your reasons why you feel HTTP is better, they'll shoot you down with a whole list of reasons why HTTPS should be used at all times.
Now, to answer your questions:
1. How does bringing up the past invalidate an argument? In fact, it serves to strengthen it. Ever heard the saying history repeats itself? Unless there are drastic changes, your flawed logic and insistence would lead one to believe you're just repeating yourself.
I personally find bringing up the past to justify your reasons (without, of course, a valid reason) dishonorable debating. If you want to argue about something, you should probably come armed and prepared whenever you post. Also, considering the fact that I haven't taken down his website since, your statement of "history repeats itself" is false, and will remain so.
2. I don't see a reason for anyaudio/samtupy.com to use SSL. Sure it could be nice, but I see no legit security implications here. When making a payment, you are automatically redirected to paypal to enter info, which is in fact using HTTPS. Paypal transactions are securely handled serverside anyway, so even if an attacker was able to sniff packets they wouldn't get much. Please describe in detail how an attack could be performed in this manner.
Again, I already described this in post 28; the main transaction is carried out through PayPal, which is secure, but PDT stuff is sent from a secure connection (i.e. PayPal) to an insecure connection, opening up a potential vulnerability for sniffing once it's left the encrypted connection. For anyaudio, this should be quite obvious: it would be possible to sniff usernames and passwords (even admin ones) since it's all over HTTP.
3. Read post 25, according to him payment data is *not* stored in text documents. Proof please?
Payments aren't stored in text documents? Bullshit. Tell me then how the server and client could exchange purchase IDs?
4. yet, read post 25 again. Sam clearly said he was using mysql. I quite frankly don't care if you believe it or not. Being one who has access to the code of anyaudio I can personally vouch for him. Also, if you do a simple nmap scan on anyaudio.net, mysql shows up as an open port. Of course not definitive proof, but I'd say that, along with the word of two with the code holds more weight than your clearly uneducated doubt, huh?
Again, I've explained my reasons already. Just because a port is open does not mean it's being used. That's like saying that if a mall's door is open that means it's fully manned, staffed, and full of business life and transactions (even though it just might happen to be empty). Since I'm supposedly uneducated in this department (even though I have taken a security class and am going into cybersecurity as a secondary degree in college), tell me, without researching it, do you know what XSS is? How about XST? Let's not forget that he's vulnerable to OSVDB-877, OSVDB-3092, OSVDB-3268, and OSVDB-3233. These vulnerability database IDs are a bit obscure, so I'll indicate them for you: OSVDB-877 indicates that HTTP tracing is enabled; OSVDB-3092 indicates a directory that is available that shouldn't be (though, in this case, it's /dev, so it should be fine); OSVDB-3268 indicates that directory indexing was enabled in a place it should not be; and OSVDB-3233 indicates a file was found that shouldn't be there. In the case of OSVDB-3268, this directory is /icons/, which contains Apache's default icons, and OSVDB-3233 indicates it found /icons/readme, which is a default Apache file.

And as for your insults, TBH, I really could care less what you think I should do. Your "thoughts" of what I should do (in particular the first one) show just how immature you are. "Ethonic stupidity"? My, my, what an ego you have! If you're going to post insults and bullshit, you might as well not post at all. I've told Sam (as have many others) to do particular things (i.e. get a terms of service and learn to actually administrate properly) but he never listens. Say hello to the guy who thinks he knows more than absolutely everyone else, even lawyers. If you look up "should I get a terms of service for my website?" on Google, you'll find plenty of reasons why you should. But Sam thinks he's above all the pros who are (yes) smarter than you, me, Sam, etc.
"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." — Charles Babbage.
My Github
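The post above leans on the "HTTP tracing is enabled" finding (OSVDB-877, the basis of cross-site tracing / XST) without showing what the check actually looks at. The following is an added example written for this page; it is not code from the post's author, from anyaudio.net, or from samtupy.com, and it never touches a network. The hostname `example.invalid` is a placeholder, and the HTTP responses are constructed by hand to stand in for a server with Apache's `TraceEnable On` (the default) versus `TraceEnable Off`. The functions build the raw TRACE request a scanner would send, parse a raw HTTP/1.x response, and decide whether TRACE is enabled from the strong signal (a 200 with `message/http` that echoes the request back) and the weaker one (TRACE listed in an OPTIONS `Allow` header); a last helper shows the XST payoff, the echoed `Cookie` header.

```python
# Added example for this page (not the post author's or the site's code).
# Offline check for "HTTP tracing enabled" (OSVDB-877 / XST). All inputs
# below are constructed; example.invalid is a placeholder host.
from typing import Dict, Optional, Tuple


def build_trace_request(host: str, path: str = "/", cookie: Optional[str] = None) -> bytes:
    """Build the raw TRACE request a scanner (e.g. nikto) would send."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}"]
    if cookie:
        # A browser would attach its session cookie; TRACE echoes it back.
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw_response: bytes, request: bytes) -> bool:
    """Strong signal: 200, Content-Type message/http, and our request echoed in the body."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    ctype = headers.get("content-type", "")
    return ctype.startswith("message/http") and request.strip() in body


def trace_allowed_by_options(raw_options_response: bytes) -> bool:
    """Weaker signal: the Allow header of an OPTIONS response advertises TRACE."""
    _, headers, _ = parse_response(raw_options_response)
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return "TRACE" in methods


def leaked_cookie(raw_response: bytes) -> Optional[str]:
    """If the echoed request carries a Cookie header, return it: that is the XST payoff."""
    _, _, body = parse_response(raw_response)
    for line in body.decode("iso-8859-1").split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


HOST = "example.invalid"  # placeholder, not a real target
REQ = build_trace_request(HOST, cookie="PHPSESSID=abc123")  # constructed cookie

# Constructed response from a server that still has TraceEnable On: it echoes the request.
VULNERABLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: " + str(len(REQ)).encode() + b"\r\n\r\n" + REQ
)
# Constructed response after the Apache fix `TraceEnable Off` in httpd.conf.
HARDENED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed OPTIONS response that advertises TRACE in Allow.
OPTIONS_VULN = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("TRACE enabled (vulnerable sample):", trace_enabled(VULNERABLE, REQ))
    print("TRACE enabled (hardened sample):", trace_enabled(HARDENED, REQ))
    print("OPTIONS advertises TRACE:", trace_allowed_by_options(OPTIONS_VULN))
    print("Cookie echoed back:", leaked_cookie(VULNERABLE))
```

The echo check is the one that matters: an `Allow` header can be wrong in either direction, but a 200 `message/http` body containing your own request bytes means the server really does reflect headers, cookie included, which is why the finding is rated as it is and why `TraceEnable Off` (Apache) or the equivalent on other servers is the fix rather than just hiding the method from OPTIONS.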