2019-01-05 11:27:43 (edited by EternalGamer 2019-01-05 11:29:16)

Hi!
Is it true that forum.audiogames.net does not force https, even on the login page, thus potentially exposing passwords?
If so, I recommend this hole be closed asap so we can all live happily everafter.
In the meantime, everyone should update their bookmarks to https://forum.audiogames.net/
Sorry for the alarmist tone but it's for valid reasons.
Greetings,
EG

In the hands of a gamer, word becomes weapon, argument becomes shield, and life becomes a quest.

2019-01-05 11:31:14

yes it is and i agree

2019-01-05 13:33:52

I think this topic should be moved.

2019-01-05 13:34:55

Hi.
I agree as well. But, the thing is: The moderators can't fix that on their own. They need to contact the guy who are hosting the site.

Best regards SLJ.
Feel free to contact me privately if you have something in mind. If you do so, then please send me a mail instead of using the private message on the forum, since I don't check those very often.
Facebook: https://facebook.com/sorenjensen1988
Twitter: https://twitter.com/soerenjensen

2019-01-06 07:01:52

Darn it, was hoping for someone to go on some 20 page long thingy about security in this topic.

2019-01-06 11:18:38

I honestly don't see the big deal.  this site does not hold any sensitive information.  It's a public forum and user accounts don't store any personal information.  Forcing people to use ssl is great, when it's needed, but it isn't really needed here. 
That being said, I wouldn't exactly be against being forced to use ssl.  I'm all for it.  I just don't think people should start freaking out about it or anything.
Sorry if this is very disjointed.  It's like 2 in the morning and I'm half asleep at my keyboard.

I'm probably gonna get banned for this, but...

2019-01-06 11:56:29 (edited by EternalGamer 2019-01-06 12:00:41)

Hi!
Here is a good explanation why it matters, even for sites with little or no sensitive data:
https://developers.google.com/web/funda … /why-https
No reason to panic if you:
1. Don't use the same password on different sites, and
2. check with people personally if you think something is weird.
Best,
EG

In the hands of a gamer, word becomes weapon, argument becomes shield, and life becomes a quest.

2019-01-06 12:09:56

@aaron77: I get your point, but I don't agree.
The forum can be hacked, which means:
1. Hackers can post from your account.
2. Everything can be screwed up if the admin accounts gets hacked. All posts and rooms can be hacked.

Best regards SLJ.
Feel free to contact me privately if you have something in mind. If you do so, then please send me a mail instead of using the private message on the forum, since I don't check those very often.
Facebook: https://facebook.com/sorenjensen1988
Twitter: https://twitter.com/soerenjensen

2019-01-06 14:29:56

Not just that SLJ, Passwords. If you use the same password for multiple sites.....ya.

Warning: Grumpy post above
Also on Linux natively

2019-01-06 20:10:57 (edited by Chris 2019-01-06 20:26:03)

I agree that the site should default to HTTPS. Someone needs to contact Sander who I believe is the owner/maintainer of the website. By the way, this should be moved to the off-topic or site feedback areas of the site.

You can also get free SSL certificates that automatically renew every 90 days from https://letsencrypt.org/

Grab my Adventure at C: stages Right here.

2019-01-06 20:24:26

I have already brought this topic up in this topic over here.

To the last several posts, the matter of the forum using https has no baring on whether the forum can be hacked or accounts compromised. sites are hacked all the time and accounts taken over everyday on sites that have https. This does not mean that it doesn't matter.

One thing that https or tls gives a site is a defense against middleman spoofing attacks. This also doesn't mean that it still couldn't happen, as this happens to Google and Microsoft 365 sites all the time, but it is one defense. Also, with https a site doesn't have to worry that it's pages  aren't being tampered with in transit from the webserver to the visiter's browser. A non-https page has no guarantee. This is apart of a middleman attack.

I don’t believe in fighting unnecessarily.  But if something is worth fighting for, then its always a fight worth winning.
check me out on Twitter and on GitHub

2019-01-06 21:09:08

The odd thing is that the main site does allow you to switch to HTTPS, but the forum doesn't and redirects to HTTP. So it seems that a certificate might be there but the implementation is incomplete.

Oh no! Somebody released the h key! Everybody run and hide!

2019-01-06 23:26:28

I think it's a good time to remind people, ssl or not, for the love of all that's good get a password manager. In this day and age there is simply no excuse to use the same password on every site. To give you a good example, an extra 5 or some minutes of setting up a new phone/factory wiping is spent typing in my google password. I agree the site should force https, but since same passwords were brought up I thought I'd remind folks.

2019-01-07 00:18:25

The fact of the matter is, SSL or not, if you're using the same password for everything, you're screwed.  It doesn't matter how secure your connection to the site is. 
Keep in mind that this forum is over a decade old, and it hasn't been managed by a group of administrators.  It's one or two guys that keep it running for the sake of the community but otherwise are pretty hands off, from my understanding.
I'm betting that none of the data on the forum is even encrypted in the first place, though I could be wrong.  If that is the case though, ssl will do nothing to improve it, as all a hacker has to do is find a way to acquire the database if they even care to.

I'm probably gonna get banned for this, but...

2019-01-07 00:34:16

exactly Aaron77. while https would be nice, and it can help in many cases, it is not the be all end all of security solutions.

I don’t believe in fighting unnecessarily.  But if something is worth fighting for, then its always a fight worth winning.
check me out on Twitter and on GitHub

2019-01-07 00:41:03

The only thing I fear will push the admins over the edge is if browsers stoped connecting to http sites by default. But then knowing the blindy community, people will just say never update your browser past some future version of chrome or Firefox. Which is way worse and much more insecure than browsing to one http site.

I don’t believe in fighting unnecessarily.  But if something is worth fighting for, then its always a fight worth winning.
check me out on Twitter and on GitHub

2019-01-09 20:21:17

Even if someone got the database, PunBB passwords are protected by not only hashing the password but also salting it. I don't remember where the code is to hash PunBB passwords since it's been quite a few years since I've had to poke in their source code but I do remember feeling more secure after seeing how they encrypt their passwords.

SSL will not protect the database from being hacked. It's only meant to secure the connection from your browser to the server.

As far as "not having any sensitive information," I disagree with this philosophy, since people are entering passwords here. Hell, I had the TDV account logins go over SSL when it was commercial (both for the website and for the server) for this very reason. Anywhere where there is a password involved, you should consider it as containing sensitive information, or eventually we'll be saying that "well, this site only asks for your ssn, so it doesn't handle sensitive information."

The rule of thumb in the software world is to always assume the user is not smart and to do what you can to protect the user. So we can't assume that people on here are actually smart and do use different passwords. Not everyone will have a "fun-only, throwaway password" for things like AG like I do.

2019-01-10 01:56:53

There is an ssl cert on the site (installed in 2018), but it is not used for the actually sensitive page, namely login.
@aaron77:
https://www.troyhunt.com/heres-why-your … eds-https/

2019-01-14 11:49:11

Hi, the site and forum should now automatically enforce https.
There used to be an issue that caused errors when posting to the forum (and today I found out that only occurred for admins and moderators).

2019-01-14 13:26:33

Holy cow! I honestly thought this would never happen.

I don’t believe in fighting unnecessarily.  But if something is worth fighting for, then its always a fight worth winning.
check me out on Twitter and on GitHub

2019-01-14 21:08:23

Speaking of "security," here's the strange message I get when "only!" using the "Seamonkey" browser on Windows 10 with this entire site.
The version is 2.4.9:

403 Forbidden
Request forbidden by administrative rules.

2019-01-15 04:01:20

Well, here's nother weird one! This time, while loging in to this site using the Opera Browser:

400 Bad Request
The plain HTTP request was sent to HTTPS port

cloudflare

2019-01-15 11:25:18

queenslight wrote:

Well, here's nother weird one! This time, while loging in to this site using the Opera Browser:

400 Bad Request
The plain HTTP request was sent to HTTPS port

cloudflare

After submitting the login credentials, go to:
https://forum.audiogames.net/

I confirmed this issue and was logged in in spite of the error message.
I'm currently updating the webhost SSL certificate to overcome these problems.

2019-01-15 11:30:55

i get this error on my iphone, useing safari
Error 525 Ray ID: 49974f992f32c869 • 2019-01-15 09:28:13 UTC
SSL handshake failed
You
Browser Working
Amsterdam
Cloudflare Working
forum.audiogames.net
Host
Error
What happened?
Cloudflare is unable to establish an SSL connection to the origin server.
What can I do?
If you're a visitor of this website:
Please try again in a few minutes.
If you're the owner of this website:
It appears that the SSL configuration used is not compatible with Cloudflare. This could happen for a several reasons, including no shared cipher suites. Additional troubleshooting information here.
Cloudflare Ray ID: 49974f992f32c869
Your IP: 95.184.23.219
Performance & security by Cloudflare
i got it one time though

2019-01-15 21:58:19

mazen wrote:

i get this error on my iphone, useing safari
Error 525 Ray ID: 49974f992f32c869 • 2019-01-15 09:28:13 UTC
SSL handshake failed
i got it one time though

Hi! I adapted the settings, which took a few seconds to update.