[ANSWERED] Are we ever going to get TLS on this site?


Re: Are we ever going to get TLS on this site?

by A_Tin_Can » Mon Jan 29, 2018 11:47 am

The answer to the question in the OP is "probably not", I'm afraid.

Re: Are we ever going to get TLS on this site?

by peterlund » Mon Jan 15, 2018 7:59 pm

One main reason for TLS is that you do REALLY NOT like to send passwords of any kind (not even webdip passwords) on an unencrypted line, since people tend to reuse passwords on multiple sites.

The CA part is less important as long as people trust the site.

Re: Are we ever going to get TLS on this site?

by Kremmen » Mon Jan 15, 2018 1:28 am

One of the problems with these alarmist "it's possible" scenarios is that they fail to consider the real likelihood of anyone spending the massive resources necessary. When you visit your local shop, there could be a dozen armed men there waiting to abduct a random person and hold them for ransom, who happens to be you. There could, but it's really unlikely. They're going to target someone they know, who's of high value. Unknown people with unknown hardware with unknown value to a criminal? There are a hell of a lot better targets to hack than this web site.

Re: Are we ever going to get TLS on this site?

by jmo1121109 » Mon Jan 15, 2018 12:20 am

And that's excellent for you. You're still hackable, literally everyone is if you're a target. If you're honestly concerned that people are going to target you specifically on unsecured networks to install malicious code on your machine then please don't use us on unsecured networks. I would advise not using your banking over a public network, but to each their own.

The issue discovered a couple days ago requires physical access to a laptop or device, but does give access in a stunningly short amount of time. https://mspoweruser.com/new-intel-issue ... 0-seconds/ There are a million and one ways for someone to compromise your computer quickly with minimal effort.

Anyways, posting what *is* alarmist style posts is not the correct way to get changes done when I've already directed you to the issues location on our open source repository. You're welcome to post there or contact the mod team about the problem.

Re: Are we ever going to get TLS on this site?

by Aereaux » Mon Jan 15, 2018 12:03 am

I don't think that it's alarmist. This is a real thing that could happen. You mentioned meltdown and spectre, without saying how exactly they are relevant. For each, an attacker needs to be able to execute code on my machine. This is where javascript comes into play. For most websites, I disable javascript using the NoScript browser extension, to mitigate spectre and other possible problems. I whitelist some websites that I use that make extensive use of javascript, so that I can use them. Most of the sites that I do this for are delivered over https, so I can be reasonably sure that the code that my browser receives to execute is the code that the website meant to send me. Because webdip requires javascript, I whitelist javascript here, but as it is delivered over http someone could, as described before, add hostile javascript code that takes advantage of spectre or some other problem to escape the sandbox that my browser runs the javascript code in. This could be mitigated by delivering the site over https.

I'd be perfectly fine doing banking over unsecured WiFi, as my bank's website uses https to communicate with my browser. Meltdown, spectre, and other similar problems have many effects, and delivering this website over https would mitigate one of them. I don't think it is a problem with me or whatever connection I am using, it is a problem with the website not supporting a secure protocol. Even if I am on my home WiFi, I don't control all of the computers routing my traffic between me and the site, so I can't totally trust that connection either.

I am not too familiar with how webdip is hosted, and how hard it would be to tell it to use a TLS certificate, but if there is anything I can help with by contributing to the code, let me know.

PS: Would you mind pointing me to the problem that was found two days ago? I don't think I heard about that one.
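
Added example, not part of the thread or of the webDiplomacy code: a small audit that takes a page's URL and HTML and reports the two exposures raised in the posts above, password forms that submit over plain HTTP and scripts delivered over plain HTTP, where anyone on the path could read or alter them. The sample page and the `forum.example` and `cdn.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class CleartextAudit(HTMLParser):
    """Flag password forms and scripts that travel over plain HTTP (https is left alone)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []        # ordered, de-duplicated (kind, url) pairs
        self.form_action = None   # absolute action of the form being parsed

    def _flag(self, kind, url):
        if urlsplit(url).scheme == "http" and (kind, url) not in self.findings:
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and self.form_action is not None:
            if (a.get("type") or "").lower() == "password":
                self._flag("password-form", self.form_action)
        elif tag == "script":
            # Inline scripts (no src) arrive with the page, so use its URL.
            self._flag("script", urljoin(self.page_url, a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    parser = CleartextAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<script src="/javascript/utility.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body><form action="index.php" method="post">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for kind, url in audit("http://forum.example/login.php", SAMPLE):
        print(kind, url)
```

Served from an `https://` URL the same markup produces no findings, because the relative script and form URLs inherit the page's scheme.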

Re: Are we ever going to get TLS on this site?

by jmo1121109 » Sun Jan 14, 2018 11:28 pm

Aereaux wrote:
Sun Jan 14, 2018 7:05 pm
Jamiet99uk wrote:
Sun Jan 14, 2018 6:59 pm
Is this true? Is webDip particularly vulnerable to viruses?
It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.
Feel free to take the alarmist mentality elsewhere. Every single site, http or https is vulnerable right now due to the various problems like meltdown and spectre. Not to mention yet another one found 2 days ago. Don't use unsecured wifi's with your banking devices. That is computer security 101.

Those aren't the site being vulnerable though, it's you being vulnerable when you're using a public wifi connection that someone else controls. There has yet to be in over 10 years, any security issue involving this site excepting someone finding a flaw that let them post while silenced (which was corrected).

That said, we're an open source repository that you're welcome to contribute to if you find anything not up to speed and want to help, then please do so. Issues can be submitted here: https://github.com/kestasjk/webDiplomacy

Re: Are we ever going to get TLS on this site?

by Jamiet99uk » Sun Jan 14, 2018 9:35 pm

I'm deeply concerned and frankly quite shocked.

Re: Are we ever going to get TLS on this site?

by Aereaux » Sun Jan 14, 2018 7:05 pm

Jamiet99uk wrote:
Sun Jan 14, 2018 6:59 pm
Is this true? Is webDip particularly vulnerable to viruses?
It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.

Re: Are we ever going to get TLS on this site?

by Jamiet99uk » Sun Jan 14, 2018 6:59 pm

Aereaux wrote:
Sun Jan 14, 2018 6:49 pm
That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.
Is this true? Is webDip particularly vulnerable to viruses?

Re: Are we ever going to get TLS on this site?

by Aereaux » Sun Jan 14, 2018 6:49 pm

That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.

Re: Are we ever going to get TLS on this site?

by jmo1121109 » Sun Jan 14, 2018 6:21 pm

Yeah I don't really see a need for this either considering the type of information the site stores we aren't a worthwhile target for any effort based attack. There's nothing to steal...all donation info is handled externally.

Re: Are we ever going to get TLS on this site?

by Jamiet99uk » Sun Jan 14, 2018 4:51 pm

I still don't think Kestas is very interested.

Re: Are we ever going to get TLS on this site?

by Aereaux » Sun Jan 14, 2018 4:46 pm

By you I mean in general. And you don't need to, because it's free.

Re: Are we ever going to get TLS on this site?

by Jamiet99uk » Sun Jan 14, 2018 4:43 pm

I'm not going to pay them anything.

Re: Are we ever going to get TLS on this site?

by Aereaux » Sun Jan 14, 2018 4:39 pm

50% of the amount you pay them.

Re: Are we ever going to get TLS on this site?

by Jamiet99uk » Sun Jan 14, 2018 4:36 pm

How much commission will you receive from LetsEncrypt if you can seal this deal?

Re: Are we ever going to get TLS on this site?

by Aereaux » Sun Jan 14, 2018 4:14 pm

LetsEncrypt is a genuine, respected CA, sponsored by major tech organizations (including the EFF and Mozilla). I think that they automate most of the process of getting a certificate, which makes it cheaper. Frankly, I'd trust LetsEncrypt certificates over many other CAs, and there really is no downside to getting a certificate for this site. This is pretty much the last site that I use that doesn't support TLS, and if you need a specific use case for this, the app that I would like to use for accessing webdip on my phone (so I don't need to start up a full browser) only supports HTTPS. Anyways, even if this site wouldn't itself be a target of MITM attacks, people (especially on insecure or untrusted WiFi networks) could inject javascript code to attack vulnerabilities or mine cryptocurrency.

Re: Are we ever going to get TLS on this site?

by kestasjk » Sun Jan 14, 2018 3:34 pm

And if it was considered of real value we could afford a proper certificate from a genuine CA, however I personally think it would be a waste of donor cash. I just don't consider this site a real target for the MITM attacks that TLS would guard against.

Re: Are we ever going to get TLS on this site?

by kestasjk » Sun Jan 14, 2018 3:32 pm

Certificates are free with trustycertificates.ru as well, the question is are they a respected certificate authority, and how can they actually validate people for free?

Re: Are we ever going to get TLS on this site?

by RagingIke297 » Thu Jan 04, 2018 9:01 pm

My computer was very unhappy with me when I wanted to allow mafia.peterlund.se to sign its own certs
