[ANSWERED] Are we ever going to get TLS on this site?

Members can make suggestions for improving the site and improving the forum as well as submit bug reports to be reviewed by our support team here.
Message
Author
Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

[ANSWERED] Are we ever going to get TLS on this site?

#1 Post by Aereaux » Thu Jan 04, 2018 4:11 pm

Certificates are free with LetsEncrypt.

peterlund
Gold Donator
Gold Donator
Posts: 1039
Joined: Thu Oct 19, 2017 4:52 pm
Location: Sverige
Karma: 369
Contact:

Re: Are we ever going to get TLS on this site?

#2 Post by peterlund » Thu Jan 04, 2018 8:44 pm

Interesting stuff indeed! First time I heard about a free CA. I will check it out for my mafia bot that currently uses self signed certs when GMs login...

RagingIke297
Posts: 2282
Joined: Fri Sep 29, 2017 3:35 pm
Location: Locked in Bo_Sox's Basement
Karma: 849
Contact:

Re: Are we ever going to get TLS on this site?

#3 Post by RagingIke297 » Thu Jan 04, 2018 9:01 pm

My computer was very unhappy with me when I wanted to allow mafia.peterlund.se to sign its own certs

kestasjk
Co-Owner
Co-Owner
Posts: 261
Joined: Tue Mar 14, 2017 8:13 pm
Location: Perth, Australia
Karma: 528
Contact:

Re: Are we ever going to get TLS on this site?

#4 Post by kestasjk » Sun Jan 14, 2018 3:32 pm

Certificates are free with trustycertificates.ru as well, the question is are they a respected certificate authority, and how can they actually validate people for free?

kestasjk
Co-Owner
Co-Owner
Posts: 261
Joined: Tue Mar 14, 2017 8:13 pm
Location: Perth, Australia
Karma: 528
Contact:

Re: Are we ever going to get TLS on this site?

#5 Post by kestasjk » Sun Jan 14, 2018 3:34 pm

And if it was considered of real value we could afford a proper certificate from a genuine CA, however I personally think it would be a waste of donor cash. I just don't consider this site a real target for the MITM attacks that TLS would guard against.

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#6 Post by Aereaux » Sun Jan 14, 2018 4:14 pm

LetsEncrypt is a genuine, respected CA, sponsored by major tech organizations (including the EFF and Mozilla). I think that they automate most of the process of getting a certificate, which makes it cheaper. Frankly, I'd trust LetsEncrypt certificates over many other CAs, and there really is no downside to getting a certificate for this site. This is pretty much the last site that I use that doesn't support TLS, and if you need a specific use case for this, the app that I would like to use for accessing webdip on my phone (so I don't need to start up a full browser) only support HTTPS. Anyways, even if this site wouldn't itself be a target of MITM attacks, people (especially on insecure or untrusted WiFi networks) could inject javascript code to attack vulnerabilities or mine cryptocurrency.

Jamiet99uk
Posts: 22430
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 14601
Contact:

Re: Are we ever going to get TLS on this site?

#7 Post by Jamiet99uk » Sun Jan 14, 2018 4:36 pm

How much commission will you receive from LetsEncrypt if you can seal this deal?

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#8 Post by Aereaux » Sun Jan 14, 2018 4:39 pm

50% of the amount you pay them.

Jamiet99uk
Posts: 22430
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 14601
Contact:

Re: Are we ever going to get TLS on this site?

#9 Post by Jamiet99uk » Sun Jan 14, 2018 4:43 pm

I'm not going to pay them anything.

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#10 Post by Aereaux » Sun Jan 14, 2018 4:46 pm

By you I mean in general. And you don't need to, because it's free.

Jamiet99uk
Posts: 22430
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 14601
Contact:

Re: Are we ever going to get TLS on this site?

#11 Post by Jamiet99uk » Sun Jan 14, 2018 4:51 pm

I still don't think Kestas is very interested.

jmo1121109
Developer
Developer
Posts: 1094
Joined: Fri Sep 29, 2017 4:20 pm
Karma: 2919
Contact:

Re: Are we ever going to get TLS on this site?

#12 Post by jmo1121109 » Sun Jan 14, 2018 6:21 pm

Yeah I don't really see a need for this either considering the type of information the site stores we aren't a worthwhile target for any effort based attack. There's nothing to steal...all donation info is handled externally.

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#13 Post by Aereaux » Sun Jan 14, 2018 6:49 pm

That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.

Jamiet99uk
Posts: 22430
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 14601
Contact:

Re: Are we ever going to get TLS on this site?

#14 Post by Jamiet99uk » Sun Jan 14, 2018 6:59 pm

Aereaux wrote:
Sun Jan 14, 2018 6:49 pm
That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.
Is this true? Is webDip particularly vulnerable to viruses?

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#15 Post by Aereaux » Sun Jan 14, 2018 7:05 pm

Jamiet99uk wrote:
Sun Jan 14, 2018 6:59 pm
Is this true? Is webDip particularly vulnerable to viruses?
It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.

Jamiet99uk
Posts: 22430
Joined: Sat Dec 30, 2017 11:42 pm
Location: Durham, UK
Karma: 14601
Contact:

Re: Are we ever going to get TLS on this site?

#16 Post by Jamiet99uk » Sun Jan 14, 2018 9:35 pm

I'm deeply concerned and frankly quite shocked.

jmo1121109
Developer
Developer
Posts: 1094
Joined: Fri Sep 29, 2017 4:20 pm
Karma: 2919
Contact:

Re: Are we ever going to get TLS on this site?

#17 Post by jmo1121109 » Sun Jan 14, 2018 11:28 pm

Aereaux wrote:
Sun Jan 14, 2018 7:05 pm
Jamiet99uk wrote:
Sun Jan 14, 2018 6:59 pm
Is this true? Is webDip particularly vulnerable to viruses?
It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.
Free free to take the alarmist mentality elsewhere. Every single site, http or https is vulnerable right now due to the various problems like meltdown and spectre. Not to mention yet another one found 2 days ago. Don't use unsecured wifi's with your banking devices. That is computer security 101.

Those aren't the site being vulnerable though, it's you being vulnerable when you're using a public wifi connection that someone else controls. There has yet to be in over 10 years, any security issue involving this site excepting someone finding a flaw that let them post while silence (which was corrected).

That said, we're an open source repository that you're welcome to contribute too if you find anything not up to speed and want to help, then please do so. Issues can be submitted here: https://github.com/kestasjk/webDiplomacy

Aereaux
Posts: 50
Joined: Sun Dec 31, 2017 12:28 am
Karma: 4

Re: Are we ever going to get TLS on this site?

#18 Post by Aereaux » Mon Jan 15, 2018 12:03 am

I don't think that it's alarmist. This is a real thing that could happen. You mentioned meltdown and spectre, without saying how exactly they are relevant. For each, an attacker needs to be able to execute code on my machine. This is where javascript comes into play. For most websites, I disable javascript using the NoScript browser extension, to mitigate spectre and other possible problems. I whitelist some websites that I use that make extensive use of javascript, so that I can use them. Most of the sites that I do this for are delivered over https, so I can be reasonably sure that the code that my browser receives to execute is the code that the website meant to send me. Because webdip requires javascript, I whitelist javascript here, but as it is delivered over http someone could, as described before, add hostile javascript code that takes advantage of spectre or some other problem to escape the sandbox that my browser runs the javascript code in. This could be mitigated by delivering the site over https.

I'd be perfectly fine doing banking over unsecured WiFi, as my bank's website uses https to communicate with my browser. Meltdown, spectre, and other similar problems have many effects, and delivering this website over https would mitigate one of them. I don't think it is a problem with me or whatever connection I am using, it is a problem with the website not supporting a secure protocol. Even if I am on my home WiFi, I don't control all of the computers routing my traffic between me and the site, so I can't totally trust that connection either.

I am not too familiar with how webdip is hosted, and how hard it would be to tell it to use a TLS certificate, but if there is anything I can help with by contributing to the code, let me know.

PS: Would you mind pointing me to the problem that was found two days ago? I don't think I heard about that one.

jmo1121109
Developer
Developer
Posts: 1094
Joined: Fri Sep 29, 2017 4:20 pm
Karma: 2919
Contact:

Re: Are we ever going to get TLS on this site?

#19 Post by jmo1121109 » Mon Jan 15, 2018 12:20 am

And that's excellent for you. You're still hackable, literally everyone is if you're a target. If you're honestly concerned that people are going to target you specifically on unsecured networks to install malicious code on your machine then please don't use us on unsecured networks. I would advise not using your banking over a public network, but to each their own.

The issue discovered a couple days ago requires physical access to a laptop or device, but does give access in a stunningly short amount of time. https://mspoweruser.com/new-intel-issue ... 0-seconds/ There are a million and one ways for someone to compromise your computer quickly with minimal effort.

Anyways, posting what *is* alarmist style posts is not the correct way to get changes done when I've already directed you to the issues location on our open source repository. You're welcome to post there or contact the mod team about the problem.

Kremmen
Posts: 53
Joined: Sun Dec 31, 2017 2:14 am
Karma: 41

Re: Are we ever going to get TLS on this site?

#20 Post by Kremmen » Mon Jan 15, 2018 1:28 am

One of the problems with these alarmist "it's possible" scenarios is that they fail to consider the real likelihood of anyone spending the massive resources necessary. When you visit your local shop, there could be a dozen armed men there waiting to abduct a random person and hold them for ransom, who happens to be you. There could, but it's really unlikely. They're going to target someone they know, who's of high value. Unknown people with unknown hardware with unknown value to a criminal? There are a hell of a lot better targets to hack than this web site.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest