SubSim.com and SSL

[CDR DPH]

Are there any plans to implement https (or get it working again)?

Not a lot of personal info at risk here but we are submitting passwords at login. A serious website that doesn't offer https connections is a rarity these days.

Rgds.

[Eichhörnchen]

I think I only worry about a site not having a SSL cert if I'm buying from them online; I don't know whether a repeat subscription to Subsim counts as such...

[CDR DPH]

I don't see no SSL as a deal breaker here on SubSim even if my ISP or "the 5 Eyes" can intercept my posts. However, for those that use similar logons on other sites (I know, they have been told umpteen times not to do this), someone being able to snag logon credentials being sent in the clear could contribute to a compromised account somewhere else.

[Eichhörnchen]

I don't understand all of this anyway, so the only way I feel more relaxed about things is not to do any business online which requires me to divulge my main credi/debit card numbers; we keep a separate bank account for buying stuff on ebay which never has much money in it... only £30 or so at the most.

I don't keep any money in my business or personal Paypal accounts either

But if people want to steal my identity well I think they'll probably have plenty of other ways to do that... and in the UK our banks are obliged to refund any funds fraudulently removed from your account just so long as you haven't been reckless over security

[Onkel Neal]

I've been meaning to switch, but it will require a sizable time commitment, so hopefully I can schedule some vacation time off from work.

[Catonga]

Quote:

Originally Posted by CDR DPH

Are there any plans to implement https (or get it working again)?

Not a lot of personal info at risk here but we are submitting passwords at login. A serious website that doesn't offer https connections is a rarity these days.

Rgds.

I agree.
With "Let's encrypt" certificates there is really no excuse today to not use SSL encryption.
You can get a "let's encrypt certifcate" for free:
https://letsencrypt.org/
https://en.wikipedia.org/wiki/Let%27s_Encrypt


Also, if i enter https:// in front of the forum url, i get a certifacte error because the used certificate is only for the domains server.subsim.com and www.server.subsim.com, but not www.subsim.com.

You can try it on your own, this is the link:
https://www.subsim.com/radioroom/index.php

And this is the error message:
SSL_ERROR_BAD_CERT_DOMAIN

Without ssl, passwords can be read in cleartext and thus accounts can be stolen.
If an intruder does have the accounts, he also does have the email address related to the account and then the email address will be used for spam.


This should really be changed and because the server is also communicating with people from the EU it is also a must, according to the "General Data Protection Regulation" which is a law, where violating against it can get very expensive. Even if the server is not in the EU.

Read here for more information:
https://en.wikipedia.org/wiki/Genera...ion_Regulation

[Onkel Neal]

I converted Subsim to https security, let me know if you have any issues.

[Catonga]

Thanks, the most important part of the website seems to be encrytped now.
But you are still using mixed content, which means, one part is encrypted via https but the other part is not.


This for example is listed in the developer mode of Firefox in the console as warning messages when loading this page:

Code:

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/ranks/gunner.jpg” on a secure pageshowthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=9932” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=6331” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...14_small2.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...f_2017_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...come_icon.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...ks/gunner.jpg” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=9932” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=6331” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...14_small2.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...f_2017_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...come_icon.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=7827” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ctureid=10285” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...s/swabbie.jpg” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=7827” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ctureid=10285” on a secure page
showthread.php

Although this other part consistent only of passive data like images and not active data like javascript files but an attacker could still compromise these passive data.
He could for example exchange the images with others.
And, much more worse, if the browser engine of a user does have a security bug in the image processing part, he could use that to brake into the users browser process by manipulating the image data that is sent to the user.

To fix this, you will need to put a https before all the image loading urls in your html and php code.

Here are some more infos about that topic:


And here:
https://support.mozilla.org/en-US/kb...ocking-firefox

[Onkel Neal]

Yes, thanks, I am still working on it. 1600 files have to be opened and converted, it's a long process

I love the video about using https, looks like google.com/au is still using http

How about another evaluation? What does your dev console tell you now?