SUBSIM Radio Room Forums


SUBSIM: The Web's #1 BBS for all submarine and naval simulations since 1997

Go Back   SUBSIM Radio Room Forums > General > Comments to SUBSIM Review
Forget password? Reset here

Reply
 
Thread Tools Display Modes
Old 01-07-2019, 02:04 PM   #1
CDR DPH
Gunner
 
Join Date: Jun 2018
Posts: 97
Downloads: 18
Uploads: 0


Default SubSim.com and SSL

Are there any plans to implement https (or get it working again)?

Not a lot of personal info at risk here but we are submitting passwords at login. A serious website that doesn't offer https connections is a rarity these days.

Rgds.
CDR DPH is offline   Reply With Quote
Old 01-12-2019, 04:12 AM   #2
Eichhörnchen
Starte Das Auto
 
Eichhörnchen's Avatar
 
Join Date: Aug 2014
Location: The Fens
Posts: 12,036
Downloads: 5
Uploads: 0


Default

I think I only worry about a site not having a SSL cert if I'm buying from them online; I don't know whether a repeat subscription to Subsim counts as such...
__________________
<img src=http://www.subsim.com/radioroom/image.php?type=sigpic&userid=329818&dateline=1428780552 border=0 alt= />
Eichhörnchen is online   Reply With Quote
Old 01-18-2019, 04:50 PM   #3
CDR DPH
Gunner
 
Join Date: Jun 2018
Posts: 97
Downloads: 18
Uploads: 0


Default

I don't see no SSL as a deal breaker here on SubSim even if my ISP or "the 5 Eyes" can intercept my posts. However, for those that use similar logons on other sites (I know, they have been told umpteen times not to do this), someone being able to snag logon credentials being sent in the clear could contribute to a compromised account somewhere else.
CDR DPH is offline   Reply With Quote
Old 01-19-2019, 05:58 AM   #4
Eichhörnchen
Starte Das Auto
 
Eichhörnchen's Avatar
 
Join Date: Aug 2014
Location: The Fens
Posts: 12,036
Downloads: 5
Uploads: 0


Default

I don't understand all of this anyway, so the only way I feel more relaxed about things is not to do any business online which requires me to divulge my main credi/debit card numbers; we keep a separate bank account for buying stuff on ebay which never has much money in it... only £30 or so at the most.

I don't keep any money in my business or personal Paypal accounts either

But if people want to steal my identity well I think they'll probably have plenty of other ways to do that... and in the UK our banks are obliged to refund any funds fraudulently removed from your account just so long as you haven't been reckless over security
__________________
<img src=http://www.subsim.com/radioroom/image.php?type=sigpic&userid=329818&dateline=1428780552 border=0 alt= />
Eichhörnchen is online   Reply With Quote
Old 01-22-2019, 05:12 PM   #5
Onkel Neal
Born to Run Silent
 
Onkel Neal's Avatar
 
Join Date: Jan 1997
Location: Cougar Trap, Texas
Posts: 17,836
Downloads: 397
Uploads: 200


Default

I've been meaning to switch, but it will require a sizable time commitment, so hopefully I can schedule some vacation time off from work.
__________________
Would you like to join my Wolfpack crew? Friend me on STEAM, my username is SUBSIM.
Good hunting and don't forget to close the hatch!

Onkel Neal is online   Reply With Quote
Old 02-11-2019, 01:03 PM   #6
Catonga
Swabbie
 
Join Date: Nov 2002
Posts: 6
Downloads: 2
Uploads: 0
Default

Quote:
Originally Posted by CDR DPH View Post
Are there any plans to implement https (or get it working again)?

Not a lot of personal info at risk here but we are submitting passwords at login. A serious website that doesn't offer https connections is a rarity these days.

Rgds.
I agree.
With "Let's encrypt" certificates there is really no excuse today to not use SSL encryption.
You can get a "let's encrypt certifcate" for free:
https://letsencrypt.org/
https://en.wikipedia.org/wiki/Let%27s_Encrypt


Also, if i enter https:// in front of the forum url, i get a certifacte error because the used certificate is only for the domains server.subsim.com and www.server.subsim.com, but not www.subsim.com.

You can try it on your own, this is the link:
https://www.subsim.com/radioroom/index.php

And this is the error message:
SSL_ERROR_BAD_CERT_DOMAIN

Without ssl, passwords can be read in cleartext and thus accounts can be stolen.
If an intruder does have the accounts, he also does have the email address related to the account and then the email address will be used for spam.


This should really be changed and because the server is also communicating with people from the EU it is also a must, according to the "General Data Protection Regulation" which is a law, where violating against it can get very expensive. Even if the server is not in the EU.

Read here for more information:
https://en.wikipedia.org/wiki/Genera...ion_Regulation

Last edited by Catonga; 02-11-2019 at 01:31 PM.
Catonga is offline   Reply With Quote
Old 06-24-2019, 09:04 AM   #7
Onkel Neal
Born to Run Silent
 
Onkel Neal's Avatar
 
Join Date: Jan 1997
Location: Cougar Trap, Texas
Posts: 17,836
Downloads: 397
Uploads: 200


Default

I converted Subsim to https security, let me know if you have any issues.
__________________
Would you like to join my Wolfpack crew? Friend me on STEAM, my username is SUBSIM.
Good hunting and don't forget to close the hatch!

Onkel Neal is online   Reply With Quote
Old 06-29-2019, 11:15 AM   #8
Catonga
Swabbie
 
Join Date: Nov 2002
Posts: 6
Downloads: 2
Uploads: 0
Default

Thanks, the most important part of the website seems to be encrytped now.
But you are still using mixed content, which means, one part is encrypted via https but the other part is not.


This for example is listed in the developer mode of Firefox in the console as warning messages when loading this page:
Code:
Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/ranks/gunner.jpg” on a secure pageshowthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=9932” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=6331” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...14_small2.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...f_2017_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...come_icon.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...ks/gunner.jpg” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=9932” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=6331” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...14_small2.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...f_2017_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...of2018_sm.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...come_icon.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=7827” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ctureid=10285” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/imag...s/swabbie.jpg” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ictureid=7827” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/images/icons/icon1.png” on a secure page
showthread.php

Loading mixed (insecure) display content “http://www.subsim.com/radioroom/pict...ctureid=10285” on a secure page
showthread.php
Although this other part consistent only of passive data like images and not active data like javascript files but an attacker could still compromise these passive data.
He could for example exchange the images with others.
And, much more worse, if the browser engine of a user does have a security bug in the image processing part, he could use that to brake into the users browser process by manipulating the image data that is sent to the user.

To fix this, you will need to put a https before all the image loading urls in your html and php code.

Here are some more infos about that topic:


And here:
https://support.mozilla.org/en-US/kb...ocking-firefox
Catonga is offline   Reply With Quote
Old 07-13-2019, 03:24 PM   #9
Onkel Neal
Born to Run Silent
 
Onkel Neal's Avatar
 
Join Date: Jan 1997
Location: Cougar Trap, Texas
Posts: 17,836
Downloads: 397
Uploads: 200


Default

Yes, thanks, I am still working on it. 1600 files have to be opened and converted, it's a long process

I love the video about using https, looks like google.com/au is still using http

How about another evaluation? What does your dev console tell you now?
Attached Images
File Type: jpg Capturessssa.JPG (57.9 KB, 1 views)
__________________
Would you like to join my Wolfpack crew? Friend me on STEAM, my username is SUBSIM.
Good hunting and don't forget to close the hatch!

Onkel Neal is online   Reply With Quote
Reply

Tags
https , ssl , subsim connection

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 11:20 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright © 1995- 2019 Subsim