
Salam,

I noticed that the forum continues to work on HTTP while logging in and after it too. I'm sure someone who works on the technical side of the website understands the risks of this from a security point of view; it's not too difficult and simple to set up SSL/HTTPS if the person knows what they're doing (which they probably do, considering they run and maintain this website). I feel it's crucial, as people are expressing their personal problems & issues on the forum (which a person with the wrong intentions can use in all sorts of ways); while a lot of people do take precautions online, many don't, and this is one of the ways we are able to protect them.

Below is an explanation for those who came across the topic and aren't from a technical background:

What is SSL?

SSL (Secure Sockets Layer) is a standard technology behind establishing an encrypted connection between a web server (host) and a web browser (client). This connection between the two makes sure that all the data passed between them remain private and intrinsic. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers. If you have ever visited a website using the https:// in the address bar you were creating a secure connection via SSL. If you have an eshop or sell items via your website, SSL helps in establishing trust with your customers.

Understanding how the SSL connection protects your data

Secure SSL connection protects against intrusion

Using an SSL certificate creates an encrypted connection between the user's web browser and the web server. This means that any data transmitted between the web server and the web browser can not be read without first being decrypted. This protects the data from being spied upon by someone else on the internet because they will not be able to understand the encrypted data.

How the encrypted connection is established

Secure SSL connection illustration

There are a few basic steps that occur when you attempt to establish a secure connection. Here's a summary of the steps:

  1. You type in or select the secure URL (e.g. "https://abcdefg.com")
  2. The web server receives your request and then submits a reply that attempts to establish a trusted connection between the web browser and the web server - also called the "SSL handshake."
  3. After the SSL certificate is verified through the SSL handshake, the data transferred between the web server and web browser is encrypted to keep it private and secure.

How to tell if a site is using SSL

While the details of the SSL protocol are not displayed to the visitor, most browsers will display a lock or some other form of identification in the address bar. This will indicate if you are currently protected by an SSL encrypted session. If you would like the details of the SSL certificate you can simply click on the lock.

What does the SSL mean to visitors?

Most SSL certificates contain the domain name, company name, address, city, state, and country. A certificate also contains its expiration date and the details of the Certificate Authority (the company who issued the SSL certificate). When a browser attempts to establish an SSL connection to a website it checks to make sure the certificate is not expired, has been issued by a trusted authority, and is being used for the correct website. If any of these checks fail your web browser will display a warning letting the user know that the site is not secured by SSL.

Source: 

http://www.inmotionhosting.com/support/website/ssl/what-is-ssl-and-why-is-it-important

Let me know if I can be of any help in this regard.

Ws

@Ali


Salam Alaykum brother.

Bismillah.

Thank you so much for sharing this, I still don't know what's going on lol. Can someone change the password to my computer if the remote assistance was marked on? A while back my computer was, let's say, doing something that I knew wasn't right. I do not know who turned that on, but I did have tech support fix the slow connection, and I gave them my password so they could get on the computer; after my computer was acting up, I saw that the remote assistance was marked yes. I didn't have any problems after that. I just know the simple stuff like emailing and surfing the net, but other than that I am computer illiterate.

Wasalam.

13 hours ago, 12reasons4truth. said:

Salam Alaykum brother.

Bismillah.

Thank you so much for sharing this, I still don't know what's going on lol. Can someone change the password to my computer if the remote assistance was marked on? A while back my computer was, let's say, doing something that I knew wasn't right. I do not know who turned that on, but I did have tech support fix the slow connection, and I gave them my password so they could get on the computer; after my computer was acting up, I saw that the remote assistance was marked yes. I didn't have any problems after that. I just know the simple stuff like emailing and surfing the net, but other than that I am computer illiterate.

Wasalam.

Walaikum Salam,

I suggest you post a separate detailed topic for this in the Community Helpdesk sub-forum, as it is more appropriate that way and you're likely to get more responses. You should mention the name of your OS (Windows 7/8/8.1/Vista/XP or Mac etc.) and how remote assistance was provided (i.e. directly through the operating system's built-in remote assistance functionality or through software such as TeamViewer).


Salams.

It's an open forum where the content being posted is available for all to see online, which is the nature of an online forum. I still fail to see why encryption would be required. There are countless topics posted online advising members not to share private information and to assume everything is out in the open.

On 3/17/2016 at 6:55 PM, Ali said:

Salams.

It's an open forum where the content being posted is available for all to see online, which is the nature of an online forum. I still fail to see why encryption would be required. There are countless topics posted online advising members not to share private information and to assume everything is out in the open.

The user credentials are sent in clear text. The user's session cookies (ips4_IPSSessionFront etc.) are also sent in clear text.

Many users access the forum over public Wi-Fi, which is not encrypted. It would be trivial for an attacker to obtain the user's credentials or their session in order to impersonate them (using methods like DNS poisoning, ARP poisoning, MITM and other vectors).

Also, by continuing to use HTTP, you expose the users to attacks by state actors (Saudi/Bahrain/Pakistan intelligence) or determined attackers. An attacker can launch a MITM and replace ShiaChat's JavaScript files with ones containing malicious code, which could be used to track the user, find their identity, or compromise their other social media accounts (reflective XSS/escaping the browser sandbox).

All of this would not be possible if ShiaChat switched everything to HTTPS, since modern browsers will throw certificate errors in case of MITM or warn users when an HTTPS page loads HTTP content.

Finally, it's really hard to justify not getting a cert to make the forum secure given that it is available for zero dollars (Google: Let's Encrypt). Setting it up should be trivial (nginx has a pretty straightforward setup). And it will cost 2% more CPU (as per Google's research).

Edited by ajam123
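The clear-text cookie and plain-HTTP problems described in the post above, as an added example that is not part of the thread or of the forum software: a small audit that flags a response served over HTTP, a session cookie missing the Secure and HttpOnly attributes, and a missing Strict-Transport-Security header. The cookie name ips4_IPSSessionFront comes from the post; every header value is constructed sample data.

```python
# Added example: audits response headers for the weaknesses the post names.
# The header values below are constructed sample data, not captured traffic.
from typing import Dict, List, Tuple


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=val; Path=/; Secure; HttpOnly' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per transport-security weakness; an empty list means clean."""
    findings: List[str] = []
    if scheme.lower() != "https":
        findings.append("served over http: credentials and cookies cross the network in clear text")
    if "strict-transport-security" not in {name.lower() for name, _ in headers}:
        findings.append("no Strict-Transport-Security header: browsers will still try http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: it is also sent on http:// requests")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample: a login response as served over plain HTTP today.
HTTP_LOGIN_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "ips4_IPSSessionFront=sessionvalue123; Path=/"),
]

# Constructed sample: the same response after moving to HTTPS with hardened cookies.
HTTPS_LOGIN_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "ips4_IPSSessionFront=sessionvalue123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running audit_response over the two samples gives four findings for the HTTP version and none for the HTTPS version; the same function can be pointed at headers captured from a staging server once the certificate is installed.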

On 16/03/2016 at 10:55 PM, Ali said:

Salams.

It's an open forum where the content being posted is available for all to see online, which is the nature of an online forum. I still fail to see why encryption would be required. There are countless topics posted online advising members not to share private information and to assume everything is out in the open.

Are passwords sent in plain text?

Edited by Muhammed Ali


Salams. This forum uses md5 + salt encryption.

As for SSL, I will take your suggestions into consideration. I don't disagree, I'm just trying to see the value behind it. ShiaChat isn't the only site out there that doesn't use SSL.


Yes, you cannot send passwords securely over a web browser without using SSL. But again, that's if you have an insecure wireless network or you're connected to a LAN that has someone capturing packets with Wireshark or whatnot. A little overkill for someone trying to get your ShiaChat account. Admins should be more concerned ;)

On 2/4/2016 at 8:24 AM, ajam123 said:

Also, by continuing to use HTTP, you expose the users to attacks by state actors (Saudi/Bahrain/Pakistan intelligence) or determined attackers. An attacker can launch a MITM and replace ShiaChat's JavaScript files with ones containing malicious code, which could be used to track the user, find their identity, or compromise their other social media accounts (reflective XSS/escaping the browser sandbox).

This was very common in Pakistan in the early 2000s: Salafists set up discussion forums similar to ShiaChat to lure unwitting Shia into debates, then used all sorts of tools and social engineering to identify Shia users in order to get their addresses and assassinate them.

This was 16 years ago; imagine how advanced these maloons are now.

On 4/3/2016 at 9:14 PM, Ali said:

Salams. This forum uses md5 salted hash.

As for SSL, I will take your suggestions into consideration. I don't disagree, I'm just trying to see the value behind it. ShiaChat isn't the only site out there that doesn't use SSL.

FTFY

MD5? That is quite antiquated, given that SHA-1 has already been phased out. MD5 has been broken since around 2005. Although a salted MD5 is probably too expensive to crack, I think you should still upgrade to SHA-2.

Probably the strongest argument for SSL is the proliferation of easy-to-use sniffing/snooping tools out there. They are available to novices (script kiddies) or stalkers (which the forum warns users against). Also, the reliance of most users on Wi-Fi and their lack of understanding of network security and internet security in general. I wager that most users here use one master password for all their online accounts, including ShiaChat. Furthermore, and more importantly, administrators/moderators logging in can be victims of snooping as well.

Lastly, it's free: https://letsencrypt.org/ :)
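The password-storage point raised above, as an added example that is not code from the thread or from the forum software: the salted-MD5 scheme the admin describes, beside a SHA-2 based replacement and a login routine that migrates old records the next time the user signs in. It goes one step beyond the post's "upgrade to SHA-2" by using PBKDF2-HMAC-SHA256 with a work factor rather than a single SHA-2 pass; the record format and iteration count are this example's own choices.

```python
# Added example: legacy salted MD5 beside PBKDF2-HMAC-SHA256, with rehash-on-login.
# Record format ("algo$...") and ITERATIONS are choices made here, not the forum's.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # tune so one hash costs a few tens of ms on the server


def legacy_md5_record(password: str, salt: bytes) -> str:
    """One fast MD5 pass over salt+password: cheap for the server and for an attacker."""
    return "md5$" + salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store algorithm, work factor, per-user random salt and derived key in one string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    fields = record.split("$")
    if fields[0] == "md5":
        _, salt_hex, digest = fields
        got = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(got, digest)
    if fields[0] == "pbkdf2_sha256":
        _, iters, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown record format")


def needs_rehash(record: str) -> bool:
    """True for legacy MD5 records or PBKDF2 records below the current work factor."""
    fields = record.split("$")
    return fields[0] != "pbkdf2_sha256" or int(fields[1]) < ITERATIONS


def login(password: str, record: str) -> Optional[str]:
    """Return the record to store after a successful login (upgraded if stale), else None."""
    if not verify(password, record):
        return None
    return pbkdf2_record(password) if needs_rehash(record) else record
```

The plaintext password is only available at login, so that is the one place a stored MD5 record can be replaced without forcing a site-wide password reset.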

 

 

 


 

On 4/5/2016 at 6:46 AM, Ali said:

Yes, you cannot send passwords securely over a web browser without using SSL. But again, that's if you have an insecure wireless network or you're connected to a LAN that has someone capturing packets with Wireshark or whatnot. A little overkill for someone trying to get your ShiaChat account. Admins should be more concerned ;)

Basically, if someone is capturing packets, they'll take and use whatever they can get their hands on. Some people on here discuss matters which are of a private nature; they can link it to a person and find out details. This is only one of the many ways someone might get harmed. Another thing is that while it may be very rare that someone does this, it's still worth it because technically it wouldn't require much effort, and certificates aren't that expensive and are even free by agreement with the providers sometimes if you own your own dedicated servers.


Are we saying that SSL will protect users of this forum from being hacked by extremists who will trace their personal details (names, addresses) and try to harm them? Honestly, I don't think that is the purpose of SSL, nor does it provide that kind of protection. It is more helpful when a site has forms or e-commerce or passwords etc. It establishes some sense of trust between users and the owner of the website. As for hackers, they generally attack the server or users directly, which cannot be prevented by SSL. But techy guys are welcome to enlighten us.

I must point out that for a forum this size, having SSL would mean significant slow down of speed for all users. I don't think members would want that. 

1 hour ago, Abbas. said:

Are we saying that SSL will protect users of this forum from being hacked by extremists who will trace their personal details (names, addresses) and try to harm them? Honestly, I don't think that is the purpose of SSL, nor does it provide that kind of protection. It is more helpful when a site has forms or e-commerce or passwords etc. It establishes some sense of trust between users and the owner of the website. As for hackers, they generally attack the server or users directly, which cannot be prevented by SSL. But techy guys are welcome to enlighten us.

I must point out that for a forum this size, having SSL would mean significant slow down of speed for all users. I don't think members would want that. 

I wasn't referring to extremists or a specific group which may target the server directly. Let's say it's your neighbour and you have unsecured Wi-Fi, or you're at work or a coffee shop or a public place: someone who somehow has access to your (the user's) network and would use this to their advantage, maybe a guy who steals details of people from his local coffee shop. Without SSL, if someone is in your network they can very easily take the details of users who are also on that network. People post all sorts of things, and even though their usernames won't say anything, their email (or maybe they wrote something identifiable in a PM) could probably be matched to their identity. Again, the thing isn't how likely it is to cause damage, it is how much it can cause and how much effort (not much) it requires to set it up. But your point about the forum slowing down may be valid; I don't know about the structure of your backend so I can't comment, but to get real results of how much it could slow down, you could try SSL on a replicated test environment.

On 6/10/2016 at 2:36 PM, Abbas. said:

Are we saying that SSL will protect users of this forum from being hacked by extremists who will trace their personal details (names, addresses) and try to harm them? Honestly, I don't think that is the purpose of SSL, nor does it provide that kind of protection. It is more helpful when a site has forms or e-commerce or passwords etc. It establishes some sense of trust between users and the owner of the website. As for hackers, they generally attack the server or users directly, which cannot be prevented by SSL. But techy guys are welcome to enlighten us.

I must point out that for a forum this size, having SSL would mean significant slow down of speed for all users. I don't think members would want that. 

- Yes. That is precisely what we are saying.

- No, SSL is not only for e-commerce. And shiachat has forms/password fields!

- Hackers would find the easiest way in. And right now, it is fairly trivial to steal an admin's password to shiachat. Not to mention all the countless proxies (on cell networks) that have logged the admin passwords when they login on their phones! 

- "Significant slow down due to SSL" is not true. SSL costs 2% of additional load. 
