pouët.net

https

category: general [glöplog]
What would it take for us to have the joy of https?

It's quite relevant for those sharing access points and logging on from insecure locations.

Even a self signed cert would do for the moment I guess...
added on the 2013-07-05 20:04:12 by rc55 rc55
added on the 2013-07-05 20:44:34 by Defiance Defiance
too much of a hassle...
...also what for, please?
i don't have anything to hide here...you?
SFW-problems?
It is probably doable, depends heavily on Redhound though.

As for the login, SceneID will eventually shift over to some sort of SSO solution (probably OAuth-based) somewhere down the line when I got rid of all the deprecated functionality, etc.
added on the 2013-07-05 21:01:06 by Gargaj Gargaj
hardy: not necessarily SFW problems but wouldn't it be strange if my account suddenly started adding invalid prods in the database for no apparent reason? i believe security is the most important aspect here...
added on the 2013-07-05 21:03:02 by Defiance Defiance
https won't prevent any prod submission...
If your account starts to act weird, you should first suspect your girlfriend, then your neighbours.
added on the 2013-07-05 22:10:24 by Gargaj Gargaj
maybe they hacked your wifi?
added on the 2013-07-06 01:26:03 by wysiwtf wysiwtf
lol
added on the 2013-07-06 12:50:33 by v3nom v3nom
Everybody got something to hide, you don't take a crap with the door open right?

(It's ok with me if you do, just don't do it here please.)
added on the 2013-07-06 15:21:17 by El Topo El Topo
Quote:
[...] just don't do it here please.

Plenty of people already do, sadly.
added on the 2013-07-06 15:22:43 by Tomoya Tomoya
Quote:
too much of a hassle...
...also what for, please?
i dont have anything to hide here...you?
SFW-problems?


HTTPS isn't about obscuring content from the public, it's about providing protection from man in the middle attacks (where login credentials can be stolen, or traffic can be analysed for other purposes) and verifying the identity of the service you are connecting to.

It's pretty trivial to capture data from an open wi-fi network - if you went to a demoparty and scraped all the traffic there you wouldn't struggle to find some credentials to use or abuse. Let's not also forget people often re-use passwords across services too. (Man in the middle attack).

Another scenario would be if someone set up their own access point at a demoparty that served up a fake pouet login page. As there is no certificate associated with it, you'd have no way of knowing whether your login was snatched or not. (Verifying the identity of the web server).

I feel more than ever that if any online service requires authentication, then it's really in everyone's interest that the transaction is a secure one.

An example of using un-encrypted connections for stealing user sessions:
https://en.wikipedia.org/wiki/Firesheep
added on the 2013-07-07 06:46:26 by rc55 rc55
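The Firesheep scenario rc55 links to works because a session cookie set without the Secure attribute is sent over plain HTTP and can be read off an open wi-fi network. The following is an added example, not pouet.net's code: a small audit of Set-Cookie headers that flags a weak session cookie beside a hardened one. The header strings are constructed samples, and the cookie name "session" is an assumption, not pouet's actual cookie.

```python
"""Audit Set-Cookie headers for the attributes that stop a session cookie
from leaking over plaintext HTTP.  Added example; the headers below are
constructed samples, not captured from pouet.net."""
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)
    and report missing protective attributes."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name, drop any value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs)
    if not report.secure:
        report.problems.append(
            "missing Secure: browser sends the cookie over plain HTTP, "
            "where anyone on the same open wi-fi can sniff it (Firesheep)")
    if not report.httponly:
        report.problems.append(
            "missing HttpOnly: script running in the page can read the cookie")
    return report


# Constructed samples: the weak cookie a plain-HTTP site would set, and the
# same cookie with the attributes that keep it off the wire in the clear.
WEAK_HEADER = "Set-Cookie: session=abc123; Path=/"
HARDENED_HEADER = "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit(headers):
    """Return {cookie name: list of problems} for every header given."""
    return {r.name: r.problems for r in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        r = parse_set_cookie(h)
        print(h)
        for p in r.problems or ["ok"]:
            print("   ", p)
```

Note that the Secure attribute only helps once the site actually serves HTTPS, which is the point of the thread: without an HTTPS endpoint a Secure cookie is never sent at all.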
Quote:
I feel more than ever that if any online service requires authentication, then it's really in everyone's interest that the transaction is a secure one.

^ FUCKING THIS ^
added on the 2013-07-07 07:10:23 by ringofyre ringofyre
Quote:
As there is no certificate associated with it, you'd have no way of knowing whether your login was snatched or not.

...which kinda means that having a self-signed certificate is just as good as not having one, doesn't it? (Given that you can't tell the difference between the two.) I mean I agree in principle, but I don't think a self-signed cert is a solid solution, and I'm not sure what kind of entity Pouet needs to be to get an actual one.
added on the 2013-07-07 13:56:32 by Gargaj Gargaj
Quote:
Another scenario would be if someone set up their own access point at a demoparty that served up a fake pouet login page.

Why the hell would sb want to do this? To post a grumpy cat picture under your name in the random image thread?!
added on the 2013-07-07 14:32:02 by v3nom v3nom
v3nom: well if you happen to be a gloperator/moderator/etc. you can possibly wreck some stuff.
added on the 2013-07-07 14:48:14 by Gargaj Gargaj
v3nom: If you re-used your credentials on another site, someone could try v3nom@hotmail.com and presto, E-Mail! Repeat for PayPal, banking and it's a phish party for all.

Gargaj: Just having the self-signed cert would help by encrypting the connection even if it doesn't verify identity, which is nice even despite the browser warnings.
added on the 2013-07-07 15:32:15 by rc55 rc55
Quote:
I'm not sure what kind of entity Pouet needs to be to get an actual one.


None whatsoever if the server is not running as a name-based virtual host. You could use CAcert, although most users would still have to install the root certificate (but it's better than nothing, and than a self-signed cert), or StartCOM's free certs (which are recognised everywhere)
Gargaj: That's right, i haven't thought of this case.

ruari: Alright, although you really shouldn't re-use your credentials everywhere. i for one have 4-5 credentials and use one of them for spam mail, some for less secure stuff, and for high secure stuff like paypal or bank i use only unique pws.
so pouet is on a low-sec branch for me, and when someone steals my pw here, maybe he would gain access to some random forums and stuff, if he really tries.

btw. i would embrace more secure connections throughout the net, but just don't see pouet as a primary attack vector - at least sceners don't hack other sceners, right?!
added on the 2013-07-08 10:09:55 by v3nom v3nom
I guess the easy short term solution might be self-signed cert, and let us add https: if we're worried about it. Option in accounts.php to make it the default would be a welcome bonus.

v3nom:

Quote:
Why the hell would sb want to do this?


You're asking a community that makes utterly pointless products for entertainment and assuming people are going to need a reason other than "because it's fun" :D
added on the 2013-07-08 11:21:39 by psonice psonice
psonice: it could be made default for everyone i guess... i'm not aware of any browser that does not support HTTPS.

v3nom: i would embrace more secure connections throughout the net, so i would embrace it for pouet as well. also it's a nice facepalm: wut? they don't even have https? even pouet has it...

also, if only "important" communication is encrypted then it's pretty easy to tell which packets belong to such a communication and thus give a pretty good hint on what to actually attack. so please encrypt everything, at least fills the NSA's harddisks ;)
added on the 2013-07-08 11:32:26 by skomp skomp
why exactly is a self signed cert a bad thing? i mean you accept and save it once and if it changes anytime after (i.e. someone is intercepting or rerouting your connection) the browser will alert that the cert changed.

the way i see it buying certs is just for getting a browser whitelisted CA-signature so the warning message disappears... (and yeah it probably also makes sense anywhere business, money and trust is involved, e.g. online banking - but they have even stricter (and more expensive) CAs).

but when it comes to the actual encryption and security of the data stream on the ssl layer, what difference does it make?
added on the 2013-07-08 12:37:03 by wysiwtf wysiwtf
Quote:
you accept and save it once

You can't save it under Chrome which means you will have to accept it every time - so if it changes, you won't notice the difference.
added on the 2013-07-08 12:38:06 by Gargaj Gargaj
well, you could write down the fingerprint... is there no certificate manager extension for chrome?!
added on the 2013-07-08 13:13:54 by skomp skomp
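What wysiwtf describes (accept the self-signed cert once, get warned if it changes) and what skomp suggests (write down the fingerprint) is a trust-on-first-use check. As an added example, not pouet.net's code or anything a browser does for you, here is a minimal client-side fingerprint store: the first time a host is seen its certificate's SHA-256 fingerprint is pinned, and any later connection presenting a different certificate is refused. The DER byte strings used in the demo are constructed placeholders rather than real certificates; `fetch_cert` shows where a real client would obtain the bytes, using the standard `ssl` module.

```python
"""Trust-on-first-use pinning for a self-signed certificate.
Added example, not pouet.net code.  The 'cert' byte strings in demo() are
constructed placeholders standing in for DER-encoded certificates."""
import hashlib
import json
import os
import socket
import ssl
import tempfile


class FingerprintMismatch(Exception):
    """Raised when a host presents a certificate other than the pinned one."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Persistent host -> fingerprint map (the 'write down the fingerprint' part)."""

    def __init__(self, path: str):
        self.path = path
        self.known = {}
        if os.path.exists(path):
            with open(path) as f:
                self.known = json.load(f)

    def _save(self):
        with open(self.path, "w") as f:
            json.dump(self.known, f)

    def check(self, host: str, cert_der: bytes) -> str:
        """Pin on first sight, accept an identical cert later, refuse a changed one."""
        fp = fingerprint(cert_der)
        pinned = self.known.get(host)
        if pinned is None:
            self.known[host] = fp          # first use: remember it
            self._save()
            return "pinned"
        if pinned != fp:
            # A changed cert means the server re-issued it, or something is
            # sitting between you and the server.  Either way: stop and ask.
            raise FingerprintMismatch(
                f"{host}: pinned {pinned[:16]}..., got {fp[:16]}...")
        return "match"


def fetch_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the server's certificate bytes without CA validation, so a
    self-signed cert can be pinned.  Not called in the offline demo."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Run the three cases against a throwaway store file and report outcomes."""
    # Constructed stand-ins for DER certificates (assumption: any bytes will do
    # to exercise the pinning logic; real certs come from fetch_cert()).
    cert_a = b"constructed-self-signed-cert-A"
    cert_b = b"constructed-different-cert-B"
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        outcomes.append(TofuStore(path).check("example.test", cert_a))  # pinned
        outcomes.append(TofuStore(path).check("example.test", cert_a))  # match
        try:
            TofuStore(path).check("example.test", cert_b)
            outcomes.append("accepted")
        except FingerprintMismatch:
            outcomes.append("mismatch")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Each `TofuStore(path)` in `demo()` reloads the file, which is what makes the second and third checks meaningful: the pin survives across "sessions", which is exactly what Gargaj notes Chrome would not do for you. A pin like this protects a user who has already seen the genuine certificate; it says nothing about the very first connection, which is the gap a CA-signed certificate closes.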
Well, while we're at security, with plans of browser manufacturers to disallow any HTTP material to be embedded in a HTTPS page, this could help in cases where the Russian Business Network hacks the servers again and embed some javascript exploits from some Russian non-HTTPS domains again. ;)
