[Resolved] HTTP/Plain is a security risk! HTTPS/TLS is the way to go.

[Xeevis]

Update: Cloudflare service has been successfully deployed and https is from now on enforced, insecure http is now forcefully redirected to secure communication.

It appears authentication password for Ember forums is currently going through potentially insecure channels in plain text which can be stolen in transit.

Risks:

Mild annoyance: Member loses access to account until mods help him restore it.
Major threat: Member is using same password here as everywhere else so somebody snatching the password while in transit can cascade to loosing access to his email account and then other services (would also defeat email two-way authentication - not that it matters much at this point ).

Solution:

1. Obtain SSL certificate
   • Pros: Easy to maintain and setup
   • Cons: Costs money (quite enough with wildcard cert)
2. Move to CloudFlare reverse proxy
   • Pros: FREE, Fast/Easy to setup, TLS communication, very little maintenance, DDOS protection, Content delivery network, saves bandwidth
   • Cons: None that I can think of (I'm using it myself).
3. Implement Let's Encrypt certificates
   • Pros: FREE, automated, open, backed and sponsored by many major companies
   • Cons: Can be difficult to setup, certificate needs to be reissued every 3 months manually if automation isn't implemented.

 

[Grummz]

Yes, I agree. Wanna help me get it set up so I can work on the other stuff? Cert is free with Gandi, basic cert.

But actually I prefer Cloudflare. Just didnt' have time to get that set up.

 

[Grummz]

I've enlisted Xeevis as a volunteer to help me with our increasing tech load here on the forums and elsewhere. Tks, Xeevis!

 

[Xeevis]

Thank you Mark, I'm honored.

Gandi gives just 1 standard certificate and it's free only for the first year. Also since sub-domains are used here, down the road it would probably require wildcard certificate which goes around $200/yr. Cloudflare is probably the best option to try first and see if that works for us, no commitment, no costs.

 

[Vilento]

This thread is full of win.

 

[Jansin3]

I really appreciate that Xeevis found time to help out the forum security. It's rare when that happens (I mean helping). Thanks Xeevis!

 

[Grummz]

Thanks for the update to cloudflare, Xeevis! Keep an eye out for bugs.

 

[Xeevis]

New Update: Cloudflare service has been successfully deployed and https protocol should be working for everyone (you can tell by a green padlock next to address bar). Please note there is no permanent redirect to it as of yet as part of testing grace period. You can switch to it manually by changing the http:// to https:// or just click "Home" in the navbar.

 

[Col. Kernel]

If you are concerned about getting your email hijacked, let me recommend Protonmail. I could give you the PW to my Protonmail account and it wouldn't do you a bit of good because the contents are encrypted. You must enter a 2nd PW to access any of the emails.

The site staff at Protonmail do not have, and can not reset, your encryption PW. If you lose that, you will have to wipe your entire email box and start over.

Edit:
Where are my manners? Thanks for volunteering and fixing this, Xeevis!

 

[Xeevis]

If you are concerned about getting your email hijacked, let me recommend Protonmail. I could give you the PW to my Protonmail account and it wouldn't do you a bit of good because the contents are encrypted. You must enter a 2nd PW to access any of the emails.

The site staff at Protonmail do not have, and can not reset, your encryption PW. If you lose that, you will have to wipe your entire email box and start over.

Edit:
Where are my manners? Thanks for volunteering and fixing this, Xeevis!

Thank you. Many email hosting providers give option for 2-step verification, but at increased security you are also increasing complexity and potentially risk loosing access yourself. Of course most experienced IT users don't have problems, but it's something casual users don't do. So even though ideally everyone should be in control of their own security, we should also make every effort to help protect users who don't have such a strong grip.

 

[Ronyn]

Yay Xeevis

 

[Xeevis]

New Update: HTTPS is from now on enforced, insecure HTTP is now forcefully redirected to secure channels.

(And not just for forums but the entire domain.)

 

[Grummz]

TY, @Xeevis for getting all this set up. We are all more secure for your efforts

 

[Col. Kernel]

Thank you. Many email hosting providers give option for 2-step verification, but at increased security you are also increasing complexity and potentially risk loosing access yourself. Of course most experienced IT users don't have problems, but it's something casual users don't do. So even though ideally everyone should be in control of their own security, we should also make every effort to help protect users who don't have such a strong grip.

I didn't mean to imply that what you are doing is unnecessary if people follow my advice (nor did I take it that you were implying what... well you get it, not going into that tail swallowing sentence).

However, I do encourage people to find a secure mail system (and I do NOT mean Yahoo, Google, Hotmail/Outlook). Today's Internet is an insecure place, folks need to be responsible for their own security and not trust others. See also the DNC email leaks. (PLEASE do NOT start a political discussion on this, my comment is SOLELY about the insecure means the DNC used to protect their email! Thank you!)

 

[GentlePuppet]

I guess you forgot to do this for your links you send out in all your emails.

 

[Pandagnome]

I guess you forgot to do this for your links you send out in all your emails.

View attachment 5901

Hopefully this is a straight forward tweak because if anyone can Reaper X can!