[Resolved] HTTP/Plain is a security risk! HTTPS/TLS is the way to go.

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#1
Update: Cloudflare service has been successfully deployed and https is from now on enforced, insecure http is now forcefully redirected to secure communication.

It appears authentication password for Ember forums is currently going through potentially insecure channels in plain text which can be stolen in transit.

Risks:

Mild annoyance: Member loses access to account until mods help him restore it.
Major threat: Member is using same password here as everywhere else so somebody snatching the password while in transit can cascade to loosing access to his email account and then other services (would also defeat email two-way authentication - not that it matters much at this point :cool:).

Solution:
  1. Obtain SSL certificate
    • Pros: Easy to maintain and setup
    • Cons: Costs money (quite enough with wildcard cert)
  2. Move to CloudFlare reverse proxy
    • Pros: FREE, Fast/Easy to setup, TLS communication, very little maintenance, DDOS protection, Content delivery network, saves bandwidth
    • Cons: None that I can think of (I'm using it myself).
  3. Implement Let's Encrypt certificates
    • Pros: FREE, automated, open, backed and sponsored by many major companies
    • Cons: Can be difficult to setup, certificate needs to be reissued every 3 months manually if automation isn't implemented.
 
Last edited:

Grummz

$6k package
Community Manager
Ember Dev
Jul 25, 2016
808
6,719
93
#2
Yes, I agree. Wanna help me get it set up so I can work on the other stuff? Cert is free with Gandi, basic cert.

But actually I prefer Cloudflare. Just didnt' have time to get that set up.
 

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#4
Thank you Mark, I'm honored.

Gandi gives just 1 standard certificate and it's free only for the first year. Also since sub-domains are used here, down the road it would probably require wildcard certificate which goes around $200/yr. Cloudflare is probably the best option to try first and see if that works for us, no commitment, no costs.
 

Grummz

$6k package
Community Manager
Ember Dev
Jul 25, 2016
808
6,719
93
#7
Thanks for the update to cloudflare, Xeevis! Keep an eye out for bugs.
 

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#8
New Update: Cloudflare service has been successfully deployed and https protocol should be working for everyone (you can tell by a green padlock next to address bar). Please note there is no permanent redirect to it as of yet as part of testing grace period. You can switch to it manually by changing the http:// to https:// or just click "Home" in the navbar.
 
Jul 28, 2016
144
137
43
#9
If you are concerned about getting your email hijacked, let me recommend Protonmail. I could give you the PW to my Protonmail account and it wouldn't do you a bit of good because the contents are encrypted. You must enter a 2nd PW to access any of the emails.

The site staff at Protonmail do not have, and can not reset, your encryption PW. If you lose that, you will have to wipe your entire email box and start over.

Edit:
Where are my manners? Thanks for volunteering and fixing this, Xeevis!
 
Likes: Xeevis

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#10
If you are concerned about getting your email hijacked, let me recommend Protonmail. I could give you the PW to my Protonmail account and it wouldn't do you a bit of good because the contents are encrypted. You must enter a 2nd PW to access any of the emails.

The site staff at Protonmail do not have, and can not reset, your encryption PW. If you lose that, you will have to wipe your entire email box and start over.

Edit:
Where are my manners? Thanks for volunteering and fixing this, Xeevis!
Thank you. Many email hosting providers give option for 2-step verification, but at increased security you are also increasing complexity and potentially risk loosing access yourself. Of course most experienced IT users don't have problems, but it's something casual users don't do. So even though ideally everyone should be in control of their own security, we should also make every effort to help protect users who don't have such a strong grip.
 
Likes: Col. Kernel
Jul 28, 2016
144
137
43
#14
Thank you. Many email hosting providers give option for 2-step verification, but at increased security you are also increasing complexity and potentially risk loosing access yourself. Of course most experienced IT users don't have problems, but it's something casual users don't do. So even though ideally everyone should be in control of their own security, we should also make every effort to help protect users who don't have such a strong grip.
I didn't mean to imply that what you are doing is unnecessary if people follow my advice (nor did I take it that you were implying what... well you get it, not going into that tail swallowing sentence).

However, I do encourage people to find a secure mail system (and I do NOT mean Yahoo, Google, Hotmail/Outlook). Today's Internet is an insecure place, folks need to be responsible for their own security and not trust others. See also the DNC email leaks. (PLEASE do NOT start a political discussion on this, my comment is SOLELY about the insecure means the DNC used to protect their email! Thank you!)