SCS Software

message board
It is currently 28 Apr 2017 10:21

All times are UTC + 1 hour [ DST ]




Post new topic Reply to topic  [ 57 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
PostPosted: 29 Mar 2017 08:47 
Offline

Joined: 05 Feb 2013 07:16
Posts: 386
Location: Minnesota
careless because no money being exchanged on the website read both sides do the debate leave as is. Don't like how security website is set up delete your account. Uncle Sam or Vlad know everything you do online do point worrying about it. Nothing is 100% secure anyways. Slower running website just for security not worth it.


Top
 Profile  
 
PostPosted: 29 Mar 2017 08:57 
Offline
User avatar

Joined: 16 Dec 2015 21:03
Posts: 472
My thoughts are that SSL should be enabled all places where possible in the modern world, there really is no excuse not to. The server overhead on modern hardware is minimal (For example if your server CPU supports AES and your server OS is Linux using OpenSSL the overhead is almost eliminated entirely.. almost all modern CPUs support this now).

Sure, old hardware (pre-2010) would in some cases show a difference between SSL and non-SSL in terms of speed but with almost all modern hardware there is no difference.

Now I know what you're thinking "But SSL costs money!". This is where you are actually wrong now.

SSL can be implemented for free entirely using Let's Encrypt:
https://letsencrypt.org/

The advantage of this is if it is configured you never even have to manually renew your certificate, you set it up once and forget.

So why not?

_________________
World of Trucks - Screenshots - ATS Mods - ETS2 Mods


Top
 Profile  
 
PostPosted: 29 Mar 2017 11:24 
Offline
User avatar

Joined: 22 Oct 2013 09:55
Posts: 7219
Location: The Lost Coast
tbar wrote:
Not much privacy anymore eh Axe?

I don't think there was any real privacy on the Internet in the first place. Like I said, the Internet started out as ARPANET (an acronym for Advanced Research Projects Agency NETwork), the US Military network. It's well known that programmers put "backdoors" in software that only they know about, and those programmers of ARPANET programmers most likely did not remove them when they turned ARPANET into the Internet.

I can't comment on laws anywhere else, but in the US, the law says they need a warrant for access to your email, but not for the IP addresses of the computers used to check your mail or use the Internet. The American Civil Liberties Union says these records are kept for at least a year, possibly longer. Depending on the age of records, they may not even need a warrant. If they are over 180 days old, all they need is a subpoena.

In a 2007 Case, Federal Prosecutors convinced the US Court of Appeals, Ninth Circuit that that tracking IP addresses was no different than tracking phone calls, which was already legal at the time. Investigators only need a Judge to issue a subpoena claiming that the data they're trying to find is important to an investigation. Essentially, they got the Court to agree that applying tracking IP addresses was the same standard as obtaining cell phone records, email records, etc. No warrant is required.

Sure, you can register for websites with fake names, etc. But if a law enforcement agency wants you and they know you go online a lot, they can get your "electronic trail" easy enough. You could go to a public library and use one of their computers, but those usually require your library card to use them, thus making you easily identifiable, and some libraries keep track of what you do on their computers. Anywhere with free WiFi is a better option, if you have a cell phone or laptop, but even then your activities can be traced. Considering that terrorists use the Internet as a primary means of communication, the Federal government wants to tighten up those free lines of communication.

In the end, if you want 100% privacy the best option you have is to disconnect the Internet.

_________________
You can call me Ax

Image


Top
 Profile  
 
PostPosted: 29 Mar 2017 12:33 
Offline
User avatar

Joined: 12 Jan 2014 05:08
Posts: 418
angrybirdseller wrote:
Slower running website just for security not worth it.


So you don't use antivirus on your computer? :shock: See BlackBloodRums post about modern hardware. It's time to upgrade if it makes a noticeable difference.



@Axel Slingerland Sorry Axe,disconnecting the internet wouldn't do the job. There are still numerous ways you are tracked.

Cell phones
RFIDs in your shoes and clothing
CCD cameras
Facial recognition software
Retinal scanning at DOL
License plates
Drivers license
Smart appliances
Smart power meters
Chipped credit cards
Chipped 100 dollar bills

The list grows larger.

_________________
Image


Top
 Profile  
 
PostPosted: 30 Mar 2017 11:01 
Offline
User avatar

Joined: 22 Oct 2013 09:55
Posts: 7219
Location: The Lost Coast
All very true, but I was specifically referring to the Internet. But you left out that your entire life history is on the Internet whether you're connected to it or want it there or not. At least that's the way it is in the US...

Have you ever seen "Person Of Interest"? It's based on the concept that "The government has a secret system: a machine that spies on you every hour of every day." It's a bit far fetched, and obviously written by a gung ho conspiracy theorist getting a paycheck for turning his wild ideas into a TV series, but it's a great show. Image

_________________
You can call me Ax

Image


Top
 Profile  
 
PostPosted: 30 Mar 2017 11:49 
Offline
User avatar

Joined: 15 Nov 2016 23:54
Posts: 58
Location: Netherlands
A point of attention:
Of course the mean reason of using SSL is to prevent goverments monitoring what you doing on the internet. But goverments don't like those kind of secure connections. They can't monitoring the data. And they want that: to see if a terrorist is planning a attack to the country. That's one of the reasons that for example the US goverment wanted always the posibility to tap the connection.
They seek a method to make that possible. You can count on that. It's a cat and mouse game, we call that in the Netherlands.

On the other site I see people completely freaked out when they visiting a site that is not SSL and they must type their username and password. My opinion is that it is not realistic.
My experience is that criminals don't listening to the connection, but take another methods:
- hack the victims computer with spyware, so they can using a keylogger to monitoring what the victim is typing on the keyboard.
- the most used method: brute force attack to the website server via database injection to getting acces to the database or steal the database to getting acces to the information in the database.

My concern as a website owner or website administrator is NOT having a SSL connection, but how I can prevent that criminals getting access to the database via database injection.
So a server needs more than only a SSL connection.

A personal note:
I can't stand people who completely freaked out if the connection is not a SSL because they affraid their privacy, but meanwhile everything posting at Facebook etc.


Top
 Profile  
 
PostPosted: 30 Mar 2017 15:05 
Offline
User avatar

Joined: 09 Dec 2014 05:21
Posts: 1941
Hi mates,

Ufff, another long post! :D

BlackBloodRum wrote:
My thoughts are that SSL should be enabled all places where possible in the modern world, there really is no excuse not to.

Completely agree. Technologies are available for everybody, not using them is not the best idea.

BlackBloodRum wrote:
Now I know what you're thinking "But SSL costs money!".

Running a business company include costs, that's how the world is. If you want a company with no costs, don't have a company and problem solved.
Anyway, the cost of implementing SSL/TLS for a company is like the cost of a candy for an employee, or even less. Don't worry, no company will run out of business due to SSL/TLS implementation for a few basic web sites.

Murph wrote:
Fundamentally, these forums do not need SSL protection, as there should never be any sensitive information which requires that level of protection.

It's your opinion, and I respect it.
IMHO, there are privacy reasons that justify the adoption of encrypted traffic.
I don't know what you call these forums, but THIS FORUM allows people to interact with others, and interactions tend to make some kind of personal information to be shared: companies that users worked or are working for, computer details, what cars you drive, opinions, experiences, etc. As you can see, a lot of private information.
If what you suggest is that this forum should be about technical support only, then it should include only an interface to make support questions and be answered, nothing else.

marcel-dutch wrote:
Of course the mean reason of using SSL is to prevent goverments monitoring...

Not for everybody. Governments could have data anyway. The main problem, at least in certain countries, could be regular crime.

marcel-dutch wrote:
My experience is that criminals don't listening to the connection

No, they can pay others for that task.
Saying criminals is a generalization that doesn't make much sense, because crime is very diverse, and depends on each country (even zone) and epoch.
In countries with a lot of crime, it would not be a rare case that some criminals, for example, pay ISP network admins for traffic contents that could be useful for them, so posting a simple sentence such as "I own three of these trucks and they are fantastic", in one country means nothing, but in other countries could mean that you are a possible target for kidnapping or assault, because you have more money than a low-salary employee (because trucks are unaffordable for a low-salary employee).
As you can see, it has no relation to government agencies, it is regular crime.
So, saying "how the crime is" implies that you have researched how it is around the world, and know every detail, because it depends on many factors and is very variated.
Perhaps The Netherlands is a paradise with low crime statistics, so the only concern is governments. I'm sure that regular crime is the main concern in other countries. Some criminals could be very creative.

marcel-dutch wrote:
My concern as a website owner or website administrator is NOT having a SSL connection, but how I can prevent that criminals getting access to the database via database injection.

BOTH (and many others) protections should be implemented, not one or the other.
In the other hand, if you post as user XXX, even if they get the entire database from the forum, they won't know who is XXX (unless you post your personal data).
If traffic is captured for other people that know who the traffic belongs to (such as ISPs, or any organization that knows about you that is in the middle of your traffic), the problem is concrete, is real. No more, XXX, they know your name, and possibly more personal data. That is when traffic encryption becomes a must.

marcel-dutch wrote:
I can't stand people who completely freaked out if the connection is not a SSL because they affraid their privacy, but meanwhile everything posting at Facebook etc.

I care about my privacy, and don't make public everything at Facebook.
FYI, using generalizations as argument is a formal fallacy, known as Fallacy of Accident or Fallacy of Sweeping Generalization. (see here).

angrybirdseller wrote:
Don't like how security website is set up delete your account.

It's like saying "don't like how games are, don't buy them".
Supposedly, our feedback could help SCS to improve the games and make them better, as well as our feedback can help SCS to improve their services (in this case, the forum) and make them better.

Kind regards.

_________________
My ETS2 album.
My ATS album.
My WOT page.


Top
 Profile  
 
PostPosted: 07 Apr 2017 14:57 
Offline
User avatar

Joined: 11 Apr 2013 13:57
Posts: 78
Location: Prague, Czech Republic
I'm working on moving all websites to new servers, I'll set up certbot for Let's Encrypt certificates, enable HSTS etc.

TLS should be used for everything.

_________________
I collect weird games and tweet weird things


Top
 Profile  
 
PostPosted: 07 Apr 2017 15:21 
Offline
User avatar

Joined: 05 Mar 2014 19:52
Posts: 5611
Location: United Kingdom
Good to hear :P

_________________
ImageImage
ImageImage


Top
 Profile  
 
PostPosted: 07 Apr 2017 16:33 
Offline
User avatar

Joined: 23 Oct 2014 17:55
Posts: 746
Location: East Bound and Down
For duck's sale!* That is good news.

* toned down for green reasons


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 57 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6  Next

All times are UTC + 1 hour [ DST ]


Who is online

Users browsing this forum: deco13 and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: