SCS Insecure website.

The forum dedicated to site issues, problems and wishes.
angrybirdseller
Posts: 500
Joined: 05 Feb 2013 05:16
Location: Minnesota

Re: SCS Insecure website.

#41 Post by angrybirdseller » 29 Mar 2017 06:47

careless because no money being exchanged on the website read both sides of the debate leave as is. Don't like how security website is set up delete your account. Uncle Sam or Vlad know everything you do online no point worrying about it. Nothing is 100% secure anyways. Slower running website just for security not worth it.

BlackBloodRum
Posts: 553
Joined: 16 Dec 2015 19:03
Location: Libertalia

Re: SCS Insecure website.

#42 Post by BlackBloodRum » 29 Mar 2017 06:57

My thoughts are that SSL should be enabled all places where possible in the modern world, there really is no excuse not to. The server overhead on modern hardware is minimal (For example if your server CPU supports AES and your server OS is Linux using OpenSSL the overhead is almost eliminated entirely.. almost all modern CPUs support this now).

Sure, old hardware (pre-2010) would in some cases show a difference between SSL and non-SSL in terms of speed but with almost all modern hardware there is no difference.

Now I know what you're thinking "But SSL costs money!". This is where you are actually wrong now.

SSL can be implemented for free entirely using Let's Encrypt:
https://letsencrypt.org/

The advantage of this is if it is configured you never even have to manually renew your certificate, you set it up once and forget.

So why not?

Axel Slingerland
Global moderator
Posts: 8028
Joined: 22 Oct 2013 07:55
Location: The Lost Coast

Re: SCS Insecure website.

#43 Post by Axel Slingerland » 29 Mar 2017 09:24

tbar wrote: Not much privacy anymore eh Axe?
I don't think there was any real privacy on the Internet in the first place. Like I said, the Internet started out as ARPANET (an acronym for Advanced Research Projects Agency NETwork), the US Military network. It's well known that programmers put "backdoors" in software that only they know about, and those ARPANET programmers most likely did not remove them when they turned ARPANET into the Internet.

I can't comment on laws anywhere else, but in the US, the law says they need a warrant for access to your email, but not for the IP addresses of the computers used to check your mail or use the Internet. The American Civil Liberties Union says these records are kept for at least a year, possibly longer. Depending on the age of records, they may not even need a warrant. If they are over 180 days old, all they need is a subpoena.

In a 2007 case, Federal Prosecutors convinced the US Court of Appeals, Ninth Circuit that tracking IP addresses was no different than tracking phone calls, which was already legal at the time. Investigators only need a Judge to issue a subpoena claiming that the data they're trying to find is important to an investigation. Essentially, they got the Court to agree that applying tracking IP addresses was the same standard as obtaining cell phone records, email records, etc. No warrant is required.

Sure, you can register for websites with fake names, etc. But if a law enforcement agency wants you and they know you go online a lot, they can get your "electronic trail" easy enough. You could go to a public library and use one of their computers, but those usually require your library card to use them, thus making you easily identifiable, and some libraries keep track of what you do on their computers. Anywhere with free WiFi is a better option, if you have a cell phone or laptop, but even then your activities can be traced. Considering that terrorists use the Internet as a primary means of communication, the Federal government wants to tighten up those free lines of communication.

In the end, if you want 100% privacy the best option you have is to disconnect the Internet.
You can call me Ax

tbar
Posts: 450
Joined: 12 Jan 2014 03:08

Re: SCS Insecure website.

#44 Post by tbar » 29 Mar 2017 10:33

angrybirdseller wrote: Slower running website just for security not worth it.
So you don't use antivirus on your computer? :shock: See BlackBloodRum's post about modern hardware. It's time to upgrade if it makes a noticeable difference.

@Axel Slingerland Sorry Axe, disconnecting the internet wouldn't do the job. There are still numerous ways you are tracked.

Cell phones
RFIDs in your shoes and clothing
CCD cameras
Facial recognition software
Retinal scanning at DOL
License plates
Drivers license
Smart appliances
Smart power meters
Chipped credit cards
Chipped 100 dollar bills

The list grows larger.
Axel Slingerland
Global moderator
Posts: 8028
Joined: 22 Oct 2013 07:55
Location: The Lost Coast

Re: SCS Insecure website.

#45 Post by Axel Slingerland » 30 Mar 2017 09:01

All very true, but I was specifically referring to the Internet. But you left out that your entire life history is on the Internet whether you're connected to it or want it there or not. At least that's the way it is in the US...

Have you ever seen "Person Of Interest"? It's based on the concept that "The government has a secret system: a machine that spies on you every hour of every day." It's a bit far fetched, and obviously written by a gung ho conspiracy theorist getting a paycheck for turning his wild ideas into a TV series, but it's a great show.
You can call me Ax

marcel-dutch
Posts: 188
Joined: 15 Nov 2016 21:54
Location: Netherlands

Re: SCS Insecure website.

#46 Post by marcel-dutch » 30 Mar 2017 09:49

A point of attention:
Of course the main reason of using SSL is to prevent governments monitoring what you are doing on the internet. But governments don't like those kind of secure connections. They can't monitor the data. And they want that: to see if a terrorist is planning an attack on the country. That's one of the reasons that for example the US government always wanted the possibility to tap the connection.
They seek a method to make that possible. You can count on that. It's a cat and mouse game, we call that in the Netherlands.

On the other side I see people completely freaked out when they are visiting a site that is not SSL and they must type their username and password. My opinion is that it is not realistic.
My experience is that criminals don't listen to the connection, but take other methods:
- hack the victim's computer with spyware, so they can use a keylogger to monitor what the victim is typing on the keyboard.
- the most used method: brute force attack to the website server via database injection to get access to the database or steal the database to get access to the information in the database.

My concern as a website owner or website administrator is NOT having a SSL connection, but how I can prevent criminals getting access to the database via database injection.
So a server needs more than only a SSL connection.

A personal note:
I can't stand people who completely freak out if the connection is not SSL because they are afraid for their privacy, but meanwhile post everything at Facebook etc.

golcan
Posts: 1942
Joined: 09 Dec 2014 03:21

Re: SCS Insecure website.

#47 Post by golcan » 30 Mar 2017 13:05

Hi mates,

Ufff, another long post! :D
BlackBloodRum wrote: My thoughts are that SSL should be enabled all places where possible in the modern world, there really is no excuse not to.
Completely agree. Technologies are available for everybody, not using them is not the best idea.
BlackBloodRum wrote: Now I know what you're thinking "But SSL costs money!".
Running a business company includes costs, that's how the world is. If you want a company with no costs, don't have a company and problem solved.
Anyway, the cost of implementing SSL/TLS for a company is like the cost of a candy for an employee, or even less. Don't worry, no company will run out of business due to SSL/TLS implementation for a few basic web sites.
Murph wrote: Fundamentally, these forums do not need SSL protection, as there should never be any sensitive information which requires that level of protection.
It's your opinion, and I respect it.
IMHO, there are privacy reasons that justify the adoption of encrypted traffic.
I don't know what you call these forums, but THIS FORUM allows people to interact with others, and interactions tend to make some kind of personal information to be shared: companies that users worked or are working for, computer details, what cars you drive, opinions, experiences, etc. As you can see, a lot of private information.
If what you suggest is that this forum should be about technical support only, then it should include only an interface to make support questions and be answered, nothing else.
marcel-dutch wrote: Of course the main reason of using SSL is to prevent governments monitoring...
Not for everybody. Governments could have data anyway. The main problem, at least in certain countries, could be regular crime.
marcel-dutch wrote: My experience is that criminals don't listen to the connection
No, they can pay others for that task.
Saying criminals is a generalization that doesn't make much sense, because crime is very diverse, and depends on each country (even zone) and epoch.
In countries with a lot of crime, it would not be a rare case that some criminals, for example, pay ISP network admins for traffic contents that could be useful for them, so posting a simple sentence such as "I own three of these trucks and they are fantastic", in one country means nothing, but in other countries could mean that you are a possible target for kidnapping or assault, because you have more money than a low-salary employee (because trucks are unaffordable for a low-salary employee).
As you can see, it has no relation to government agencies, it is regular crime.
So, saying "how the crime is" implies that you have researched how it is around the world, and know every detail, because it depends on many factors and is very varied.
Perhaps The Netherlands is a paradise with low crime statistics, so the only concern is governments. I'm sure that regular crime is the main concern in other countries. Some criminals could be very creative.
marcel-dutch wrote: My concern as a website owner or website administrator is NOT having a SSL connection, but how I can prevent criminals getting access to the database via database injection.
BOTH (and many others) protections should be implemented, not one or the other.
On the other hand, if you post as user XXX, even if they get the entire database from the forum, they won't know who is XXX (unless you post your personal data).
If traffic is captured by other people that know who the traffic belongs to (such as ISPs, or any organization that knows about you that is in the middle of your traffic), the problem is concrete, is real. No more XXX, they know your name, and possibly more personal data. That is when traffic encryption becomes a must.
marcel-dutch wrote: I can't stand people who completely freak out if the connection is not SSL because they are afraid for their privacy, but meanwhile post everything at Facebook etc.
I care about my privacy, and don't make public everything at Facebook.
FYI, using generalizations as argument is a formal fallacy, known as Fallacy of Accident or Fallacy of Sweeping Generalization. (see here).
angrybirdseller wrote: Don't like how security website is set up delete your account.
It's like saying "don't like how games are, don't buy them".
Supposedly, our feedback could help SCS to improve the games and make them better, as well as our feedback can help SCS to improve their services (in this case, the forum) and make them better.

Kind regards.

Timmy
Duck thief
Posts: 123
Joined: 11 Apr 2013 11:57
Location: Prague, Czech Republic

Re: SCS Insecure website.

#48 Post by Timmy » 07 Apr 2017 12:57

I'm working on moving all websites to new servers, I'll set up certbot for Let's Encrypt certificates, enable HSTS etc.

TLS should be used for everything.

SimulatorSam
Global moderator
Posts: 5754
Joined: 05 Mar 2014 17:52
Location: United Kingdom

Re: SCS Insecure website.

#49 Post by SimulatorSam » 07 Apr 2017 13:21

Good to hear :P
Bandit & The Snowman
Posts: 877
Joined: 23 Oct 2014 15:55
Location: East Bound and Down

Re: SCS Insecure website.

#50 Post by Bandit & The Snowman » 07 Apr 2017 14:33

For duck's sake!* That is good news.

* toned down for green reasons
