zompist bboard

a congress of convoluted conworldery
All times are UTC - 6 hours [ DST ]

 Post subject: How secure is the ZBB?
Posted: Sat Mar 18, 2017 6:39 am
Šriftom

Joined: Wed Oct 30, 2002 4:43 pm
Posts: 7747
Location: does anybody know?
Am I the only one who gets warned about the connection being insecure when I log in?

_________________
"You're a very silly man and I'm not going to interview you."


Posted: Sat Mar 18, 2017 7:23 am
Avisaru

Joined: Mon Feb 29, 2016 6:34 am
Posts: 810
Location: The North
alice wrote:
Am I the only one who gets warned about the connection being insecure when I log in?


When I log in through a Chromebook it does, but when I'm at home on my laptop and using Chrome there it doesn't.

_________________
https://frislander.tumblr.com/

First known on here as Karero


Posted: Sun Mar 19, 2017 11:37 am
Smeric

Joined: Thu Oct 29, 2015 6:44 am
Posts: 1913
Location: suburbs of Mrin
alice wrote:
Am I the only one who gets warned about the connection being insecure when I log in?

Nope. Although it only started happening yesterday, when I upgraded to the latest version of Firefox.

_________________
ìtsanso, God In The Mountain, may our names inspire the deepest feelings of fear in urkos and all his ilk, for we have saved another man from his lies! I welcome back to the feast hall kal, who will never gamble again! May the eleven gods bless him!
kårroť


Posted: Sun Mar 19, 2017 12:34 pm
Sumerul

Joined: Wed Mar 08, 2006 5:00 pm
Posts: 4124
Location: Braunschweig, Germany
mèþru wrote:
alice wrote:
Am I the only one who gets warned about the connection being insecure when I log in?
Nope. Although it only started happening yesterday, when I upgraded to the latest version of Firefox.


The same happened to me. Updated Firefox, and the warnings began to appear. It is apparently nothing else than a new security feature of Firefox.

_________________
...brought to you by the Weeping Elf
Tha cvastam émi cvastam santham amal phelsa. -- Friedrich Schiller
ESTAR-3SG:P human-OBJ only human-OBJ true-OBJ REL-LOC play-3SG:A


Posted: Mon Mar 20, 2017 11:15 am
Smeric

Joined: Tue Jul 25, 2006 10:12 pm
Posts: 1152
WeepingElf wrote:
mèþru wrote:
alice wrote:
Am I the only one who gets warned about the connection being insecure when I log in?
Nope. Although it only started happening yesterday, when I upgraded to the latest version of Firefox.


The same happened to me. Updated Firefox, and the warnings began to appear. It is apparently nothing else than a new security feature of Firefox.


I get the warning using Chrome on a desktop.


Posted: Mon Mar 20, 2017 11:25 am
Smeric

Joined: Thu Oct 29, 2015 6:44 am
Posts: 1913
Location: suburbs of Mrin
In addition to Firefox on Windows, I also use a Chromebook. I don't get any warnings on it.

_________________
ìtsanso, God In The Mountain, may our names inspire the deepest feelings of fear in urkos and all his ilk, for we have saved another man from his lies! I welcome back to the feast hall kal, who will never gamble again! May the eleven gods bless him!
kårroť


Posted: Mon Mar 20, 2017 1:24 pm
Šriftom

Joined: Mon Jun 20, 2005 12:47 pm
Posts: 7571
Location: Milwaukee, US
They must have recently removed a root certificate used by Firefox and Chrome.

_________________
Dibotahamdn duthma jallni agaynni ra hgitn lakrhmi.
Amuhawr jalla vowa vta hlakrhi hdm duthmi xaja.
Irdro. Irdro. Irdro. Irdro. Irdro. Irdro. Irdro.


Posted: Tue Mar 21, 2017 12:15 pm
Lebom

Joined: Sun Feb 24, 2013 3:21 pm
Posts: 234
The ZBB doesn't even use HTTPS, so it's as insecure as it gets.

_________________
Warning: displaying my avatar may be illegal in totalitarian states.


Posted: Tue Mar 21, 2017 1:48 pm
Osän

Joined: Thu Aug 30, 2007 10:45 pm
Posts: 11728
Location: Santiago de Chile
i spose it's cause the browser detects a password login screen that's not behind https, which it reasonably suspects *could* be phishing. i've grown so accustomed to the little i in a circle up there that it's become part of the landscape.

_________________
Articles on Suenu - Amphitrite


Posted: Sat Mar 25, 2017 8:59 am
Smeric

Joined: Sat Feb 11, 2012 9:50 am
Posts: 2129
alice wrote:
Am I the only one who gets warned about the connection being insecure when I log in?

You are not the only one, and it's because the connection is, duh, insecure.

Which means, among others, that when logging in while using wi-fi, anyone (within the same network) can see your password.

_________________
Zalejmy to gówno betonem
tak szczelnie by nie było widać co pod spodem
jak ktoś to odkopie to dowiesz się człowieku
jak było chujowo w dwudziestym pierwszym wieku


Posted: Fri Apr 07, 2017 9:08 am
Osän

Joined: Thu Aug 30, 2007 10:45 pm
Posts: 11728
Location: Santiago de Chile
ah, yes: don't use your bank or email password for internet forums. it's generally advisable to at least have two passwords, one for high security stuff like your gmail account and whatever, and another for stuff you don't mind getting hacked so much.

_________________
Articles on Suenu - Amphitrite


Posted: Fri Apr 07, 2017 3:26 pm
Lebom

Joined: Tue Oct 22, 2013 8:15 pm
Posts: 190
Even better: have a different password for everything you do. A password manager (I like 1Password) can help you keep track of them.

I wouldn't mind this site transitioning to HTTPS.


Posted: Fri Apr 07, 2017 5:13 pm
Boardlord

Joined: Thu Sep 12, 2002 8:26 pm
Posts: 10282
Location: In the den
This site suggests that making phpBB use SSL is pretty easy:

http://www.fastcomet.com/tutorials/phpbb3/enabling-ssl

That would encrypt passwords, but not (I think) make the URL into https.

Would that be a good move?


Posted: Fri Apr 07, 2017 5:33 pm
Šriftom

Joined: Mon Jun 20, 2005 12:47 pm
Posts: 7571
Location: Milwaukee, US
Protecting even just the passwords would be a positive move, as it would keep people from skimming off the passwords and attempting to use them on other sites (as we all share passwords amongst different sites, do we?); there conversely is little need to make the body of the ZBB encrypted, because of course anyone can read the site without logging in, and the only thing that would really gain any security are PMs.

_________________
Dibotahamdn duthma jallni agaynni ra hgitn lakrhmi.
Amuhawr jalla vowa vta hlakrhi hdm duthmi xaja.
Irdro. Irdro. Irdro. Irdro. Irdro. Irdro. Irdro.


Posted: Fri Apr 07, 2017 7:08 pm
Osän

Joined: Thu Aug 30, 2007 10:45 pm
Posts: 11728
Location: Santiago de Chile
Axiem wrote:
Even better: have a different password for everything you do. A password manager (I like 1Password) can help you keep track of them.

I wouldn't mind this site transitioning to HTTPS.



yeah, well, sure, and we should all floss three times a day and eat a lot more vegetables than we do

_________________
Articles on Suenu - Amphitrite


Posted: Sat Apr 08, 2017 11:19 pm
Lebom

Joined: Tue Oct 22, 2013 8:15 pm
Posts: 190
Travis B. wrote:
Protecting even just the passwords would be a positive move, as it would keep people from skimming off the passwords and attempting to use them on other sites (as we all share passwords amongst different sites, do we?); there conversely is little need to make the body of the ZBB encrypted, because of course anyone can read the site without logging in, and the only thing that would really gain any security are PMs.


Putting the whole site under HTTPS wouldn't particularly be any more secure, no, but it would provide an element of privacy in terms of browsing habits. Currently, my ISP (and anyone who owns network hardware 'twixt my computer and the server) can see the full URL of everything I look at. Under HTTPS, they would only know that I'm hitting the domain, with no further insight into what exactly is going on in terms of reading/posting.

For a hobby sort of thing like this, it's probably harmless to have that information known (and potentially sold), though I tend to be on the side of "the principle of the matter" on this one. Besides, I set up Let's Encrypt on my domains and the whole process took something like 5 minutes (at least, through Dreamhost); YMMV.

And no, I don't share passwords amongst different sites. I haven't since even before I started using 1Password with my spouse a couple of years ago; prior to that, I had a "password generation algorithm" if you will, where the password was based on the name of the site. So for example, my Amazon password might be something like "Pass12MAZ34word", where the "MAZ" are the 2nd through 4th letters of the site in question.

That said, 1Password has been nothing but fantastic. And their Families/Teams offerings are incredibly useful at home and at work, respectively.


Posted: Sun Apr 09, 2017 12:03 am
Šriftom

Joined: Mon Jun 20, 2005 12:47 pm
Posts: 7571
Location: Milwaukee, US
You obviously haven't tried accessing sites from multiple computers, where you may not own all of them. I am not going to try on some password management tool that needs to be installed on every device I use, including my work computer, where technically I should not be installing software (even though everyone does it anyway).

_________________
Dibotahamdn duthma jallni agaynni ra hgitn lakrhmi.
Amuhawr jalla vowa vta hlakrhi hdm duthmi xaja.
Irdro. Irdro. Irdro. Irdro. Irdro. Irdro. Irdro.


Posted: Sun Apr 09, 2017 1:44 pm
Lebom

Joined: Tue Oct 22, 2013 8:15 pm
Posts: 190
That's why I have 1Password on my phone: so when I use a computer that isn't mine (like everything at work, because we pair and swap around), I still have my passwords there for reference.


Posted: Sun Apr 09, 2017 5:20 pm
Lebom

Joined: Sun Feb 24, 2013 3:21 pm
Posts: 234
zompist wrote:
This site suggests that making phpBB use SSL is pretty easy:

http://www.fastcomet.com/tutorials/phpbb3/enabling-ssl

That would encrypt passwords, but not (I think) make the URL into https.

Would that be a good move?

No, it doesn't do shit by itself. If you turn that on, browsers won't send cookies unless the whole site is served over HTTPS, which means people won't be able to stay logged in. Passwords will still be sent in plaintext.

You need to get the hosting to serve the site over HTTPS (you can use Let's Encrypt to get a free cert), and then turn that setting on.

Axiem wrote:
Putting the whole site under HTTPS wouldn't particularly be any more secure, no, but it would provide an element of privacy in terms of browsing habits. Currently, my ISP (and anyone who owns network hardware 'twixt my computer and the server) can see the full URL of everything I look at.

And steal the session cookies, and your ZBB password. Sure, if you don't reuse passwords, your accounts on other sites won't be affected, but your ISP can still give that password to Eddy.

_________________
Warning: displaying my avatar may be illegal in totalitarian states.
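
The three configurations discussed in this thread (HTTP as it is now, HTTP with only the cookie setting turned on, and full HTTPS with the setting on), modelled with Python's standard cookie jar as an added example that is not part of any post or of phpBB. The host name, paths, cookie name and credentials are constructed, and the setting is assumed to add the `Secure` attribute to the session cookie.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "forum.example"  # constructed host, not the real board


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def simulate(scheme, cookie_secure):
    """Log in, then request another page, on a site served over `scheme`.

    Returns (session_cookie_sent, password_readable_on_the_wire).
    """
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(
        f"{scheme}://{HOST}/login",  # hypothetical login path
        data=b"username=alice&password=constructed",
        method="POST",
    )
    set_cookie = "forum_sid=constructed-session-id; Path=/"
    if cookie_secure:  # assumed effect of the forum's secure-cookie option
        set_cookie += "; Secure"
    jar.extract_cookies(FakeResponse(set_cookie), login)

    next_page = urllib.request.Request(f"{scheme}://{HOST}/viewtopic")
    jar.add_cookie_header(next_page)  # applies the Secure rule per request
    cookie_sent = next_page.get_header("Cookie") is not None
    # Secure only restricts the cookie; the POST body is hidden from the
    # network only when the request itself goes over TLS.
    password_readable = login.type != "https"
    return cookie_sent, password_readable


if __name__ == "__main__":
    for scheme, secure in [("http", False), ("http", True), ("https", True)]:
        sent, readable = simulate(scheme, secure)
        print(f"{scheme:5} secure={secure!s:5} stays_logged_in={sent} "
              f"password_readable={readable}")
```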

