Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
Dashers
... They are not in the habit of sniffing packets randomly for passwords due to the sheer volume of data that is handled. ...
And their security is utterly impenetrable with no risk of compromise at all.
Oh, wait, that's not true, is it?
No password-accepting site is low value, due to people's tendency to reuse passwords and usernames. Yes, there are FAR easier ways to get someone's password, and yes, there are far more vulnerable attack vectors that you also need to protect against, but something as straightforward as having your log-in page forced onto HTTPS is trivial to implement and takes one attack vector out of the equation. More security is better than less security, particularly when there is very little additional cost to implement that security. HTTPS for a forum log in page might not seem important, and on its own it might not stop me using a site, but it would certainly make me stop and think for a few minutes.
Trying to claim that plaintext transmission of passwords poses no security risk is, at very best, remarkably naive.
Re: Where's HTTP SSL on Hexus?
Thanks Jim, summarises my thought process perfectly! :)
Re: Where's HTTP SSL on Hexus?
Just a thought - I recently had someone try and log into my Farcebook account which is one of the few accounts still using the old, least secure password I also use for Hexus. Luckily Farcebook detected that I was unlikely to be in Bangcock and locked my account, alerting me through the phone "app" and demanding I change my password. This password is in use only on things where security isn't top of my list of concerns (although perhaps Farcebook should be higher up, I'm just lazy I think) and I can only think that it was somehow picked up due to the insecure Hexus site as I'm not silly enough to be phished (I hope). I haven't used that password on anything else recently. It's a random sequence of letters, not a word so it's very doubtful someone guessed it.
Re: Where's HTTP SSL on Hexus?
I'd have thought SSL across the entire site would have been standard by now (especially considering this thread was started 2 months ago, not like there was no notice) - what's the problem?
Don't forget GDPR comes into force in May as well; reckon someone there needs to start reading up on that. vBulletin doesn't seem too hot on it either.
Re: Where's HTTP SSL on Hexus?
Hi all
We will migrate as soon as we can, and as soon as we have it exactly right.
We have a whole new site in dev, with our own proprietary CMS, with a new forum back end too.
It takes time, and it needs to be spot on. But it won't be long.
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
Zak33
our own proprietary CMS
Any particular reason for not adapting an existing open source solution instead?
Re: Where's HTTP SSL on Hexus?
I don't think GDPR changes anything in this context. Under existing data protection laws Hexus is obligated to keep personal data secure. GDPR brings in a lot of good things, but doesn't really change that fundamental.
That said, I don't have an issue with my Hexus logon not being encrypted.
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
Output
Any particular reason for not adapting an existing open source solution instead?
This is a good question, we have always built things ourselves. We have also acquired a couple of titles over the last 3 years which brings a few headaches to the mix.
So within the group we have a fair few publications and in our eyes it's better to be on a codebase which we know, own, and can control. When we acquired one of the publications it was running on Ruby and had a ton of code which we had to work with; if something broke it took a long time to fix. Now this title is on our new platform and it's very quick for us to tinker with.
We have had to manage stuff on Ruby, Python, PHP and Drupal, a right mixture. We decided 18 months ago to build our own CMS which could cater for all, without the clutter of others which we would have to take out/change. We have the in-house capabilities to do this; we have a team of designers and developers working daily, but it's not just HEXUS stuff.
We went live with the first public run of the platform, and it is impressive. Of course there were a few teething problems, but they were resolved quickly as we built it and could identify the issue.
We have 2 sites on it already, and HEXUS is scheduled to go on to it, but we are constantly developing and improving it, so the build HEXUS goes on will be very different to what we have now as it evolves. To migrate a site like HEXUS with the content there is a lot to line up: so many custom bits like competition integration, newsletter integration, alerts, forum login integration, forum comments integration, thevault and HEXUS trust. It's a lot to make sure works perfectly.
Oh, and some fun: we will also be changing the forum to Xenforo, which again we have already done on one of our publications. This is why we are waiting to get HTTPS running; the challenge on vB of course is the fact there is a ton of content such as images embedded which aren't https links and will break it further.
Right now the HEXUS codebase works. We will move when we can, and we do want https just like the rest of you.
Re: Where's HTTP SSL on Hexus?
That all makes sense, thanks for the insight. :)
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
Dashers
I don't think GDPR changes anything in this context. Under existing data protection laws Hexus is obligated to keep personal data secure. GDPR brings in a lot of good things, but doesn't really change that fundamental.
That said, I don't have an issue with my Hexus logon not being encrypted.
How we've interpreted that is if the data moves from the client to the server and it's not encrypted, then it's not secure, regardless of how well encrypted it is further down the stack.
Personally I don't have an issue either; my password here is unique even if it is at risk. Just under the microscope of an audit, or a real-world attack, things could crumble.
I also think for the sake of a day's work and trivial cost, SSL could easily be implemented here. Just promising it'll be sorted out "at some point in the future" when a new system is deployed sounds like a fob-off.
Edit: posted after DR's response as I left the tab open and went for a wander. Can't you just add a rule in your http server to rewrite any non-ssl requests to the ssl equivalent for assets that use static links?
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
virtuo
How we've interpreted that is if the data moves from the client to the server and it's not encrypted, then it's not secure, regardless of how well encrypted it is further down the stack.
Personally I don't have an issue either; my password here is unique even if it is at risk. Just under the microscope of an audit, or a real-world attack, things could crumble.
I also think for the sake of a day's work and trivial cost, SSL could easily be implemented here. Just promising it'll be sorted out "at some point in the future" when a new system is deployed sounds like a fob-off.
Thanks for the respectful comment in regards to us "fobbing off"; I was very transparent.
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
virtuo
Edit: posted after DR's response as I left the tab open and went for a wander. Can't you just add a rule in your http server to rewrite any non-ssl requests to the ssl equivalent for assets that use static links?
We are looking at this already. It comes down to having a timeline which we thought we could reach, so we didn't spend time tinkering, but with the timeline moving and other more pressing tasks coming up it's something which we are certainly looking at. No doubt it will break, you will tell us how awful we are, and it will take a few days to sort.
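The rewrite rule suggested above, together with a fix for the embedded http:// image problem raised earlier in the thread, as an added nginx example; this is not Hexus's configuration, and the host name, certificate paths and backend address are hypothetical placeholders.

```nginx
# Added example, not Hexus's actual configuration. Host and paths are hypothetical.

# Plain-HTTP listener: send every request, including the login POST, to HTTPS
# before the application ever sees it.
server {
    listen 80;
    server_name forums.example.com;

    # Keep one plaintext path open so the certificate issuer can reach its
    # challenge files; everything else is redirected.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;    # hypothetical path
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name forums.example.com;

    ssl_certificate     /etc/ssl/forums.example.com/fullchain.pem;  # hypothetical path
    ssl_certificate_key /etc/ssl/forums.example.com/privkey.pem;    # hypothetical path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Old posts still embed http:// image URLs. This header makes the browser
    # fetch those sub-resources over https:// itself, so legacy content does
    # not become mixed-content breakage while the stored HTML is cleaned up.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    # Only add this once the whole site is confirmed working over HTTPS:
    # browsers will refuse plain HTTP for the host for the whole max-age.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;        # hypothetical vBulletin backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https; # lets vB generate https:// URLs
    }
}
```

upgrade-insecure-requests only helps where the image host itself answers on HTTPS; images hosted on http-only third-party sites will fail to load and still need the stored links rewritten or the images re-hosted.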
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
philehidiot
Just a thought - I recently had someone try and log into my Farcebook account which is one of the few accounts still using the old, least secure password I also use for Hexus. Luckily Farcebook detected that I was unlikely to be in Bangcock and locked my account, alerting me through the phone "app" and demanding I change my password. This password is in use only on things where security isn't top of my list of concerns (although perhaps Farcebook should be higher up, I'm just lazy I think) and I can only think that it was somehow picked up due to the insecure Hexus site as I'm not silly enough to be phished (I hope). I haven't used that password on anything else recently. It's a random sequence of letters, not a word so it's very doubtful someone guessed it.
So the only option is an insecure HEXUS? Here are a few other options: your connection was sniffed (there's nothing SSL could have done as it can be stripped), one of the alphabet boys wanted your password so used one of their tools (not likely), someone brute forced the account (unlikely, as FB have got pretty good at defeating this in the last few years), your PC has already been hacked, you did use the password somewhere else and they were "hacked", or it was a friend/family member. Saying this could've only been because of HEXUS is a joke.
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
virtuo
Edit: posted after DRs response as I left the tab open and went for a wander. Can't you just add a rule in your http server to rewrite any non-ssl requests to the ssl equivalent for assets that use static links?
If it was that easy, it would have been done at least 4 years ago.
Re: Where's HTTP SSL on Hexus?
Quote:
Originally Posted by
Jonatron
If it was that easy, it would have been done at least 4 years ago.
Careful! That line of reasoning sounds like a certain rail company to a certain transport minister attempting to explain why the trains still aren't running properly. You don't want to be lumped in with them.
Re: Where's HTTP SSL on Hexus?
Shall we keep this thread as a be nice to HEXUS thread? We are working on things, fear not people.