Thread: HTTPS?

  1. #1
    Join Date
    Jun 2011
    Location
    Vegas
    Posts
    6,717
    Feedback Score
    5 (100%)

    HTTPS?

    Can m4carbine.net default to https?

    I tried https://www.m4carbine.net/ and it doesn't really work. Tons of mixed (non-HTTPS) content including images and scripts, which causes the site to be broken. Plus, all the links from the HTTPS version go to the regular HTTP version of the site.

    While I'm asking questions, what about an upgrade to vB5? I'm really not comfortable with vB4's password hash implementation of MD5(MD5($password)+$salt). MD5 has been considered broken since 2010, but has shown problems as early as 1996. And that's not even taking into account key stretching, or rather the lack thereof.

    Also, due to the lack of HTTPS, when you log in to the site, your password is locally MD5 hashed, then sent along with your username. That makes anyone using M4Carbine.net on public internet vulnerable to a pass-the-hash attack, and the md5 hash can be stored for later cracking or lookup via rainbow table. HTTPS more or less solves all of this, if implemented correctly.

    Mods, feel free to delete this and reply via PM if you want to discuss further
    Last edited by Koshinn; 09-19-16 at 17:56.
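
The hashing scheme and login flow described in post #1, as an added example that is not part of the thread and not vBulletin's own code. It assumes the inner MD5 is concatenated as lowercase hex text, uses constructed sample values, and goes beyond the post by showing one way to add key stretching (PBKDF2-HMAC-SHA256, with an assumed iteration count) on top of existing records.

```python
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def legacy_hash(password: str, salt: str) -> str:
    # Formula quoted in the post: MD5(MD5($password) + $salt).
    # Assumption: the inner digest is concatenated as lowercase hex text.
    return md5_hex(md5_hex(password) + salt)

def legacy_login(wire_value: str, salt: str, stored: str) -> bool:
    # Server-side check when the browser submits MD5(password) rather than
    # the password. The server never needs more than wire_value, so on plain
    # HTTP that value is exactly as sensitive as the password itself.
    return hmac.compare_digest(md5_hex(wire_value + salt), stored)

def wrap_legacy(stored: str, new_salt: bytes, iterations: int) -> bytes:
    # Key stretching layered over an existing record, so a user table can be
    # upgraded in place without knowing any plaintext password.
    return hashlib.pbkdf2_hmac("sha256", stored.encode("ascii"), new_salt, iterations)

def stretched_login(password: str, salt: str, new_salt: bytes,
                    iterations: int, wrapped: bytes) -> bool:
    # The password arrives over TLS; rebuild the legacy hash, then the wrapper.
    candidate = wrap_legacy(legacy_hash(password, salt), new_salt, iterations)
    return hmac.compare_digest(candidate, wrapped)

if __name__ == "__main__":
    password, salt = "correct horse", "a1B2c3"   # constructed sample values
    stored = legacy_hash(password, salt)
    # The MD5 that crosses the wire is accepted without the plaintext.
    print("wire MD5 accepted:", legacy_login(md5_hex(password), salt, stored))
    new_salt, rounds = os.urandom(16), 600_000   # assumed work factor
    wrapped = wrap_legacy(stored, new_salt, rounds)
    print("stretched login ok:", stretched_login(password, salt, new_salt, rounds, wrapped))
    print("wrong password ok:", stretched_login("guess", salt, new_salt, rounds, wrapped))
```
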

  2. #2
    Join Date
    Jun 2011
    Location
    Vegas
    Posts
    6,717
    Feedback Score
    5 (100%)
    So, it's been about 6 months...

    Anything?
    "I never learned from a man who agreed with me." Robert A. Heinlein

  3. #3
    Join Date
    Jun 2011
    Location
    Vegas
    Posts
    6,717
    Feedback Score
    5 (100%)
    So...ISPs can now sell your internet traffic history. HTTPS can protect against this. I'm guessing most people here don't use a VPN.

    HTTPS is free: https://letsencrypt.org/
    "I never learned from a man who agreed with me." Robert A. Heinlein

  4. #4
    Join Date
    Apr 2014
    Location
    South West
    Posts
    940
    Feedback Score
    17 (100%)
    OP, thanks for pointing out the elephant in the room. If my vote counts, I am all for upgrading to a more secure platform. I spend a great deal of time on public networks and using mobile devices, so https and personal VPN are on my study more & take action list.

  5. #5
    Join Date
    May 2010
    Location
    midwest
    Posts
    8,217
    Feedback Score
    4 (100%)
    I think that a right-wing gun forum should definitely do what it can to protect its members, but my understanding is the HTTPS only encrypts posting content. It doesn't do anything to hide browsing history, which is what internet vendors want.
    Last edited by Hmac; 04-01-17 at 13:23.

  6. #6
    Join Date
    Apr 2014
    Location
    South West
    Posts
    940
    Feedback Score
    17 (100%)
    Quote Originally Posted by Hmac View Post
    I think that a right-wing gun forum should definitely do what it can to protect its members, but my understanding is the HTTPS only encrypts posting content. It doesn't do anything to hide browsing history, which is what internet vendors want.
    Excellent points. With the doxing of CCW holders in/around NYC following Sandy Hook as just one example, any protections we can take for ourselves here are IMO necessary. I know the published names/addresses in my example were taken from unprotected public records and not forum membership, but as we have seen, no holds barred is the name of the game with the people who wish to drive agenda at any cost.

  7. #7
    Join Date
    Jul 2012
    Posts
    39
    Feedback Score
    2 (100%)
    Quote Originally Posted by Hmac View Post
    I think that a right-wing gun forum should definitely do what it can to protect its members, but my understanding is the HTTPS only encrypts posting content. It doesn't do anything to hide browsing history, which is what internet vendors want.
    My understanding is that it goes further than that. With HTTPS, your ISP would only see that you are visiting m4carbine.net, without being able to see the individual posts that you read because the URL requests for the individual posts are sent over the encrypted connection. In other words, with HTTPS both your reading and posting history would be protected.
