https / SSL for LEB & LET?

Hi

Would it be possible to enable https / ssl on LET and - while we are at it - on LEB?

A 1024 cert would be better than nothing and wouldn't cost much resources...

If it's not possible, what's the reason?

(Currently https://lowendtalk.com redirects (301) to http://lowendtalk.com)

Thanks, and I'm glad to be part of this community, hi everybody :D

Thanked by 1 luissousa

Comments

  • MassNodes Member
    edited April 2014

    It's a forum where information is public. Yes it's nice, but is our admin willing to add the CPU overhead?

  • netomx Moderator, Veteran

    There are several threads with this petition, without luck

  • wych Member

    What @netomx said...

    Thanked by 1 netomx
  • @MassNodes said:
    It's a forum where information is public. Yes it's nice, but is our admin willing to add the CPU overhead?

    It's sponsored by ColoCrossing, I'm sure they have enough resources.

  • akz Member

    Isn't there another thread regarding this a week ago?

  • wych Member

    @Floris said:

    They have the resources (we are now in a cluster)... but what purpose would having SSL serve?

  • MassNodes Member
    edited April 2014

    @Floris said:

    I didn't know that. That's awesome.

  • Nekki Veteran

    @MassNodes said:
    I didn't know that. That's awesome.

    Wat?

  • @wych said:
    They have the resources (we are now in a cluster)... but what purpose would having SSL serve?

    More secure, less chance of a man in the middle attack or such things.

    Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information.  It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider.
  • wych Member
    edited April 2014

    @Floris said:

    Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information.  It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider.

    It's a bl**dy forum, not even a sensitive one at that.

    @MassNodes said:
    I didn't know that. That's awesome.

    CC purchased it off @Liam

  • @wych said:
    CC purchased it off Liam

    Off @chief

  • Other offers were barely considered back then though.

    Thanked by 1 netomx
  • wych Member

    @INIZ said:
    Off chief

    Thanks for clarification :)

  • Since there is no ssl when you login it's all plain text so very easy to coffee shop attack. Simply put taking someone's cookies off wifi and then making fake offers as that person would not be too hard. So yes the information is public but your reputation as a host or a buyer can be compromised.

  • Ishaq Member

    After heartbleed? hah. Good timing.

    Thanked by 1 exhnozoaa
  • jbiloh Administrator, Veteran

    We tried installing a certificate on LET before but it broke some of the site's functionality.

  • wojons said: Since there is no ssl when you login it's all plain text so very easy to coffee shop attack. Simply put taking someone's cookies off wifi and then making fake offers as that person would not be too hard. So yes the information is public but your reputation as a host or a buyer can be compromised.

    Wouldn't it be better for the individual using open wifi to take steps to protect all of his/her browsing activity, rather than depend on websites to do it for him (/her)? It would be easier I think than demanding that every website use SSL....

    Thanked by 1 Pwner
  • Pwner Member

    @sleddog said:

    Agreed, if the person seriously cares about their data's security then they will take measures through their own methods to protect their data. Going on a public network and then complaining about the host not being secure is just being an ass on the client's end.

  • skagerrak Member
    edited April 2014

    @sleddog said:
    Wouldn't it be better for the individual using open wifi to take steps to protect all of his/her browsing activity, rather than depend on websites to do it for him

    Does something come into your mind--without throwing oneself into the hands of unknown people? A VPN won't be of any help as it can't ensure the integrity of requested data at source. It can just help to somehow increase security with the transfer of the data.

  • VPN Member

    There is no logical or justifiable reason to add the burden of SSL to the cluster.

    If you're really sharing data too sensitive for HTTP then share it over email privately or Skype - not on a PUBLIC forum.

  • skagerrak said: Does something come into your mind--without throwing oneself into the hands of unknown people? A VPN won't be of any help as it can't ensure the integrity of requested data at source. It can just help to somehow increase security with the transfer of the data.

    Hell, I'm not a security expert by no means :) When I'm on public/open wifi I create an ssh tunnel to a vps and use that for browsing. Maybe that's not protecting me... see I said I wasn't a security expert :)

  • skagerrak Member
    edited April 2014

    @sleddog said:
    Hell, I'm not a security expert by no means :) When I'm on public/open wifi I create an ssh tunnel to a vps and use that for browsing. Maybe that's not protecting me... see I said I wasn't a security expert :)

    TBH, that's perfectly fine as it's just a VPN. However, it does not defeat the reason for SSL. The VPN just tries to protect the transport from the contacted source to your endpoint. Whatever that source is. With SSL you can somehow make sure that the source is what you expected (except MITMed traffic).

    Ofc, that does not explain why one might need SSL on a public forum. I haven't yet found a reason why one could. But I also haven't thought about it long enough.

    Thanked by 1 sleddog
  • tchen Member

    @skagerrak said:
    Ofc, that does not explain why one might need SSL on a public forum. I haven't yet found a reason why one could. But I also haven't thought about it long enough.

    So I can use the same password as my online banking, silly.

  • VPN Member

    @skagerrak said:
    Ofc, that does not explain why one might need SSL on a public forum. I haven't yet found a reason why one could. But I also haven't thought about it long enough.

    The fact that no decent reason comes to your mind straight away shows it would be a pointless task lol.

  • @OkieDoke said:
    The fact that no decent reason comes to your mind straight away shows it would be a pointless task lol.

    Well, no question is too dumb to be asked ;-)

  • @sleddog said:

    @Pwner said:

    Does not mean the website should not use ssl at all. How can you take steps to keep it safe if it still travels over the open internet. Short of somehow getting a vm on the same rack as lowendtalk to then be your vpn tunnel you're going to be SOL. One factor security is not the best but adding more layers is always better.

  • tchen Member

    @wojons said:
    One factor security is not the best but adding more layers is always better.

    Security implementation is always a tradeoff. SSL termination is easily DDoS'd since it's got such a nice leverage factor.

  • raindog308 Administrator, Veteran
    edited April 2014

    @MassNodes said:
    Yes it's nice, but is our admin willing to add the CPU overhead?

    "Our admin" is "third party hosted vanillaforums.com" in this case, no?

    I would think for the ridiculous prices VF charges, a little hand-holding to install SSL would be included.

    OkieDoke said: There is no logical or justifiable reason to add the burden of SSL to the cluster.

    With modern CPUs...seriously? People are talking about SSL like it's 1995 and you need special cards to offload the massive mathematical processing.

    But in this case - who cares? It's not LET paying the CPU toll.

  • raindog308 said: "Our admin" is "third party hosted vanillaforums.com" in this case, no?

    No...

  • @tchen said:
    Security implementation is always a tradeoff. SSL termination is easily DDoS'd since it's got such a nice leverage factor.

    From the looks of it lowendtalk is using cloudflare. They can have the ssl terminated there and if there is "ddos" it will happen on cloudflare's side.

    Thanked by 1 tchen
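Two concrete points raised in the thread, the 301 from https:// back to http:// and the login cookie travelling in plain text, can be checked from response headers alone. The following is an added example, not code from any poster or from the forum software; `forum.example`, the `sid` cookie and the finding labels are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_response(request_url, status, headers):
    """Return transport-security findings; headers is a list of (name, value)."""
    findings = []
    https = urlsplit(request_url).scheme == "https"
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # An HTTPS request answered with a redirect to http:// is a downgrade:
    # everything after it, login included, travels in clear text.
    if https and status in REDIRECTS:
        for loc in by_name.get("location", []):
            if urlsplit(loc).scheme == "http":
                findings.append("downgrade-redirect: " + loc)

    # A cookie without Secure is also sent on plain-HTTP requests, where
    # anyone on the same open Wi-Fi can read and replay it.
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append("cookie-no-secure: " + name)
            if not morsel["httponly"]:
                findings.append("cookie-no-httponly: " + name)

    # HSTS is only honoured on HTTPS responses; without it the first
    # request may still go out over HTTP.
    if https and "strict-transport-security" not in by_name:
        findings.append("no-hsts")
    return findings

# Constructed sample responses (forum.example and the "sid" cookie are made up).
DOWNGRADE = ("https://forum.example/", 301, [("Location", "http://forum.example/")])
PLAIN_LOGIN = ("http://forum.example/login", 200,
               [("Set-Cookie", "sid=constructed123; Path=/; HttpOnly")])
HARDENED = ("https://forum.example/login", 200,
            [("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "sid=constructed123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for sample in (DOWNGRADE, PLAIN_LOGIN, HARDENED):
        print(sample[0], audit_response(*sample))
```

The same function accepts the output of `http.client.HTTPResponse.getheaders()` for a site you operate.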