https

Questions, suggestions or remarks about this forum.

https

Postby roheve » Thu Jan 02, 2014 11:01 am

I noticed that the forum does not use https, not even when editing preferences and changing the password.
I am in the process of transferring the data from my password-protected spreadsheet file to a password safe tool; that is why I noticed it while changing the password.

For https you need a certificate. With a self-signed certificate you get annoying warnings (and the user has to take action to suppress the warnings). There are free certs, but they are only valid for a year (so Mr. BWired needs to jump through certificate-refresh hoops every year, when he is busy with other things :) etc ...). But it would be a bit safer.

The thing is about password and cookie sniffing. The risk is low (it is not a bank), but still. When logged in, the connection should be secured.

What do others think?

BTW, would passwords or hashes be exposed if there is a breach?
roheve
Starting Member
Posts: 47
Joined: April 2011

Re: https

Postby sj3fk3 » Thu Jan 02, 2014 4:23 pm

I agree an SSL certificate would not be a bad idea and renewing once a year is not really a big effort... I've had good experience with https://www.startssl.com/
Kind Regards,
Greg.
sj3fk3
Member
Posts: 119
Joined: April 2012
Location: Abcoude

Re: https

Postby Bwired » Thu Jan 02, 2014 6:52 pm

I will check it out, but it will probably cost me more; the forum and server are not bringing me any money, only costing :)
There is nothing on this forum which is secret, and passwords are stored encrypted in the database.
Bwired
Administrator
Posts: 5307
Joined: March 2006
Location: Netherlands

Re: https

Postby roheve » Sat Jan 04, 2014 4:32 pm

Bwired wrote:I will check it out, but probably costing me more [...]

Yes, it will cost you mainly some time, and a yearly update. See "How to obtain and install an SSL/TLS certificate, for free" for a preview of what to do; it is a nice read too. I do find the things you need to do for validation a bit messy, but it seems to work.

On the other hand, with an expensive certificate, you only have to do that once every 2 or 3 years, but because you do that less often, you get less experience with it and it will take you longer to upgrade.

The free cert with yearly updates would be an alternative for a hobby site, as it does not cost money. But, as it is now, it also works. My password is now truly random and not (a similar one) used at other sites anymore.
roheve
Starting Member
Posts: 47
Joined: April 2011

Re: https

Postby raymonvdm » Tue Jan 07, 2014 9:31 am

You can buy SSL certificates for around 60 dollars. I bought mine at ssl.nu for 69 euros, and this is a wildcard certificate for all subdomains I use (more expensive). So I can use it for my webmail / website and all other web-based services I use (HomeSeer should be working also, but I haven't tried it yet).

SSL will only prevent interception of the plaintext password between the website and the end user, and for this forum it would be a nice thing to have (more secure). When using my bank website it is vital :-)
Running HS3PRO on PC with Z-Wave / OpenTherm / Plugwise / RFXcom / MQTT / XAP400 / Logitech Media Server and Squeezelite on PI`s
raymonvdm
Senior Member
Posts: 1147
Joined: December 2011

Re: https

Postby sj3fk3 » Tue Jan 07, 2014 10:01 am

Bwired wrote:I will check it out, but probably costing me more, forum and server are not bringing me any money, but costing only :)
there is nothing on this forum which is secret and passwords are stored encrypted in the database.

I'm sure you want to do things on your own, but I'm going to say it anyway :) I've got my own 8-core, 12Gb server with a 1Gb/s uplink in NL's best datacenter and I could easily host this forum for free for you. I'm also willing to do sys-admin stuff like fixing SSL certificates and/or hardening phpBB, no sweat at all.

p.s.
Encrypting passwords in the DB but sending them in clear over the line is kinda defeating the purpose, with goodies like https://www.cookiecadger.com/ around...
Kind Regards,
Greg.
sj3fk3
Member
Posts: 119
Joined: April 2012
Location: Abcoude

Re: https

Postby Bwired » Tue Jan 07, 2014 11:48 pm

Thanks Greg,
I have my own dedicated server as well, which the forum is also running on :)
I will put https on my todo list.
Bwired
Administrator
Posts: 5307
Joined: March 2006
Location: Netherlands

Re: https

Postby jeroen_ » Thu Jan 09, 2014 8:57 am

I suggest you go for the startcom trick which is cheap as it is free (they just want your name/address); or if you really want to go for a (paid) wildcard cert we tend to use the bit-more-expensive gandi.net/ssl.

Note that with apache and nginx you can host multiple different SSL certificates from the same ip/port using SNI (Server Name Indication) which is supported by most browsers nowadays (unless one still uses a very old browser, but then you are out of luck anyway).

For really good SSL parameters (especially cipher selection) check out (cut & paste configs, but also the explanation of why to select those):
http://blog.rlove.org/2013/12/strong-ssl-crypto.html

You can verify that all is working great using https://www.ssllabs.com/

And if you are on the subject of security anyways, read the excellent (but in progress) PDF at:
https://bettercrypto.org/

And of course if you have a real SSL cert, then you can just as well enforce HTTPS for the website.


Another thing for your TODO list that can be very interesting for remote control, and thus home automation too, is of course IPv6; if you don't get it natively yet (xs4all offers that, as one of the few in .nl; check https://www.sixxs.net/faq/connectivity/?faq=native for a list), then get a tunnel, see the previous link for that (or ask me here for some details *wink*).

If you need config help, don't hesitate to shoot a question here or DM.
jeroen_
Member
Posts: 105
Joined: February 2013
Location: Switzerland
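
The SNI and enforce-HTTPS setup described in the post above, as an added nginx example that is not part of the thread: two sites with separate certificates on the same IP and port, plain HTTP redirected to HTTPS, and a restricted protocol and cipher list. The hostnames and certificate paths are hypothetical placeholders.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
# Hostnames and certificate paths below are placeholders, not real sites.

# Shared TLS policy inherited by every server block below.
# TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1 or newer.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

# Catch every plain-HTTP request and send the browser to HTTPS,
# so the login form and session cookie never travel in the clear.
server {
    listen 80;
    server_name forum.example.org webmail.example.org;
    return 301 https://$host$request_uri;
}

# First HTTPS site: nginx picks this block when the client's SNI
# hostname (sent in the ClientHello) matches server_name.
server {
    listen 443 ssl;
    server_name forum.example.org;
    ssl_certificate     /etc/ssl/forum.example.org/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/forum.example.org/privkey.pem;    # placeholder
    # Tell browsers to use HTTPS only for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /var/www/forum;  # placeholder document root
}

# Second HTTPS site on the same IP and port, with its own certificate.
server {
    listen 443 ssl;
    server_name webmail.example.org;
    ssl_certificate     /etc/ssl/webmail.example.org/fullchain.pem; # placeholder
    ssl_certificate_key /etc/ssl/webmail.example.org/privkey.pem;   # placeholder
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /var/www/webmail;  # placeholder document root
}
```

The application should additionally mark its session cookie with the Secure flag, since the redirect alone does not stop a cookie set without it from being sent over plain HTTP.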

Re: https

Postby sj3fk3 » Thu Jan 09, 2014 9:04 am

jeroen_ wrote:(or ask me here for some details *wink*)

I was always under the impression that all sixxs related questions had to be mailed to info at sixxs on pain of death? ;-)
Kind Regards,
Greg.
sj3fk3
Member
Posts: 119
Joined: April 2012
Location: Abcoude

Re: https

Postby raymonvdm » Thu Jan 09, 2014 9:15 am

I think 99% of the colocation companies are providing IPv6 nowadays. If not, you're in the wrong place anyway :D
Running HS3PRO on PC with Z-Wave / OpenTherm / Plugwise / RFXcom / MQTT / XAP400 / Logitech Media Server and Squeezelite on PI`s
raymonvdm
Senior Member
Posts: 1147
Joined: December 2011

Re: https

Postby jeroen_ » Thu Jan 09, 2014 9:17 am

sj3fk3 wrote:
jeroen_ wrote:(or ask me here for some details *wink*)

I was always under the impression that all sixxs related questions had to be mailed to info at sixxs on pain of death? ;-)

Nope, the forum is the better place; there are other people who might help out in answering them. Mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.
jeroen_
Member
Posts: 105
Joined: February 2013
Location: Switzerland

Re: https

Postby sj3fk3 » Thu Jan 09, 2014 9:24 am

jeroen_ wrote:Nope, the forum is the better place, other people who might help out in answering them. mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.

I was joking about the tantrums Pim would throw if you asked him anything on irq or his personal email :)
Kind Regards,
Greg.
sj3fk3
Member
Posts: 119
Joined: April 2012
Location: Abcoude

Re: https

Postby jeroen_ » Thu Jan 09, 2014 11:26 am

sj3fk3 wrote:
jeroen_ wrote:Nope, the forum is the better place, other people who might help out in answering them. mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.

I was joking about the tantrums Pim would throw if you asked him anything on irq or his personal email :)

I nicely redirect folks too to the faq/forums/wiki depending on the question.

Answering 40.000 people privately does not scale, hence why we point there.

Note that if you google a bit a lot of people hate me and not Pim as I can be a lot harsher and handle a lot more messages (be that email/forum/etc).
And that some people think they are special and can have private treatment..... well, thou art not a unique special snowflake.
jeroen_
Member
Posts: 105
Joined: February 2013
Location: Switzerland

Re: https

Postby sj3fk3 » Thu Jan 09, 2014 11:35 am

jeroen_ wrote:Note that if you google a bit a lot of people hate me and not Pim as I can be a lot harsher

No worries, your reputation precedes google :) We just used to take the mickey out of Pim while we were all working at bit.nl

Anyway, on topic: I'm still a happy sixxs user and totally agree that all things domotica should use IPv6, and that includes this forum :)
Kind Regards,
Greg.
sj3fk3
Member
Posts: 119
Joined: April 2012
Location: Abcoude

Re: https

Postby roheve » Sat Jan 11, 2014 3:05 pm

raymonvdm wrote:I think 99% of the colocation company`s is providing ipv6 now a days. If not you`re in the wrong place anyway :D

From looking at the IP, domoticaforum is running at a Hetzner datacenter, so IPv6 should be there, just not enabled for the website, it seems.
roheve
Starting Member
Posts: 47
Joined: April 2011
