6502.org Forum  Projects  Code  Documents  Tools  Forum

All times are UTC

[ 22 posts ]  Go to page 1, 2  Next

 Post subject: HTTPS for 6502.org?
PostPosted: Mon Oct 03, 2022 8:15 pm 

Joined: Sun Dec 26, 2021 8:27 pm
Posts: 182
Personally I’m afraid I’ll forget to connect to a VPN the next time I’m on an open airport/hotel Wi-Fi and someone will snatch my forum credentials - or someone else’s for that matter. Plaintext passwords through the air is scary and I have to jump through hoops to make my password manager fill in my password on http sites.

Is Mike not actively maintaining the website?

Since letsencrypt is free it’s hard to find a good reason not to enable SSL.
Anything I/we can do to help?

_________________
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1 :)


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 03, 2022 8:37 pm 

Joined: Fri Aug 30, 2002 1:09 am
Posts: 8543
Location: Southern California
He does. He admits he gets behind in reading, but I expect he'll eventually see this. I think the logic is that the site isn't taking any sensitive information like credit-card numbers, bank accounts, medical records, etc., and hackers probably won't be interested in the 6502 anyway, and it's no problem for anyone genuinely interested to set up their own "account." (I put "account" in quotes because there's no payment or any other such thing involved.) We get a few spammers that find ways to bypass the protections, and we detect that, throw them out, and ban them, usually before their first post.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 03, 2022 9:20 pm 

Joined: Sun Dec 26, 2021 8:27 pm
Posts: 182
Still, a lot of scammers love impersonating trusted members of small communities.

If “Garth Wilson offers to sell you all his stuff for $50 in a PM” to everyone on the site, that could do a lot of damage.
Literally broadcasting usernames and passwords to any switch between you and a website in plain text will get someone burnt eventually - maybe not in 2003, but definitely in 2022.

Eventually we can also expect browsers to completely shun http sites, so I really hope we can get it fixed. Not that we care much about the SEO penalty - not that much competition around XD

_________________
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1 :)


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 03, 2022 9:38 pm 

Joined: Sat Jul 24, 2021 1:37 pm
Posts: 282
The risk with credentials over HTTP is most people re-use their passwords. It would be quite easy for a malicious actor to pivot to someone's email, banking or social media accounts if they happen to sniff a login to this site. So that's the main issue, and it is not about how sensitive this particular website's content is.

It is also annoying with Firefox, having to whitelist the site after every restart.

_________________
BB816 Computer YouTube series


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 03, 2022 10:41 pm 

Joined: Fri Aug 30, 2002 1:09 am
Posts: 8543
Location: Southern California
akohlbecker wrote:
The risk with credentials over HTTP is most people re-use their passwords.

I forgot about that. But please everyone, do not re-use passwords! I have about a hundred passwords. I started the sign-up process on LinkedIn years ago, at the recommendation of a friend, but then said "You're asking for way too much information that's none of your business," and I aborted the process and cancelled the account. However, as many of you know, LinkedIn got hacked later, and the crackers got the email addresses and passwords of millions of users, and I got a lot of emails saying "We have your password _______ and we'll ruin you if you don't send us <so much> by bitcoin..." But no, the only place I used that password was LinkedIn, and it doesn't go to anything else. So https or not, I think you need to avoid re-using passwords.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Tue Oct 04, 2022 11:53 pm 

Joined: Sat Dec 30, 2017 3:19 pm
Posts: 116
Location: Detroit, Michigan, USA
LastPass is a few bucks a month and totally worth every penny. There's a plugin for your browser and for your phone, all synced up but encrypted with your passphrase, and it autofills login forms for you.

Of course some sites try really hard to make it hard to use password managers, by breaking autofill and/or breaking cut & paste so that you can't even paste your long random password. And don't get me started on Roku channels that force you to type in your whole password on the remote...

That being said, setting up letsencrypt on a web site takes about 5 minutes and is pretty much "set and forget".


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Wed Oct 05, 2022 9:28 pm 

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10985
Location: England
(I know Mike is aware of a need, eventually, to go to HTTPS, and is aware of LetsEncrypt and similar, but it's evidently not a priority. I've offered to help, too. It feels best not to keep bugging him about it!)


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 17, 2022 6:49 pm 

Joined: Wed Aug 17, 2005 12:07 am
Posts: 1250
Location: Soddy-Daisy, TN USA
GARTHWILSON wrote:
...and hackers probably won't be interested in the 6502 anyway


I ran a FreeBSD web server for 3 years back in the late '90s. Believe me when I say hackers are interested in any bit of information they can obtain. It's amazing how well they can take seemingly harmless information (bits here, bits there) and compose them into larger collections of information that can be phished with other sites like banks. I can only imagine their capabilities these days.

I'm very security minded yet I had about $3000 stolen from my bank account a few years ago through AWS. Even though Amazon admitted it wasn't any one thing I did wrong (they never would tell me how the hackers got my encryption keys). And AWS took their sweet time refunding my money.

This site needs to be on an up-to-date SSL certificate, etc.

_________________
Cat; the other white meat.


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 17, 2022 7:52 pm 

Joined: Fri Aug 30, 2002 1:09 am
Posts: 8543
Location: Southern California
cbmeeks, my own site used to be hosted on our son's server here at home. Hackers were always trying to break in (for who-knows-what reason, as there was nothing private), and he could see their efforts; but even without https:, the efforts were never successful. They were always looking for files that Windows systems use, but we haven't used Windows in many years, and he never used it on his server or any of his computers. Also, three wrong password attempts in a row make it quit responding to that IP address, so the password cannot be brute-forced. The only thing private and really sensitive here on 6502.org are passwords, and if people wouldn't use the same passwords across various accounts, there wouldn't be any threat. The site does not accept any admin efforts from outside Mike's own IP address, even if the hackers had his passwords. He implemented this and other safety measures after the break-in that happened a decade or more ago. Someone here was criticizing Mike for not updating the forum section of the site to a newer phpBB version, saying the newer one would be more secure; so he updated, and guess what— the new version is what the hackers were looking for. If he had kept the older version, they would have just skipped over it and moved on. Even then though, the only "damage" they did was to set up their own site within 6502.org, without paying for hosting. It sounds to me kind of like driving 100 miles for a free meal.

Mike does intend to make this https:, but apparently it's a lot more complicated than some people realize, at least for this situation. He pays monthly, out of his own pocket, to keep the site operational, which is very much appreciated of course. He does maintain the site, and is, at the moment, working on a huge pile of data sheets to add to the data-sheets section.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
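The per-IP lockout Garth describes above ("three wrong password attempts in a row make it quit responding to that IP address"), worked through as an added example. This is my illustration, not 6502.org's or phpBB's code: a throttle that stops servicing an address after three failed logins inside a window, plus a per-account limit, because an attacker who spreads guesses over many addresses never trips the per-IP rule, and one locked address also locks out every other user behind the same NAT or hotel gateway. The limits, the window, the lockout length and the timestamps are assumed values chosen for the demonstration.

```python
# Added example for this thread, not code from 6502.org or phpBB.
# Models the "three wrong attempts and the server stops answering that IP"
# rule described in the post above, plus a per-account limit. Timestamps are
# plain seconds so the behaviour can be replayed deterministically.
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, ip_limit=3, account_limit=10, window_s=600, lockout_s=900):
        self.ip_limit = ip_limit            # failures from one address before it is ignored
        self.account_limit = account_limit  # failures against one account, from anywhere
        self.window_s = window_s            # failures older than this no longer count
        self.lockout_s = lockout_s          # how long a lock lasts (assumed value)
        self._fails = {"ip": defaultdict(deque), "acct": defaultdict(deque)}
        self._locks = {"ip": {}, "acct": {}}

    def _locked(self, kind, key, now):
        return self._locks[kind].get(key, 0) > now

    def _note_failure(self, kind, key, limit, now):
        q = self._fails[kind][key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= limit:                        # limit reached: lock and reset the count
            self._locks[kind][key] = now + self.lockout_s
            q.clear()

    def attempt(self, ip, user, password_ok, now):
        """Returns 'blocked' (request not serviced at all), 'ok' or 'failed'."""
        if self._locked("ip", ip, now) or self._locked("acct", user, now):
            return "blocked"
        if password_ok:
            # a real login clears the counters for both keys
            self._fails["ip"].pop(ip, None)
            self._fails["acct"].pop(user, None)
            return "ok"
        self._note_failure("ip", ip, self.ip_limit, now)
        self._note_failure("acct", user, self.account_limit, now)
        return "failed"


if __name__ == "__main__":
    t = LoginThrottle()
    # constructed sequence: three bad guesses from one address, then the right password
    for now, ok in ((0, False), (5, False), (9, False), (10, True)):
        print(now, t.attempt("203.0.113.7", "garth", ok, now))
    # a second person behind the same address is now locked out too
    print(11, t.attempt("203.0.113.7", "anna", True, 11))
```

The per-account limit is deliberately looser than the per-IP one: it exists to catch the distributed case, while keeping a single typo-prone user from locking themselves out. Neither rule addresses what the thread is actually about, since a password read off the wire is used once and never trips a counter.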


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Oct 17, 2022 8:16 pm 

Joined: Sat Jul 24, 2021 1:37 pm
Posts: 282
As a stopgap, if setting up this webserver with TLS is too complex, maybe he can use a service like Cloudflare.
They provide free HTTPS for any website and you can be running in minutes after a few clicks. No change is necessary on the website's server. Only the DNS servers of the domain have to change. The connection is encrypted between users and Cloudflare, and then Cloudflare gets pages over plain HTTP from 6502.org.

This way user traffic is at least encrypted where it is at risk of being sniffed, on the user's machine and network.

As a bonus, you get additional protection from spammers, bots, etc, which are filtered by Cloudflare.

https://www.cloudflare.com/ssl/ (not affiliated, I'm just a satisfied user)

_________________
BB816 Computer YouTube series


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Tue Oct 18, 2022 1:53 pm 

Joined: Wed Aug 17, 2005 12:07 am
Posts: 1250
Location: Soddy-Daisy, TN USA
Well, yeah I agree people should use different passwords (and maybe account names) for different sites.

For example, I don't use "cbmeeks" for any banking sites. In fact, my banking user names don't even reflect my real name in any way.

But what an attacker could do on this site is intercept passwords, log in as an admin, and erase content or worse, spam the boards with a known user. A clever hacker would go in and alter old posts slightly to include website links. This would be tricky to detect for a good long while.

_________________
Cat; the other white meat.


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Tue Oct 18, 2022 2:08 pm 

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10985
Location: England
Can we perhaps agree that this is Mike's call? We can offer help - we have. We can make sure he's aware - he is.

After that, we're just being annoying, and I don't think that's a good idea.


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Tue Oct 18, 2022 7:41 pm 

Joined: Fri Aug 30, 2002 1:09 am
Posts: 8543
Location: Southern California
cbmeeks wrote:
But what an attacker could do on this site is intercept passwords, log in as an admin, and [...]

That's not possible on this site, because Mike has set it up so the server will not accept any admin stuff from any IP address other than his own. Even he himself would not be able to log in from a hotel, internet cafe, etc.

_________________
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
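Two posts above interact in a way worth spelling out: akohlbecker's Cloudflare stopgap terminates TLS at the CDN and fetches pages from 6502.org over plain HTTP, and Garth's post says admin access is accepted only from Mike's own IP address. Once a CDN is in front, the origin's socket sees a plaintext connection whose peer is the CDN, not the user, so both "which client is this" and "was the user's hop encrypted" must be recovered from forwarded headers, and only when the peer really is the proxy. The following is an added example of mine, not code from 6502.org, phpBB or Cloudflare; the proxy and admin address ranges are constructed placeholders (RFC 5737 documentation ranges), and the header names are the common X-Forwarded-For / X-Forwarded-Proto convention.

```python
# Added example for this thread, not code from 6502.org, phpBB or Cloudflare.
# With TLS terminated at a CDN and the origin fetched over plain HTTP, the origin
# must reconstruct the client address and whether the client's hop was encrypted
# from forwarded headers, and must trust those headers only when the TCP peer is
# the proxy. All addresses below are constructed documentation-range values.
import ipaddress

# Stand-in for the CDN's published address ranges (constructed, not Cloudflare's).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
# Stand-in for "Mike's own IP address" from the thread (constructed).
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.42/32")]


def _in_any(addr, networks):
    """True if addr parses and lies in one of the networks; garbage never matches."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(a in net for net in networks)


def effective_request(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES, origin_tls=False):
    """Return (client_ip, client_https) as seen from the client's side.

    Only a trusted proxy's X-Forwarded-For / X-Forwarded-Proto are honoured. The
    rightmost X-Forwarded-For entry is the one the proxy itself appended; anything
    to its left was supplied by the client and is not trusted."""
    h = {k.lower(): v for k, v in headers.items()}
    if _in_any(peer_ip, trusted_proxies):
        xff = h.get("x-forwarded-for", "").strip()
        client_ip = xff.split(",")[-1].strip() if xff else peer_ip
        client_https = h.get("x-forwarded-proto", "http").strip().lower() == "https"
        return client_ip, client_https
    # Direct connection: any forwarded headers may be forged, so use the socket's own facts.
    return peer_ip, origin_tls


def admin_allowed(peer_ip, headers, **kw):
    """Admin pages are reachable only from the allowlisted client address."""
    client_ip, _ = effective_request(peer_ip, headers, **kw)
    return _in_any(client_ip, ADMIN_ALLOWLIST)


def session_cookie(session_id, peer_ip, headers, **kw):
    """Set-Cookie value for the session. Secure is added when the client's own hop
    was HTTPS; an origin that only looks at its plaintext socket would never set
    it, and the browser would then send the cookie over any http:// link too."""
    _, client_https = effective_request(peer_ip, headers, **kw)
    attrs = [f"sid={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if client_https:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    via_cdn = {"X-Forwarded-For": "203.0.113.42", "X-Forwarded-Proto": "https"}
    print(admin_allowed("192.0.2.10", via_cdn))    # True: real client is the admin address
    print(admin_allowed("198.51.100.9", via_cdn))  # False: peer is not a proxy, headers ignored
    print(session_cookie("abc123", "192.0.2.10", via_cdn))
```

Two consequences follow for the stopgap: the origin should accept connections only from the CDN's ranges (otherwise the plaintext origin hop is reachable directly and the allowlist check above is the only thing standing), and the forum's own "secure cookie" setting needs to reflect the user-facing scheme rather than what the origin socket sees.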


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Wed Oct 19, 2022 6:31 pm 

Joined: Wed Aug 17, 2005 12:07 am
Posts: 1250
Location: Soddy-Daisy, TN USA
Yeah, this is certainly Mike's decision and I would be happy to offer any help.


GARTHWILSON wrote:
cbmeeks wrote:
But what an attacker could do on this site is intercept passwords, log in as an admin, and [...]

That's not possible on this site, because Mike has set it up so the server will not accept any admin stuff from any IP address other than his own. Even he himself would not be able to log in from a hotel, internet cafe, etc.



Well, that's not totally what I was getting at. I just meant an attacker could read YOUR password, or mine, or someone else's and log in as that person. Then, find some old post and edit that post to include some spam URL. It would take a while to find that and fix it. We've had to deal with these kinds of attacks before at some places I've worked.

Anyway, I was just making a general statement. In 2022, all sites should use SSL. :-)

_________________
Cat; the other white meat.


 Post subject: Re: HTTPS for 6502.org?
PostPosted: Mon Apr 10, 2023 10:41 pm 

Joined: Mon Mar 13, 2023 9:38 pm
Posts: 80
In case it's not already known, I remind you that previously you had to buy SSL certificates to configure HTTPS, but for a few years now it has been free thanks to Let's Encrypt.

https://letsencrypt.org/

