HTTPS for 6502.org?
- AndersNielsen
- Posts: 185
- Joined: 26 Dec 2021
- Contact:
HTTPS for 6502.org?
Personally I’m afraid I’ll forget to connect to a VPN the next time I’m on an open airport/hotel Wi-Fi and someone will snatch my forum credentials - or someone else’s for that matter. Plaintext passwords through the air are scary, and I have to jump through hoops to make my password manager fill in my password on http sites.
Is Mike not actively maintaining the website?
Since letsencrypt is free it’s hard to find a good reason not to enable SSL.
Anything I/we can do to help?
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1
- GARTHWILSON
- Forum Moderator
- Posts: 8773
- Joined: 30 Aug 2002
- Location: Southern California
- Contact:
Re: HTTPS for 6502.org?
He does. He admits he gets behind in reading, but I expect he'll eventually see this. I think the logic is that the site isn't taking any sensitive information like credit-card numbers, bank accounts, medical records, etc., and hackers probably won't be interested in the 6502 anyway, and it's no problem for anyone genuinely interested to set up their own "account." (I put "account" in quotes because there's no payment or any other such thing involved.) We get a few spammers that find ways to bypass the protections, and we detect that and throw them out and ban them, usually before their first post.
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
- AndersNielsen
- Posts: 185
- Joined: 26 Dec 2021
- Contact:
Re: HTTPS for 6502.org?
Still, a lot of scammers love impersonating trusted members of small communities.
If “Garth Wilson offers to sell you all his stuff for $50 in a PM” goes out to everyone on the site, that could do a lot of damage.
Literally broadcasting usernames and passwords to any switch between you and a website in plain text will get someone burnt eventually - maybe not in 2003, but definitely in 2022.
Eventually we can also expect browsers to completely shun http sites, so I really hope we can get it fixed. Not that we care much about the SEO penalty - not that much competition around XD
---
New new new new new video out! Serial Bootloader for my 65uino
Also, check out: I2C on a 6502 Single Board Computer
and Complete hardware overview of my 6502 SBC R1
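What "broadcasting usernames and passwords to any switch between you and the website" means in practice, as an added example that is not part of the thread: a small parser run over a constructed capture of a phpBB-style login over plain HTTP. The host name `forum.example`, the paths, the form field names and the cookie names are all made up for the example; anyone on the path (the hotel Wi-Fi, a tapped switch, an upstream proxy) sees exactly these bytes, and the follow-up request shows that the session cookie is just as exposed as the password.

```python
"""Pull credentials and session cookies out of a captured plaintext HTTP exchange."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample traffic: a login POST and a later page request from the
# same browser, as they would appear on the wire without TLS.
CAPTURED_LOGIN = (
    b"POST /forum/ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 66\r\n"
    b"\r\n"
    b"username=anders&password=hunter2%21&redirect=index.php&login=Login"
)

CAPTURED_FOLLOWUP = (
    b"GET /forum/viewtopic.php?t=1234 HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: phpbb3_sid=0123456789abcdef0123456789abcdef; phpbb3_u=42\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split one HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def sniff_credentials(raw: bytes,
                      user_fields=("username", "user", "login", "email"),
                      pass_fields=("password", "passwd", "pass")):
    """Return the user/password pair from a form-encoded POST, or None if absent."""
    req = parse_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    form = parse_qs(req["body"].decode("utf-8", "replace"))
    user = next((form[f][0] for f in user_fields if f in form), None)
    password = next((form[f][0] for f in pass_fields if f in form), None)
    if user is None or password is None:
        return None
    return {"host": req["headers"].get("host"), "user": user, "password": password}


def sniff_session_cookies(raw: bytes, needle: str = "sid") -> dict:
    """Return cookies whose name looks like a session id; replaying one hijacks the session."""
    req = parse_request(raw)
    jar = SimpleCookie()
    jar.load(req["headers"].get("cookie", ""))
    return {name: morsel.value for name, morsel in jar.items() if needle in name.lower()}


if __name__ == "__main__":
    print(sniff_credentials(CAPTURED_LOGIN))
    print(sniff_session_cookies(CAPTURED_FOLLOWUP))
```

With TLS in place the same observer sees the server name (in the ClientHello) and the sizes and timing of the records, and nothing of the request line, headers or body; that is the whole of the difference being argued over in this thread.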
- akohlbecker
- Posts: 282
- Joined: 24 Jul 2021
- Contact:
Re: HTTPS for 6502.org?
The risk with credentials over HTTP is most people re-use their passwords. It would be quite easy for a malicious actor to pivot to someone's email, banking or social media accounts if they happen to sniff a login to this site. So that's the main issue, and it is not about how sensitive this particular website's content is.
It is also annoying with Firefox, having to whitelist the site after every restart.
- GARTHWILSON
- Forum Moderator
- Posts: 8773
- Joined: 30 Aug 2002
- Location: Southern California
- Contact:
Re: HTTPS for 6502.org?
akohlbecker wrote:
The risk with credentials over HTTP is most people re-use their passwords.
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
- jmthompson
- Posts: 127
- Joined: 30 Dec 2017
- Location: Detroit, Michigan, USA
- Contact:
Re: HTTPS for 6502.org?
LastPass is a few bucks a month and totally worth every penny. There's a plugin for your browser and for your phone, all synced up but encrypted with your passphrase, and it autofills login forms for you.
Of course some sites try really hard to make it hard to use password managers, by breaking autofill and/or breaking cut & paste so that you can't even paste your long random password. And don't get me started on Roku channels that force you to type in your whole password on the remote...
That being said, setting up letsencrypt on a web site takes about 5 minutes and is pretty much "set and forget".
Re: HTTPS for 6502.org?
(I know Mike is aware of a need, eventually, to go to HTTPS, and is aware of LetsEncrypt and similar, but it's evidently not a priority. I've offered to help, too. It feels best not to keep bugging him about it!)
Re: HTTPS for 6502.org?
GARTHWILSON wrote:
...and hackers probably won't be interested in the 6502 anyway
I'm very security minded, yet I had about $3000 stolen from my bank account a few years ago through AWS, even though Amazon admitted it wasn't any one thing I did wrong (they never would tell me how the hackers got my encryption keys). And AWS took their sweet time refunding my money.
This site needs to be on an up-to-date SSL certificate, etc.
Cat; the other white meat.
- GARTHWILSON
- Forum Moderator
- Posts: 8773
- Joined: 30 Aug 2002
- Location: Southern California
- Contact:
Re: HTTPS for 6502.org?
cbmeeks, my own site used to be hosted on our son's server here at home. Hackers were always trying to break in (for who-knows-what reason, as there was nothing private), and he could see their efforts; but even without https:, the efforts were never successful. They were always looking for files that Windows systems use, but we haven't used Windows in many years, and he never used it on his server or any of his computers. Also, three wrong password attempts in a row make it quit responding to that IP address, so the password cannot be brute-forced. The only thing private and really sensitive here on 6502.org are passwords, and if people wouldn't use the same passwords across various accounts, there wouldn't be any threat. The site does not accept any admin efforts from outside Mike's own IP address, even if the hackers had his passwords. He implemented this and other safety measures after the break-in that happened a decade or more ago. Someone here was criticizing Mike for not updating the forum section of the site to a newer phpBB version, saying the newer one would be more secure; so he updated, and guess what—the new version is what the hackers were looking for. If he had kept the older version, they would have just skipped over it and moved on. Even then though, the only "damage" they did was to set up their own site within 6502.org, without paying for hosting. It sounds to me kind of like driving 100 miles for a free meal.
Mike does intend to make this https:, but apparently it's a lot more complicated than some people realize, at least for this situation. He pays monthly, out of his own pocket, to keep the site operational, which is very much appreciated of course. He does maintain the site, and is, at the moment, working on a huge pile of data sheets to add to the data-sheets section.
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
- akohlbecker
- Posts: 282
- Joined: 24 Jul 2021
- Contact:
Re: HTTPS for 6502.org?
As a stopgap, if setting up this webserver with TLS is too complex, maybe he can use a service like Cloudflare.
They provide free HTTPS for any website and you can be running in minutes after a few clicks. No change is necessary on the website's server. Only the DNS servers of the domain have to change. The connection is encrypted between users and Cloudflare, and then Cloudflare gets pages over plain HTTP from 6502.org.
This way user traffic is at least encrypted where it is at risk of being sniffed, on the user's machine and network.
As a bonus, you get additional protection from spammers, bots, etc, which are filtered by Cloudflare.
https://www.cloudflare.com/ssl/ (not affiliated, I'm just a satisfied user)
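Two consequences of the Cloudflare stopgap described above, and of the per-IP lockout Garth describes earlier in the thread, as an added example that is neither the forum's code nor Cloudflare's: once a proxy terminates TLS, the origin sees every request arriving over plain HTTP from a proxy address, so the real scheme and the real client address exist only in forwarding headers. Those headers must be trusted only when the TCP peer really is the proxy, otherwise any direct client can claim to be "https" or can supply a fake address to dodge a "three strikes per IP" lockout (or to get someone else locked out); and without this, a three-failure lockout keyed on the peer address would ban the proxy edge and, with it, every visitor behind it. The proxy ranges below are RFC 5737/3849 documentation addresses standing in for the real list, the header names `CF-Connecting-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` are the common ones, and header names are assumed to reach this code lower-cased.

```python
"""Origin-side handling behind a TLS-terminating reverse proxy."""
import ipaddress
from collections import defaultdict

# Assumed proxy address ranges (documentation prefixes). The real Cloudflare
# egress ranges are published by Cloudflare and change over time; in production
# load that list rather than hard-coding it.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def from_trusted_proxy(remote_addr: str) -> bool:
    """True when the TCP peer is inside one of the proxy ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address to use for logs, rate limits and lockouts.

    Forwarding headers are honoured only from a trusted proxy; from anyone
    else they are attacker-controlled and ignored.
    """
    if from_trusted_proxy(remote_addr):
        forwarded = headers.get("cf-connecting-ip") or headers.get("x-forwarded-for", "")
        candidate = forwarded.split(",")[0].strip()  # leftmost entry is the original client
        try:
            return str(ipaddress.ip_address(candidate))  # also validates the header value
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return remote_addr


def effective_scheme(remote_addr: str, headers: dict) -> str:
    """'https' only when a trusted proxy says so; a direct client cannot claim it."""
    if from_trusted_proxy(remote_addr) and headers.get("x-forwarded-proto", "").lower() == "https":
        return "https"
    return "http"


def session_cookie_header(sid: str, scheme: str) -> str:
    """Set-Cookie value for the session id; Secure is added once the user side is HTTPS.

    A Secure cookie is never sent by the browser over http://, so even a visitor who
    types the plain-HTTP URL later cannot leak the session id in clear text.
    """
    flags = "; Path=/; HttpOnly; SameSite=Lax"
    if scheme == "https":
        flags += "; Secure"
    return f"sid={sid}{flags}"


class LoginLockout:
    """Stop responding to a client after `limit` consecutive failed logins.

    Keyed on client_ip(), not on the raw peer address, so that behind a proxy the
    ban lands on the one offending visitor rather than on the proxy edge.
    """

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.failures = defaultdict(int)

    def allowed(self, ip: str) -> bool:
        return self.failures[ip] < self.limit

    def record(self, ip: str, success: bool) -> None:
        if success:
            self.failures.pop(ip, None)  # a good login resets the counter
        else:
            self.failures[ip] += 1


if __name__ == "__main__":
    hdrs = {"cf-connecting-ip": "198.51.100.5", "x-forwarded-proto": "https"}
    print(client_ip("203.0.113.7", hdrs), effective_scheme("203.0.113.7", hdrs))
    print(client_ip("198.51.100.9", hdrs), effective_scheme("198.51.100.9", hdrs))
```

Note what this does not fix: the proxy-to-origin hop is still plain HTTP in the flexible setup, so the credentials remain readable on that leg and at the proxy itself; it moves the plaintext off the visitor's local network, which is where the thread's sniffing worry lives, and nothing more.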
Re: HTTPS for 6502.org?
Well, yeah I agree people should use different passwords (and maybe account names) for different sites.
For example, I don't use "cbmeeks" for any banking sites. In fact, my banking user names don't even reflect my real name in any way.
But what an attacker could do on this site is intercept passwords, log in as an admin, and erase content or worse, spam the boards with a known user. A clever hacker would go in and alter old posts slightly to include website links. This would be tricky to detect for a good long while.
Cat; the other white meat.
Re: HTTPS for 6502.org?
Can we perhaps agree that this is Mike's call? We can offer help - we have. We can make sure he's aware - he is.
After that, we're just being annoying, and I don't think that's a good idea.
- GARTHWILSON
- Forum Moderator
- Posts: 8773
- Joined: 30 Aug 2002
- Location: Southern California
- Contact:
Re: HTTPS for 6502.org?
cbmeeks wrote:
But what an attacker could do on this site is intercept passwords, log in as an admin, and [...]
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?
Re: HTTPS for 6502.org?
Yeah, this is certainly Mike's decision and I would be happy to offer any help.
GARTHWILSON wrote:
cbmeeks wrote:
But what an attacker could do on this site is intercept passwords, log in as an admin, and [...]
That's not possible on this site, because Mike has set it up so the server will not accept any admin stuff from any IP address other than his own. Even he himself would not be able to log in from a hotel, internet cafe, etc.
Well, that's not totally what I was getting at. I just meant an attacker could read YOUR password, or mine, or someone else's and log in as that person. Then, find some old post and edit that post to include some spam URL. It would take a while to find that and fix it. We've had to deal with these kinds of attacks before at some places I've worked.
Anyway, I was just making a general statement. In 2022, all sites should use SSL.
Cat; the other white meat.
Re: HTTPS for 6502.org?
In case it's not already known, I remind you that previously you had to buy SSL certificates to configure HTTPS, but for a few years now it has been free thanks to Let's Encrypt.
https://letsencrypt.org/
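Why Let's Encrypt can hand out certificates for free, and what the "five minute" certbot setup mentioned earlier in the thread is actually doing, as an added example that is not from the thread, from Let's Encrypt or from certbot: the CA never checks who you are, only that you control the host name, by fetching a file the client puts at `/.well-known/acme-challenge/<token>` over plain HTTP on port 80 (the HTTP-01 challenge of RFC 8555). The file body is the token joined to the SHA-256 thumbprint of the ACME account key (RFC 7638), so only the holder of that key can produce it. The account key below is the RSA example key printed in RFC 7638 section 3.1 (copied from the RFC, not a key anyone should use), the token is constructed, and the webroot path is an assumption; the token check in `webroot_file` is the one thing a home-grown webroot hook most often forgets.

```python
"""HTTP-01 key authorization (RFC 8555 section 8.3) and JWK thumbprint (RFC 7638)."""
import base64
import hashlib
import json
import os
import re

# Example RSA public key from RFC 7638 section 3.1; the RFC prints the expected
# thumbprint for it, which makes a handy cross-check for this code.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed challenge token; a real one is random, base64url, >= 128 bits.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")  # 22 base64url chars = 132 bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members only, serialized with
    no whitespace and members in lexicographic order; 'alg', 'kid' etc. are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client must serve: token '.' thumbprint of its account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA fetches over http:// on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def webroot_file(webroot: str, token: str) -> str:
    """Where a webroot-style hook writes the file.

    The token comes from the CA's response; refusing anything that is not
    base64url keeps a hostile or buggy server from steering the write outside
    the challenge directory (e.g. a token of '../../something').
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def validate(token: str, served_body: str, account_jwk: dict) -> bool:
    """The CA side: compare what was served with the expected key authorization."""
    return served_body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, ACCOUNT_JWK)
    print("GET http://<your-host>" + challenge_path(SAMPLE_TOKEN))
    print("expected body:", body)
    print("write to:", webroot_file("/var/www/html", SAMPLE_TOKEN))
```

Two practical consequences follow from the mechanism: port 80 has to be reachable from the CA while the challenge runs (the HTTPS listener alone is not enough), and because the proof is tied to the account key rather than to anything about the operator, the certificate only asserts control of the name, which is exactly as much as a forum login page needs.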