Blaine0002

SSL Certificate

14 posts in this topic

I posted this in r3v too, you guys really need to install an SSL cert on this site, it's not really OK to have any login on a non-secured website in this day and age.


It certainly isn't going to hurt adding an ssl cert and at some point should get done to "check the box" so to speak, but pragmatism would suggest it's a low priority on WIBimmers for many reasons. If Chris has a short to-do list, I'm sure it'll get done soon, though. 

m42b32 likes this

4 hours ago, i_love_cars said:

but pragmatism would suggest it's a low priority on WIBimmers for many reasons.

I couldn't disagree more. Any website with a password field should be secure no matter the excuse.

35 minutes ago, Blaine0002 said:

I couldn't disagree more. Any website with a password field should be secure no matter the excuse.

I have no doubt we'll get a cert installed. "Secure" is a pretty vague notion that's often used by security teams as an excuse to blindly throw security tools and monitoring software at systems without having any metrics on real risk or threat analysis. SSL is of course a standard operation of known quantity - I'm just saying there are likely plenty of other security vulnerabilities lying around on the site that are unknown. Security goes a lot deeper than preventing traffic sniffing, but I'd like to hope you know that or you wouldn't be asking for an SSL cert in the first place.

This is a low-risk site and the host's firewalls are going to block the standard automated attacks that directly test the backend vulnerability of servers around the world every day and never muster any real threat. So given that it's practically nil that something automated's going to crack the backend and steal passwords, which I'm sure are stored in some encryption anyway, and the fact that it isn't on anyone's radar to sniff traffic on WIBimmers because we have 37 active members, which is basically nothing, and the fact nobody's password has been sniffed and stolen here over X number of years the site has been live, your main risk is someone getting keylogged.

Your point is valid and noted, and a cert will get installed, but the fact remains there is no measure by which to suggest this is some immediate thing that needs to be done today.

Chris, let me know if you need a hand - although ssl setup is pretty straightforward I'm sure you can handle it. 

Bassboy3313 and dastuz like this


Well yes, as a very active vBulletin mod developer in the past I'm aware of its extensive history of being exploited

and as a senior software engineer who focuses on web development I'm well aware an improperly set up server may have plenty of other vulnerabilities that may or may not give access to hopefully hashed and hopefully even more so salted password values in the database (pretty sure newer versions of vB require the salt but it's been a while for me)

but why are any of these valid reasons to downplay the fact that you are broadcasting sensitive data in plain text?

It's the most basic thing to fix (and no doubt it will, I'm sure, I'm not arguing that) but it's also probably the most important.

This conversation is silly.

16 hours ago, Blaine0002 said:

It's the most basic thing to fix (and no doubt it will, I'm sure, I'm not arguing that) but it's also probably the most important.

This conversation is silly.

That's why I said your point is valid, noted, and a cert will definitely get installed. Just that the world isn't ending because it's not getting done this instant ;) I'm sure we'll wake up one of these mornings and when I sit down to read about all the E30's that aren't yet running like I always do, I'll see a nice little green lock icon :D

m42b32 likes this


Notes taken! Yes, it's a short to-do list that I never get around to haha. I have a few updates to apply too when I find the time.

