Puppy Linux Discussion Forum
Why is the Murga Forum not https ?
purple379

Joined: 04 Oct 2014
Posts: 75

Posted: Thu 28 Sep 2017, 09:17    Post subject: Why is the Murga Forum not https ?
Subject description: Curious, I am sure there is a good reason
 

I think the subject line explains what I am curious about
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

Posted: Thu 28 Sep 2017, 10:36

What can I say? It's just not.

It's up to John Murga. I do think the login process may be encrypted, or protected from eavesdropping in some way.
Moose On The Loose


Joined: 24 Feb 2011
Posts: 773

Posted: Thu 05 Oct 2017, 10:55    Post subject: Re: Why is the Murga Forum not https ?
Subject description: Curious, I am sure there is a good reason
 

purple379 wrote:
I think the subject line explains what I am curious about


I don't think there is any real need for HTTPS.
This comment can be read by anyone who cares to so there is no good reason to make it secure.

It looks to me, looking at the page source, that the password travels unprotected. Thus it is not good to use the same password as elsewhere.

There is a trick that uses JavaScript to make a password effectively encrypted. Not even that is being done.

The trick for those who care is:
Each time the form is sent, it comes with a hashing key.
The keys don't repeat.
The JavaScript applies the hash before submitting the form.
The receiving site knows how to undo the hash but this is kept secret.
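A sketch of the per-form key scheme described in the post above, added here as an illustration and not part of the original post or of the forum's software. It uses Node's `crypto` for both sides so it runs offline; the function names and the stored-verifier layout are assumptions, and in this sketch the server recomputes the keyed hash and compares it.

```javascript
const crypto = require("crypto");

// Server state (hypothetical layout): per-user salt + verifier, and unused nonces.
const users = new Map();       // username -> { salt, verifier }
const outstanding = new Map(); // nonce -> username, removed on first use

// Slow KDF so a stolen verifier table is expensive to brute-force.
function deriveVerifier(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function register(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, verifier: deriveVerifier(password, salt) });
}

// Sent along with the login form: a fresh key that never repeats.
function issueChallenge(username) {
  const user = users.get(username);
  if (!user) return null;
  const nonce = crypto.randomBytes(16).toString("hex");
  outstanding.set(nonce, username);
  return { nonce, salt: user.salt.toString("hex") };
}

// Browser side: only the keyed hash of the nonce leaves the client.
function clientResponse(password, challenge) {
  const key = deriveVerifier(password, Buffer.from(challenge.salt, "hex"));
  return crypto.createHmac("sha256", key).update(challenge.nonce).digest("hex");
}

function verifyLogin(username, nonce, response) {
  if (outstanding.get(nonce) !== username) return false; // unknown or already used
  outstanding.delete(nonce);                              // single use: replays fail
  const expected = crypto.createHmac("sha256", users.get(username).verifier)
    .update(nonce).digest();
  const got = Buffer.from(response, "hex");
  // Constant-time comparison; the length check guards timingSafeEqual.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

The scheme keeps a passive eavesdropper from learning the password, but the stored verifier is password-equivalent, and over plain HTTP the login script itself can be altered in transit.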
belham2

Joined: 15 Aug 2016
Posts: 1282

Posted: Thu 05 Oct 2017, 12:02    Post subject: Re: Why is the Murga Forum not https ?
Subject description: Curious, I am sure there is a good reason
 

Moose On The Loose wrote:
purple379 wrote:
I think the subject line explains what I am curious about


I don't think there is any real need for HTTPS.



Hey Moose,

I think you're missing the forest for the trees ;) No one I know on murga cares one bit about comments, or passwords, or their account. The big worry is the literally thousands of scripts, .gz files and such that are populated throughout the murga site and are hosted on the same server the forum is. We all download the things, and they are far more populous than people who upload their stuff to secure download sites. I'm fairly sure, no, I'm positive, John isn't spending the coin to have separate servers--especially a data-hardened server (which is where all that stuff should be residing, but it is not). Still to this day, people will say "oh, that's what md5 sums and such are for..." Nope, not even close by a country mile. That stuff is about file integrity, and nothing to do with security. The fact of the matter is, many downloads from this forum could be getting re-directed and the receiver would never know. That's what https guards against, and it is the main reason this conversation should be discussed more. It also guards against getting spoofed when logging in and out of murga, like having crap deposited on your rig/computer.

Problem is, like I said, the coin is not going to be spent for it to happen. Plus, everyone thinks a little bit like the hapless blokes at Equifax: it couldn't possibly happen here, in Murga land. Just no way..... (rolls eyes)
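The distinction drawn in the post above between a checksum and authenticity, as an added example that is not part of the original post. It assumes a publisher who signs files with an Ed25519 key whose public half reaches users out of band; the file contents are constructed samples and the function names are hypothetical.

```javascript
const crypto = require("crypto");

const md5 = (buf) => crypto.createHash("md5").update(buf).digest("hex");

// Publisher key pair. The private key never sits on the web server; the public
// key is assumed to be pinned by users ahead of time (assumption of this sketch).
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");

// What the site serves: the file, the md5 listed beside it, and a signature.
function publish(file) {
  return { file, md5: md5(file), sig: crypto.sign(null, file, privateKey) };
}

// Models a download altered on an unauthenticated HTTP path: whoever replaces
// the file can recompute the checksum shown next to it, but cannot produce a
// new signature without the publisher's private key.
function simulateTamperedDownload(download, replacement) {
  return { file: replacement, md5: md5(replacement), sig: download.sig };
}

// What the downloader can actually verify on receipt.
function checkDownload(download, pinnedKey) {
  return {
    md5Matches: md5(download.file) === download.md5,
    signatureValid: crypto.verify(null, download.file, pinnedKey, download.sig),
  };
}

// Constructed sample content, not real forum packages.
const original = publish(Buffer.from("#!/bin/sh\necho installing package\n"));
const swapped = simulateTamperedDownload(
  original,
  Buffer.from("#!/bin/sh\necho different content\n")
);
```

`checkDownload(swapped, publicKey)` reports a matching md5 and an invalid signature: a checksum delivered over the same channel as the file detects corruption, not substitution.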
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

Posted: Thu 05 Oct 2017, 19:54

As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)
Mike Walsh


Joined: 28 Jun 2014
Posts: 3131
Location: King's Lynn, UK.

Posted: Fri 06 Oct 2017, 06:42

Flash wrote:
As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)


^^^ +1!! Touché.....


Mike. ;)

_________________
If I've helped you.....please say 'Thanks'!
MY PUPPY PACKAGES
--------------------------------------

belham2

Joined: 15 Aug 2016
Posts: 1282

Posted: Fri 06 Oct 2017, 08:50

Flash wrote:
As far as I know, John Murga pays for this forum out of his own pocket. He might be open to suggestions if we'd all contribute something to make the improvement worth his while. :)



Any possibility you could open a dialog with John and:

1) see if he'd be willing to have the forum moved to "https" (if he doesn't want to be bothered with it, need to know that ahead of time), and;

2) if he is willing, can he ask and get a figure put on how much he'd want? It's not a question of costs, as if murga and associated sites were mine, I'd have had them up on https early "last" year at no cost. This is about whether John wants it done and will take the steps and planning and commit to the changes being done. If he has to actually hire someone, then ask him to put it out there, and come up with a $$$$ they would charge him to move everything to "https". Then convey this information to us here.


I have had a few sites at businesses moved over the past few years to "https"; the cost is the hours involved in doing it and testing it. Thus John's gotta want to do it and be committed to it. Getting a new SSL certificate (cost is about ~$15) is the first thing required, and then that's it. Structuring things on the host side, converting all (not just some but all) links on the website to https, set up 301 redirects, etc, etc, and then slowly test it all. But, imho, it is way more than worth it. There's no excuse for any site NOT to be https nowadays...and this includes the murga family. Google (and others) are rightfully highlighting and publicly scolding site operators who are dragging their heels on this. Eventually, any http site should be banned by all world search providers and all browsers should block them too. There's a reason: https is not 100% foolproof, but it is the best thing in over a decade to have happened for general use of the Internet. People can argue about this till they're blue in the face, they simply don't know what they're talking about if they say https is not worth it.

Let us know, Flash, what you find out.
Moose On The Loose


Joined: 24 Feb 2011
Posts: 773

Posted: Tue 10 Oct 2017, 11:02    Post subject: Re: Why is the Murga Forum not https ?
Subject description: Curious, I am sure there is a good reason
 

belham2 wrote:
Moose On The Loose wrote:
purple379 wrote:
I think the subject line explains what I am curious about


I don't think there is any real need for HTTPS.



Hey Moose,

I think you're missing the forest for the trees ;) No one I know on murga cares one bit about comments, or passwords, or their account. The big worry is the literally thousands of scripts, .gz files


So long as passwords are encrypted and not given away, nobody can pretend to be me. This way you would never see a script claimed to be from me that didn't really come from me. This also applies to my random babbling but security on that matters less.