Secure version of the forum

[EEVblog]

Hi Dave, yes it is, but please be aware that the way that CF have implemented it is broken and should not be trusted, I would not advertise that the site is on SSL unless you are prepared to buy a SSL cert for the server and then enable Strict SSL in the CF interface.

Yep, I expected it would be half arsed.
I don't see any need for SSL on a forum.

[johansen]

I don't see any need for SSL on a forum.

on this forum, i agree,

head over to sciencemaddness.. there's a thread at least once a month about some unlucky folk getting his house raided because he bought some bs online.
within 10 years oscopes will be in the same regard as heating mantles.

[gxti]

You don't need to buy a "real" certificate to take advantage of secured transport between CloudFlare and your backend server. A self-signed certificate is sufficient unless you put CF in strict mode; this is what I'm doing for my own (tiny, irrelevant) sites.

I think they mentioned in a blog post that they'd have support for certificate pinning at some point in the future, which would make the backend transport actually more secure than using a CA-signed cert while also being free. But for the time being, the unverified certificate is still a lot more secure than a plaintext connection, because passive snoopers are by far the biggest threat.

[gnif]

You don't need to buy a "real" certificate to take advantage of secured transport between CloudFlare and your backend server. A self-signed certificate is sufficient unless you put CF in strict mode; this is what I'm doing for my own (tiny, irrelevant) sites.

At the moment this is sub optimal since CF wont verify the self-signed cert is valid. An attacker could perform a MITM attack since there is no way to verify the certificate is valid, or has been intercepted and changed.

[tjb1]

Yep, I expected it would be half arsed.
I don't see any need for SSL on a forum.

After your Element 14 order was held up for extra terrorism checks? Could be random or systematic I suppose, or could be your name is on a list due to profiling...

You never fail to make me money on my aluminum foil stocks, thanks!

[gxti]

Sub-optimal maybe, but 99% as good. MITMing traffic between two servers is incredibly difficult. Raising the difficulty of stealing data from "tap the fiber and vacuum up all the data" to active, detectable attacks like cache poisoning or tampering with connections is a huge win. Security is always about tradeoffs, and this huge benefit of denying passive attacks comes at a cost of zero dollars.

Or to think about it from the opposite angle -- the added verification of using strict mode is that the attacker needs a certificate signed by a real CA. Attackers who can do MITMs on inter-server traffic are probably state actors who can procure a false CA certificate in seconds anyway. Having a non-CA method of verifying the certificate, e.g. checking the certificate fingerprint against a whitelist, is much much more secure. This is called "certificate pinning" and I'm looking forward to CF rolling it out in the future.

[miguelvp]

Not that hard if you get shell access in one of those data centers.
And of course the do offer shell access, or a dedicated server, some others allow co-location and others virtual machines hosting.

So it's not that difficult, the thing is who should you worry about? Eve (the Evesdroper?) Chuck (malicious intent but without a lot of capabilities) or Mallory (malicious attacker with unknown agenda and capabilities).

I think Eve although it infringes in our privacy would be the least of our concerns, and Eve might help us to fend Chuck out, but the Mallory's out there are what will cause the most harm and Eve sometimes is lucky getting rid of those too.

A lot of money is involved with all this white,grey,black hats, it's fascinating the money all of that generates for the security sector of the industry.

[gnif]

Sub-optimal maybe, but 99% as good. MITMing traffic between two servers is incredibly difficult. Raising the difficulty of stealing data from "tap the fiber and vacuum up all the data" to active, detectable attacks like cache poisoning or tampering with connections is a huge win. Security is always about tradeoffs, and this huge benefit of denying passive attacks comes at a cost of zero dollars.

I am stating that while they have raised the difficulty slightly, they are providing a false sense of security, point and case. This is a BAD idea, CF should default to strict SSL so that they do not make people that are uneducated start advertising that they have SSL enabled when really, they only have it 1/2 enabled. This is also not at all hard to do... just setup a nginx reverse proxy and proxy to CF... nobody would even know the extra proxy is there.

Or to think about it from the opposite angle -- the added verification of using strict mode is that the attacker needs a certificate signed by a real CA. Attackers who can do MITMs on inter-server traffic are probably state actors who can procure a false CA certificate in seconds anyway. Having a non-CA method of verifying the certificate, e.g. checking the certificate fingerprint against a whitelist, is much much more secure. This is called "certificate pinning" and I'm looking forward to CF rolling it out in the future.

It is NOT hard to do MITM on inter-server traffic, just rent a server in the same datacenter and start sniffing the wire, that doesnt work? Get a shell on a target box that can see the traffic on the network. The certificate pinning is well understood by those in the industry, there is no need to explain it here, it is however a mute point as at current CF does not support it.

[gxti]

I am stating that while they have raised the difficulty slightly, they are providing a false sense of security, point and case. This is a BAD idea, CF should default to strict SSL so that they do not make people that are uneducated start advertising that they have SSL enabled when really, they only have it 1/2 enabled. This is also not at all hard to do... just setup a nginx reverse proxy and proxy to CF... nobody would even know the extra proxy is there.

You're arguing against unencrypted backends, and I'm arguing in favor of the unvalidated encrypted backends as a 99% good enough improvement. I do agree that the unencrypted mode is probably misguided on CF's part.

It is NOT hard to do MITM on inter-server traffic, just rent a server in the same datacenter and start sniffing the wire, that doesnt work? Get a shell on a target box that can see the traffic on the network.

Not since the late 90s, which was the last time that hubs were useful. You cannot passively sniff unicast traffic if you are connected to a switch because switches only send packets to the correct port. There are abnormal circumstances in which traffic can be leaked (MAC tables full, STP topology changes causing a flush), and there are active attacks like ARP poisoning that let you take control of a stream if you are in the right place. Competent providers wall customers off from each other using VLANs so they can't do nasty stuff to each other, and monitor for nefarious activity, but even the dumb ones (which most likely is most of them) would have to try really hard to let a passive sniffer see other people's traffic.

[miguelvp]

Actually now they have hardware load balancers and they keep the PAT set so it can talk to the same server if it's multiserver, but even if it's a single server it will be mapped.

Anyways, you are assuming they have big switches instead of hubs, you can't really assume that, and even if they did, once you are on the datacenter network then other things are viable.

For example, I did get a notification about one of my databases affecting the performance of other sites, and I fixed it, does that mean my database lives on the same place as others? Why will a bad table that I did affect other customers.

Granted this was for hostmonster, but they are located on the same datacenter as hostgator, so it might be even share other things.

Now we are not talking Terramark, or Google cloud or AWS, or Rackspace or the other dozen billion dollar + companies, we are talking about hostgator and hostmonster.

[miguelvp]

For example, I did get a notification about one of my databases affecting the performance of other sites, and I fixed it, does that mean my database lives on the same place as others? Why will a bad table that I did affect other customers.

Virtual servers running out of cpu/memory or bandwidth limits in the network. You share resources.
This does not mean you can gather access to the data/network packets of other customers.

Again, we are not talking about the dozen big player names here. we are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt.

So far is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.

The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider

but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.


Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server

[ve7xen]

Again, we are not talking about the dozen big player names here. we are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt. You may be able to see in-flight connection state, but that's about it and certainly doesn't amount to sniffing traffic.

So far is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.

Dave's server is dedicated. On a shared server, you won't have permissions to sniff traffic without compromising the server, which is out of scope of this discussion.

The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider

No, you're revealing your ignorance. You clearly have no idea what you're talking about. Nobody uses hubs any more, at any price point. They are literally extinct and haven't been made for 20 years or more. On a switched LAN passive attacks are not practical. Active attacks are possible, but pretty non-trivial and disruptive and someone will likely notice. That still requires you be on the same layer 2 segment as the attacker, which is fairly unlikely.

but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.

No you can't.

Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server

xiB = base 2. Your unit conversion is wrong.

By a massive margin, the likely attack is on the access side. Open wifi, office networks with unscrupulous IT folks or just asshole bosses. Nobody is going to bother going to the extent required to sniff the traffic between CloudFlare and a small-time operator. Maybe if they make themselves a target like LavaBit or something, but the bar is many, many orders of magnitude higher than running aircap on a laptop at a busy Starbacks and seeing what you get.

Will it protect you against the knowledgable, well-funded attacker making a specific effort to see your traffic? No. But it certainly doesn't hurt against that attacker, and will protect you completely from the kid in the coffee shop, who for most people is probably the only threat they ever face.

I agree it's probably not a good default configuration for CF, and it would be nice if there were a way to indicate "crypto not used everywhere" in the browser, but it's ridiculous to say that it doesn't do anything for security. It's a massive difference in risk than doing nothing at all.

[miguelvp]

Again, we are not talking about the dozen big player names here. we are talking about hostmonster and hostgator. I just opened an ssh session to my server and did a netstat at the prompt. You may be able to see in-flight connection state, but that's about it and certainly doesn't amount to sniffing traffic.

So far is listing 1000 connections and it's resolving who is connected, they are shared servers not virtual ones.

Dave's server is dedicated. On a shared server, you won't have permissions to sniff traffic without compromising the server, which is out of scope of this discussion.

The difference between < $10 month or over $100 for a virtual server is cheaper infrastructure. I guess I could do a tcpdump or nmap to prove it but I don't want to raise any alarms at my provider

No, you're revealing your ignorance. You clearly have no idea what you're talking about. Nobody uses hubs any more, at any price point. They are literally extinct and haven't been made for 20 years or more. On a switched LAN passive attacks are not practical. Active attacks are possible, but pretty non-trivial and disruptive and someone will likely notice. That still requires you're on the same segment as the attacker, which is fairly unlikely.

but ifconfig returns 65 different servers on my server, so I could intercept anything that is going on at least on those servers, maybe even their full network.

No you can't.

Edit: BTW my server which has no traffic other than once in a blue moon, the ethernet port has transmitted 11.6 TiB (hate that term) so 10.55 TB  and received 1.27 TB of data and that is bytes not bits. I don't get that much traffic on my puny server

xiB = base 2. Your unit conversion is wrong.

Ok, so xiB is base 2 but it's not my fault they decided to change it.

on the other things yes I can, I did a capture and I get all the traffic for all 65 nodes by targeting eth0 where all those domains where.

as far as hubs vs switches I get what you are saying, you can't even purchase hubs for home products, but  rack mount they are still deployed, that said, I'm not about to sniff the network beyond my server because it's just the wrong thing to do. Edit: but if they use modern equipment I'll give you that, they are using switches but still I'm on the network and there are other attack angles once i'm in there

as far as Dave's server even if hostmonster is on the same data center as hostgator, the only thing preventing me for potentially sniffing those packets is that he is hosted by cloudflare so I don't know the ip of his server in the data center, do I want to take this further? nope, I rather not. but if, and only if I would attempt to capture network events on my host and I was successful, it will be just a  matter of sending a message and parsing for it, because the SSL/TLS handshake is just between the client and CF, it will be in the clear on the server. But I'm at good stands with hostmonster so I'm not willing to sniff their network beyond the server I'm at, and just did a 10 second capture and discard it after the fact just check if I could capture what is going on without going to the actual network, could I attempt to capture packets in their network? I guess I could but don't want to.

Anyways, hostmonster and hostgator are not on the same realm as Azure, AWS and the like. It's not virtualized and I'm doubting they even have hardware load balancers after all.

[miguelvp]

on another note, I can get detailed info from within the network on the hardware used, I guess I could look for exploits based on the version reported to my server, still not breaking their policies, anymore effort from me will break those policies so I won't try to go further.

Edit: and of course I can get access to all the system's memory, can't change it but I can read it

Edit again: And just found a cert in one of the ports, since I have access to the memory I guess I could find the private key, nah, I'm going to sleep and keep working on the seek because today it was a wash regarding my progress on that subject.

[ve7xen]

on the other things yes I can, I did a capture and I get all the traffic for all 65 nodes by targeting eth0 where all those domains where.

How did you perform a capture on shared infrastructure? If you have root, the infrastructure is pwned anyway and talk of crypto is moot. If you don't, you can't do a packet capture. Come on man, stop with the BS.

as far as hubs vs switches I get what you are saying, you can't even purchase hubs for home products, but  rack mount they are still deployed, that said, I'm not about to sniff the network beyond my server because it's just the wrong thing to do. Edit: but if they use modern equipment I'll give you that, they are using switches but still I'm on the network and there are other attack angles once i'm in there

They are not still deployed in any scenario. There are other attack angles indeed, most of them will cause network disruptions for the target and will only work in some scenarios. At a large data centre, your odds of having everything line up to "steal" a specific machine's traffic are pretty low. And that's if they don't protect their customers from these kind of attacks as competent networks should. This is not low-hanging fruit. It's the kind of attack that needs to be targeted and pulled off by a well-funded adversary. You can't just rent a server at the same DC and expect the traffic to come to you. It doesn't work like that.

as far as Dave's server even if hostmonster is on the same data center as hostgator, the only thing preventing me for potentially sniffing those packets

You are hopeless and don't understand networking, just give it up. This is not possible.

Anyways, hostmonster and hostgator are not on the same realm as Azure, AWS and the like. It's not virtualized and I'm doubting they even have hardware load balancers after all.

Shared hosting is not very secure and there are probably other easy ways to attack a site that is hosted such, but you will not be able to capture traffic in/out of a shared machine without root.

[linux-works]

at this point in the internet's lifecycle, EVERYTHING should go encrypted.

first of all, ISP's love to spy on you and some want to inject ads or change your packets on the fly.  if you run https, they can't do that.

second, its no one's business what you do online.  that includes the company are are at during the day, the isp and also your government.

the question is not about why you would want to have a secure end-to-end link, its why NOT have one?  what harm does it do to have a secure link to all your endpoints?  if you don't care about privacy, encryption does not hurt you in any way; but for those who want to see the net be less spyable by various agencies and corps, https is, right now, the only way forward.

please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

[miguelvp]

You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.

[ve7xen]

You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.

You need root permission, it doesn't matter if that comes from logging in as uid 0 or using sudo or similar. Unless the administrator has intentionally done something monumentally stupid, you won't have that on a shared server, even a poorly administered one. If you do have such, the crypto (or lack thereof) that we're talking about is moot anyway, since you can just look at the unencrypted stream or the data right in the database/filesystem.

Your initial argument was that it was easy to sniff traffic on the server side just by being in the same data centre. It's not. It takes a very knowledgeable and dedicated attacker, and some particular luck and/or failure on the service provider's side.

[miguelvp]

I guess I did imply easy for someone that knows what they are doing and there are plenty out there that can come up with hundreds of attack vectors once they are inside the datacenter.
which btw some offer colocation services.

[Rick Law]

You don't need root, just root group access. If you think sys admins button up their servers you'll be amazed on how many things are left as the default configuration.

No. A professional installed system is up-to-date, patched, hardened, maintained and well administrated. But, of course, you can always find bad examples.

For large corp which likely are more bureaucratic, setup and maintenance are the type of work that may not attract too many creative types nor hard-driving types.

From what I've seen, I would suspect at least 50% of the "professionals" doing set-up are probably vocational school trained or college student interns and don't know the difference between IP address vs MAC address.  They do the setup, then it get checked by "a more experienced guy" - who is in a race to see if he can complete the entire check between a single breath.

What have you seen?  Perhaps my observations are atypical.

Rick

[EEVblog]

please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entire https ?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?

[gnif]

please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entire https ?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?

These people believe that encryption should be enabled just because... the only vunerable point is when someone logs into the website, their password might get stolen. This topic IMO should be locked and closed as this discussion is just ridiculous for a forum that is 100% public and does not process any sensitive information.

Worse case: Someone steals a user's password and spams the forum with their account.
Easier option: Someone creates an account and spams the forum with it.

If you are using this website from a location where the internet is controlled/monitored then perhaps you are using this site where you should not be. If this is a concern, use a SSH tunnel, or tor, or a VPN, or some other means of encrypting your link.

I also know of many organisations I have worked for that monitor the internet install a trusted root CA to all their office computers. They perform a trick similar to squid's SSL bump allowing them to filter and monitor SSL traffic. They generate certificates on the fly that match the requested domain name and auto sign them with their locally trusted key. Think this is a privacy issue? well think again, most corporate contracts have an acceptible use segment that dictate your usage of the work network, which usually includes allowing them to monitor and filter the network traffic.

How many of you honestly have actually bothered to even check if your local root key store has any unknown keys in there?

[EEVblog]

These people believe that encryption should be enabled just because... the only vunerable point is when someone logs into the website, their password might get stolen. This topic IMO should be locked and closed as this discussion is just ridiculous for a forum that is 100% public and does not process any sensitive information.

Yep.
The crux of it is that hardly anyone is going to care whether or not this forum uses SSL, and for the couple who do care for whatever reason, I'd be willing to bet they wouldn't be using it correctly anyway. And then, at best it's protecting just their password, which should be a one-off for this forum anyway. And as you said, worst case someone spams the forum with their account, which hasn't even happened yet in 5 years on this unsecured forum to my knowledge. And if that happens, it can be detected and fixed easily. So it's all just pointless.

[alimirjamali]

If this is a concern, use a SSH tunnel, or tor, or a VPN, or some other means of encrypting your link.

I do not recommend using tor as CloudFlare detects it and asks user to solve an annoying reCAPTCHA even for reading. If you take time while posting, you may have to solve another reCAPTCHA and you will lose your post.

Socks 5 tunnel over SSH or VPN will be fine as VPS prices are dirt cheap these days. I also think that this topic should be closed. Otherwise people will start to ask for Forum as a tor hidden service .
p.s. There is nothing fancy in the hidden Support Lounge of Forum. Only a bunch of nerds planning to take over the world .

[linux-works]

please consider offering https.  its the way forward for all network resources.  get onboard or get passed over.

Can you point to another similar BBS forum that runs entire https ?
Also, can you cite an example of why it's important? i.e. forums where any useful user info has been stolen because they didn't use https?

I think soylent news (spinoff of slashdot) allows https.

but my point is to just let users choose.  provide both port 80 and 443.  why not??  for those that want end to end privacy, they will go 443 and for those who don't care, give them 80.  everyone's happy.

do I enjoy the fact that my isp, comcast, listens in on every packet I send?  is it any of their business to see this?  why would you, the site operator, want to have any say in how much privacy I want in my net comms?

I find it odd to have to argue for privacy in net comms these days.  one should never have to justify why they want to avoiding having to run a network protocol in the clear. 

ISPs (like verizon) are being caught trimming your packets, removing starttls flags, injecting ads, collecting your connectivity matrix.  why encourage isp's to keep spying and data-collecting on you?

please don't trot out the old and faded 'if you are doing nothing wrong, you have nothing to hide' bs.  please don't.  if you don't want network privacy in your data links, that's your choice, but please consider offering it to those that DO want it.

you watch: over the next few years, the internet set of protocols will start to include more encrypted and authenticated streams.  people don't like DPI and being spied on.  people don't like their packets changed on the fly by some 3rd party.  the days of trusted cleartext online are going to end and we'll see secure protocols starting to be preferred.