HTTPS - secure HTTP connection for HMF?

Continuing the discussion from Support Hitmanforum:

I was wondering why you want this. I’m not sure what the consequences, costs and benefits would be.
Please elaborate?

1 Like

there are a few free ssl providers and https://letsencrypt.org - also a bit more server load

Too long didn’t read.

Transport data safely.

WIK :game_die:

2 Likes

I think you should do this, then get a donation button setup on the site. This means everything is more secure and your users are better protected.

From what I see, you’ll have to purchase an SSL certificate.

Connection is not encrypted. If someone wanted, they could see people’s PM etc.

Passwords can be at risk also.


[quote]Using HTTP with SSL will make your life much easier and you can rest at ease; very smart people (smarter than me at least!) have scrutinized this method of confidential communication for years.[/quote]

WIK :game_die:

1 Like

Basically WIK covered a lot of the problems with HMF not having HTTPS protection.

An attacker can see all the content I’m sending to and receiving from HitmanForum through man-in-the-middle attacks etc.

Even the moderation accounts are at risk.

2 Likes

The only things stored in a session are the username (or ID number) and some sort of variable to validate that you are logged in. The password should never be sent in; besides, even if it is sent in, a password is never stored as a normal string, it will be encrypted by the time the server validates it.

But I do agree that if you are going to do a login screen safely, HTTPS makes doubly sure that it’s encrypted because the data is encrypted twice.

Still, even as it stands I don’t think there are any real major risks because as I said, if you validate the login correctly, then it will be hard to steal information.

1 Like

Yes you’re correct. I hope I didn’t sound too paranoid :blush:
I just wanted to bring every issue up even if they aren’t severe risks.

WIK :game_die:

I never noticed that HF was being served over HTTP. Throughout my schooling, I was always taught to serve sites over HTTPS if they included any login system or received any sort of identifying information from the client. Not only does SSL provide encryption across the internet to prevent a host of man-in-the-middle attacks, it also gives users the confidence that the web page being served to them is legitimate and not being spoofed by a third party. You simply can’t assume that all of your users are sitting at home on their own password-protected connections. For HTTP-only websites, public internet connections are very nasty.

You’re right, but you skipped over a huge part. When it comes to passwords, encryption happens on the server side, not the client side. If it happened client side, that means it would probably be written in JavaScript and the algorithm would be easily readable by just looking at the source code. The password is initially sent in plain text and then the server itself encrypts the data before storing it in the database so that not even the administrators can see your password. This is why the connection itself must be secure: to protect that form data when you hit submit. (On a side note, if you ever forget your password to a site, and you are able to receive an email that tells you your password rather than forcing you to reset it, that means they aren’t encrypting your password in their database, which is a really bad practice.)

I personally don’t care if you change HF to HTTPS because I have nothing to lose. I use a different password for everything I use, so a potential “hacker” wouldn’t have a master key. TBH, the only thing that makes me uncomfortable is the fact that we do have game developers that come in to our forums and use it. It’s highly unlikely that this site would be attacked, but if someone really did want to tarnish things, we would lose a tremendous amount of integrity if one of the devs’ accounts was taken over. You ask any competent and professional web developer and they’ll tell you HTTPS definitely falls into best practices when it comes to login systems, especially ones that have important people floating around in them.

But like I said, it’s still highly unlikely.

2 Likes
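An added illustration of the point made in the post above (example code written for this page, not code from the thread or from Discourse): the server keeps only a salted PBKDF2 hash, so the database never reveals the password, yet the same password still crosses the network in clear inside the login form POST unless the transport is HTTPS. The host, path, username and password are constructed sample values.

```python
import hashlib
import hmac
import os
from urllib.parse import quote_plus, urlencode

# PBKDF2 work factor (kept lower than a production setting so the demo runs quickly).
ITERATIONS = 200_000


def store_password(password: str) -> dict:
    """Server side: derive a salted hash; the plaintext is never written to the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Server side: recompute the hash for the submitted candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def login_request_bytes(host: str, username: str, password: str) -> bytes:
    """Client side: the HTTP/1.1 POST a browser emits for a plain HTML login form (constructed)."""
    body = urlencode({"username": username, "password": password}).encode()
    head = (
        f"POST /login HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def password_visible_on_wire(request: bytes, password: str) -> bool:
    """Over plain HTTP these bytes are what any device on the path sees; over HTTPS they are inside TLS."""
    return quote_plus(password).encode() in request


if __name__ == "__main__":
    record = store_password("s3cret-pass")  # constructed sample password
    request = login_request_bytes("forum.example", "agent47", "s3cret-pass")
    print("stored record reveals password:", "s3cret-pass" in record["hash"])  # False
    print("login verifies:", verify_password(record, "s3cret-pass"))  # True
    print("password visible in HTTP POST:", password_visible_on_wire(request, "s3cret-pass"))  # True
```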

Don’t get me wrong, HTTPS is the way to go for a login system, but it’s still highly unlikely to get attacked just because you aren’t using HTTPS. Besides, you can also protect against session attacks and I am sure HMF has protection against those sorts of attacks. Yeah, you’re still exposed because there isn’t enough encryption of the data sent (through HTTP), but I still find it unlikely that we are at risk because we’re not using HTTPS.

There is no HTTPS; if you log in or create a new account the password is submitted in plaintext:

It’s not about being attacked; the big problem is that if you are at a specific location, let’s say an internet cafe, everyone with a little knowledge can “take over” the AP (man-in-the-middle attack), sniff the traffic and see your login information and more.

Since they support authentication with third-party tokens (Twitter, Facebook) and those use HTTPS, this isn’t a huge problem so long as you use them, but “everyone” can still read your PMs or private forms if you open them.

From the Privacy Page: http://www.hitmanforum.com/privacy

How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information.

:unamused:

Right, that’s what I meant.

Is it really worth it though? None of us have adequate information about the workload that the servers cope with, so how can you anticipate the impact of implementing an HTTPS layer? Forum visitors will complain about the reduction in response times and diminished end user experience.

It’s good to emphasize best practices; however, this is a fansite maintained by just one guy with his day job and commitments, this is not a corporate site that deals with commercial transactions.

Also, the sniffer output above, isn’t that from your local machine when registering? I understand the concern for developer / IOI accounts, but in order to take over their accounts your reconnaissance should be more advanced because you would need the exploit to spy on a dev’s local machine, and then snoop on the http requests from that particular machine to the HM Forum when they are registering for their accounts (which is after the fact anyway).

Correct me if I’m wrong or have misread anything.

What is a dev’s local machine? You can read this traffic if you have access to a network (switch/router) or are connected to any WLAN and spoof an access point.

No, HTTPS load is minimal and it can also be used for the login only. And yes, it’s “worth” it o.O

I don’t think you understand my post, but that’s ok.

Do you have experience applying SSL in distributed commercial environments with 3rd party integrations?

@ampburner @codinghorror

Would it be possible for this to get another look?
There’s no reason for a website with a login page in this day and age not to be using HTTPS.

4 Likes

@HHCHunter +1 :thumbsup:

Yeah, you can find a certificate for free with Let’s Encrypt.

Encrypted websites protect our privacy and the data we submit, and are significantly faster nowadays with HTTP/2 and a good compression algorithm like Brotli. https://www.httpvshttps.com/

Hey guys,

It is my understanding that there are some minor risks of running Hitmanforum without SSL (the so-called man-in-the-middle attack):

  • a third party may be able to see your traffic if the traffic passes through channels which are controlled by that party, for example if you use an untrusted access point in a public space like a coffee shop
  • this traffic can include user names, passwords and private message content.

This only applies if you submit your password (submit the log-in form) and/or access private messages at the same time that you are using those channels.

In order to avoid / reduce these risks, users can

  • use Facebook or Google social log-in; both are secured with an SSL certificate
  • avoid using the site through a wifi access point that they do not trust
  • use a unique password for this website (you should use different passwords for each site you use anyway)
  • use a VPN

We’ve recently moved Hitmanforum over to managed hosting (meaning it is hosted for us by discourse.org), so that means that I do not manage the server or software personally.
Discourse.org do offer SSL / HTTPS, and in order to add it to Hitmanforum I would just have to enable it through the control panel. It’s priced at an additional $20/month.

I definitely think that HTTPS would be a good way to secure Hitmanforum more; however, I see the lack of HTTPS as only a minor risk. I would really like to enable HTTPS, but currently the hosting costs are greater than the income generated by our Patreon account.

If we can raise enough income to break even (raise the Patreon income to $70/month) then I’ll definitely enable it.

Can you post a link to the Patreon?
EDIT:
Found it.

1 Like

I renewed my pledge.

$47 :grinning:

2 Likes