Forum Security Certs Updated

  1. Rye83
    This one snuck up on me. The SSL certificate (which gives you the green "https" in the address bar) expires tomorrow. It usually takes a couple of days to get the new one. Tonight I'll generate my own SSL cert and install it until they email me the new cert. The site will be just as secure but your browser won't agree with that and will show a security warning because I'm not a registered trusted agent....or some nonsense like that. I might decide to just go back to regular ol' http to avoid any user confusion.....if I can remember where I put all those redirects to https a year ago.

    Sorry about that. I thought I had until the 12th for some reason. :unsure:
  2. Rye83
    That's because I was in the process of installing the new certificate. :wink: Managed to get the certificate verified and emailed to me in 20 minutes with Comodo (last time it took 2 days). The problem lasted for around 15 minutes because I jumped the gun and deleted the old cert but when I put in the new one I couldn't find where I saved the private key that goes with it on my computer. :banghead: Obviously I found it....it did make me start to sweat a bit though.

    Here is why the forum has it:
    1. To prevent MITM attacks against forum users on public wifi networks. (Here is a video of me "hijacking" a login made on my computer from a mobile phone. Anyone can easily do this if you're on the same wifi and visiting non-https websites. I removed this app after Date In Asia finally secured their site...messin' with the hoes on DIA and then seeing the reactions when they saw the profile "modifications" and/or replies/forwards sent to all the guys they were milking for cash was tons of fun! lol :sneaky:)
    2. To keep usernames, passwords, private messages and any other sensitive data encrypted while it travels through the internets.......making it much harder for certain agencies and groups that like to secretly (and illegally IMO) collect massive amounts of data and build profiles on people. (I really don't want them to be reading my PMs! :peeking: :cautious:)
    3. To prevent phishing attacks. (If you don't see the green address bar it's not DI and you should not attempt to log in! Going to add some additional trust indicators later on.)
    4. Google likes it enough to reward sites that have SSL 2048-bit certs.
    5. And mainly: I think that not doing it when you have user accounts is at best irresponsible (if you are completely clueless) and at worst completely unethical (if you are aware of the risks).
    I'm actually a little surprised at the number of websites/forums that don't use it. It only costs around $10/year and setting it up is not that difficult (fixing all the server vulnerabilities to get the high security rating takes a bit of research, time and root access to the server though). The certs that cost $100s and even $1000s per year don't have any better encryption than the $10 ones; all an SSL cert consists of is two very large prime numbers (private key) and the sum of those two primes (public key)......all the expensive ones do is verify the company that applied for the cert actually exists/is legit.

    I believe everything should be good on security until next year. When tested there was a green [Screenshot (450).png] in Chrome (desktop and mobile), Firefox and Opera. Microsoft's Explorer and Edge are showing a gray but locked padlock; that is just Microsoft being Microsoft. No idea about Safari but compatibility tests show all modern browsers should be working.

    I have added the HSTS security policy telling browsers they should only use the site in https to protect against protocol downgrade attacks. This improved DI's security grade from the "A" it got last year to:
    Screenshot (457).png
    If anyone has problems please let me know. :thumbsup:

    Just for fun I thought I'd look at some other sites' scores to see how DI servers compared.

    Date In Asia:
    Screenshot (458).png

    Facebook:
    Screenshot (452).png

    Amazon:
    Screenshot (454).png

    CIA:
    Screenshot (455).png

    NSA :hilarious::
    Screenshot (456).png

    All sites surveyed last month.
    Screenshot (460).png
    (Not sure if I should be happy about being in that 3.1% or if I should go get a life. :bag:)
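Added example (not code from the original post or from the forum software): a small Python check for the two things discussed above, whether a Strict-Transport-Security header is strong enough to stop a downgrade, and how many days remain before a certificate's notAfter date so an expiry doesn't sneak up again. The header strings, dates and host name in it are constructed placeholders.

```python
"""Check an HSTS header value and a certificate's remaining lifetime."""
import socket
import ssl

ONE_YEAR = 31536000  # seconds; the usual minimum recommended for HSTS max-age


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None  # malformed max-age: browsers ignore the header
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(header):
    """Return a list of weaknesses in the policy; an empty list means it looks good."""
    p = parse_hsts(header)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing or invalid")
    elif p["max_age"] < ONE_YEAR:
        findings.append("max-age below one year")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def days_until_expiry(not_after, now=None):
    """Whole days left for a notAfter string as returned by ssl.getpeercert().

    `now` is seconds since the epoch (UTC); negative result means expired.
    """
    expiry = ssl.cert_time_to_seconds(not_after)  # e.g. 'Jun 11 23:59:59 2016 GMT'
    if now is None:
        import time
        now = time.time()
    return int((expiry - now) // 86400)


def live_check(host="forum.example", port=443):
    """Fetch the live certificate (network access needed) and report days remaining."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_until_expiry(tls.getpeercert()["notAfter"])
```

Run `live_check("your-host")` from a cron job and alert when the result drops below, say, 14, which is more notice than the post's author got.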
  3. AlwaysRt
    I can confirm that it is back to 'normal' for me. Thanks!