HTTPS?


  • -LnT-

    Hello,

    I noticed that the website, and more importantly the forums don't use any form of HTTPS. Because the login uses plain HTTP it should be considered insecure. Passwords could be stolen if a MitM (Man-in-the-Middle) attack is done.

    From what I've seen this forum probably runs NodeBB, an Express.js web application for Node.js. Based on that I would like to suggest things that could be done to improve the security of the site overall (and the forums in particular).

    The first thing I would like to suggest is running a reverse proxy server (like Nginx or Apache) and setting up HTTPS with Let's Encrypt using EFF's Certbot. A thing to note about this: certificates from Let's Encrypt are given out for 3 months, after which they have to be renewed. This can be automated with Certbot using their documentation.

    I hope this is something that can be looked at and that the info given is useful. If you have any questions about anything I said above, I'll try to explain to the best of my ability.

    Thanks.


  • Generals



  • fix it fix it fix it


  • Generals

    @The-Packwood lol you would .. When mav gets home he will be able to look into this if need be



  • In my opinion this isn't as big of a deal as it's made out to be. Yes the information isn't encrypted and yes someone could potentially get everyone's login information, but your general run of the mill script kiddy who might hate us won't be able to do that. As we grow into a larger and larger community it might be worth looking into. With that being said, since raffles and donations are done through PayPal all that information is already secure, so those of us who do donate don't have that to worry about.



  • @darkberry91 You're right, but it's still better to get it out of the way now in my opinion



  • I was being a goof, in this use HTTPS is not a real need. If you had real/more transactions through this platform it would be a needed thing.



  • Yeah it is definitely a plus to have the site encrypted, but like anything decent you have to pay for it, so you got to look at cost as well.


  • Senior Server Admin

    @TheDDGo HTTPS is on our road map to be implemented since it is a security best practice to have any authentication portal encrypted using TLSv1.1 or higher... we will likely go with Let's Encrypt because, hell, it's free... we've always talked about getting mandatory TLS redirect set up, just haven't gotten around to it since the likelihood of a MiTM attack occurring is low and even if it did, it's not like we store 'sensitive' information on our site. (all payment portals are a full redirect to PayPal)


    @darkberry91 An attacker would only be able to get the credentials of the person who was part of the MiTM attack and no one else's. And yup - everything we consider 'sensitive' is run through PayPal.


    @TheDDGo For the reverse proxy point... although it is a good idea to use a reverse proxy or WAF between client and ANY server back end (not just NodeBB sites), it's a little overkill in this instance. Again, like mentioned above, if we were running a site where we directly accept payments or stored sensitive information, then sure, this extra layer of security is worth it... but since we don't, it's not worth the overhead cost... a 'hacker' will have spent an awful lot of time attempting to compromise our site only to read about us making fun of each other or talking about video games. (most of which they would get access to by simply playing with us for a week or two and applying, would probably take less time too)


  • -LnT-

    @MAV

    Thanks for the reply. I can understand your point about maybe not wanting to use a reverse proxy, but it sure does make it easier to implement HTTPS on this site (in my opinion). There are a lot of guides that show how to do so. NodeBB also has documentation about how to implement HTTPS using Node.js itself.

    The main thing why I was talking about securing the forums with HTTPS is the fact that people tend to re-use passwords on multiple websites. So in case a hacker gets access, he might be able to hack accounts of the same user on other websites as well. The risk of a MiTM is, as you said, low, but it should still be prevented because of users re-using passwords.


  • Senior Server Admin

    @TheDDGo Yep, it's on the roadmap. HTTPS would need to be implemented through Node.js (also the webserver would need to be configured to redirect HTTP traffic to HTTPS) and the certificate would be from Let's Encrypt. It's not that we don't care about security, as I can tell you security is very important to me, I periodically do exploit testing on the site.

    We have a long list of feature requests and we try to get to all of them when we can while still enjoying gaming in our free time!


  • Generals

    Also I'd like to note that @Havok and myself will be evaluating solutions for our own ecommerce platform. HTTPS solutions will definitely be implemented if we do serve it ourselves.


  • Senior Server Admin

    @nuchin Please involve me in those conversations. There is a little more involved than meets the eye, which includes PCI DSS compliance. (which I specialize in)


  • Generals

    @MAV Of course!

