DRUMMERWORLD OFFICIAL DISCUSSION FORUM


KamaK 11-21-2017 09:06 AM

Drummerworld and SSL -- It's time
 
Bernhard,

I'd gladly chip in the $7.50 for the first year and 30 mins to show you how to set up SSL/HTTPS. I feel like a chump every time I type something here (including my password) because anyone with wire access can see it. Heck, I'd chip in $20 for a 3-year cert.

I get that there are drawbacks (the yearly expense, performance overhead, requirement of technical expertise to add a rewrite rule so old links work, periodic renewals, registration). But a number of us check in from hotel wifi, bar wifi, and other public places and would greatly appreciate the increase in privacy.

Note: Looks like COMODO resellers are ~9/yr these days.

Dr_Watso 11-21-2017 08:43 PM

Re: Drummerworld and SSL -- It's time
 
The port is open on the firewall, but the default apache page with self-signed is what you get.

Since I don't use this password anywhere else I'm not that worried about it and other than passwords, I think someone snooping this data stream would be pretty disappointed. If you're going to do it, make sure to re-direct http to https or it's pretty useless for anyone but you, me and other folks with IT sec on their minds.

KamaK 11-21-2017 09:01 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Dr_Watso (Post 1533958)
If you're going to do it, make sure to re-direct http to https or it's pretty useless for anyone but you, me and other folks with IT sec on their minds.

Indeed, though it's generally best to use a rule instead of a redir, so that the string beyond the domain name is preserved, and all of the links on the board continue working.

Something simple like:


Code:

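    RewriteEngine on
    # Only rewrite requests that did not arrive on the HTTPS port
    RewriteCond  %{SERVER_PORT}  !^443$
    # ^/? matches with or without the leading slash (vhost config or .htaccess);
    # the path is carried over in $1 and the query string is kept by default
    RewriteRule ^/?(.*)$ https://www.drummerworld.com/$1 [L,R]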
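
A way to check, once the rewrite is deployed, that old links keep everything after the domain name (an added example, not part of the original posts). The function names and the sample responses are constructed for illustration; real input would be the status and Location header seen for each old http link.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.drummerworld.com"  # host taken from the rule quoted above


def check_redirect(requested_url, status, location):
    """Classify one observed response to a plain-http request.

    Returns "ok", "no-redirect", "not-https", "wrong-host" or "path-lost".
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"          # page is still served in cleartext
    src, dst = urlsplit(requested_url), urlsplit(location)
    if dst.scheme != "https":
        return "not-https"
    if dst.hostname != SITE_HOST:
        return "wrong-host"
    # Everything after the domain must survive, including the query
    # string that selects the thread or forum.
    if (src.path or "/", src.query) != (dst.path or "/", dst.query):
        return "path-lost"
    return "ok"


def audit(observations):
    """Map each requested URL to its verdict."""
    return {url: check_redirect(url, status, loc)
            for url, status, loc in observations}


# Constructed observations: (requested URL, status code, Location header),
# in the form you would collect with `curl -sI` against old http links.
SAMPLE = [
    ("http://www.drummerworld.com/forums/showthread.php?t=139510", 302,
     "https://www.drummerworld.com/forums/showthread.php?t=139510"),
    ("http://www.drummerworld.com/forums/forumdisplay.php?f=26", 302,
     "https://www.drummerworld.com/"),
    ("http://www.drummerworld.com/forums/index.php", 200, None),
    ("http://www.drummerworld.com/forums/", 302,
     "http://www.drummerworld.com/forums/index.php"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:12} {url}")
```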


KamaK 02-09-2018 10:01 PM

Re: Drummerworld and SSL -- It's time
 
Bernhard,

You going to be ready for July?

https://arstechnica.com/gadgets/2018...as-not-secure/

Ping me if you need a hand.

Dr_Watso 02-09-2018 11:07 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by KamaK (Post 1546007)
Bernhard,

You going to be ready for July?

https://arstechnica.com/gadgets/2018...as-not-secure/

Ping me if you need a hand.

The cynic in me thinks that immediately following this update, Google will start selling SSL certs.

KamaK 02-10-2018 03:45 AM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Dr_Watso (Post 1546034)
The cynic in me thinks that immediately following this update, Google will start selling SSL certs.

Indeed.

Luckily, enough cynics felt this way a few years back and created their own CA.

http://www.cacert.org/

Pocket-full-of-gold 02-10-2018 03:55 AM

Re: Drummerworld and SSL -- It's time
 
There are times when I'm privy to a discussion and feel nothing but an utter friggen' moron.

This is one of those times.

Dr_Watso 02-10-2018 04:23 AM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Pocket-full-of-gold (Post 1546113)
There are times when I'm privy to a discussion and feel nothing but an utter friggen' moron.

This is one of those times.

As simplified as I can, since it's an important topic, and maybe you'll find it interesting. It's certainly more complicated than I'll make it out to be, and please feel free to ask questions if you like.

Websites that begin with "https://www.example.com" rather than the regular http are "secured" by utilizing a tech called SSL which is what KamaK is talking about for DW.

Think of SSL kind of like "pig latin". Two people can communicate without using real English, but still understand each other on the basis that they both realize you just re-arrange the letters to each word in a set way. If an outsider who doesn't have the "code" tries to listen in, say a small child who hasn't figured it out yet, they'll be confused.

That's a long way of saying it's a literal cipher key. Just like radio cipher or my previous example of the "pig latin" code, using SSL/HTTPS can help prevent a nefarious fellow who's trying to listen into the data exchange and get passwords, or what have you.

Since we don't exchange credit card numbers or do business on this site, it's not that big of a deal, but using it is certainly best practice and helps with security.

Dr_Watso 02-10-2018 04:29 AM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by KamaK (Post 1546112)
Indeed.

Luckily, enough cynics felt this way a few years back and created their own CA.

http://www.cacert.org/

Hey, that's cool! Thanks!

I don't think I would trust it as much for something critical, but for general use like this that's neat!

KamaK 02-10-2018 08:48 AM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Dr_Watso (Post 1546118)
I don't think I would trust it as much for something critical, but for general use like this that's neat!

On the flip side, we can trust that Verisign/Symantec/Thawte/Entrust trusts their customers just enough to be willing to take their money. Sigh, the uncanny intermingling of capitalism and privacy... I guess it's hard to complain with my mouth full.

Jeremy Bender 02-12-2018 06:23 PM

Re: Drummerworld and SSL -- It's time
 
I don't understand what any of this means. Is the future use of this forum in danger of a security breach to our own computers? Will we start having to pay to be members?
Thanks. I know very little about these things.

KamaK 02-12-2018 08:37 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Jeremy Bender (Post 1546566)
I don't understand what any of this means. Is the future use of this forum in danger of a security breach to our own computers? Will we start having to pay to be members?
Thanks. I know very little about these things.

Ultimately, it means that anyone on your local network or anyone on DWorld's network can see anything you submit to the site, and know what you've been looking at. It also means that any DW data passing through your ISP is automatically being routed through a mystery closet and analyzed by the NSA.

(no, really, not being paranoid or making this up, there really is a government closet at your ISP analyzing absolutely everything you see and post).

Not an issue for 95% of the content here, but this includes your user/password and PMs.

Dr_Watso 02-12-2018 09:03 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by KamaK (Post 1546600)
Not an issue for 95% of the content here, but this includes your user/password and PMs.

Yep, this is really the only "worry". People often use similar username and password combos on multiple sites, so the fact that someone can snoop our passwords on this site as we use them could be an issue for some.

For the time being, everyone reading this should make sure the password they use here is not the same as one for something critical or financial.

Dr_Watso 02-12-2018 09:05 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by KamaK (Post 1546149)
On the flip side, we can trust that Verisign/Symantec/Thawte/Entrust trusts their customers just enough to be willing to take their money. Sigh, the uncanny intermingling of capitalism and privacy... I guess it's hard to complain with my mouth full.

I almost stated such in my response, but meh.

I think I only feel "safer" because we're paying for it with the big providers. Makes me feel like they will have better, more secure and more redundant/consistent service. If that's true or not is hard to say in the grand scheme, but at least I can sue!

DrumEatDrum 02-13-2018 08:05 AM

Re: Drummerworld and SSL -- It's time
 
I'd settle for not using the same 10-year-old version of vBulletin and adding some modern features around here.

I love this forum, but it's stuck in internet past.

Jeremy Bender 02-13-2018 08:59 PM

Re: Drummerworld and SSL -- It's time
 
What if you use "incognito" mode on Chrome?

Dr_Watso 02-13-2018 09:03 PM

Re: Drummerworld and SSL -- It's time
 
Quote:

Originally Posted by Jeremy Bender (Post 1546804)
What if you use "incognito" mode on Chrome?

All that does is prevent your computer from storing info locally on the hard drive about visited sites and all that jazz.

It does not change the fact that passwords here are sent to the server un-encrypted and "snoopable". Please don't use common passwords here and change any passwords that you share with this site and others.

T.Underhill 02-13-2018 10:54 PM

Re: Drummerworld and SSL -- It's time
 
1 Attachment(s)
This is what your Internet traffic would look like when you log in to the site via http not https. The username and password are shown in "clear text" meaning readable to whoever is capturing your traffic. I know this has been stated, but the visual is interesting. This traffic is likely to only be compromised if you're on a public network like an open WiFi connection.


All times are GMT +2.