HTTPS for forums?

#1

Recently I found out about a project called Let's Encrypt: https://letsencrypt.org/
It's a service that gives out free, unlimited HTTPS certificates, now officially a trusted source (you can check for yourself, my website uses it now: https://pxtst.com/ ).
This is really significant because HTTPS certs cost a ton, like hundreds of dollars a year for a site like vexforum.com; it's basically just a monopoly since it costs relatively nothing for them to sign certs.

I was wondering, now that there are free certs, whether vexforum can finally use HTTPS; it makes people feel a lot safer when browsing on unsecured networks.

0 Likes

#2

I second this. Without HTTPS, passwords are transferred over plain (unencrypted) text, which leaves VEX Forum users vulnerable to having their passwords stolen.

Mozilla has a nice document about this security issue.

0 Likes

#3

Something that might discourage them from using letsencrypt is that letsencrypt-auto doesn't support automatically configuring nginx yet, so what I did was run “sudo service nginx stop&&./letsencrypt-auto certonly&&sudo service nginx start”. Make sure you have 443 forwarded for the authentication process; it has a graphical interface that asks you what domains you want certs for, and everything is automatic.

And then once you have certs, just update the nginx site configuration.

First I added a redirect to HTTPS:

server {
    listen 80 default_server;

    location / {
        rewrite ^(.*)$ https://pxtst.com$1 permanent;
    }
}

And then switched my default domain over to SSL:

server {
    # IPv4 and IPv6 HTTPS listeners
    listen 443 default_server;
    listen [::]:443 default_server;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/pxtst.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pxtst.com/privkey.pem;
    ...

Hope it helps.

Also note: for security reasons the certs are only valid for 3 months, so until letsencrypt automates the process you just have to run letsencrypt-auto manually or set up a script to do it.

0 Likes
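The renewal script the post above leaves as an exercise, as an added example that is not from the thread. It wraps the poster's stop-nginx / letsencrypt-auto certonly / start-nginx sequence so that it only renews when the certificate is near its 90-day expiry and always brings nginx back up even when letsencrypt-auto fails (a bare `&&` chain leaves nginx stopped in that case). The paths, the letsencrypt-auto flags, GNU `date -d`, and running as root from cron are assumptions; the account registration is assumed to have been done interactively already, as in the post.

```sh
#!/bin/sh
# Added example (not from the thread): wraps the poster's
# "stop nginx && ./letsencrypt-auto certonly && start nginx" so that it only
# renews near expiry and always restarts nginx even if letsencrypt-auto fails
# (a bare && chain leaves nginx stopped). Paths and flags are assumptions.
DOMAIN="${DOMAIN:-pxtst.com}"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
RENEW_BEFORE_DAYS=30   # certs last 90 days; renew inside the last 30

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days until expiry (negative if expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# renewal_due EXPIRY_EPOCH NOW_EPOCH THRESHOLD_DAYS -> success when renewal is due
renewal_due() {
    [ "$(days_left "$1" "$2")" -le "$3" ]
}

# cert_expiry_epoch PEM_FILE -> notAfter of the cert as a Unix timestamp (GNU date)
cert_expiry_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    date -u -d "$end" +%s
}

# renew_with_service_stopped STOP_CMD RENEW_CMD START_CMD
# Stops the service, runs the renewal, starts the service again whatever the
# renewal's result, and returns the renewal's exit status.
renew_with_service_stopped() {
    eval "$1" || return $?
    eval "$2"
    rc=$?
    eval "$3"
    return "$rc"
}

main() {
    now=$(date -u +%s)
    expiry=$(cert_expiry_epoch "$CERT") || return 1
    if ! renewal_due "$expiry" "$now" "$RENEW_BEFORE_DAYS"; then
        echo "$DOMAIN: $(days_left "$expiry" "$now") days left, no renewal needed"
        return 0
    fi
    renew_with_service_stopped \
        "service nginx stop" \
        "./letsencrypt-auto certonly --standalone --non-interactive --agree-tos -d $DOMAIN" \
        "service nginx start"
}
# Run main only when executed as renew-le.sh, so the functions can also be sourced.
case "$0" in *renew-le.sh) main "$@" ;; esac
```

Save it as renew-le.sh and run it daily from root's crontab; on the days it finds more than 30 days left it exits without touching nginx.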

#4

I actually did notice this. I use a “unique” password for the forums; if anyone manages to discover it they’d be in for a laugh.

Oh well, use a unique password for important stuff, bank accounts, email, etc.

0 Likes

#5

I always use correct horse battery staple. No one will ever guess it. It’s the most secure password in the world.

0 Likes

#6

:frowning: and I’m here using hunter2

0 Likes

#7

What? All I’m seeing is *******.

1 Like

#8

Oh man…seeing this joke still alive is like an early Christmas present.

Bravo, well played indeed.

0 Likes

#9

For people out of the loop…

http://www.bash.org/?244321

0 Likes

#10

I’m with Cody about passwords. I use a multiword password and then leet-code it with numbers and special characters.

Forum sites get a simple password like R0b0ts!
Sites that I order from get something a bit more complex: R0b0t0rd3r
Email sites are the next most complex: G00gl3f0$t3rm@1l!, since email is the backup for lost passwords on most sites.
Banking sites are even longer phrases. My Swiss bank password is 6 words long. :wink:

You should be worried about the “security questions” that sites ask for. Mother’s maiden name, street where you grew up, year you graduated from high school, father’s middle name, pet’s name, etc. With social media and the cross-references of census and genealogy records it’s easy to figure lots of this stuff out. My suggestion is to do a memorized swap. Mother’s maiden name becomes your father’s middle name. His middle name becomes her maiden name. Swap a sibling for pet info. As long as you do it all the time it becomes easy to remember. Or you can use a phrase instead of the info: “Mother’s maiden name” -> “baby ducks”. But be careful: I had a friend who made it “it’s a secret”, and then had an interesting discussion with a live agent before he could get them to type in “it’s a secret” to get the account unlocked.

I’m not too worried about HTTPS here, but expect it to be on shopping sites, banks, etc. I’d rather see the VEX guys spend more time on the next generation controller.

And for those that missed Tabor’s reference on his password: It is this XKCD cartoon

0 Likes

#11

I approach this problem by having created a completely fictitious family, complete with pets, biographies, favorite rooms, childhood friends, electric chairs, flamethrowers for toys, etc.

0 Likes

#12

Snicker, I’ve used 1313 Mockingbird Lane, Munster IN 46321 as my throwaway address for years. (That’s the Munsters’ address, not FullMetal’s Addams Family shown above.)

0 Likes