https
category: general [glöplog]
Well, they could steal login/password and try to use it on another website. Provided one uses the same password on many websites.
Quote:
well...pouet and 100,000 other low-profile websites that require simple user login?
No. However "low-profile" they may be, that's not a good excuse.
encrypt all the things.
really, its not so much about having something to hide, more about sending letters instead of postcards.
apart from that rising the amount of encrypted connections on the net is generally a good idea if you dont want to make yourself suspicious just by encrypting your traffic one day...
really, its not so much about having something to hide, more about sending letters instead of postcards.
apart from that rising the amount of encrypted connections on the net is generally a good idea if you dont want to make yourself suspicious just by encrypting your traffic one day...
Quote:
psonice: agreed, yet who the hell would bother impersonate another user on pouet in a way that becomes serious matter? :)
added on the 2013-07-09 20:38:04 by g.
Are you against seatbelts too? I mean most cars don't crash, right?
allright,
here is my contribution to the discussion then: I issued certified certificates for planet-d thanks to StartSSL free plan.
would that work for pouet?
here is my contribution to the discussion then: I issued certified certificates for planet-d thanks to StartSSL free plan.
would that work for pouet?
g.: COOL - although you don't actually have any forms on your web site as yet.
Sub-domains will require certificates of their own unless you opt for a wildcard certificate - ¥€$$$$....
The thing is, seeing how easy it is to install one you could potentially offer certificate installation to people using your hosting service should they need it.
Good job though, yeah! :)
Sub-domains will require certificates of their own unless you opt for a wildcard certificate - ¥€$$$$....
The thing is, seeing how easy it is to install one you could potentially offer certificate installation to people using your hosting service should they need it.
Good job though, yeah! :)
secured part are: www (useless indeed), mail, adminer and piwik
that's 4 certificates in total
that's 4 certificates in total
Quote:
psonice: agreed, yet who the hell would bother impersonate another user on pouet in a way that becomes serious matter? :)
Well, we might get somebody stealing somebody else's login for a laugh, but there are more general security issues that are more of a concern.
Let's say I'm a young, upcoming hacker trying to make a living from the trade. I have a nice little botnet doing bitcoin mining, DDOS for hire and such.
And I like to steal money or valuable data. To do that, I need logins to useful sites, paypal, gmail, facebook and so on. How do I get them? I can hack sites and steal databases, hard but sometimes rewarding. Or..
I can set my phone/laptop up as a public access point whenever I go out, and leave it running a packet sniffer. Whenever somebody connects and logs into one of those 100,000 or so smaller sites that doesn't use https, I get myself a new username + password combo.
So I keep adding those usernames + passwords to a dictionary. I send the dictionary out to my botnet. Those computers try to login to a big list of sites with a random user/pass from the dictionary. Eventually they're pretty much guaranteed to find somebody who used their pouet user/pass combo on some other, more important site. And my bank balance goes up, somebody else takes a hit.
Considering that basically all of that can be automated, and actually happens, and that there is definitely some hacker/demoscene crossover (i.e. at any decent sized party you're sure to get a few hackers present), and it's worth adding that https to the login at the very least.
Cool to see you've already taken that step on planet-d :)
or don't use your sceneid for gmail, paypal, facebook?
I don't, but some people do. It's impossible to remember a complex password for every site. Either you use some service to generate + store all your passwords (most don't), or you share passwords between sites.
Even if you've just used your pouet account for various 'unimportant' stuff, still, if you combine the info across those sites you might have something worthwhile, or perhaps enough info for a decent spear phishing attack that gets you into the sites with a different password.
Even if you've just used your pouet account for various 'unimportant' stuff, still, if you combine the info across those sites you might have something worthwhile, or perhaps enough info for a decent spear phishing attack that gets you into the sites with a different password.
Quote:
Jcl: and then someone compromises scene.org and mitms the hell out of nearest demoparty.
That's right... and if someone compromises verisign, we better close teh internets!
but but but, i liked logging in as shane/fearmoths back in the days :(
I THINK THE NSA ARE FUCKING CUNTS!! [they cant read this, mhuwhauhauhauhauhaha]
hooray for boobies!
thx garg (and redhound probably too)
thx garg (and redhound probably too)
Redhound only.
AWESOME. Thank you Redhound!
Top effort!
thanks redhound!
will you make it default?
Excellent! I have added the S.
Apparently you missed the bit where they put flaws in the encryption https uses, and can actually decrypt it in realtime. And now they've read that, and they're coming to get you ;)
On the other hand, decrypting https on the fly isn't as cheap as just capturing the packets by a long, long way. They'd have to specifically request this stream to be tapped to get it decrypted, they can't decrypt *everything* all at once. So the more https links we're all using, the less we all get monitored.
Quote:
I THINK THE NSA ARE FUCKING CUNTS!! [they cant read this, mhuwhauhauhauhauhaha]
Apparently you missed the bit where they put flaws in the encryption https uses, and can actually decrypt it in realtime. And now they've read that, and they're coming to get you ;)
On the other hand, decrypting https on the fly isn't as cheap as just capturing the packets by a long, long way. They'd have to specifically request this stream to be tapped to get it decrypted, they can't decrypt *everything* all at once. So the more https links we're all using, the less we all get monitored.
i also missed the bit that i posted it on a public forum. but so did you i guess. and hopefully so will nsa!
is this a placebo btw? that extra code isn't worth the shit. what is everybody scared of? lol
yumeji: read the thread.
ruairi: i don't care. the question stands.