Thank you for this post @techscorpion. As a system administrator, I’m always paranoid about using a service which isn’t secured (especially when I spend lots of hours on it weekly). But I didn’t want to be the one-man crusader (at least, for a while). I know the Bigcabal guys know the importance of implementing SSL and the confidence that lovely “green bar” or “green padlock” gives to users.
PS: If Bigcabal runs a dedicated server with NGINX for all their websites, I can help them install Let’s Encrypt SSL certificates (on all their sites) free of charge as part of my contributions to this community.
An SSL certificate is not important… the security of a website depends on
- how it was programmed.
- the skill of the person hacking your website.
- if anyone with admin access has been compromised.
- how secure the admin’s password is.
If a site owner wants to make other people with the same attitude as @techscorpion and @Ndianabasi feel safe using the site then SSL can be used but it does not determine how secure a website is.
I can’t tell if you are joking or not but what you’ve written is completely false and dangerous.
There are many layers of security and SSL certificates play an important role. They are not just for protecting the integrity of your credit card details or password mid transit. They protect the totality of your data communications which in some cases are far more important than financial data.
Let’s examine your ill-thought-out statement line by line.
### How it was programmed
The software in question is a web-based forum management system which uses cookies and passwords to identify users. The data is currently sent in the clear with no client-side encryption. There are no symmetric keys used, and using them would be incorrect in this context anyway. So we know how it is programmed and can tell that it contains vulnerabilities that can be exploited unless SSL encryption is used. Point 1 discredited.
### The skill of the person hacking your website
The barrier to entry to setting up a MITM is very low. Freely available software will allow you to deep-packet inspect any clear-text traffic. Heck, even tcpdump will do it. Commercial companies exist that are actively, openly, and successfully shopping their MITM/Phishing/Virus Injection goods to state actors and have thus reduced the barrier to entry even further. Point 2 discredited.
### If anyone with admin access is compromised
One of the points of SSL encryption is to reduce the chance of the admin(s) being compromised. Your point actually corroborates mine. Point 3 discredited.
### How secure the admin password is
This is irrelevant because even the strongest 64-character alphanumeric + special-character password is as useless as the term “password” if it is transmitted in the clear. Again, that’s why SSL encryption is important. Point 4 discredited.
Three things worry me now:
That you @godmode wrote all that rubbish and there are hapless people out there that possibly see you as an IT expert/developer/specialist, and may actually give you some non-trivial work to do.
That you @godmode had the chutzpah to write what you did on a public forum even though you demonstrate zero background or integrity in IT security.
The sys admins on this site have not implemented the recommendations almost 20 hours after it was pointed out.
Personally, I advise you to just go ahead and delete your earlier reply.
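As an added example (not code from any post in this thread or from Discourse itself): a small Python check that audits a raw HTTP response for the exact gaps argued above, namely a session cookie issued over plain HTTP or without the Secure/HttpOnly flags, a plain-HTTP response that is not redirected to HTTPS, and an HTTPS response without HSTS. The two sample responses and the cookie name `_session` are constructed for the demonstration.

```python
from http.cookies import SimpleCookie


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw, scheme):
    """Return a list of findings for a response fetched over `scheme` ('http' or 'https')."""
    status, headers = parse_response(raw)
    findings = []

    def get(name):
        return [v for k, v in headers if k == name]

    if scheme == "http":
        # A plain-HTTP endpoint should only ever redirect to its HTTPS twin.
        loc = get("location")
        if status not in (301, 308) or not loc or not loc[0].startswith("https://"):
            findings.append("plain-HTTP response is not redirected to HTTPS")
    elif not get("strict-transport-security"):
        # Without HSTS a browser will still try plain HTTP on the next visit.
        findings.append("no Strict-Transport-Security header")

    for set_cookie in get("set-cookie"):
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            if scheme == "http":
                findings.append(f"cookie {name} issued over plain HTTP")
            if not morsel["secure"]:      # cookie would be sent over plain HTTP too
                findings.append(f"cookie {name} lacks Secure flag")
            if not morsel["httponly"]:    # cookie readable by injected scripts
                findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings


# Constructed sample responses: the forum as described in the thread, and a hardened one.
PLAIN_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: _session=abc123; Path=/; HttpOnly\r\n\r\n<html></html>")
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                  "Set-Cookie: _session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html></html>")

if __name__ == "__main__":
    print("plain http:", audit(PLAIN_HTTP, "http"))
    print("hardened  :", audit(HARDENED_HTTPS, "https"))
```

Swapping in a real response captured from your own site (for example, the header block that `curl -i` prints) shows which of these findings still apply before and after enabling HTTPS.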
Protection of data depends on how well the Discourse software was written…
Every web software has both client and server encryption. Unless you’ve read the Discourse code line by line, you can’t know what type of encryption they used.
The FBI had to beg or take Apple to court to give them access to their encrypted data.
Every OS comes with spyware, and putting unverified (foreign) scripts on a website is dangerous because no one has the time to go through their code.
There is no Facebook, Instagram or other popular social networks in China because they develop their own and can’t trust what some big-shot tech companies that aren’t Chinese are saying is secure…
If Discourse includes a “custom” encryption protocol, then I’ll be extremely worried. The data is not encrypted using established standards. Anything that’s not peer reviewed and audited is wrong.
You are off by a mile and a half. The reason why the FBI needed Apple’s help was because the data they were trying to access was encrypted with a symmetric key that was at risk of being deleted after a few incorrect passcode attempts. Symmetric keys are extremely sensitive and should be stored in secure elements or vaults. Discourse’s client-side code does not contain any symmetric keys because transmitting them over a cleartext network defeats the purpose, and there’s no way for sandboxed JavaScript code to directly access any secure vault implementation on the client.
I’ll end with this food for thought.
The only true wisdom is in knowing you know nothing.
- Socrates
Discourse is a web application and relies on TCP, which is an insecure networking protocol. Your security is only as good as the weakest link. I’d rather have the communication between client and server encrypted than assume that Discourse is secure enough.
The FBI had a hard time breaking into the iPhone because the data was encrypted at rest and after 10 failed passcode attempts an iPhone will wipe all the data. SSL protects data in transit, which is what we are discussing here. Maybe Discourse or the admins provide encryption for data stored on the server (which I doubt), but our information is still vulnerable while it is in transit between our devices and the server.
With these few points of yours, we are convinced that we should implement SSL/HTTPS as soon as possible. Sorry I didn’t reply to this as soon as I saw it; it’s been a long week(end). Bless.
Every programming language has its own custom encryption framework. The FBI needed Apple’s help because they couldn’t bypass it without consequences…
I’ll stop here, I’m not here to pour sand into anyone’s garri… This comment of yours just revealed that you’ve never used any programming language before and you’re all talk.
There’s not just a security imperative here, there is also an SEO necessity. Huge parts of the web are procrastinating about something that Google has made a de facto web standard. I don’t mind caving to pressure from members of the community that care about it, but it turns out that in the end, there is more than one compelling case for this.
It’s only important for site owners that depend on Google… site owners from countries that have their own search engines depend more on their local search engines than on Google. Google is making HTTPS a standard for its own search engine, not for the internet…
If Nigeria had a local search engine, every Nigerian site owner would prefer to rank higher on the local search engine than on Google. Google is just another internet company; it does not dictate the internet standard.