SSL certificate

Rowlers

Massive Member
Staff member
Hi Peter
It is not something that we have looked into to be honest.
But, as we are not dealing with any financial or other confidential information it is not something we are looking to implement in the near future.
Not ruling it out though...
 

slapo

It's... alive!
Hi Rowlers,

please consider these points:
- in case of a man-in-the-middle attack ('man' in the middle likely being a program or a script), they could collect unencrypted passwords and logins and attempt to use them elsewhere - people are known for using weak passwords and the same passwords on several websites - some could use the same password on, say, Amazon or eBay.
- in case there's a bug in XenForo (there are bound to be some), an attacker obtains login and password combinations via a man-in-the-middle attack, then logs in as one of the users and exploits the bug. The nature of the bug could vary - an SQL injection vulnerability, missing filtering/escaping of text before injecting it into a template, etc.
- it's better to err on the side of caution - if they were to obtain an admin's credentials and use them to inject some malicious code into e.g. a template, it would then affect quite a few users before someone took it down... unless the attacker changes all admin passwords and email addresses.

It's really to protect the fora themselves and users who don't follow/are unaware of sound security practices. That there is no financial/strictly confidential information being stored here doesn't mean it can't lead to something nasty eventually. Besides, there's BST and PM which may contain information that is better hidden from the outside world for one reason or another.

If it's a no for now, then it's a no, but extra security should do no harm.

On a somewhat related note, The Cuckoo's Egg by Cliff Stoll is a pretty fun, light read and can highlight how weaker security in systems that are deemed non-critical can lead to larger issues. It's a real-life story and well worth reading, IMO.

Cheers,

Peter
 
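The two concrete protections Peter is asking for (a forum that redirects plain HTTP to HTTPS so a man-in-the-middle cannot read the login form, and session cookies that are never sent in the clear) can be checked mechanically. The script below is an added example, not code from XenForo or from this forum: it audits constructed sample HTTP responses for an HTTPS redirect, a Strict-Transport-Security header with a reasonable max-age, and Secure/HttpOnly flags on cookies. The hostname, the `xf_session` cookie name and the 180-day HSTS threshold are assumptions chosen for the sample, so it runs offline.

```python
# Added example (not XenForo's or the forum's own code): audit HTTP responses
# for the protections an HTTPS-only forum should present. Inputs are
# constructed samples; no network access is needed.

HSTS_MIN_AGE = 15552000  # 180 days; assumed threshold, a common minimum


def _split_cookie(raw):
    """Return (cookie name, set of lowercased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; None if absent/malformed."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):].strip('"'))
            except ValueError:
                return None
    return None


def audit_tls_posture(scheme, status, headers):
    """Return a list of findings for one response; an empty list means no problem found.

    scheme:  'http' or 'https' of the request that produced the response
    status:  integer HTTP status code
    headers: list of (name, value) tuples; header names are case-insensitive
    """
    findings = []
    single = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # may repeat, so keep every one
        else:
            single[name.lower()] = value

    if scheme == "http":
        # A plain-HTTP request must be bounced to HTTPS, never answered with content.
        location = single.get("location", "")
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("plain-HTTP request answered with content instead of a redirect to https://")
    else:
        # Once on HTTPS, HSTS stops the browser from trying plain HTTP next time.
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header")
        else:
            age = _hsts_max_age(hsts)
            if age is None:
                findings.append("Strict-Transport-Security has no usable max-age")
            elif age < HSTS_MIN_AGE:
                findings.append(f"HSTS max-age {age} is below {HSTS_MIN_AGE} seconds")

    for raw in cookies:
        name, attrs = _split_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure flag (would be sent over plain HTTP too)")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks the HttpOnly flag (readable by injected script)")
    return findings


# Constructed sample responses (hostname and cookie name are made up).
WEAK_LOGIN = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "xf_session=abc123; path=/"),
])
HARDENED_REDIRECT = ("http", 301, [
    ("Location", "https://forum.example.test/login"),
])
HARDENED_LOGIN = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "xf_session=abc123; Path=/; Secure; HttpOnly"),
])
SHORT_HSTS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=300"),
])

if __name__ == "__main__":
    for label, sample in [("weak login page", WEAK_LOGIN),
                          ("hardened redirect", HARDENED_REDIRECT),
                          ("hardened login page", HARDENED_LOGIN),
                          ("short HSTS", SHORT_HSTS)]:
        print(label, "->", audit_tls_posture(*sample) or ["ok"])
```

Run it against the constructed samples and the weak login page yields three findings (no redirect, cookie without Secure, cookie without HttpOnly) while both hardened responses yield none; point the same function at real captured headers to get the same report for a live site.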

Nico1970

Forum GOD!
Many thanks @slapo for your considered representations.

You are absolutely correct to err on the side of caution. We are looking at a number of other aspects of the site at the moment and, as Lee @Rowlers has said, whilst SSL is not on the list of immediate absolute priorities, your suggestions are appreciated and noted.

We have a number of other things in the mix, as it were, and we need to close these out in the first instance. Of course, we'll be looking at augmenting the site security in due course. That said, we hope you enjoy the site and trust you'll encourage your friends and colleagues to take up 'proper shaving' and support us all on our journey :okay:
 

slapo

It's... alive!
Sorry chaps if I came across as pushy, and I understand there are bound to be other things that require attention.
I suppose I have a bit of paranoia (which should probably be much stronger, really) that the black hat side has their own men in black suits, mostly in shade, smoking while giving warnings to their agents in between slightly creepy music jingles, pushing them toward doing creepier and creepier things... (goes off to play the X-Files theme). ;-)