Insecure / Unencrypted Logins - Printable Version
+- Madison Motorsports (https://forum.mmsports.org)
+-- Forum: Official (https://forum.mmsports.org/forumdisplay.php?fid=5)
+--- Forum: Site Suggestions/Status (https://forum.mmsports.org/forumdisplay.php?fid=15)
+--- Thread: Insecure / Unencrypted Logins (/showthread.php?tid=11890)

Insecure / Unencrypted Logins - Evan - 04-23-2019

Did the cert expire? Has it always been this way and nobody noticed or cared? Is Firefox wrong and logins are actually SSL encrypted? There are free options for ssl certs to fix it. Unencrypted plaintext password submissions are pretty terrible. Hope nobody uses common passwords.

RE: Insecure / Unencrypted Logins - Apoc - 04-23-2019

Chrome has been throwing errors for months; I don't remember exactly when it started. I've always had a password for this site that has absolutely zero resemblance of every other password I have ever used because I always feared it would get compromised.

RE: Insecure / Unencrypted Logins - JPolen01 - 04-23-2019

I noticed this many moons ago but forgot to bring it up. I don't even know what my password is for this site. It was saved years ago in chrome and I never log out.

RE: Insecure / Unencrypted Logins - Senor_Taylor - 04-23-2019

I'll share this in the "web admin" chat.

RE: Insecure / Unencrypted Logins - Jake - 04-23-2019

(04-23-2019, 12:02 AM)Evan Wrote:

The site has never had a cert for SSL. This falls into the "I'm too busy to do anything with it" bucket given nobody else has offered help with labor or finances to keep this site and forum alive for the last ten years. I know we'd talked about moving the whole thing to Discourse a while back. Would be great to do that and address the security concerns, but I have 0% interest in doing that by myself.

RE: Insecure / Unencrypted Logins - JPolen01 - 04-23-2019

(04-23-2019, 09:01 AM)Jake Wrote: The site has never had a cert for SSL. This falls into the "I'm too busy to do anything with it" bucket given nobody else has offered help with labor or finances to keep this site and forum alive for the last ten years.

I can't help with any of the actual work, but if you feel like putting together the costs of keeping this thing running I'm sure we could crowd fund enough to cover it from those of us who regularly use it. It's kind of something I never really think about when using the forum. I'd be happy to contribute, but I would prefer to have an idea of how much money is needed and where it is going.

RE: Insecure / Unencrypted Logins - Jake - 04-23-2019

I think the club can/should pay for it and Brandon is on board to move the financial aspect of it to the MM bank account. We're discussing what to do about SSL, as well as the future of the site in general, right now. Taylor is willing to help with SSL so that can be taken care of easily enough.

RE: Insecure / Unencrypted Logins - Senor_Taylor - 04-23-2019

Working with Adam on a plan here.
I'll hold off on purchasing a cert unless someone has a cheap resource for them because we may not need with what Adam has proposed.

RE: Insecure / Unencrypted Logins - JPolen01 - 04-23-2019

Good call on the club funding the forum. Seems like they have a surplus these days from what has been tossed around here. Thanks for all those involved.

RE: Insecure / Unencrypted Logins - Evan - 04-23-2019

(04-23-2019, 09:33 AM)Senor_Taylor Wrote: Working with Adam on a plan here. I'll hold off on purchasing a cert unless someone has a cheap resource for them because we may not need with what Adam has proposed.

LetsEncrypt offers free SSL certs https://letsencrypt.org/ https://www.sslforfree.com/ It's by the Linux foundation and backed by Mozilla, Cisco, Akamai, Facebook, etc., so it's not some sketchy provider. First priority should be getting ssl set up on the current site. That's a "shouldn't be online at all without it" kind of thing. Longer term, I'm still willing to set up a discourse server if there is interest. (there was not last I mentioned it). I'm sure Adam could do it as well. Using in production will require reasonable hosting cost, but probably more than what you are paying now.

RE: Insecure / Unencrypted Logins - Senor_Taylor - 04-23-2019

(04-23-2019, 10:12 AM)Evan Wrote: (04-23-2019, 09:33 AM)Senor_Taylor Wrote: Working with Adam on a plan here. I'll hold off on purchasing a cert unless someone has a cheap resource for them because we may not need with what Adam has proposed.

The current hosting service doesn't support letsencrypt. We're looking into switching hosting services. Talk to Adam if you'd like to have a direct conversation about this. We have a groupchat. I think it'd be great to maybe get web admin responsibilities handed off to someone outside MM so we don't have this roundabout of trying to find someone to do things and we've asked a lot of Jake to handle it for the last decade.

RE: Insecure / Unencrypted Logins - Evan - 04-24-2019

(04-23-2019, 10:21 AM)Senor_Taylor Wrote: The current hosting service doesn't support letsencrypt. We're looking into switching hosting services. Talk to Adam if you'd like to have a direct conversation about this. We have a groupchat.

Even if you don't have shell access, you can still get a free cert via sslforfree. They issue certs using the letsencrypt authority that you can install via cpanel just like a cert you would buy. https://www.youtube.com/watch?v=K90RxdQp9OE I've reached out to Adam via PM for some server info, and plan to get the discourse server up in the next few days so we can evaluate it.

RE: Insecure / Unencrypted Logins - Senor_Taylor - 04-24-2019

(04-24-2019, 08:48 AM)Evan Wrote: (04-23-2019, 10:21 AM)Senor_Taylor Wrote: The current hosting service doesn't support letsencrypt. We're looking into switching hosting services. Talk to Adam if you'd like to have a direct conversation about this. We have a groupchat. Even if you don't have shell access, you can still get a free cert via sslforfree. They issue certs using the letsencrypt authority that you can install via cpanel just like a cert you would buy.

Seemed Discourse is out of the question due to cost?

Sent from my Pixel 3 XL using Tapatalk

RE: Insecure / Unencrypted Logins - Evan - 04-24-2019

(04-24-2019, 09:52 AM)Senor_Taylor Wrote: (04-24-2019, 08:48 AM)Evan Wrote: (04-23-2019, 10:21 AM)Senor_Taylor Wrote: The current hosting service doesn't support letsencrypt. We're looking into switching hosting services. Talk to Adam if you'd like to have a direct conversation about this. We have a groupchat. Even if you don't have shell access, you can still get a free cert via sslforfree. They issue certs using the letsencrypt authority that you can install via cpanel just like a cert you would buy. Seemed Discourse is out of the question due to cost?

Is it? What is your budget? Discourse on DigitalOcean would be about $10/month.

Insecure / Unencrypted Logins - Senor_Taylor - 04-24-2019

Adam already spoke to them and we need a business license to migrate existing data over. Which is like $3000

Sent from my Pixel 3 XL using Tapatalk

RE: Insecure / Unencrypted Logins - Evan - 04-24-2019

(04-24-2019, 10:39 AM)Senor_Taylor Wrote: Adam already spoke to them and we need a business license to migrate existing data over. Which is like $3000

Their migration scripts are open source on GitHub. They only charge if they migrate the data for you. I'm checking out on this, doesn't sound like you guys are interested in help.

RE: Insecure / Unencrypted Logins - Senor_Taylor - 04-24-2019

(04-24-2019, 10:55 AM)Evan Wrote: (04-24-2019, 10:39 AM)Senor_Taylor Wrote: Adam already spoke to them and we need a business license to migrate existing data over. Which is like $3000

We definitely welcome help. I just want to make sure you're not duplicating effort if Adam already explored an avenue you're planning on looking into.

Sent from my Pixel 3 XL using Tapatalk

Evan, can you join the web admin group chat so we can talk about this? I'm looking through the migration scripts and just want to be in the loop here. https://github.com/discourse/discourse/blob/master/script/import_scripts/mybb.rb

Insecure / Unencrypted Logins - JPolen01 - 10-09-2019

Did anything ever come of this? I can no longer access the forum on my work computer because our virus protection thinks it's a malicious site. My assumption is because the site is not secure. I could be completely wrong. 1st world problem, I know. If resources are needed I am willing to contribute towards needed expenses.

Insecure / Unencrypted Logins - Senor_Taylor - 10-09-2019

We looked into moving this to discourse and the cost to have it moved over was pretty outrageous. Adam looked into doing it himself and it was a lot of work and his test runs didn't pan out. I also think we're approaching a crossroads here as I think Jake doesn't want to own the hosting of this anymore.
Someone will need to take it over. If Evan wants to give it a shot, I'm down to work together on it. A couple of us also sent Jake money since he's been paying for the hosting for a while. (We checked the AdSense account a few years ago and took the money out I believe) The most simple option is to just pay for the SSL cert (the current host provider doesn't allow free certs). I'm okay with doing this.

Sent from my Pixel 3 XL using Tapatalk

RE: Insecure / Unencrypted Logins - Jake - 10-14-2019

I also got the "suspicious site danger will robinson!" message at my client site last week. It's back to working now. I need to move the hosting and maintenance of the site to someone who's not myself. Everything renews in March 2020 so we need to complete this project by then. I'd love to see something that was a homepage, forum and chat solution all in one. Discourse sounds like the way to go about implementing this. If we avoid Discourse, we can keep the mix of Wordpress, myBB and GroupMe although it's clunky and doesn't provide the best overall experience IMO. I'm down to help, but on someone else's dime and with me not being the project lead or key point of contact. So, who wants to PM this and get started?