Secure Login

Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: Secure Login

Post by Lumpy Burgertushie »

It is still only securing information during transfer. What is the point of securing HTML and CSS when the browser requests it for a normal page load? Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?


And, whether anybody is actually stating that SSL protects your static data or not, they certainly do imply it with all the scare tactics about how all websites should be SSL protected and will be penalized if they are not.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

Lumpy Burgertushie wrote: Thu Feb 02, 2017 10:08 pm It is still only securing information during transfer. What is the point of securing HTML and CSS when the browser requests it for a normal page load? Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?

robert
Sure. Let's take a step back to information you already know and let me build on that.

When the client (web browser) asks for www.phpbb.com/community/, it sends a request to the server. The response to that is the HTML. Actually, technically speaking, multiple requests are made for each resource, but let's stick to just one request for the purposes of this discussion.

This is where the bi-directional communication I'm talking about comes in. This is not just request, request, request, it is request-response, request-response, request-response. Bi-directional. When that communication is not encrypted with TLS (formerly SSL), an attacker can inject into the request stream as well as the response stream and manipulate the content that the browser is sending (cookies and form submissions). An attacker can also manipulate the response from the server to the client and inject their own content. This can be injecting their own images, their own JavaScript, or changing the text on the web page. In 2011, this attack was publicized, well before "#fakenews" became a Twitter-trending topic.

The benefit to an attacker manipulating the response from the server is actually worthwhile. I, as an attacker, can inject JavaScript or images with exploits and break into the victim's computer. I can make "#fakenews" happen by manipulating content from otherwise-trusted news sources.

I touched on the cookies. When you have a session with phpBB, or any other website that maintains sessions, cookies are used. An attacker able to see those cookies is able to become you and take over your account because your request to the server contains those cookies. This happens on GET and POST requests, of course.

If you protect only the login page and no other pages, you are opening yourself to Man-in-the-Middle attacks. Cookies can be sniffed, content can be manipulated, it isn't worth it to protect only the login page.

https://www.httpvshttps.com/ is a fun place to see just how much faster HTTPS is compared to HTTP. The benefits far outweigh any reasons to not have HTTPS everywhere.
Proven Offensive Security Expertise. OSCP - GXPN
digitaltoast
Registered User
Posts: 105
Joined: Thu Oct 18, 2007 9:33 am

Re: Secure Login

Post by digitaltoast »

EDIT: Looks like Techie-Micheal beat me to what I was typing, and explained it better too! Here's what I had anyway...
Lumpy Burgertushie wrote: Thu Feb 02, 2017 10:08 pm Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?
Because if you are an admin and someone intercepts your login data or session cookies/data after you've logged in, that person now has your entire user database, private messages and so on.

TLS also makes it far harder to inject fake iframes, spoof logins and so-on. And as I said before, it greatly improves speed and efficiency.

And if you're not able to easily install a free certificate from Let's Encrypt, then just use the free Cloudflare service.

There's no reason NOT to use it, so... why not use it?
AmigoJack
Registered User
Posts: 6106
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Secure Login

Post by AmigoJack »

digitaltoast wrote: Thu Feb 02, 2017 10:28 pm if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on
This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block. Also I don't know how an administrator is able to access PMs - if you're referring to exporting the database then I have to say: good luck with one that easily eats 4 GiB in a backup file.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
Seibertron
Registered User
Posts: 57
Joined: Tue Oct 01, 2002 7:54 pm
Location: Chicago, IL

Re: Secure Login

Post by Seibertron »

FYI ... a few hours back, I figured out how to get my whole domain running under https. Courtesy of Plesk Onyx, Let's Encrypt is now available as an extension. After a few modifications to Plesk, htaccess and phpBB, my domain shows as "secure" now.

If you run Plesk, instructions for how to set up SSL for your domain can be found here: https://www.plesk.com/blog/lets-encrypt-plesk/

Here's my secure phpBB forum: [REMOVED UNNECESSARY LINK]

Now, if I can just figure out how to handle external images that users post in their topic replies so that the mixed content doesn't throw an error.
Last edited by bonelifer on Sat Feb 04, 2017 4:58 am, edited 1 time in total.
Reason: Removed unnecessary link
Seibertron.com
http://www.seibertron.com
The Ultimate Transformers Fansite
Ger
Registered User
Posts: 2107
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Re: Secure Login

Post by Ger »

Seibertron wrote: Fri Feb 03, 2017 8:18 am Now, if I can just figure out how to handle external images that users post in their topic replies so that the mixed content doesn't throw an error.
You might want to check here. Paul points to an extension created by phpBB for this issue.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:

-Don't PM me for support-
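The mixed-content problem Seibertron and Ger are discussing (user posts embedding http:// images on a page that is now served over https://) can be caught before the browser complains. The scanner below is an added example, not phpBB code and not the extension Ger refers to; it walks post HTML with the standard-library parser, reports every sub-resource that would be fetched over plain HTTP, and optionally rewrites those URLs to https://. The sample post body and the example.test hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource. An http:// URL in one
# of these on a page served over https:// is mixed content. Plain links
# (<a href>) are navigation, not sub-resources, and are deliberately left out.
URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every sub-resource loaded over http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value and urlsplit(value.strip()).scheme == "http":
                self.findings.append((tag, name, value.strip()))


def find_mixed_content(html):
    """Return the list of http:// sub-resource references found in `html`."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html):
    """Rewrite each flagged http:// sub-resource URL to https://.

    This only helps when the remote host actually serves the file over https;
    if it does not, the image fails to load instead of triggering a
    mixed-content warning, which is still the safer failure. Every occurrence
    of the exact URL string is replaced.
    """
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample post body (not real forum data).
SAMPLE_POST = (
    "<p>Look at this:</p>"
    '<img src="http://images.example.test/robot.png" alt="robot">'
    '<img src="https://cdn.example.test/safe.png" alt="safe">'
    '<a href="http://example.test/page">a plain link is fine</a>'
)

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_POST):
        print(f"mixed content: <{tag} {attr}={url!r}>")
```

Running the scan at post-submission time lets the board reject or rewrite the reference; for images that simply are not available over https, the usual remedies are proxying them through your own origin or sending a `Content-Security-Policy: upgrade-insecure-requests` header so the browser attempts the https fetch itself.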
Saint_hh
Registered User
Posts: 363
Joined: Thu Mar 31, 2005 5:16 pm
Location: Hamburg / Germany
Name: Kevin

Re: Secure Login

Post by Saint_hh »

Very interesting topic!
Techie-Micheal wrote: Thu Feb 02, 2017 10:22 pm [...] to see just how much faster HTTPS is compared to HTTP. The benefits far outweigh any reasons to not have HTTPS everywhere.
How about the server load compared between http and https?
For every connection the server has to do the encryption additionally, correct? Will it increase the load significantly?
I'm asking because I had a discussion with my host about installing free certificates to use HTTPS. And he had concerns that the load on the servers would grow way higher.
digitaltoast
Registered User
Posts: 105
Joined: Thu Oct 18, 2007 9:33 am

Re: Secure Login

Post by digitaltoast »

Saint_hh wrote: Fri Feb 03, 2017 1:48 pm How about the server load compared between http and https?
For every connection the server has to do the encryption additionally, correct? Will it increase the load significantly?
The "cost" of encrypting that first connection is negligible - around 5ms (0.005 seconds) and around 1% increase in CPU.
BUT offset against that is that once that connection is made, you can multiplex and send a whole lot more in one go.
https://www.keycdn.com/blog/https-performance-overhead/
https://www.maxcdn.com/blog/ssl-performance-myth/
digitaltoast
Registered User
Posts: 105
Joined: Thu Oct 18, 2007 9:33 am

Re: Secure Login

Post by digitaltoast »

AmigoJack wrote: Fri Feb 03, 2017 8:01 am
digitaltoast wrote: Thu Feb 02, 2017 10:28 pm if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on
This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block.
Hmmm, I'm on flaky rural broadband and I get disconnected about 3 times a day; twice so far today, and I get completely different IP blocks, 94.9.66.x and 94.12.191.x,
which is unusual because I often end up with a 2.x.x.x address, and yet I haven't had to log in to phpBB or my own forum for ages (running 3.2).

Also, isn't there the "x-forwarded-for" attack possible?
AmigoJack wrote: Fri Feb 03, 2017 8:01 am Also I don't know how an administrator is able to access PMs - if you're referring to exporting the database then I have to say: good luck with one that easily eats 4 GiB in a backup file.
Why? Straight to "database backup" in ACP, run a backup, select for download - should take a matter of minutes with a broadband connection.
noth
Registered User
Posts: 2528
Joined: Fri Jan 07, 2005 7:10 pm
Location: North Surrey

Re: Secure Login

Post by noth »

Pony99CA wrote: Mon Feb 03, 2014 9:19 pm While I realize that the responses saying that HTTPS is worthless for boards are old, you will notice that phpbb.com now uses HTTPS. :D

Steve
Yeah, and it has done for a while.

Why was the decision made to have phpbb.com use HTTPS? What's the rationale behind this?

have you seen this news report from last week? sheeeesh kebab :o
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

AmigoJack wrote: Fri Feb 03, 2017 8:01 am
digitaltoast wrote: Thu Feb 02, 2017 10:28 pm if you are an admin and someone intercepts your login data or session cookies/data after you've logged in that person now has your entire user database, private messages and so on
This isn't true either: phpBB checks the session against the IPv4 address, so it would be invalidated unless the attacker is within the same block.
In a typical MitM attack, they would be. The "coffee house attack" would have the attacker egress from the same internet connection as the victim, giving the attacker and the victim the same IP address.
Proven Offensive Security Expertise. OSCP - GXPN
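Two things in the exchange above are worth seeing in code: digitaltoast's question about X-Forwarded-For, and Techie-Micheal's point that an attacker on the same connection shares the victim's address, so an IP-bound session is not a substitute for TLS. The example below is added here and is not phpBB's session code; it models the "same block" comparison from the ACP's session IP validation setting as a configurable octet count, and it shows the usual defence against header spoofing: X-Forwarded-For is honoured only when the TCP peer is one of your own reverse proxies. The 10.0.0.0/8 proxy range is a constructed assumption; the 94.9.66.x and 94.12.191.x addresses are the ones digitaltoast quoted.

```python
import ipaddress

# Constructed value (not phpBB configuration): the reverse proxies we operate
# ourselves. Only these are allowed to tell us the real client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a session should be bound to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies. A header sent by an arbitrary client is ignored, so a visitor
    cannot choose the address the session check compares against.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in trusted_proxies):
        # Our proxy appends the address it accepted the connection from, so the
        # right-most entry is the one it vouches for; earlier entries are hearsay.
        candidate = x_forwarded_for.split(",")[-1].strip()
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return peer


def session_ip_matches(session_ip, current_ip, octets=3):
    """phpBB-style 'Session IP validation': compare the first `octets` octets
    of two IPv4 addresses; octets=0 disables the check entirely.

    IPv6 addresses are compared in full, since octet counting is IPv4-specific.
    """
    a = ipaddress.ip_address(session_ip)
    b = ipaddress.ip_address(current_ip)
    if octets == 0:
        return True
    if a.version != b.version:
        return False
    if a.version == 6:
        return a == b
    return a.packed[:octets] == b.packed[:octets]


if __name__ == "__main__":
    # A client that sets its own X-Forwarded-For gains nothing: the peer is not a proxy.
    print(client_ip("94.9.66.10", x_forwarded_for="203.0.113.9"))
    # Behind our proxy the forwarded address is used instead.
    print(client_ip("10.0.0.5", x_forwarded_for="94.9.66.10"))
    # Same coffee-shop NAT address as the victim: the check passes, as Techie-Micheal notes.
    print(session_ip_matches("94.9.66.10", "94.9.66.10"))
```

The last call is the limitation Techie-Micheal describes: when attacker and victim leave through the same NAT, the stored and current addresses are identical at any octet setting, so the comparison passes and only TLS keeps the cookie out of the attacker's hands.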
noth
Registered User
Posts: 2528
Joined: Fri Jan 07, 2005 7:10 pm
Location: North Surrey

Re: Secure Login

Post by noth »

It seems that if you go the HTTPS route you also need to be legacy compatible. You need to ensure that someone with an old Android tablet, or one they bought that doesn't have Google's software available, is able to visit using a browser that can't use certificates or might have difficulty rendering sites that have them.
But we also need to be legacy compatible. We want someone with an old Android tablet or one they bought that doesn't have Google's software available to be able to visit using a browser that can't use certificates or might have difficulty rendering sites that have them. If you visit http://www.androidcentral.com (notice the use of http versus https) you'll see the info icon. You can click on that icon and it will tell you that your connection isn't secured.

Many sites are this way, so be sure to update all your bookmarks to use the https address!

Chrome isn't the only browser that helps make sure you're safe on the web. Microsoft, Mozilla, Apple and everyone else wants your experience to be the best it can be so you keep using their products. But Chrome gives plenty of details to help you know what's going on and we want to make sure you know how to find them.
Just reading an Android news article which includes their view that your site should keep an HTTP version for old tablets and PCs but have an HTTPS version for those who sneer at HTTP.

My thoughts are if you are going to place a forced redirect on all users who try and use your old http address (to the new https one you just created) then that is not going to run with Android's ideas of having 2 separate versions
AmigoJack
Registered User
Posts: 6106
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Secure Login

Post by AmigoJack »

noth wrote: Sun Feb 05, 2017 9:57 am My thoughts are if you are going to place a forced redirect on all users who try and use your old http address (to the new https one you just created) then that is not going to run with Android's ideas of having 2 separate versions
Not only that: it'd be inconsistent. If you don't want to serve HTTP then don't listen to HTTP requests at all. That would be a better idea for websites whose only response is a redirect to an HTTPS location.

It's like having a telephone number in the city to appear to be a local company, which then just forwards the call across half of the country. With the same advantages and disadvantages.

Techie-Micheal wrote: Sat Feb 04, 2017 5:03 am The "coffee house attack" would have the attacker egress from the same internet connection as the victim
Yes, of course: HTTPS is a solution to a problem which should be avoided in the first place: using administrator credentials through a third party network. Given all the VPN and cloud usage I wonder if even a fraction of users understand that they're prone to this scenario as well.

digitaltoast wrote: Fri Feb 03, 2017 2:19 pm should take a matter of minutes with a broadband connection.
Creating the backup is not bound to the broadband connection. And neither are PHP timeouts. Have you actually tried to do that on the given size, or are you just assuming?
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

AmigoJack wrote: Sun Feb 05, 2017 11:28 am
noth wrote: Sun Feb 05, 2017 9:57 am My thoughts are if you are going to place a forced redirect on all users who try and use your old http address (to the new https one you just created) then that is not going to run with Android's ideas of having 2 separate versions
Not only that: it'd be inconsistent. If you don't want to serve HTTP then don't listen to HTTP requests at all. That would be a better idea for websites whose only response is a redirect to an HTTPS location.
The usability factor would be significantly reduced. There is nothing wrong from a security standpoint with having the redirect from HTTP to HTTPS. I, and many other security practitioners, encourage having that redirect.
AmigoJack wrote: Sun Feb 05, 2017 11:28 am It's like having a telephone number in the city to appear to be a local company, which then just forwards the call across half of the country. With the same advantages and disadvantages.
Sorry, but I disagree. It's like having a phone number that people know and don't have to update or change any behavior to continue using the service.

AmigoJack wrote: Sun Feb 05, 2017 11:28 am
Techie-Micheal wrote: Sat Feb 04, 2017 5:03 am The "coffee house attack" would have the attacker egress from the same internet connection as the victim
Yes, of course: HTTPS is a solution to a problem which should be avoided in the first place: using administrator credentials through a third party network. Given all the VPN and cloud usage I wonder if even a fraction of users understand that they're prone to this scenario as well.
Let's back up. TLS serves two main roles: encryption in transit and integrity checking.

Your statement assumes most people use VPNs. They don't, at least not here in the US. Secondly, as I outlined above, sending the administrator credentials is not the only issue here.
an attacker can inject in to the request stream as well as the response stream and manipulate the content that the browser is sending (and receiving)
Even if your website has completely static content, TLS provides the ability to prevent someone from injecting malicious or misleading content.
Proven Offensive Security Expertise. OSCP - GXPN
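Techie-Micheal's two posts above make the same argument from both ends: without TLS the session cookie rides along on every GET and POST and the response body can be altered in transit, and the fix is HTTPS everywhere with a redirect from HTTP rather than HTTPS on the login page alone. The following is an added example, not phpBB code, showing the server-side pieces that go with that advice in one small front controller: a permanent redirect of plain-HTTP requests to the same URL on https, a Strict-Transport-Security header so returning browsers never make the plain-HTTP request again, and Secure/HttpOnly/SameSite attributes on every session cookie so the cookie is never sent in clear and is not readable by injected script. The request and response dictionaries, the demo application and the cookie name are all constructed for the demonstration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

# One year, applied to subdomains too. Browsers ignore HSTS received over plain
# HTTP, so it is only attached to https responses below.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def redirect_to_https(request):
    """Return a 301 to the same URL on https, or None if already on https."""
    if request["scheme"] == "https":
        return None
    target = urlunsplit(("https", request["host"], request["path"], request.get("query", ""), ""))
    return {"status": 301, "headers": {"Location": target}, "body": b""}


def harden_response(response, https=True):
    """Add HSTS and mark every Set-Cookie Secure, HttpOnly and SameSite=Lax."""
    headers = dict(response.get("headers", {}))
    if https:
        headers["Strict-Transport-Security"] = HSTS_VALUE
    hardened_cookies = []
    for raw in response.get("set_cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for morsel in jar.values():
            morsel["secure"] = True      # never transmitted over plain http
            morsel["httponly"] = True    # not readable by injected JavaScript
            morsel["samesite"] = "Lax"   # not attached to cross-site POSTs
            hardened_cookies.append(morsel.OutputString())
    return {**response, "headers": headers, "set_cookie": hardened_cookies}


def handle(request, app):
    """Front controller: redirect plain http, otherwise serve and harden."""
    redirect = redirect_to_https(request)
    if redirect is not None:
        return redirect
    return harden_response(app(request), https=True)


def demo_app(request):
    """Constructed stand-in for the forum application (not phpBB code)."""
    return {
        "status": 200,
        "headers": {"Content-Type": "text/html"},
        "set_cookie": ["phpbb3_sid=abc123; Path=/"],  # constructed cookie name and value
        "body": b"<html>...</html>",
    }


if __name__ == "__main__":
    plain = {"scheme": "http", "host": "forum.example.test", "path": "/ucp.php", "query": "mode=login"}
    print(handle(plain, demo_app))                      # 301 to https://forum.example.test/ucp.php?mode=login
    print(handle({**plain, "scheme": "https"}, demo_app))  # 200 with HSTS and hardened cookie
```

The redirect answers AmigoJack's consistency objection in practice: old bookmarks and typed addresses keep working, but after the first visit HSTS means the browser rewrites them to https itself, so the plain-HTTP listener only ever sees first contact.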
Seibertron
Registered User
Posts: 57
Joined: Tue Oct 01, 2002 7:54 pm
Location: Chicago, IL

Re: Secure Login

Post by Seibertron »

:D That summed up most of why I made the leap last week. There are few reasons not to make this change. I almost coughed up the $150 for a 3 year SSL with GoDaddy last week just to do it before I accidentally found out that Let's Encrypt was available through Plesk. 4 to 6 hours later, everything was good to go after some troubleshooting and modifying various code on a 17 year old website. I love seeing the word "Secure" next to my domain's URL in Chrome now. My website/business has a lot of competitors. Figuring out how to do this gives me an edge over their websites if they don't know how or can't afford to do this. In the meantime, my site shows as Secure and the competitors, with one exception, don't show that.

This change is happening whether you want it to or not. Embrace it and figure out how to play with the new rules on the Internet, or be left behind.
Last edited by Seibertron on Wed Feb 08, 2017 4:14 am, edited 2 times in total.
Seibertron.com
http://www.seibertron.com
The Ultimate Transformers Fansite