phpBB Team's website forum versions

Heo32
Registered User
Posts: 142
Joined: Sat Jan 07, 2017 10:08 pm

phpBB Team's website forum versions

Post by Heo32 »

These are all of the outdated forums I found of the phpBB Team here, which are all accessible from their profiles:


**links removed**

I have a few questions now:

1. Why are some of you not strictly enforcing the use of TLS with a return 301 redirect for your server like the other 3 with https do?
2. Are any of you planning on updating your forums?
3. Are any of you concerned about the security of your websites?
4. If you are planning on updating, are you waiting until your site and/or forums are compromised, or do you have a plan?
5. Why have a website and advertise it in your profiles if you don't maintain the software and run the latest security protocols?

*Edit*
- Altered the first question regarding TLS. Even though the boards listed above support the default protocol of "http", they also support "https", but it is not strictly enforced with a 301 redirect. This means that their users are being allowed to log into their forums by passing their non-encrypted, plain text passwords over the Internet. If they use their password for other purposes (e.g. banking), then they could be compromised by an attacker.
- Removed 2 boards from the list above that recently updated their CHANGELOG.html file to reflect an up-to-date board. The rest that do not appear to have been updated have remained.
Last edited by JimA on Fri Jan 10, 2020 12:33 pm, edited 2 times in total.
Reason: Links removed
stevemaury wrote:
Sun May 20, 2018 8:16 pm
I went to your board and looked for an hour or so, but did not see the women without underwear.
Is this for you?
Windows + Nginx + PHP + MySQL + phpBB + WordPress + Cloudflare

Content-Security-Policy:
Allow using Content-Security-Policy without unsafe-inline

david63
Registered User
Posts: 17041
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: phpBB Team's website forum versions

Post by david63 »

My personal opinion is that it is nothing to do with anyone else as to which version (or even which software) anyone else uses - be they a Team member or not.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Crizzo
Translations & International Support Teams Manager
Posts: 1009
Joined: Thu Apr 23, 2009 1:20 pm
Location: Germany
Name: Christian

Re: phpBB Team's website forum versions

Post by Crizzo »

I don't get the point of your topic.

And why did you link my forum at all? I use https and I am on phpBB 3.3.0. To what should I update? :?
My extensions for phpBB: crizzo.de
German phpBB Support at www.phpbb.de

HiFiKabin
Community Team Member
Posts: 4276
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: phpBB Team's website forum versions

Post by HiFiKabin »

Despite what that says the HiFi Kabin is running 3.2.9, and some of my other boards are 3.3.0. Not that I see that it matters what version I or any other team member decides to use as their board.

The Docs directory is not a reliable way of checking what version anyone is running anyway so I rarely update it, but if it really matters to you I will update it now.

AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: phpBB Team's website forum versions

Post by AmigoJack »

Heo32 wrote:
Wed Jan 08, 2020 10:25 am
1. Why are some of you not using TLS?
That website supports HTTPS while you seem to insist on using HTTP. Are you sure you understood that security is not a one way street?
Last edited by Mick on Fri Jan 10, 2020 12:56 pm, edited 1 time in total.
Reason: Link removed.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Heo32
Registered User
Posts: 142
Joined: Sat Jan 07, 2017 10:08 pm

Re: phpBB Team's website forum versions

Post by Heo32 »

My original topic has been edited. :)
Crizzo wrote:
Wed Jan 08, 2020 11:36 am
I use https and I am on phpBB 3.3.0. To what should I update? :?
You're fine now regarding the latest phpBB version and https with redirects. As for what else should be updated, I'm glad you asked. Here are a few bonuses, yet they don't cover everything:

- Your server is running Apache. So you should disable the server header.
- You don't use Strict-Transport-Security
- You don't use a Content-Security-Policy
- You don't use X-Frame-Options
- You don't use a Feature-Policy
- Source: https://securityheaders.com/?q=https%3A ... directs=on

- The Mozilla Observatory graded your site with an F
- Source: https://observatory.mozilla.org/analyze/www.crizzo.de

- Your site can't be graded for a CSP since it doesn't have one
- Source: https://csp-evaluator.withgoogle.com/

- Your certificates are well implemented, however, your site allows the use of obsolete TLS cyphers such as 1.0 and 1.1, which are weak and vulnerable. You should only be using 1.2 and 1.3 instead.
- Source: https://www.ssllabs.com/ssltest/analyze ... Results=on

There are more tests that could be run, but I'll leave it at that.
HiFiKabin wrote:
Wed Jan 08, 2020 5:24 pm
The Docs directory is not a reliable way of checking what version anyone is running anyway so I rarely update it
You're right. I see you enforce a https 301 redirect and your forums are up to date, so your link has been removed from the list. That is not to say there aren't other issues I've found. I'll leave it at that.
AmigoJack wrote:
Thu Jan 09, 2020 11:12 am
Are you sure you understood that security is not a one way street?
Do you want me to evaluate your website next?
Last edited by JimA on Fri Jan 10, 2020 3:05 pm, edited 1 time in total.
Reason: Removed links
stevemaury wrote:
Sun May 20, 2018 8:16 pm
I went to your board and looked for an hour or so, but did not see the women without underwear.
Is this for you?
Windows + Nginx + PHP + MySQL + phpBB + WordPress + Cloudflare

Content-Security-Policy:
Allow using Content-Security-Policy without unsafe-inline
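
The checks listed in the post above (an enforced permanent redirect to HTTPS, Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Feature-Policy and the Server header), written as a Python audit for a board owner to run over their own site's responses. This is an added example, not part of the original thread; the host name, the sample responses and the finding labels are constructed, and because Feature-Policy has since been renamed Permissions-Policy, either header is accepted.

```python
from urllib.parse import urlsplit

REQUIRED = ("strict-transport-security", "content-security-policy", "x-frame-options")

def lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(host, http_resp, https_resp):
    """Each response is (status, headers). Returns finding labels (names are made up here)."""
    findings = []
    status, headers = http_resp
    target = urlsplit(lower_keys(headers).get("location", ""))
    # "Enforced" = permanent redirect (301, or its method-preserving twin 308) to https on the same host.
    if status not in (301, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("http-not-redirected")
    h = lower_keys(https_resp[1])
    findings += [f"missing:{name}" for name in REQUIRED if name not in h]
    # Feature-Policy has since been renamed Permissions-Policy; either one counts.
    if "feature-policy" not in h and "permissions-policy" not in h:
        findings.append("missing:permissions-policy")
    # max-age=0 removes the HSTS entry and a missing max-age makes the header invalid.
    if "strict-transport-security" in h and not hsts_max_age(h["strict-transport-security"]):
        findings.append("hsts-ineffective")
    # A digit in Server (e.g. "Apache/2.4.x") means the version is being disclosed.
    if any(c.isdigit() for c in h.get("server", "")):
        findings.append("server-version-disclosed")
    return findings

# Constructed sample responses for a hypothetical board, not taken from any real site.
HOST = "forum.example.test"
WEAK_HTTP = (200, {"Server": "Apache/2.4.41 (Unix)", "Content-Type": "text/html"})
WEAK_HTTPS = (200, {"Server": "Apache/2.4.41 (Unix)", "Content-Type": "text/html"})
GOOD_HTTP = (301, {"Location": "https://forum.example.test/", "Server": "Apache"})
GOOD_HTTPS = (200, {"Server": "Apache",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
                    "X-Frame-Options": "SAMEORIGIN",
                    "Permissions-Policy": "geolocation=(), camera=()"})

if __name__ == "__main__":
    print(audit(HOST, WEAK_HTTP, WEAK_HTTPS), audit(HOST, GOOD_HTTP, GOOD_HTTPS))
```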

bubbathegimp
Registered User
Posts: 81
Joined: Tue Sep 25, 2018 8:02 pm
Location: Bronston
Name: Robert Anderson

Re: phpBB Team's website forum versions

Post by bubbathegimp »

If you are on a shared server, it's not always possible to enable some of the security features such as X-Frame options, disabling Apache or Nginx info etc. You need to have access to the server's root configuration, not the configuration files in your little slice of the pie...
Been there, tried that..
Old enough to remember when Water was free, and you had to pay for Porn :o

AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: phpBB Team's website forum versions

Post by AmigoJack »

Heo32 wrote:
Thu Jan 09, 2020 11:40 pm
Do you want me to evaluate your website next?
Please don't, as you're still unable to query HTTPS yourself and assume it being absent when querying HTTP.

david63
Registered User
Posts: 17041
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: phpBB Team's website forum versions

Post by david63 »

@ Heo32

May I enquire who appointed you as the phpBB Internet police and what authority do you have to publish information about other members' websites without their permission?

warmweer
Registered User
Posts: 3501
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: phpBB Team's website forum versions

Post by warmweer »

david63 wrote:
Fri Jan 10, 2020 8:27 am
@ Heo32

May I enquire who appointed you as the phpBB Internet police and what authority do you have to publish information about other members' websites without their permission?
I don't see any problem with the information published as that info is public anyway, as are the tools being used to get some more "hidden" info.
I do have a problem with the insinuation that the sites are just waiting to be compromised.

Also, thanks to some of the "low-level" security issues mentioned, many, and I emphasise many support issues about members' forums can be solved thanks to some information being sent sometimes allowing a quick and simple identification of the problem's origin.

We're not talking about banking sites are we? Plus, some of the items mentioned are the responsibility of the host and not of the board admin/founder.
Brexit and Trump are old news and currently I have no inspiration for a new signature.
Ow, wait: 3.3 has been released.

Heo32
Registered User
Posts: 142
Joined: Sat Jan 07, 2017 10:08 pm

Re: phpBB Team's website forum versions

Post by Heo32 »

AmigoJack wrote:
Fri Jan 10, 2020 7:21 am
Please don't, as you're still unable to query HTTPS yourself and assume it being absent when querying HTTP.
It is understandable that you are concerned with having your site getting evaluated, and not just for https. I know that you use it. It should redirect all traffic to https by default, but it doesn't, and that's a problem for all your members. There are plenty of other issues I've noticed with your website besides just https, AmigoJack. I won't go into them since you didn't ask, plus this topic was never made for you. You're not a Team Member.
warmweer wrote:
Fri Jan 10, 2020 8:58 am
I don't see any problem with the information published as that info is public anyway, as are the tools being used to get some more "hidden" info.
I do have a problem with the insinuation that the sites are just waiting to be compromised.
I don't see any problem either. Crizzo asked what else he/she should update, so I gave some pointers. All of the sites listed in the topic, which are owned by Team Members of phpBB, could be compromised more easily simply for not using the tools and resources available on the Internet. I've given the links. Now it's up to the Team Members to use them. On top of that, getting with the times by using TLS and updating your forums to the latest version would be a smart move, would it not?

Here's a scenario:

Imagine someone that works for Microsoft. Now imagine that they're responsible for fixing bugs in Windows 10. They also happen to be the one that created that big annoying notification that pops up on everyone's monitor to warn them that support for Windows 7 is ending soon, and that they should update to the latest version of Windows 10. Now picture that Microsoft employee running Windows XP at home to surf the Internet. Or better yet, Windows 98SE. That would be hilarious.

*Knock on wood*

I'm still waiting to see if anyone is going to answer any of the original questions I had asked:
1. Why are some of you not strictly enforcing the use of TLS with a return 301 redirect for your server like the other 3 with https do?
2. Are any of you planning on updating your forums?
3. Are any of you concerned about the security of your websites?
4. If you are planning on updating, are you waiting until your site and/or forums are compromised, or do you have a plan?
5. Why have a website and advertise it in your profiles if you don't maintain the software and run the latest security protocols?
Still, nothing yet.

Marc
Development Team Leader
Posts: 5441
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: phpBB Team's website forum versions

Post by Marc »

Got to love topics which only seem to have the purpose of publicly shaming team members.

You seem to be demanding answers so let me make it clear that I don't condone any of this and don't expect anyone else to reply to your questions.

Going to answer this for my site cause I think it's rather hilarious:
1. Does not apply
2. Does not apply as already up to date
3. Of course, always
4. Does not apply as already up to date
5. Does not apply

I'll go back to maintaining phpBB now. Thanks for wasting my time.

AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: phpBB Team's website forum versions

Post by AmigoJack »

Heo32 wrote:
Fri Jan 10, 2020 9:55 am
It should redirect all traffic to https by default, but it doesn't, and that's a problem for all your members.
No, it's just that anybody thinks this must be done, when in fact the site also continues to support HTTP for everyone in need of it (i.e. as a guest with a bad internet connection).
Heo32 wrote:
Fri Jan 10, 2020 9:55 am
There are plenty of other issues I've noticed with your website besides just https
I'd like to read all of them in a PM - it's just I assume your interpretation is different from mine.
Heo32 wrote:
Fri Jan 10, 2020 9:55 am
this topic was never made for you. You're not a Team Member.
But it's a topic and you already replied to me without telling me this is not meant to me. Why haven't you started to PM all specific website owners? You know how phpBB works and how the community works.
Heo32 wrote:
Fri Jan 10, 2020 9:55 am
Now picture that Microsoft employee running Windows XP at home to surf the Internet. Or better yet, Windows 98SE. That would be hilarious.
Yet it is possible and it is also possible to do it safely. Don't overly exclude scenarios just because of one of its factors.
Heo32 wrote:
Wed Jan 08, 2020 10:25 am
I have a few questions now:
  1. Because HTTP is still needed. Each login warns a user to switch to HTTP. Enforcing a redirect to HTTPS would break HTTP completely for those queries where HTTPS would not add any protection anyway.
  2. If you mean phpBB wise: no.
  3. Little.
  4. No plan: I can only improve and update what I happen to read upon elsewhere, irregularly.
  5. I do maintain the software and do run "latest" "security" "protocols". Unbound to that I'd also advertize websites which are not maintained thru me and have security issues.

JimA
Community Team Leader
Posts: 7685
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn

Re: phpBB Team's website forum versions

Post by JimA »

I'm going to close this topic now, it's gone on longer already than it should have.

I quite agree with Marc that this has started out as a form of public shaming for the sites that you have mentioned. Therefore I have also removed their links from your original posts as well. Next to this shaming, you have moved on further in the topic with forms of personal attacks that look a lot like threats. That's not acceptable here at phpBB.com.

If there's some question that you have for any of the phpBB Team members with regards to their sites, you can send them a private message. It'd be up to them if they reply to you. If you disagree with this decision, feel free to PM me. I would certainly reply to you. :)
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.
