
This bulletin board does not use https

Posted: Sun Oct 22, 2017 11:37 pm
by UK_Eliter
Dear all

I imagine this has been discussed before - though I can't find any such discussion - but why does this board use the insecure http protocol and not rather the secure https? I'd prefer the latter!

Re: This bulletin board does not use https

Posted: Sun Oct 22, 2017 11:48 pm
by Cody
I've no idea what that would entail, but it'd be down to Giles (or perhaps Jens) to sort out, and neither are about much.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 5:40 am
by Diziet Sma
Yep.. It would be up to Giles, as owner of the domain, to arrange an SSL certificate. Unfortunately, they're not free. Prices typically range from $70 - $250 or more per year, depending on your registrar and what kind of site you run. So there's that to consider also.


Edit: I did a little digging using 'whois', and found Giles' hosting company. Here's a list of their SSL Certificate prices.



Image

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 12:01 pm
by Cody
Of more importance to me would be repair and upgrade of the forum software - and an alternative colour scheme.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 3:49 pm
by Diziet Sma
Cody wrote: Mon Oct 23, 2017 12:01 pm
Of more importance to me would be repair and upgrade of the forum software - and an alternative colour scheme.

That gets my vote!

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 4:21 pm
by UK_Eliter
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 4:38 pm
by Cody
UK_Eliter wrote: Mon Oct 23, 2017 4:21 pm
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

No idea really, but I expect that's a current price/feature list, and this software hasn't been upgraded properly for a fair while.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 4:40 pm
by UK_Eliter
I think the most important thing is security (and I don't mind the board interface). We don't want a flood of spam, or people's credentials being stolen. We did get hacked by some bot once before, I seem to recall. I am afraid I can't contribute a hosting computer or any relevant programming or systems administration ability, but I could donate a few quid if that would help.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 4:53 pm
by Diziet Sma
UK_Eliter wrote: Mon Oct 23, 2017 4:21 pm
Am I to take it from the image that the site might have SSL already, only not a version that registers in the browser?

No.. even the cheapest option will put a padlock icon in the browser address bar. Pricier options turn the bar green as well. But neither Oolite's BB nor the Oolite.org website has a padlock icon.

UK_Eliter wrote: Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Yes, they absolutely can! It would, of course, still need someone with admin rights to the server to set it up.

And thank you SO much for that link! I've been wanting to add SSL encryption to my family's business website for a while now. This means there's one less annual cost involved. Much appreciated!

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 4:54 pm
by cim
UK_Eliter wrote: Mon Oct 23, 2017 4:21 pm
Also, what about Let's Encrypt? Can that organisation provide us with free SSL? I don't know how these things work.

Let's Encrypt is an excellent provider - I use them for my sites - but it depends whether the hosting provider supports it.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 5:09 pm
by Diziet Sma
UK_Eliter wrote: Mon Oct 23, 2017 4:40 pm
I think the most important thing is security (and I don't mind the board interface). We don't want a flood of spam, or people's credentials being stolen. We did get hacked by some bot once before, I seem to recall.

I think you may be over-estimating what https can do, a little.. :wink: :)

Essentially, it encrypts all data sent between the browser and server, in both directions. From the perspective of a BB like ours, the practical benefit is that member logins would be encrypted. This means that passwords are no longer transmitted in plain text. Plain text logins are easily "sniffed" during transmission, by anyone with the motive and means (not a high barrier) to do so. I'm not privy to the details of the bot hack, but I doubt it was done by sniffing an admin's password. A password guessing bot would be my first guess, and against those, the only defence is a high quality password.

Https is not going to result in a reduction in spam attempts, either. Spam bots will still be able to connect to the account creation page, to try and create an account, and then log in. There are tools and organisations available to help keep almost all spammers out of the forum, and I'm an admin on a forum that uses them. They work very well. But they won't work with the antiquated BB software we use here. The upgrade Cody spoke of would go a long way in helping with that particular problem.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 5:24 pm
by UK_Eliter
Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good. I believe that the aforementioned vulnerability would be rendered safe by a VPN (but not everyone using these boards has one) and perhaps by operating system and/or router patches (but perhaps not everyone's system would be patched).

By the way: by 'I don't mind the board interface' I didn't mean that I don't how the interface is. Rather I meant I am happy enough with the current interface.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 6:32 pm
by Diziet Sma
UK_Eliter wrote: Mon Oct 23, 2017 5:24 pm
Dizzy: ah, yes, right. But still, especially given the 'KRACK' vulnerability, SSL would indeed - as you'd agree, I think - be good.

Hmm.. I'd missed seeing that one. And yeah, it's nasty. Yes, SSL would help protect against passwords to the BB being obtained via that attack.

UK_Eliter wrote: Mon Oct 23, 2017 5:24 pm
I believe that the aforementioned vulnerability would be rendered safe by a VPN (but not everyone using these boards has one) and perhaps by operating system and/or router patches (but perhaps not everyone's system would be patched).

In some ways yes, in others no. SSL does essentially the same thing as a VPN, in a more limited way. But a VPN won't stop someone using KRACK to break into your home wi-fi network, for example.


UK_Eliter wrote: Mon Oct 23, 2017 5:24 pm
By the way: by 'I don't mind the board interface' I didn't mean that I don't how the interface is. Rather I meant I am happy enough with the current interface.

I'm happy enough with the current interface as well.. (APART FROM THE MISSING "LIKE" BUTTON!!!) But unfortunately, this forum software is showing its age. The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.

Re: This bulletin board does not use https

Posted: Mon Oct 23, 2017 9:02 pm
by Cody
Diziet Sma wrote: Mon Oct 23, 2017 6:32 pm
The fact we even need Spam Assassins is proof of that. There are better ways to handle spam.

That'd be the only way being made redundant could make me happy!