Securification!

Zombie Squad news will be posted here.

Moderator: ZS Global Moderators

jnathan
Meat Popsicle
Posts: 1325
Joined: Mon May 05, 2008 11:45 am
Location: Illinois, USA

Securification!

Post by jnathan » Wed Aug 07, 2013 3:34 pm

Hi everyone,

Some of you may have noticed that over the past couple days we've enabled SSL on the forum and the ZS store. When you login to the forums, use the user control panel (UCP), register as a paying ZS member, renew your paid ZS membership and when you checkout using the ZS store your connection will automatically shift from http to https.

If you're not a technophile, this could be summarized as us making a long overdue step at protecting the information you give to us.

Along with these changes will inevitably come a brief period of some additional debugging, and that's where you come in. If you notice strange behavior that you have not noticed in the past, please send a private message to the ZS Admin team by selecting "Administrators" from the Groups box off to the right and then clicking on the "Add" button when you're composing a new private message.

Thanks for helping us improve the ZS forums,

-Jeff
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB


williaty
Posts: 1629
Joined: Sun Oct 09, 2011 1:50 am
Location: Midwest

Re: Securification!

Post by williaty » Thu Aug 08, 2013 2:10 am

Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (Why do all these attacks have to be named in all caps?) exploits?

Horatio_Tyllis
ZS Lifetime Member
Posts: 3013
Joined: Mon Apr 26, 2004 12:14 am
Favorite Zombie Movies: Dawn of the Dead 2004
Special Dead
Dead before Dawn 3d
Location: Niagara Falls, Canada

Re: Securification!

Post by Horatio_Tyllis » Thu Aug 08, 2013 9:59 am

how do I do this? :clap:
Winter driving guide: http://zombiehunters.org/forum/viewtopi ... =6&t=82858
Zimmy wrote:Intelligent safety conscious fireman snuffing telekinetic golems?
Our heroes are doomed without Gyrojet pistols firing antimatter tipped rockets!

iron_angel
Posts: 172
Joined: Fri Jul 06, 2012 9:50 am
Location: Newport News, VA

Re: Securification!

Post by iron_angel » Thu Aug 08, 2013 10:09 am

williaty wrote:Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (Why do all these attacks have to be named in all caps?) exploits?
There's some treatment of the issue here - https://community.qualys.com/blogs/secu ... ach-attack. Most of this is client-side mitigation, so there's not much the server admins can do other than the usual best practices like disabling SSL versions earlier than 3.0, enabling TLS 1.1 if the server supports it, and using good cipher suites. As a user, you can mitigate your risk somewhat by using a modern browser and keeping it patched, and otherwise following safe-browsing best practices. (Seriously, don't use IE <10 unless you're forced to, and don't use old Opera, Firefox or Chrome either. But, as someone who's had to use the tank of dog vomit known as ISNS, and the almost-equally-bad NMCI, I can sympathize with being forced to use bad software...)

The good news is that none of these attacks allow an attacker to grab a random TLS stream and decrypt it at their leisure - they have to mount a fairly targeted, concerted effort against a single user or at least a single site. We're probably not that important a target - though as with all preparations, that's no reason to get complacent.


ETA - Also, for the admins: is there any chance of enabling TLS universally for the entire site, or would that be a bit too heavyweight?

crypto
ZS Donor
Posts: 16633
Joined: Sun Oct 08, 2006 7:37 pm
Location: City of Saint Louis

Re: Securification!

Post by crypto » Thu Aug 08, 2013 10:57 am

williaty wrote:Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (Why do all these attacks have to be named in all caps?) exploits?
In a word, yes, we're aware of the new attacks against SSL and we're working on ways to mitigate them, but like every other website on the internet, we don't have a complete fix for it. No one does.

The portions of the store that handle payment info have always been secured, because we just hand the transaction portion off to the payment processor, but we wanted to secure the portions that go to our site, things like mailing address and such.


We figured you assholes would rather not be sending your forum usernames and passwords in cleartext, regardless.
MF'N TEAM LEADER

"Some people think that the best way to stop the leopard is to cut the horns off the gazelle. This, my friends, is insane."


jnathan
Meat Popsicle
Posts: 1325
Joined: Mon May 05, 2008 11:45 am
Location: Illinois, USA

Re: Securification!

Post by jnathan » Thu Aug 08, 2013 11:00 am

Hi folks,

I'm an information security researcher by day and while I appreciate the questions, the answers aren't immediately consumable by someone who doesn't do what I do for a living. Our configuration already disabled versions of SSL prior to 3.0 and was likewise configured to use strong ciphers.

If you read the original paper you see that there are really two things that make the most substantial difference in mitigation.
  1. Disable HTTP (GZip) compression
  2. Protect against CSRF (Cross-Site Request Forgery)
Our version of phpBB has some protections against CSRF already built in (e.g. anything linked as an image is evaluated to determine that it's an image, and the size of the image, before the text composing a post/reply is accepted).

Also, what crypto said. We do this for free for your benefit. :)

-Jeff
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB

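The "masking secrets" mitigation from the BREACH paper, which jnathan's second point (protect the CSRF token) and iron_angel's "not much the server admins can do" both circle around, as an added example that is not the forum's or phpBB's own code: the per-session secret is XORed with a fresh random mask on every response, so the bytes that reach a compressed page differ each time, while the server can still recover and verify the real token. All function names are this example's own.

```python
import base64
import binascii
import hmac
import os
from typing import Optional

# Per-session secret; in a real application this lives in the
# server-side session, never in the page itself.
def new_session_secret(length: int = 32) -> bytes:
    return os.urandom(length)

def mask_token(secret: bytes) -> str:
    """Return mask||(secret XOR mask), base64-encoded, with a new mask per call.

    Because the mask is random, two responses embedding the same secret carry
    different byte strings, so response length no longer correlates with the
    secret's content (the compression side channel BREACH relies on)."""
    mask = os.urandom(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")

def unmask_token(encoded: str, secret_length: int) -> Optional[bytes]:
    """Recover the secret from a masked token; None on any malformed input."""
    try:
        raw = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None
    if len(raw) != 2 * secret_length:
        return None
    mask, masked = raw[:secret_length], raw[secret_length:]
    return bytes(m ^ c for m, c in zip(mask, masked))

def verify_token(submitted: str, session_secret: bytes) -> bool:
    """Validate a form's CSRF field against the session secret.

    compare_digest keeps the comparison constant-time so the check itself
    does not become a timing oracle."""
    recovered = unmask_token(submitted, len(session_secret))
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_secret)

if __name__ == "__main__":
    secret = new_session_secret()
    form_token = mask_token(secret)   # what the server puts in the form
    print(form_token)
    print(verify_token(form_token, secret))  # expected: True
```

The secret itself stays stable for the session, so forms rendered earlier still validate; only its on-the-wire encoding changes.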

spanningtree
ZS Member
Posts: 320
Joined: Sun Jul 08, 2012 12:57 pm
Favorite Zombie Movies: Resident Evil
Location: LV,NV

Re: Securification!

Post by spanningtree » Thu Aug 08, 2013 11:14 am

Many thanks!

crypto
ZS Donor
Posts: 16633
Joined: Sun Oct 08, 2006 7:37 pm
Location: City of Saint Louis

Re: Securification!

Post by crypto » Thu Aug 08, 2013 11:33 am

Horatio_Tyllis wrote:how do I do this? :clap:
You don't do anything, we already made the change and now we're just looking for current weirdness reports to make sure we didn't mess anything up.
MF'N TEAM LEADER

"Some people think that the best way to stop the leopard is to cut the horns off the gazelle. This, my friends, is insane."


kbilly84
Posts: 1352
Joined: Thu Jul 07, 2011 8:24 am

Re: Securification!

Post by kbilly84 » Thu Aug 08, 2013 11:41 am

crypto wrote:You don't do anything, we already made the change and now we're just looking for current weirdness reports to make sure we didn't mess anything up.
The only weirdness I have to report is an issue with logging in. Yesterday, I thought it was just on my work PCs; turns out my laptop does it too. The solution is to check the "automatically log me in" box, something I usually do on my laptop (hence the lack of issues on my laptop). Then it works all fine-and-dandy. Maybe something to do with the https:// at the front of the URL?

Actually, you and jnathan were trying to help me out on IRC yesterday. (I was logged in there as "kb" instead of my full kbilly84).

ETA: oh, and when I click "Logout" after signing in with that box checked, I get an error screen that says: "You were not logged out, as the request did not match your session. Please contact the board administrator if you continue to experience problems." If I click "logout" from that screen, I'm out no problem, but if I let it go back to the previous screen, and logout, I get the error again.

Bearcat
Posts: 3950
Joined: Sun Oct 25, 2009 2:03 pm
Favorite Zombie Movies: Do I have to choose?
Location: Nasty Natti, Ohio

Re: Securification!

Post by Bearcat » Thu Aug 08, 2013 6:10 pm

The only weird thing I've noticed is that some of the outlines that border individual threads are missing. I know it's not a problem with my computer because I've seen it logging in on multiple computers. I don't think it's a major issue by any means, but nonetheless something to report.
Meat N' Taters wrote:Death rays, advanced technology or not, no creature wants to be stabbed in their hoo-hoo.
Jvandenhaus wrote:Zombie squad: If you aren't one of us, you wish you were.

Blacksheep
Posts: 1860
Joined: Tue Sep 14, 2010 8:27 pm

Re: Securification!

Post by Blacksheep » Sat Aug 24, 2013 7:23 am

My login keeps hiccupping... usually takes me a couple tries to get the login to go through
I never fit in. That's my role in life, to be the outcast.

ATEi

RIP- FiftySticks

Redemption
ZS Member
Posts: 425
Joined: Sat May 22, 2010 9:57 pm
Favorite Zombie Movies: anything with Bruce Campbell
Location: WV

Re: Securification!

Post by Redemption » Sun Sep 08, 2013 10:16 pm

kbilly84 wrote:
crypto wrote:You don't do anything, we already made the change and now we're just looking for current weirdness reports to make sure we didn't mess anything up.
The only weirdness I have to report is an issue with logging in. Yesterday, I thought it was just on my work PCs; turns out my laptop does it too. The solution is to check the "automatically log me in" box, something I usually do on my laptop (hence the lack of issues on my laptop). Then it works all fine-and-dandy. Maybe something to do with the https:// at the front of the URL?

Actually, you and jnathan were trying to help me out on IRC yesterday. (I was logged in there as "kb" instead of my full kbilly84).

ETA: oh, and when I click "Logout" after signing in with that box checked, I get an error screen that says: "You were not logged out, as the request did not match your session. Please contact the board administrator if you continue to experience problems." If I click "logout" from that screen, I'm out no problem, but if I let it go back to the previous screen, and logout, I get the error again.
Thanks for posting the solution. I too was having trouble staying logged in until selecting "log me on automatically" (or something to that effect). I am on an iPhone most of the time though so that could be the problem.
I'm your Huckleberry.

ITS Bo Yo ^.^
Posts: 16
Joined: Thu Aug 29, 2013 2:25 pm
Favorite Zombie Movies: Dawn of the Dead, Shaun of the Dead, and Zombieland
Location: TN

Re: Securification!

Post by ITS Bo Yo ^.^ » Thu Sep 12, 2013 8:37 pm

Does this apply to me...hmm
Beheading zombies since COD.

jnathan
Meat Popsicle
Posts: 1325
Joined: Mon May 05, 2008 11:45 am
Location: Illinois, USA

Re: Securification!

Post by jnathan » Thu Sep 19, 2013 10:57 am

ITS Bo Yo ^.^ wrote:Does this apply to me...hmm
How would I know? (I'm not clairvoyant) :D What do you want to know?

-Jeff
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB
