 Post subject: Securification!
PostPosted: Wed Aug 07, 2013 3:34 pm 
Meat Popsicle

Joined: Mon May 05, 2008 11:45 am
Posts: 1320
Location: Illinois, USA
Hi everyone,

Some of you may have noticed that over the past couple of days we've enabled SSL on the forum and the ZS store. When you log in to the forums, use the user control panel (UCP), register as a paying ZS member, renew your paid ZS membership, or check out using the ZS store, your connection will automatically shift from http to https.

If you're not a technophile, this could be summarized as us making a long overdue step at protecting the information you give to us.

Along with these changes will inevitably come a brief period of some additional debugging, and that's where you come in. If you notice strange behavior that you have not noticed in the past, please send a private message to the ZS Admin team by selecting "Administrators" from the Groups box off to the right and then clicking on the "Add" button when you're composing a new private message.

Thanks for helping us improve the ZS forums,

-Jeff

_________________
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB



 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 2:10 am 
* * * * *

Joined: Sun Oct 09, 2011 1:50 am
Posts: 1629
Location: Midwest
Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (why do all these attacks have to be named in all caps?) exploits?


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 9:59 am 
ZS Lifetime Member

Joined: Mon Apr 26, 2004 12:14 am
Posts: 3013
Location: Niagara Falls, Canada
How do I do this? :clap:

_________________
Winter driving guide: http://zombiehunters.org/forum/viewtopi ... =6&t=82858

Zimmy wrote:
Intelligent safety conscious fireman snuffing telekinetic golems?
Our heroes are doomed without Gyrojet pistols firing antimatter tipped rockets!


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 10:09 am 
* *

Joined: Fri Jul 06, 2012 9:50 am
Posts: 172
Location: Newport News, VA
williaty wrote:
Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (Why do all these attacks have be named in all caps?) exploits?


There's some treatment of the issue here: https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack. Most of this is client-side mitigation, so there's not much the server admins can do other than the usual best practices, like disabling SSL versions earlier than 3.0, enabling TLS 1.1 if the server supports it, and using good cipher suites. As a user, you can mitigate your risk somewhat by using a modern browser and keeping it patched, and otherwise following safe-browsing best practices. (Seriously, don't use IE <10 unless you're forced to, and don't use old Opera, Firefox or Chrome either. But, as someone who's had to use the tank of dog vomit known as ISNS, and the almost-equally-bad NMCI, I can sympathize with being forced to use bad software...)

The good news is that none of these attacks allow an attacker to grab a random TLS stream and decrypt it at their leisure - they have to mount a fairly targeted, concerted effort against a single user or at least a single site. We're probably not that important a target - though as with all preparations, that's no reason to get complacent.


ETA - Also, for the admins: is there any chance of enabling TLS universally for the entire site, or would that be a bit too heavyweight?

_________________
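One way to check the server-side part of that advice against a live host, as an added example that is not part of this thread or of phpBB: the script below pins a client TLS context to one protocol version at a time and records which handshakes the server completes. The set of acceptable versions in findings() is this script's assumption, set to today's floor (TLS 1.2 and 1.3; SSLv3 and TLS 1.0/1.1 have since been deprecated by RFC 7568 and RFC 8996), and SSLv2 is out of reach because Python's ssl module does not implement it, so the "nothing before SSL 3.0" part of the advice needs another tool.

```python
"""Probe which SSL/TLS protocol versions a server accepts and judge the result.

Added example for checking a deployment like the one in this thread; it is not
the forum's own tooling. Each probe pins a client context to exactly one
protocol version and records whether the handshake completes. Python's ssl
module cannot speak SSLv2, so that version is not probed at all; a version the
local OpenSSL build cannot offer is reported as None rather than as refused.
"""
import socket
import ssl
import sys

# Probe order, oldest first. SSLv3 only works on OpenSSL builds that still ship it.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
# Assumption of this script: what a server should accept today. SSLv3 (POODLE,
# RFC 7568) and TLS 1.0/1.1 (RFC 8996) were deprecated after this thread.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """True if a handshake pinned to `version` completes, False if the server
    refuses it, None if this client cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not certificate validity
    try:
        # Lower the local security level so an old suite or version is not
        # refused by the client side and mistaken for a server-side refusal.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # OpenSSL without security levels (or LibreSSL)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> dict:
    """Map each version name to negotiates() for the given server."""
    return {name: negotiates(host, port, ver) for name, ver in VERSIONS}


def findings(support: dict) -> dict:
    """Judge a probe result (name -> True/False/None) against two floors:
    the one the post gives (TLS 1.1 available) and today's (only TLS 1.2+)."""
    order = [name for name, _ in VERSIONS]
    accepted = {name for name, ok in support.items() if ok}
    unwanted = accepted - ACCEPTABLE
    fixes = [f"disable {name}" for name in order if name in unwanted]
    if not accepted & ACCEPTABLE:
        fixes.append("enable TLS 1.2 or TLS 1.3")
    return {
        "accepted": sorted(accepted, key=order.index),
        "meets_post_floor": bool(accepted & ({"TLSv1.1"} | ACCEPTABLE)),
        "meets_current_floor": not fixes,
        "fixes": fixes,
    }


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in findings(probe(host, port)).items():
        print(f"{key}: {value}")
```

Run it as `python probe_tls.py <host> [port]`. A False for a version means the server declined it, which is what you want for everything older than TLS 1.2; a None means the client could not offer that version, which says nothing about the server.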


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 10:57 am 
ZS Donor

Joined: Sun Oct 08, 2006 7:37 pm
Posts: 16599
Location: City of Saint Louis
williaty wrote:
Since you just turned SSL on, are you doing anything about the fact that SSL has been compromised in the last couple of weeks with the release of the BREACH, CRIME, and BEAST (Why do all these attacks have be named in all caps?) exploits?


In a word, yes. We're aware of the new attacks against SSL and we're working on ways to mitigate them, but like every other website on the internet, we don't have a complete fix for it. No one does.

The portions of the store that handle payment info have always been secured, because we just hand the transaction portion off to the payment processor, but we wanted to secure the portions that go to our site, things like mailing address and such.


We figured you assholes would rather not be sending your forum usernames and passwords in cleartext, regardless.

_________________
MF'N TEAM LEADER

"Some people think that the best way to stop the leopard is to cut the horns off the gazelle. This, my friends, is insane."



 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 11:00 am 
Meat Popsicle

Joined: Mon May 05, 2008 11:45 am
Posts: 1320
Location: Illinois, USA
Hi folks,

I'm an information security researcher by day and while I appreciate the questions, the answers aren't immediately consumable by someone who doesn't do what I do for a living. Our configuration already disabled versions of SSL prior to 3.0 and was likewise configured to use strong ciphers.

If you read the original paper, you see that there are really two things that make the most substantial difference in mitigation.

  1. Disable HTTP (gzip) compression
  2. Protect against CSRF (Cross-Site Request Forgery)

Our version of phpBB has some protections against CSRF already built in (e.g. anything linked as an image is evaluated to determine that it's an image, and the size of the image, before the text composing a post/reply is accepted).

Also, what crypto said. We do this for free for your benefit. :)

-Jeff

_________________
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB

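What the first of those two mitigations defends against, as an added example that is not part of this thread or of phpBB: a self-contained simulation of the compression side channel BREACH uses to read a token out of a TLS-protected page. The page template, hidden field name and digit-only token are constructed for the demonstration, and zlib's fixed-Huffman strategy is chosen so that each correctly guessed character changes the response length by exactly one byte; against the dynamic Huffman tables a real server emits the signal is noisier, which is why the published attack needs extra tricks and more requests than this loop.

```python
"""Offline simulation of the compression side channel that BREACH exploits.

A response body carries a secret (here an anti-CSRF token) and also echoes an
attacker-controlled string. If the body is DEFLATE-compressed before TLS
encrypts it, DEFLATE turns the second copy of any repeated byte string into a
back-reference, so the output shrinks by one literal every time the echoed
guess shares one more leading character with the secret. TLS protects the
content, not the length, so whoever can see the ciphertext size can read the
token one character at a time. With compression disabled the length does not
depend on the guess and the oracle is gone.

Everything below (page template, field name, digit-only token alphabet) is
constructed for this example. zlib's fixed-Huffman strategy is used so that
every ASCII literal costs exactly 8 bits and one leaked character shows up as
exactly one byte; dynamic Huffman tables make the signal noisier.
"""
import zlib

TOKEN_LEN = 8
ALPHABET = "0123456789"  # constructed: digits, none of which occur in the template text
# The attacker echoes the bytes that precede the secret in the page so the
# back-reference spans them plus every token character guessed correctly.
PREFIX = 'hidden name=csrf value="'


def render_page(token: str, reflected: str) -> bytes:
    """Constructed HTML: echoes user input, then embeds the anti-CSRF token."""
    return (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        f'<form><input type={PREFIX}{token}"></form>'
        "</body></html>"
    ).encode()


def observed_length(token: str, reflected: str, compress: bool) -> int:
    """Byte length an on-path observer sees (TLS framing adds a constant)."""
    body = render_page(token, reflected)
    if compress:
        comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
        body = comp.compress(body) + comp.flush()
    return len(body)


def recover_token(oracle) -> str:
    """Recover the token from response lengths alone.

    `oracle(reflected)` returns the length of the response that echoes
    `reflected`. At each position every candidate is sent after the known
    characters; the one whose response is strictly shortest extended the
    back-reference and is therefore the next token character. If no candidate
    is strictly shortest the oracle gives no signal and recovery stops.
    """
    known = ""
    for _ in range(TOKEN_LEN):
        lengths = {c: oracle(PREFIX + known + c) for c in ALPHABET}
        shortest = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == shortest]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


def demo(token: str = "40917263") -> dict:
    """Attack a compressed response, then show the uncompressed one leaks nothing.

    The default token has eight distinct digits; a token with repeated
    characters would create extra back-references inside itself and add noise
    that this minimal recovery loop does not handle.
    """
    recovered = recover_token(lambda r: observed_length(token, r, True))
    plain = {observed_length(token, PREFIX + c, False) for c in ALPHABET}
    return {
        "recovered_with_compression": recovered,
        "distinct_lengths_without_compression": len(plain),
    }


if __name__ == "__main__":
    print(demo())
```

Eighty length measurements recover the whole eight-digit token when the body is compressed; with compression off every candidate produces the same length and the loop stops at once with nothing learned, which is the whole effect of the first mitigation.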


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 11:14 am 
ZS Member

Joined: Sun Jul 08, 2012 12:57 pm
Posts: 320
Location: LV,NV
Many thanks!


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 11:33 am 
ZS Donor

Joined: Sun Oct 08, 2006 7:37 pm
Posts: 16599
Location: City of Saint Louis
Horatio_Tyllis wrote:
how do I this? :clap:


You don't do anything; we already made the change and now we're just looking for current weirdness reports to make sure we didn't mess anything up.

_________________
MF'N TEAM LEADER

"Some people think that the best way to stop the leopard is to cut the horns off the gazelle. This, my friends, is insane."



 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 11:41 am 
* * * * *

Joined: Thu Jul 07, 2011 8:24 am
Posts: 1352
crypto wrote:
You don't do anything, we already made the change and now we're just looking for current weirdness reports to make sure we didnt mess anything up.

The only weirdness I have to report is an issue with logging in. Yesterday I thought it was just on my work PCs; turns out my laptop does it too. The solution is to check the "automatically log me in" box, something I usually do on my laptop (hence the lack of issues on my laptop). Then it works all fine and dandy. Maybe something to do with the https:// at the front of the URL?

Actually, you and jnathan were trying to help me out on IRC yesterday. (I was logged in there as "kb" instead of my full kbilly84).

ETA: oh, and when I click "Logout" after signing in with that box checked, I get an error screen that says: "You were not logged out, as the request did not match your session. Please contact the board administrator if you continue to experience problems." If I click "logout" from that screen, I'm out no problem, but if I let it go back to the previous screen, and logout, I get the error again.


 Post subject: Re: Securification!
PostPosted: Thu Aug 08, 2013 6:10 pm 
* * * * *

Joined: Sun Oct 25, 2009 2:03 pm
Posts: 3933
Location: Nasty Natti, Ohio
The only weird thing I've noticed is that some of the outlines that border individual threads are missing. I know it's not a problem with my computer because I've seen it logging in on multiple computers. I don't think it's a major issue by any means, but nonetheless something to report.

_________________
Meat N' Taters wrote:
Death rays, advanced technology or not, no creature wants to be stabbed in their hoo-hoo.

Jvandenhaus wrote:
Zombie squad: If you aren't one of us, you wish you were.


 Post subject: Re: Securification!
PostPosted: Sat Aug 24, 2013 7:23 am 
* * * * *

Joined: Tue Sep 14, 2010 8:27 pm
Posts: 1860
My log in keeps hiccuping... usually takes me a couple tries to get the log in to go through

_________________
I never fit in. That's my role in life, to be the outcast.

ATEi

RIP- FiftySticks


 Post subject: Re: Securification!
PostPosted: Sun Sep 08, 2013 10:16 pm 
ZS Member

Joined: Sat May 22, 2010 9:57 pm
Posts: 425
Location: WV
kbilly84 wrote:
crypto wrote:
You don't do anything, we already made the change and now we're just looking for current weirdness reports to make sure we didnt mess anything up.

The only weirdness I have to report is an issue with logging in. Yesterday, I thought it was just on my work PCs, turns out my Laptop does it too. The solution is to check the "automatically log me in" box, something I usually do on my laptop (hence the lack of issues on my laptop). Then it works all fine-and-dandy. Maybe something to do with the https:// at the front of the URL?

Actually, you and jnathan were trying to help me out on IRC yesterday. (I was logged in there as "kb" instead of my full kbilly84).

ETA: oh, and when I click "Logout" after signing in with that box checked, I get an error screen that says: "You were not logged out, as the request did not match your session. Please contact the board administrator if you continue to experience problems." If I click "logout" from that screen, I'm out no problem, but if I let it go back to the previous screen, and logout, I get the error again.


Thanks for posting the solution. I too was having trouble staying logged in until selecting "log me on automatically" (or something to that effect). I am on an iPhone most of the time, though, so that could be the problem.

_________________
I'm your Huckleberry.


 Post subject: Re: Securification!
PostPosted: Thu Sep 12, 2013 8:37 pm 
Joined: Thu Aug 29, 2013 2:25 pm
Posts: 16
Location: TN
Does this apply to me...hmm

_________________
Beheading zombies since COD.


 Post subject: Re: Securification!
PostPosted: Thu Sep 19, 2013 10:57 am 
Meat Popsicle

Joined: Mon May 05, 2008 11:45 am
Posts: 1320
Location: Illinois, USA
ITS Bo Yo ^.^ wrote:
Does this apply to me...hmm


How would I know? (I'm not clairvoyant) :D What do you want to know?

-Jeff

_________________
My name is Jeff, not Jonathan. Jonathan would fit...

ZSC:020 Chicagoland | How to search ZS | GHB



Powered by phpBB® Forum Software © phpBB Group