Switching FC to full-HTTPS

[pittiserria]

What's the issue of neglecting support for https since this issue was brought up on 2016?
There is simply no reason why not to support (not necessarily switch to) https on 2019.

For the admins - I work in InfoSec and I would be happy to provide any assistance or instructions if needed.
For the members - I highly recommend everyone to never use a password in FC which is also used in a different service like your email provider and social media accounts as the password used in FC can be eavesdropped easily.

 

[Hackerman]

The site has no admin so it can't be done.

We have 2 mods with mod privs but no one with administrator privs.

 

[Jill NYC]

What's the issue of neglecting support for https since this issue was brought up on 2016?
There is simply no reason why not to support (not necessarily switch to) https on 2019.

For the admins - I work in InfoSec and I would be happy to provide any assistance or instructions if needed.
For the members - I highly recommend everyone to never use a password in FC which is also used in a different service like your email provider and social media accounts as the password used in FC can be eavesdropped easily.

Thank you @KeroZen for starting this discussion and to all who participated. Security is something that has always been taken seriously here and https is something that we will be implementing in the future. It's not quite as simple as flipping a switch and there are a number of other matters that also require attention, so you patience is appreciated.

As usual the level of knowledge here is impressive and there have been many good points brought up in this thread. I agree that if privacy and security are important to you it's best to take control of them yourself. https is certainly worth using, however it's not a panacea for all your privacy and security concerns. Using a trusted and properly configured VPN setup is the way to go as it encrypts all of your traffic including DNS queries.

Hey @vtac Any chance you are around and have decided on updating the site security?
I think without HTTPS it holds back a lot of valuable people from joining the site/contributing. Not to mention the added security.
There are a lot of knowledgeable people here who have volunteered to help and many others who would be willing to help fund if need be. We would be happy to assist in any way possible, just let us know.

 

[Hackerman]

vtac has not logged on in 14 months. The site could be hacked and one on the mods could be given admin privs but I was told that if I did that, I would be banned. So, I didn't.

 

[pittiserria]

The site has no admin so it can't be done.
We have 2 mods with mod privs but no one with administrator privs.

vtac has not logged on in 14 months. The site could be hacked and one on the mods could be given admin privs but I was told that if I did that, I would be banned. So, I didn't.

This site has no admin - why? I'm not sure I understood the hierarchy, who is the person who pays for the service and has the permission to take over as admin? Once that person provides his permission, I can easily help, there is no need for any hacking, all it takes is to update the permission value in the database for whoever is authorized to be the new admin using SSH or other access. Please let me know how can I help.

Purchasing an SSL certificate for HTTPS is a matter of 8$ per year and if needed I'm willing to pay for it for the benefit of all.

 

[Hackerman]

The site is on self-renew and apparently the payment source is still valid because the domain name just renewed recently. However, the admin has not logged on for over a year.

It's just a matter of time until some script kiddie comes along and takes the site down. It happened to Jorge's site. Some script kiddie who called himself, 'Hitler' took advantage of the outdated software and used an exploit to make himself admin. After that, he did the standard MO. Took the mod's privs away and had total control over the site. I talked to him in PM and convinced him to return the site and he did.Originally, he wanted $500 but eventually he did it for free.

Jorge has been successful in so many ways, he just forgot all about taking care of his web site and.... boom.

I did visit Jorge's site recently and he was there apologizing for the neglect and he hired a new webmaster to maintain his site.

The software this site uses currently has a couple exploits but nothing a script kiddie could handle. There is one easy exploit that allows a mod to up his privs to admin but, again, no one here wanted my help. One of the mods could be an admin by now. I guess they want to wait until AFTER it happens to address it.

Also, as you said, all members private data is at risk here. The script kiddie that hacked Jorge's site dumped the database and uploaded it for all to see. Usernames, passwords.. everything in the database.

 

[pittiserria]

The site is on self-renew and apparently the payment source is still valid because the domain name just renewed recently. However, the admin has not logged on for over a year.

It's just a matter of time until some script kiddie comes along and takes the site down. It happened to Jorge's site. Some script kiddie who called himself, 'Hitler' took advantage of the outdated software and used an exploit to make himself admin. After that, he did the standard MO. Took the mod's privs away and had total control over the site. I talked to him in PM and convinced him to return the site and he did.Originally, he wanted $500 but eventually he did it for free.

Jorge has been successful in so many ways, he just forgot all about taking care of his web site and.... boom.

I did visit Jorge's site recently and he was there apologizing for the neglect and he hired a new webmaster to maintain his site.

The software this site uses currently has a couple exploits but nothing a script kiddie could handle. There is one easy exploit that allows a mod to up his privs to admin but, again, no one here wanted my help. One of the mods could be an admin by now. I guess they want to wait until AFTER it happens to address it.

Also, as you said, all members private data is at risk here. The script kiddie that hacked Jorge's site dumped the database and uploaded it for all to see. Usernames, passwords.. everything in the database.

That's alarming.
Not because the moderators, but because the site owner's identity is unknown and in case his payment method ceases working, FC is going to be wiped out. Don't the 2 moderators have any contact information of the owner? Who are the 2 moderators who refuse to cooperate?

 

[YaMon]

The majority (88.7%) of respondents to the survey on this topic support HTTPS, @vtac @pakalolo @Stu is there any way to escalate this? GoFundMe? I work in IT as well and frankly am concerned I would lose FC as a resource if this is left unaddressed, of course I could always adopt one of their other forums as I believe many have. Thoughts?

 

[Hackerman]

Everyone was on pins and needles a couple months ago when the domain expired. Apparently, the auto-renew worked but this site is a time bomb waiting to explode. And, when it does, this site is gone gone gone. My guess is, there isn't even a backup.

All we can hope for is that it simply expires and dies rather than some script kiddie posting all this personal info on a hacker site. If the database gets corrupted (which is not uncommon) it's all over.

Sad, but true.

Currently, there are no known exploits for this version of Xenforo but, it's just a matter of time. Well, actually, there are a couple exploits but nothing that a script kiddie could do and there's really no reason for an experienced hacker to shut down this site. So, it is probably safe for a few more months or maybe a year. Still, one day, people will come and it will be gone. Too bad, really since a number of the people selling stuff depend on this site for a major source of revenue.

Well, I have been through this with the mods and they told me to mind my own business so.... that's what I'll do.

 

[KeroZen]

The majority (88.7%) of respondents to the survey on this topic support HTTPS

By now you all should have noticed that my poll was completely rigged heh! The way I phrased the initial post meant no sane person should have answered "nay"...

But it was just a mean to get the ball rolling. Unfortunately until @vtac returns (and I'm convinced he will eventually) we're completely stuck.

 

[YaMon]

we're completely stuck.

Brah, I like FC, what can I say. Want it to continue to be a resource, a place to share

 

[analytika]

Unfortunately until @vtac returns (and I'm convinced he will eventually) we're completely stuck.

The thread dates to 2016, and IIRC I (alongside others) weighed in with the outline of how we've done this for several sites, before (?) @vtac last posted in 2018.

Will his return, if it happens, make any difference?

It's a project measured in hours, not days. Piece of cake with a simple proxy wrapper like haproxy, which rewrites every URL delivered by the inner web server to its SSL encrypted counterpart. It would even rewrite every bookmarked URL automatically that comes in without https:// to the proper URL.

Is there no contingency or other last resort?

Wow.

 

[FlyingLow]

Why did Vtac drop off?

 

[pittiserria]

The thread dates to 2016, and IIRC I (alongside others) weighed in with the outline of how we've done this for several sites, before (?) @vtac last posted in 2018.

Will his return, if it happens, make any difference?

It's a project measured in hours, not days. Piece of cake with a simple proxy wrapper like haproxy, which rewrites every URL delivered by the inner web server to its SSL encrypted counterpart. It would even rewrite every bookmarked URL automatically that comes in without https:// to the proper URL.

Is there no contingency or other last resort?

Wow.

Although this thread is about https, I think that https is the least of our concerns in light of the newly discovered information provided by Hackerman in the previous comments.

 

[pakalolo]

Although this thread is about https, I think that https is the least of our concerns in light of the newly discovered information provided by Hackerman in the previous comments.

@Hackerman has been wearing his Chicken Little hat for a long time. There is no newly discovered information that changes anything. Your personal data is no more at risk now than it was when you joined.

We did not tell @Hackerman to "mind his own business", we rejected his idea to hack into FC and acquire elevated privileges. It is neither as easy to do nor as useful as he claims. Ethical considerations aside, gaining an admin account would not get us access to database administration or the server account.

 

[Hackerman]

@Hackerman has been wearing his Chicken Little hat for a long time.

That wasn't a very nice thing to say to me. I was just trying to help. This site is in danger. Anyone with any tech knowledge knows that.

 

[KeroZen]

Worse, now that you are disgruntled, if anything happens all eyes will be on you hehe!

(joking of course, don't take me seriously)

 

[analytika]

That wasn't a very nice thing to say to me. I was just trying to help. This site is in danger. Anyone with any tech knowledge knows that.

I didn't take your comments primarily to emphasize that personal information is in danger from no SSL.

I mean, it is, in some ways. Hard to put a good spin on it. Without SSL (i.e. https://) anyone using the same starbucks WIFI as you can see your FC password / cookie in cleartext. It doesn't matter if it's "secure wifi" WPA2 and such. Same is true for anyone administering an ISP between you and FC -- I jump 13 steps to FC according to traceroute.

I think @Hackerman you're also suggesting that the site might simply have gone dark if someone's credit card payment for renewal of a domain, not in control of the admins, hadn't recently gone through. Is that true, or apocryphal?

And, if I understand you, you're also pointing out that, without regular updates that patch known, published exploits against XenForo and its database backend, a script kiddie can take the site down. In their documentation about possible vulnerabilities, XenForo mentions SQL injection and the risk of remote code execution on our OWN machines.

Obviously, FC isn't the focus of a serious black hat.

It's not a good position to be in, if all that is accurate. Yes, I understand site administrators are not in a position to fix it without the reappearance of one person. Not trying to offend anyone. But we should look technology reality in the face.

I take issue with the statement that personal information is no more at risk than when you joined.

Yes, the theoretical risk was there. But there is so much more malware out there now, so many more people and bots vacuuming up cleartext credentials than just a few years ago, you can't seriously say the risk isn't worse today.

And the risk of a bad actor tying your credentials to your actual personal identity is magnitudes greater today, surely.

ADDED:

To respect the privacy concerns of contributors here, may I please suggest that the site administrators enable individuals to delete not only their account but all of their historical postings, or at least individual postings, made without appreciation of the state of site administration and potential vulnerabilities.

 

[Hackerman]

I think @Hackerman you're also suggesting that the site might simply have gone dark if someone's credit card payment for renewal of a domain, not in control of the admins, hadn't recently gone through. Is that true, or apocryphal?

Here is what happens to a site when the domain name expires. This is a link to Namecheap, this site's host so it's straight from the horses mouth.

https://www.namecheap.com/support/k...at-happens-to-my-domain-name-after-it-expires

And, if I understand you, you're also pointing out that, without regular updates that patch known, published exploits against XenForo and its database backend, a script kiddie can take the site down. In their documentation about possible vulnerabilities, XenForo mentions SQL injection and the risk of remote code execution on our OWN machines.

Absolutely. I used to do it to web sites all the time in my youth and then hosted a web site for years that taught it. There is an entire cult of people who do this and a zillion web sites that support it. Hacking web sites are damn near as plentiful as porn sites. LOL As soon as an exploit is found and published, the script kiddies will be on a search for weak forums. It's a pretty standard MO.)

This forum is currently using version 1.5.13. As far as I know there are currently no simple exploits for this version. When Xenforo announces an update, you can bet that an exploit was found. After that, you can expect something like this...

https://www.marijuanagrowing.com/showthread.php?24956-Hacked

Actually defacing the site or taking it over requires access to the cPanel through the account on namecheap.com. Whomever said upping privs from mod to admin not doing much good was right. It would allow a better administration of the features of the site but it would not allow for any security measures to be installed. However, it would allow the update of the forum software if one comes out.

I believe the outdated software will cause a considerably larger problem than not being https secure. Sure, info is unencrypted without https but that's is not of interest to hardly anyone. Once the forum software gets outdated, the script kiddies will be out like sharks. Just like hitler at Jorge's place.

Only time will tell. Hope I answered your questions.

 

[Alex3oe]

Obviously, FC isn't the focus of a serious black hat.

That's not the point. Automated searches for outdated software with known bugs will lead to this forum sooner or later. An outdated widespread software with connection to the www will get hacked, question is not if, but when

 

[pittiserria]

We did not tell @Hackerman to "mind his own business", we rejected his idea to hack into FC and acquire elevated privileges. It is neither as easy to do nor as useful as he claims. Ethical considerations aside, gaining an admin account would not get us access to database administration or the server account.

A XenForo admin is indeed not very useful, there needs to be a real admin for the server or hosting provider account in order to properly manage it. Can you please clarify some questions:

• Is it true that vtac is the only person who has/had access to manage the server?
• Is it true that only 2 mods (forum moderators) are currently active including yourself?
• Is it true that vtac's identity is unknown even to the 2 remaining mods and that he is unreachable without a sign of life for over a year? Is it possible that vtac is in jail or dead?

Please be aware that even if there is no active server admin account to be found, a XenForo admin is still sufficient to allow full export of the data in order to be imported into a new server in a new URL (e.g. fuck-combustion.com), while adding an automated HTTP redirect from the old server to the new one for existing links containing the old URL (e.g. fuckcombustion.com => fuck-combustion.com) so the server migration would be transparent for all users. Once the new server is active, it can be upgraded to the latest XenForo software + latest server patches + add SSL.

I will be happy to provide every assistance needed.

 

[pakalolo]

A XenForo admin is indeed not very useful, there needs to be a real admin for the server or hosting provider account in order to properly manage it. Can you please clarify some questions:

• Is it true that vtac is the only person who has/had access to manage the server?
• Is it true that only 2 mods (forum moderators) are currently active including yourself?
• Is it true that vtac's identity is unknown even to the 2 remaining mods and that he is unreachable without a sign of life for over a year? Is it possible that vtac is in jail or dead?

Please be aware that even if there is no active server admin account to be found, a XenForo admin is still sufficient to allow full export of the data in order to be imported into a new server in a new URL (e.g. fuck-combustion.com), while adding an automated HTTP redirect from the old server to the new one for existing links containing the old URL (e.g. fuckcombustion.com => fuck-combustion.com) so the server migration would be transparent for all users. Once the new server is active, it can be upgraded to the latest XenForo software + latest server patches + add SSL.

I will be happy to provide every assistance needed.

Only @vtac has access to the server and database administration. It is true that there are only two moderators active, and we do not have the power to add another. It is true that we are not aware of anyone who has had contact with @vtac since last April. His identity is not unknown. There is no point in speculating about his fate.

Thanks for your information and offer.

 

[YaMon]

Very sad

 

[Grobalot]

i have blockers on my browser, like most people should, and FC is the only site i i take HTTPS everywhere off.
using a vpn negates the risk of mim attacks a bit but using TOR on a windows machine is completely stupid. TOR is compromised and very slow. switchin DNS setting at router level or even just on the IPV4/6 settings in windows can negate it. cisco's dns address is pretty safe as an said before, set a unique passwrd that is far removed from any other password used for important stuff.
its a shame migrating the server to azure isn't an option.
sorry if im repeating stuff lol

 

[FlyingLow]

For someone who does not understand computer talk, I don't know what any of that is. Do I need VPN and https?