Security Issue on Forums
#1
Hi all,

I just signed up on here to ask a few questions about a problem I'm having with PCSX2. However, when I signed up on the forums, I noticed a security issue: everything is sent unencrypted over HTTP as opposed to encrypted via HTTPS.

This is a serious issue. This means anyone on your network (LAN, Wi-Fi, etc.) can see your password in cleartext every time you sign up or log in to the forums. Additionally, Firefox and Chrome are adding warnings for this type of insecurity. See my screenshot below that I got when signing up using Firefox (note how it says the password field is insecure and logins can be compromised):

[Image: gQUguIG.png]


You can read an article about this here: https://arstechnica.com/information-tech...-insecure/

I strongly recommend enabling an SSL certificate. They are free! The admin of the forums can set up Let's Encrypt and get encrypted connections without spending a penny.

The last thing I want is PCSX2's forums having a data breach and ending up on HaveIBeenPwned.com (a database of all the data breaches)!

Thanks for the consideration,
Syn

#2
I recommend not using a password you use everywhere else. However, if we get pwned, that means our database has been dumped; however, passwords are encrypted and salted, so that's not much of an issue.

Oh and don't put your credit card details in anywhere :P
#3
I agree that this should get a greater priority, especially now that, as SynAck mentioned, browsers send warnings about unsecured web logins. The current situation could potentially even scare away some users.
#4
Maybe we could move the forum to HTTPS with Let's Encrypt?
#5
We talked about this before, Ref ;)
#6
(03-16-2017, 11:26 PM) rama wrote: We talked about this before, Ref ;)

We did. I think Bosit and Falc also talked about it, so I was leaving it up to them as they are the web guys :P
#7
Yes, and as usual we are all waiting for falcon :P
#8
I have talked with Bositman about this and I have set up a development environment with MyBB and SSL. It's doable; however, it'd need us to remove support for remote avatars that aren't using SSL (easy to do with a plugin) to prevent mixed-mode content warnings.
#9
To follow up on the above: we set up a test environment and I tested all the configuration which Bositman deployed, so the browser security warning will be gone now, and we're fixing up the mixed-mode content warnings due to HTTP image embeds.
#10
We fixed a large portion of all the image embeds, so this is all resolved now! Much-delayed post, as we did this nearly a month back now.
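
The mixed-content cleanup described in posts #8 to #10, sketched as an added example (not code from the PCSX2 team or MyBB): it scans post text for `http://` image embeds, upgrades the ones on hosts known to serve HTTPS, and demotes the rest to plain links so the browser never loads them on the HTTPS page. The `[img]` tag handling, the `audit_post` name, the host allowlist and the sample post are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed BBCode-style image tag: [img]URL[/img], optionally with
# attributes such as [img=200x100] or [img align=left].
IMG_TAG = re.compile(r"(\[img(?:[= ][^\]]*)?\])\s*(.*?)\s*(\[/img\])", re.I | re.S)


def audit_post(text, https_hosts):
    """Return (rewritten_text, findings) for one post body.

    https_hosts: hosts an admin has confirmed serve the same files over
    HTTPS (hypothetical allowlist). Plain-HTTP embeds on other hosts are
    turned into [url] links, which do not trigger mixed-content warnings.
    """
    findings = []

    def fix(match):
        open_tag, url, close_tag = match.groups()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return match.group(0)  # already HTTPS or not a web URL
        host = (parts.hostname or "").lower()
        # Upgrade only when the URL has no explicit port or userinfo,
        # since http://host:8080/ rarely maps to https://host:8080/.
        if host in https_hosts and parts.netloc.lower() == host:
            findings.append(("upgraded", url))
            return open_tag + parts._replace(scheme="https").geturl() + close_tag
        findings.append(("blocked", url))
        return "[url]" + url + "[/url]"

    return IMG_TAG.sub(fix, text), findings


# Constructed sample post and allowlist, for illustration only.
SAMPLE_POST = (
    "My setup: [img]http://img.example.com/rig.png[/img]\n"
    "Old host: [img=200x100]http://legacy.example.net:8080/shot.jpg[/img]\n"
    "Fine already: [img]https://cdn.example.org/ok.gif[/img]"
)
HTTPS_HOSTS = {"img.example.com"}

if __name__ == "__main__":
    rewritten, report = audit_post(SAMPLE_POST, HTTPS_HOSTS)
    print(rewritten)
    for action, url in report:
        print(action, url)
```

The findings list doubles as a work queue: "blocked" entries are the embeds someone has to re-host or ask the poster to replace.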