Dominion Strategy Forum

Meta => Feedback => Topic started by: magnetic on June 04, 2018, 02:09:24 pm

Title: The forum isn't protected by HTTPS
Post by: magnetic on June 04, 2018, 02:09:24 pm
The forum isn't protected by HTTPS. This means if we login to the forum on a shared WiFi connection, someone can steal our session and impersonate us. Given that pseudo-official rulemaking is done on this forum, I think it's a serious issue.

With free (even wildcard) certificates from letsencrypt.org, there's not much of a burden to securing a domain like this these days.

If you need any assistance, give me a PM.
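As an added illustration of the session-theft risk the post describes (this is not code from the thread or from the forum software), the audit below takes a login URL and a raw HTTP response and lists the ways the session could be exposed on a shared network: login over plain HTTP, session cookies without the Secure and HttpOnly flags, and no HSTS header. The host forum.example, the cookie names and both responses are constructed samples, not captures.

```python
from urllib.parse import urlsplit

# Constructed sample of a forum login response (hypothetical host; not a real capture).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=k3p9c0nstructed; path=/\r\n"
    "Set-Cookie: forum_session=c0nstructed; path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)
# The same login served the way the post asks for: TLS, flagged cookies, HSTS.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: PHPSESSID=k3p9c0nstructed; path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: forum_session=c0nstructed; path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def headers(raw):
    """Yield (name lowercased, value) for every header line of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()

def set_cookies(raw):
    """Return [(cookie_name, {attribute names, lowercased})] for each Set-Cookie header."""
    out = []
    for name, value in headers(raw):
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            out.append((parts[0].split("=", 1)[0], attrs))
    return out

def audit_login(url, raw):
    """List the ways a session established by this login could leak on a shared network."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("login over plain HTTP: password and cookies readable by anyone on the network")
    for cookie, attrs in set_cookies(raw):
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure flag, the browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly flag, readable by any script on the page")
    if not any(n == "strict-transport-security" for n, _ in headers(raw)):
        findings.append("no HSTS header: browsers may still start with an http:// request")
    return findings
```

HSTS is only honoured when the header arrives over HTTPS, so the hardened response only helps once the certificate (for example from Let's Encrypt) is actually deployed.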
Title: Re: The forum isn't protected by HTTPS
Post by: gkrieg13 on June 04, 2018, 02:55:57 pm
But how do we know that you are magnetic right now?
Title: Re: The forum isn't protected by HTTPS
Post by: magnetic on June 04, 2018, 03:25:51 pm
Even if I posted this anonymously the report is still true.  ;)
Title: Re: The forum isn't protected by HTTPS
Post by: Chris is me on June 04, 2018, 11:25:02 pm
I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s login in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.
Title: Re: The forum isn't protected by HTTPS
Post by: faust on June 05, 2018, 05:23:05 am
I mean... is anything we do here really that important?
Is anything we do really that important?
Title: Re: The forum isn't protected by HTTPS
Post by: ThetaSigma12 on June 05, 2018, 09:28:05 am
I mean... is anything we do here really that important?
Is anything we do really that important?
Is anything we do really that important?
Title: Re: The forum isn't protected by HTTPS
Post by: GendoIkari on June 05, 2018, 09:29:14 am
I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s login in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.

Although password reuse is frowned upon, I'm pretty sure a lot of people still do it. Meaning that if someone's F.DS password is stolen, then that could cause lots of other issues for a person as well.
Title: Re: The forum isn't protected by HTTPS
Post by: markusin on June 05, 2018, 03:37:43 pm
I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s login in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.

Although password reuse is frowned upon, I'm pretty sure a lot of people still do it. Meaning that if someone's F.DS password is stolen, then that could cause lots of other issues for a person as well.

I think the modern recommendation is to use a password manager tool.
Title: Re: The forum isn't protected by HTTPS
Post by: Chris is me on June 05, 2018, 04:24:24 pm
I agree that because of password sharing etc there’s plenty of reason to go to HTTPS when convenient; all I am saying is that the OP’s concerns of someone getting onto the personal WiFi of a prominent FDS user and impersonating them in order to fabricate official rulings is pretty far-fetched.
Title: Re: The forum isn't protected by HTTPS
Post by: Donald X. on June 05, 2018, 04:55:29 pm
I agree that because of password sharing etc there’s plenty of reason to go to HTTPS when convenient; all I am saying is that the OP’s concerns of someone getting onto the personal WiFi of a prominent FDS user and impersonating them in order to fabricate official rulings is pretty far-fetched.
The real Chris is me would never say that.
Title: Re: The forum isn't protected by HTTPS
Post by: sitnaltax on June 05, 2018, 07:29:21 pm
FWIW I use DreamHost for my hosting and they have a service where, for free and at the press of a button, they'll get, deploy, and auto-renew Let's Encrypt certificates for you. The f.ds host might have a similar service.
Title: Re: The forum isn't protected by HTTPS
Post by: Kirian on June 05, 2018, 08:27:39 pm
I mean... is anything we do here really that important?
Is anything we do really that important?
Is anything we do really that important?
Is anything we do really that important?
Title: Re: The forum isn't protected by HTTPS
Post by: Mic Qsenoch on June 05, 2018, 08:45:04 pm
Are any of these posts actually funny?
Title: Re: The forum isn't protected by HTTPS
Post by: Awaclus on June 05, 2018, 08:47:56 pm
Are any of these posts actually funny?

Are any of these posts actually funny?
Title: Re: The forum isn't protected by HTTPS
Post by: Kirian on June 06, 2018, 01:26:42 pm
Are any of these posts actually funny?

Are any of these posts actually funny?

Are any of these posts actually funny?
Title: Re: The forum isn't protected by HTTPS
Post by: ObtusePunubiris on June 06, 2018, 01:59:12 pm
Is it important that anything we really post is actually that funny?
Title: Re: The forum isn't protected by HTTPS
Post by: LastFootnote on June 06, 2018, 03:19:24 pm
Are any of these posts actually funny?

I laughed. So, probably?
Title: Re: The forum isn't protected by HTTPS
Post by: magnetic on June 07, 2018, 04:47:56 pm
I'll agree that my initial reasoning was a bit out there.

Protecting shared passwords is a much better reason. You may notice that SMF only sends them over the wire after hashing them, but without the opportunity for a salt, so a rainbow table attack on these passwords is still possible.
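The post's point about salting, as an added example (not SMF's actual login scheme, which is only stood in for here by a plain SHA-1 of the password): a deterministic, unsalted hash on the wire is the same for every user with that password, so one precomputed table indexes all of them, whereas a random per-user salt with a slow KDF makes the stored values unrelated even for identical passwords. The candidate word list is constructed.

```python
import hashlib
import os

def unsalted_wire_hash(password):
    """Constructed stand-in for an unsalted client-side hash: same password, same value, every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt, iterations=100_000):
    """Server-side alternative: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def precomputed_table(candidates):
    """Tiny stand-in for a rainbow table: hash -> candidate, built once and reusable for every user."""
    return {unsalted_wire_hash(c): c for c in candidates}

def matches_precomputed(captured_hash, table):
    """A captured unsalted hash is just a dictionary lookup; returns the candidate or None."""
    return table.get(captured_hash)

def same_password_shares_value(password):
    """True when two users with the same password get the same stored value (unsalted case)."""
    return unsalted_wire_hash(password) == unsalted_wire_hash(password)

def salted_values_differ(password):
    """With a per-user random salt, two users with the same password get unrelated values,
    so a table built for one salt says nothing about the other."""
    first = salted_hash(password, os.urandom(16))
    second = salted_hash(password, os.urandom(16))
    return first != second

CANDIDATES = ["dominion", "province", "curse123", "gardens"]  # constructed word list
```

Note that hashing on the client does not remove the need for TLS: whatever value is sent is what the server accepts, so it still has to travel over an encrypted connection.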
Title: Re: The forum isn't protected by HTTPS
Post by: Awaclus on June 07, 2018, 09:16:09 pm
Well, there are more issues than that. For one, if you're able to log in as me, you're able to see all the private messages that I ever received or sent, which could be pretty damn uncomfortable for someone if there was anything confidential in there (there isn't because I just checked and deleted everything of the sort). You're also able to gain access to all the forums that I can access, which is not particularly impressive because I don't have any special privileges to see any more forums than any other regular user, but certain people (e.g. armchair treasure hunters) do have such privileges and if confidential things are being discussed on those forums, that could be very serious as well. You're also able to see my ignore list, which is definitely going to be at least a little uncomfortable for me, although nothing too serious. You're also able to see my forum settings, which you're not really supposed to see, but I can't imagine a plausible scenario where this causes any problems even if there's a breach.

The shared passwords concern is also very real.

Of course, none of this is a problem if people act responsibly on the Internet, but it's still important to maintain security at multiple layers because something is always going to go wrong, especially when people acting responsibly is supposed to be a part of the plan.