2014-05-16, 02:42 | Link #301 |
Member
Join Date: Jun 2009
|
I just changed my password. The previous one was a 5 place mixed letters and digits, not dictionary and easy to remember. I used those on forum sites where I keep no private info.
I dropped the idea of even using those on my mail accounts long ago. More important ones have LastPass generated passwords, and really important (PayPal) sites have 2FA. Of course then I hear of this Heartbleed exploit. I guess it never ends. |
2014-05-16, 04:26 | Link #303 | |
a.k.a. Flammenkrieg
IT Support
Join Date: Apr 2009
Location: Down under...
|
Quote:
Out of curiosity, how difficult is it to update forum software (minor and major versions)?
2014-05-16, 10:57 | Link #304 |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
So I've been looking into adding HTTPS (SSL) for the forum. I fear however there is going to be one problem, called "Mixed Content Warning". This is basically a browser generated warning regarding loading "insecure" (non-HTTPS) elements on an HTTPS-secured page.
The thing is that forum users tend to embed images a lot in posts, mainly in the image related posts of course, but also elsewhere and through signatures basically everywhere. Due to this, if you were to browse the forum using HTTPS you'd get mixed content warnings everywhere. Now one solution I can think of is a little plugin that will make sure that a [IMG] link like this:
Code:
[img]http://www.insecure.com/image.jpg[/img]
Code:
<img src="//www.insecure.com/image.jpg" />
However one problem with that solution is that the site being linked to must actually support HTTPS. Fortunately Imgur.com, a popular imagehost, does. But Imagebam.com, another imagehost I've seen used, does not. Such images would fail to load completely. I could "blacklist" such hosts in the plugin and allow HTTP for them, but then you'd get the mixed content warnings again.
Another issue is: in what way should HTTPS usage be encouraged? Should it simply be supported but not forced in any way? Or should people be automatically redirected to the HTTPS version?
Anyone have any thoughts about this? (and maybe solutions for the problems I foresee?) |
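The rewrite described in the post above, as an added example that is not part of the original post and not vBulletin code: `[img]` URLs become protocol-relative unless the host is on a list of HTTP-only hosts. The function names and the sample post are assumptions for illustration; the host list contains only the host the post names as lacking HTTPS.

```php
<?php
// Added example, not vBulletin code. Hosts that stay on http:// because,
// according to the post, they do not serve HTTPS (assumed list).
const HTTP_ONLY_HOSTS = ['imagebam.com'];

// True when $host is a listed host or a subdomain of one.
function is_http_only_host(string $host): bool
{
    $host = strtolower($host);
    foreach (HTTP_ONLY_HOSTS as $h) {
        if ($host === $h || substr($host, -strlen($h) - 1) === '.' . $h) {
            return true;
        }
    }
    return false;
}

// Turn [img]...[/img] into <img> tags, making http:// URLs protocol-relative.
function render_img_tags(string $post): string
{
    return preg_replace_callback(
        '~\[img\](.+?)\[/img\]~is',
        function (array $m): string {
            $url = trim($m[1]);
            $parts = parse_url($url);
            // Only http/https URLs with a host become <img>; the rest stays text.
            if ($parts === false || !isset($parts['scheme'], $parts['host'])
                || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
                return htmlspecialchars($m[0], ENT_QUOTES);
            }
            if (strtolower($parts['scheme']) === 'http'
                && !is_http_only_host($parts['host'])) {
                // Drop "http:" so the browser reuses the scheme of the page.
                $url = substr($url, strlen('http:'));
            }
            // Escape the URL so it cannot break out of the src attribute.
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '" />';
        },
        $post
    );
}

// Constructed sample post: HTTPS-capable host, HTTP-only host, non-http scheme.
$sample = "[img]http://i.imgur.com/a.jpg[/img]\n"
        . "[img]http://www.imagebam.com/b.jpg[/img]\n"
        . "[img]ftp://example.invalid/c.jpg[/img]";
echo render_img_tags($sample), "\n";
```

Images from hosts on the HTTP-only list still load over plain HTTP, so an HTTPS page that embeds them keeps showing the mixed content indicator.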
2014-05-16, 12:20 | Link #306 | |
Operation sneaky sneaks
IT Support
Join Date: Aug 2012
Location: Hic et ubique
|
Quote:
It boils down to purpose, and I don't see it as necessary to make this forum as secure as the servers that hold banking information. For all the work that the admins handle, it is the user's responsibility to make sure that their forum credentials aren't tied to anything important, and if said users use the same credentials for their banking as they do for AnimeSuki, it's their fault if anything should happen.
2014-05-16, 12:31 | Link #307 | |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
Quote:
Edit: Yeah it would seem Mixed Content warnings are a lot less obnoxious than what I remember them to be in the past. Both Firefox and Chrome will show a visual cue though: both will show a warning triangle on top or in place of the lock icon that would normally be shown for an encrypted page and when you click that they'll warn about partially encrypted content. But that's just a minor inconvenience I suppose.
Last edited by GHDpro; 2014-05-16 at 12:50. |
|
2014-05-16, 14:43 | Link #309 | |
Administrator
Join Date: Dec 2003
Age: 42
|
Quote:
There is no tool in vBulletin to read another person's private messages. The only way to do it (absent this "black hat" hack) would be to have direct access to the database, and this is not something that is generally provided to anyone, including admins. Only people who maintain the server have the possibility of accessing this data, and this is not something that they have the time or interest to do. Admins do not read private messages or scan them for content. Nevertheless, vBulletin's database of private messages is not encrypted; it should not be used to send any ultra-secure data (like credit cards, bank passwords, etc.).
2014-05-16, 16:23 | Link #310 | |
He Without a Title
Join Date: Feb 2008
Location: The land of tempura
|
Quote:
As for fixing that particular issue maybe a whitelist could be put in place but I reckon that takes some development time.
2014-05-16, 16:55 | Link #311 |
I disagree with you all.
Join Date: Dec 2005
|
That... sounds like a lot of effort for what is, sorry, nothing more than a casual discussion forum. What would it protect us from anyway? Phishing, in case someone wants to impersonate us here and put Justin Bieber in our sig?
|
2014-05-16, 18:43 | Link #312 |
Bittersweet Distractor
Join Date: Nov 2007
Age: 32
|
I seem to have lost some of the recent PMs sent to my inbox before the hacking. Is that just a side-effect of whatever reboot you guys did to the site and we lost data?
Last edited by Reckoner; 2014-05-16 at 19:02. |
2014-05-17, 00:48 | Link #316 | |
One PUNCH!
Administrator
Join Date: Dec 2005
|
Quote:
|
|
2014-05-17, 07:13 | Link #318 | |
Kana Hanazawa ♥
Join Date: Jun 2007
Location: France
Age: 37
|
Quote:
2014-05-17, 07:18 | Link #319 |
Yuri µ'serator
Join Date: Nov 2009
Location: FL, USA
Age: 36
|
I am not sure what you've been told or by whom, but Moderators only have the ability to read a PM if it is reported by one of the receiving users, since it creates a copy of the PM in the report; we have no way to access the PM box of any other users.
2014-05-17, 07:37 | Link #320 | ||
Kana Hanazawa ♥
Join Date: Jun 2007
Location: France
Age: 37
|
Quote:
Quote: