AnimeSuki Forums

Old 2014-05-16, 02:42   Link #301
k3fan
Member
 
Join Date: Jun 2009
I just changed my password. The previous one was a 5-character mix of letters and digits, not a dictionary word and easy to remember. I used those on forum sites where I keep no private info.

I dropped the idea of even using those on my mail accounts long ago.

More important ones have LastPass generated passwords, and really important (PayPal) sites have 2FA.

Of course then I hear of this Heartbleed exploit. I guess it never ends.
k3fan is offline   Reply With Quote
Old 2014-05-16, 04:18   Link #302
zero7090
Senior Member
 
Join Date: Jul 2007
Quote:
Originally Posted by ForwardUntoDawn View Post
Considering that this is a forum intended for recreation, I'd love to know why we'd require the same sort of security used to store banking information or intelligence vital to national security.
Because we can. Some people build a PC with a dual Xeon CPU mobo, 128 GB RAM, a 15 TB SSD (yes, 14 terabyte SSD, not HDD), water cooled, and at the end of the day the most CPU-intensive task they run is watching YouTube.
zero7090 is offline   Reply With Quote
Old 2014-05-16, 04:26   Link #303
blaze0041
a.k.a. Flammenkrieg
*IT Support
 
 
Join Date: Apr 2009
Location: Down under...
Quote:
Originally Posted by Hiroi Sekai View Post
Don't know why you'd want a LastPass desktop app personally. They've built an extension for basically every major browser out there. I hate using mobile website browsing on the go since so many sites aren't really made super mobile-friendly, so I opt out of the $1/mth fee for the app. I could see how that would be an issue for some though.
I've never even seen a desktop app for LastPass: their installer (aside from installing the browser add-ins) just adds a URL shortcut to the desktop that opens a web page anyway. Nonetheless, I've found it quite handy since the whole Heartbleed bug incident.

Out of curiosity, how difficult is it to update forum software (minor and major versions)?
blaze0041 is offline   Reply With Quote
Old 2014-05-16, 10:57   Link #304
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
So I've been looking into adding HTTPS (SSL) for the forum. I fear, however, there is going to be one problem, called the "Mixed Content Warning". This is basically a browser-generated warning about loading "insecure" (non-HTTPS) elements on an HTTPS-secured page.

The thing is that forum users tend to embed images a lot in posts, mainly in the image-related posts of course, but also elsewhere, and through signatures basically everywhere. Due to this, if you were to browse the forum using HTTPS you'd get mixed content warnings everywhere.

Now one solution I can think of is a little plugin that will make sure that a [IMG] link like this:
Code:
[img]http://www.insecure.com/image.jpg[/img]
is translated into this:
Code:
<img src="//www.insecure.com/image.jpg" />
(note the missing protocol: it forces the browser to simply use the same protocol as the page)

However, one problem with that solution is that the site being linked to must actually support HTTPS. Fortunately Imgur.com, a popular image host, does. But Imagebam.com, another image host I've seen used, does not. Such images would fail to load completely. I could "blacklist" such hosts in the plugin and allow HTTP for them, but then you'd get the mixed content warnings again.

Another issue is: in what way should HTTPS usage be encouraged? Should it simply be supported but not forced in any way? Or should people be automatically redirected to the HTTPS version?

Anyone have any thoughts about this? (And maybe solutions for the problems I foresee?)
GHDpro is offline   Reply With Quote
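The [img] rewrite GHDpro sketches, combined with a list of hosts that must stay on plain HTTP, as an added example that is not from this thread or from vBulletin: it is written in Python rather than as a vBulletin PHP plugin, and the HTTP-only host list is a constructed placeholder, not a tested fact about any host.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed placeholder list of image hosts that (in this example) serve only
# plain HTTP; real entries would come from testing each host, as the post says.
HTTP_ONLY_HOSTS = {"imagebam.com", "www.imagebam.com"}

IMG_TAG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def rewrite_img_url(url):
    """Return (src, mixed) for an [img] URL, or None if the URL is not http(s).

    https URLs pass through; http URLs become protocol-relative ("//host/...")
    so the browser reuses the page's scheme, unless the host is known to be
    HTTP-only, in which case the http URL is kept and flagged as mixed content.
    """
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None                      # only web URLs are embeddable
    if scheme == "https":
        return url, False
    if (parts.hostname or "") in HTTP_ONLY_HOSTS:
        return url, True                 # stays http: page shows the mixed-content cue
    return url[len("http:"):], False     # "http://h/p" -> "//h/p"


def render_img_tags(bbcode):
    """Replace [img]...[/img] tags with <img> elements; return (html, mixed_count).

    Only the [img] tags are handled here; a full BBCode parser would also
    escape the surrounding text before output.
    """
    mixed = 0

    def repl(match):
        nonlocal mixed
        result = rewrite_img_url(match.group(1))
        if result is None:
            return html.escape(match.group(0))   # leave unsupported tag as text
        src, is_mixed = result
        mixed += int(is_mixed)
        return '<img src="%s" />' % html.escape(src, quote=True)

    return IMG_TAG_RE.sub(repl, bbcode), mixed
```

The returned mixed count tells the page how many images will still trigger the browser's partial-encryption cue, which is the information needed to decide between the "optional" and "redirect everyone" deployment choices.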
Old 2014-05-16, 11:52   Link #305
sneaker
Senior Member
 
Join Date: Dec 2008
Did you test that? I think <img> counts as passive content and is not blocked by default by any of the common browsers.
sneaker is offline   Reply With Quote
Old 2014-05-16, 12:20   Link #306
Infinite Zenith
Operation sneaky sneaks
*IT Support
 
 
Join Date: Aug 2012
Location: Hic et ubique
Quote:
Originally Posted by zero7090 View Post
Because we can. Some people build a PC with a dual Xeon CPU mobo, 128 GB RAM, a 15 TB SSD (yes, 14 terabyte SSD, not HDD), water cooled, and at the end of the day the most CPU-intensive task they run is watching YouTube.
I somehow doubt that. Most of the people who build über-powerful PCs do so with a specific purpose in mind, such as multi-monitor gaming, running large-scale simulations, video processing or graphics. Funny you should mention those specs, since that's similar to the server machine the lab uses (although, check your references: we don't have single 15 TB SSDs. The largest drives out there are 4 TB, so you'd only be able to achieve a capacity of 15 TB using a combination of drives). We have justification for that kind of power because we use it. Similarly, I built a custom computer a year back that was fine-tuned to my specifications so I could make the most of the machine without shelling out a fortune. On that token, a casual user wouldn't buy such machines knowing he could do the same with a significantly more cost-effective computer.

It boils down to purpose, and I don't see it as necessary to make this forum as secure as the servers that hold banking information. For all the work that the admins handle, it is the user's responsibility to make sure that their forum credentials aren't tied to anything important, and if said users use the same credentials for their banking as they do for AnimeSuki, it's their fault if anything should happen.
Infinite Zenith is offline   Reply With Quote
Old 2014-05-16, 12:31   Link #307
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by sneaker View Post
Did you test that? I think <img> counts as passive content and is not blocked by default by any of the common browsers.
Hmm... you might be on to something. Sorry for over-thinking this. I'll test / research a bit further.

Edit: Yeah, it would seem Mixed Content warnings are a lot less obnoxious than what I remember them to be in the past. Both Firefox and Chrome will show a visual cue though: both will show a warning triangle on top of or in place of the lock icon that would normally be shown for an encrypted page, and when you click that they'll warn about partially encrypted content. But that's just a minor inconvenience I suppose.

Last edited by GHDpro; 2014-05-16 at 12:50.
GHDpro is offline   Reply With Quote
Old 2014-05-16, 12:56   Link #308
Gooral
Banned
 
Join Date: Jun 2007
Location: The town where Copernicus was born.
Age: 38
Quote:
Originally Posted by NightWish View Post
We also suggest you review the private messages you have on the forum to assess the impact of their disclosure to you personally.
In other words - admins can read private messages if they choose to do so. This explains a lot.
Gooral is offline   Reply With Quote
Old 2014-05-16, 14:43   Link #309
relentlessflame
 
*Administrator
 
 
Join Date: Dec 2003
Age: 41
Quote:
Originally Posted by Gooral View Post
In other words - admins can read private messages if they choose to do so. This explains a lot.
That is not what NightWish was suggesting by the comment; the intruder was able to masquerade as the user to use the download feature you can use, not some sort of admin tool.

There is no tool in vBulletin to read another person's private messages. The only way to do it (absent this "black hat" hack) would be to have direct access to the database, and this is not something that is generally provided to anyone, including admins. Only people who maintain the server have the possibility of accessing this data, and this is not something that they have the time or interest to do. Admins do not read private messages or scan them for content. Nevertheless, vBulletin's database of private messages is not encrypted; it should not be used to send any ultra-secure data (like credit cards, bank passwords, etc.).
relentlessflame is offline   Reply With Quote
Old 2014-05-16, 16:23   Link #310
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by GHDpro View Post
So I've been looking into adding HTTPS (SSL) for the forum. I fear, however, there is going to be one problem, called the "Mixed Content Warning". This is basically a browser-generated warning about loading "insecure" (non-HTTPS) elements on an HTTPS-secured page.

The thing is that forum users tend to embed images a lot in posts, mainly in the image-related posts of course, but also elsewhere, and through signatures basically everywhere. Due to this, if you were to browse the forum using HTTPS you'd get mixed content warnings everywhere.

Now one solution I can think of is a little plugin that will make sure that a [IMG] link like this:
Code:
[img]http://www.insecure.com/image.jpg[/img]
is translated into this:
Code:
<img src="//www.insecure.com/image.jpg" />
(note the missing protocol: it forces the browser to simply use the same protocol as the page)

However, one problem with that solution is that the site being linked to must actually support HTTPS. Fortunately Imgur.com, a popular image host, does. But Imagebam.com, another image host I've seen used, does not. Such images would fail to load completely. I could "blacklist" such hosts in the plugin and allow HTTP for them, but then you'd get the mixed content warnings again.

Another issue is: in what way should HTTPS usage be encouraged? Should it simply be supported but not forced in any way? Or should people be automatically redirected to the HTTPS version?

Anyone have any thoughts about this? (And maybe solutions for the problems I foresee?)
I vote for making it optional if possible. The mixed content warning may put off some people.

As for fixing that particular issue maybe a whitelist could be put in place but I reckon that takes some development time.
Dextro is offline   Reply With Quote
Old 2014-05-16, 16:55   Link #311
Anh_Minh
I disagree with you all.
 
 
Join Date: Dec 2005
Quote:
Originally Posted by GHDpro View Post
Anyone have any thoughts about this? (And maybe solutions for the problems I foresee?)
That... sounds like a lot of effort for what is, sorry, nothing more than a casual discussion forum. What would it protect us from anyway? Phishing, in case someone wants to impersonate us here and put Justin Bieber in our sig?
Anh_Minh is offline   Reply With Quote
Old 2014-05-16, 18:43   Link #312
Reckoner
Bittersweet Distractor
 
 
Join Date: Nov 2007
Age: 32
I seem to have lost some of the recent PMs sent to my inbox before the hacking. Is that just a side-effect of whatever reboot you guys did to the site, and we lost data?

Last edited by Reckoner; 2014-05-16 at 19:02.
Reckoner is offline   Reply With Quote
Old 2014-05-16, 19:23   Link #313
kenjiharima
Mizore-chan
 
 
Join Date: Jun 2006
Location: Moe Land
Age: 43
My own yahoo email was almost compromised because of this, lost all my email there... :/
kenjiharima is offline   Reply With Quote
Old 2014-05-16, 20:21   Link #314
relentlessflame
 
*Administrator
 
 
Join Date: Dec 2003
Age: 41
Quote:
Originally Posted by Reckoner View Post
I seem to have lost some of the recent PMs sent to my inbox before the hacking. Is that just a side-effect of whatever reboot you guys did to the site, and we lost data?
Yes, the PM table was reverted to an earlier "known good" state, so you will regrettably have lost some recent Private Messages.
relentlessflame is offline   Reply With Quote
Old 2014-05-17, 00:00   Link #315
Miraluka
Banned
 
Join Date: Jan 2009
Age: 34
I can't link any picture to change my avatar since there is no option to insert the URL as you normally could. Just the upload option.
Miraluka is offline   Reply With Quote
Old 2014-05-17, 00:48   Link #316
CrowKenobi
One PUNCH!
*Administrator
 
 
Join Date: Dec 2005
Quote:
Originally Posted by Miraluka View Post
I can't link any picture to change my avatar since there is no option to insert the URL as you normally could. Just the upload option.
It's always been that way, at least since that upload option was used as an exploit and crashed the forum in 2005...
CrowKenobi is offline   Reply With Quote
Old 2014-05-17, 01:11   Link #317
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Miraluka View Post
I can't link any picture to change my avatar since there is no option to insert the URL as you normally could. Just the upload option.
This is being looked into. I disabled a specific PHP setting that may have also disabled this feature. But it may be possible to turn it back on a different way.
GHDpro is offline   Reply With Quote
Old 2014-05-17, 07:13   Link #318
Kanon
Kana Hanazawa ♥
 
 
Join Date: Jun 2007
Location: France
Age: 37
Quote:
Originally Posted by relentlessflame View Post
That is not what NightWish was suggesting by the comment; the intruder was able to masquerade as the user to use the download feature you can use, not some sort of admin tool.

There is no tool in vBulletin to read another person's private messages. The only way to do it (absent this "black hat" hack) would be to have direct access to the database, and this is not something that is generally provided to anyone, including admins. Only people who maintain the server have the possibility of accessing this data, and this is not something that they have the time or interest to do. Admins do not read private messages or scan them for content. Nevertheless, vBulletin's database of private messages is not encrypted; it should not be used to send any ultra-secure data (like credit cards, bank passwords, etc.).
Wait, are you claiming moderators can't read our PMs? I've been told the very opposite by another mod not so long ago.
Kanon is online now   Reply With Quote
Old 2014-05-17, 07:18   Link #319
Kotohono
Yuri µ'serator
 
 
Join Date: Nov 2009
Location: FL, USA
Age: 36
Quote:
Originally Posted by Kanon View Post
Wait, are you claiming moderators can't read our PMs? I've been told the very opposite by another mod not so long ago.
I am not sure what you've been told or by whom, but Moderators only have the ability to read a PM if it is reported by one of the receiving users, since that creates a copy of the PM in the report; we have no way to access the PM box of any other user.
Kotohono is offline   Reply With Quote
Old 2014-05-17, 07:37   Link #320
Kanon
Kana Hanazawa ♥
 
 
Join Date: Jun 2007
Location: France
Age: 37
Quote:
Originally Posted by Konakaga View Post
I am not sure what you've been told or by whom, but Moderators only have the ability to read a PM if it is reported by one of the receiving users, since that creates a copy of the PM in the report; we have no way to access the PM box of any other user.
I must have misunderstood then. I was told this:

Quote:
Actually we can monitor pms.

This is a tricky thing. If they ask you for a link via PM it is not like we go out of our way to monitor them all (that would be torture), but if we find out about it then we have to act on it, just as we have to act on things when posted "publicly" in the threads or on an individual user's wall.
My understanding was that you can read any PM but that it would be too much of a pain to monitor them all.
Kanon is online now   Reply With Quote
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.