Pages: 1 2
Marvin
National Hazard
Posts: 995
Registered: 13-10-2002
Member Is Offline
Mood: No Mood
I accepted the certificate but I still get warnings and hoops to jump through in Chrome; it says "Server's certificate does not match the URL". I wasn't going to mention it, but if the certificate is being fiddled with anyway:
SHA-256 Fingerprint 81 41 E0 45 57 2C 95 8A C4 34 3C 44 DC 38 2D 5D BB A4 72 B9 3E E8 38 D2 7B 1C 21 55 30 D2 8C 3C
bfesser
Resident Wikipedian
Posts: 2114
Registered: 29-1-2008
Member Is Offline
Mood: No Mood
I didn't want to start a new topic for this; but I wonder if anyone else has noticed that the server time appears to be off by maybe two or three
minutes (ahead).
Compare my system time to the "posted on" timestamp above.
12:44:30 CST
[edit] I'm also CST, but have to set EST in my profile to get the correct hour...
[2nd edit] GMT? Seriously? This forum software is beyond hope.
[Edited on 16.10.13 by bfesser]
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
I will try to get a better matching certificate when I next regenerate it.
Quote: Originally posted by bfesser | I didn't want to start a new topic for this; but I wonder if anyone else has noticed that the server time appears to be off by maybe two or three
minutes (ahead).
Compare my system time to the "posted on" timestamp above.
12:44:30 CST
[edit] I'm also CST, but have to set EST in my profile to get the correct hour...
[2nd edit] GMT? Seriously? This forum software is beyond hope.
[Edited on 16.10.13 by bfesser] |
The forum software does not appear to handle daylight saving time correctly. It shows non-DST times year round. I added a cron job for daily NTP synchronization. The server previously got the value once at boot time but would then drift until the next reboot, which could be many months.
PGP Key and corresponding e-mail address
bfesser
Resident Wikipedian
Posts: 2114
Registered: 29-1-2008
Member Is Offline
Mood: No Mood
Alright, thanks for the clarification, Polverone. I noticed while posting earlier that my own computer's NTP synchronization doesn't seem to be working properly. I'm going to have to look into fixing it. Goddamn Linux Mint... it's 2013 and they can't even get the clock right‽ It's downright ridiculous. This is why Windows die-hards think Linux is a joke. Oh well, at least I don't have to fight with USB drivers.
Crowbar
Harmless
Posts: 13
Registered: 13-3-2009
Member Is Offline
Mood: No Mood
Hey Polverone,
First, your server still accepts some weak ciphers. See https://www.ssllabs.com/ssltest/analyze.html?d=sciencemadnes...
It's also reporting an issue with PFS.
Furthermore, there are other server settings that affect security. An ultra-concise reference that includes recommended configs for the common web
servers: https://cipherli.st/
Second, when your next annual self-signed certificate reissue time rolls around, how does any one of us know we're not being man-in-the-middled and that the new certificate actually comes from you?
Consider providing some out-of-band method for us to verify the site's new certificates, such as publishing a hash of the key on multiple other channels.
Alternately, sign the site certificates with a root certificate you create, and publish the root (and revocation list) elsewhere. Setting up is just a
few openssl commands, and it has the important benefit that the root key can be kept off the hosted site machine: you only use it on your own secure
system to sign the site certificates.
In general, I don't see why you reissue your certificates annually. The only idea I have is if you intend to use this as a warrant canary in case
you're gagged by a national security letter. Which also begs the question of why you'd use a US-based host in the first place. Numerous companies and
organizations with far tamer content than this site have moved their data elsewhere. It may be the cautious thing to do to follow suit.
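The two suggestions above (a root certificate you control, kept off the server and used to sign the site certificate, plus a published hash that users can check out of band) as one worked shell example. This is added here and is not Crowbar's, Polverone's or the forum's own script; it assumes the openssl command-line tool is installed, and the hostname forum.example.org, the CA name and the temporary directories are constructed placeholders, not values from the real site. The subjectAltName set in the signing step is also what a browser matches against the URL, which is the "certificate does not match the URL" complaint earlier in the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the openssl CLI is
# installed. HOST and all file names are constructed placeholders.
set -eu

HOST="forum.example.org"   # constructed placeholder, not the real site

# Step 1 (offline machine): root key + self-signed root certificate.
# The root key stays here; only root.crt (and later a CRL) gets published.
make_root_ca() {
    dir="$1"
    cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Forum Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    openssl req -x509 -new -key "$dir/root.key" -sha256 -days 3650 \
        -config "$dir/root.cnf" -out "$dir/root.crt"
}

# Step 2 (web server): site key + certificate signing request. Only the CSR,
# which contains no secret, is carried to the offline machine.
make_site_csr() {
    dir="$1"
    cat > "$dir/site.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/site.key"
    openssl req -new -key "$dir/site.key" -config "$dir/site.cnf" \
        -out "$dir/site.csr"
}

# Step 3 (offline machine): sign the CSR with the root for one year.
# subjectAltName must carry the hostname or browsers report a URL mismatch.
sign_site_cert() {
    dir="$1"
    cat > "$dir/site.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/site.ext" -out "$dir/site.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate as colon-separated hex: the value to
# publish on other channels so users can compare what their browser shows.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 only when site.crt chains to the published root.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/site.crt" >/dev/null 2>&1
}

# Exit status 0 only when site.crt names HOST in its subjectAltName.
has_san() {
    openssl x509 -in "$1/site.crt" -noout -text | grep -q "DNS:$HOST"
}

# Stand-alone demonstration in a scratch directory.
demo() {
    work=$(mktemp -d)
    make_root_ca "$work"
    make_site_csr "$work"
    sign_site_cert "$work"
    verify_chain "$work" && echo "chain verifies against root.crt"
    has_san "$work" && echo "subjectAltName contains $HOST"
    echo "publish out of band: $(fingerprint "$work/site.crt")"
    rm -rf "$work"
}

demo
```

Users who have installed root.crt once then get a clean chain for every annual reissue, and anyone comparing the printed fingerprint against a copy published elsewhere can tell a genuine new certificate from a substituted one.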
WangleSpong5000
Hazard to Others
Posts: 129
Registered: 3-11-2017
Location: Oz
Member Is Offline
Mood: Curious
Bump
I'm learning a lot in this thread about net security; I'm a self-taught web dev student who studies the front end a tad more than the back. I must say though I completely disagree when it comes to drawing one's attention to oneself by using heightened levels of security. I use a VPN every time I log on (almost) on principle. It's a matter of Liberty, which to me is more important than almost everything. But I digress... it appears phpBB version 3.2 has vulnerabilities just as the older versions had. SQL injection is still an issue to a lesser extent, as are cross script attacks... I have much to learn on the subject but I would like to test out the new site regardless... with the Admins' permission of course.
Hyperbole be thy name
katyushaslab
Hazard to Self
Posts: 81
Registered: 19-1-2021
Member Is Offline
Mood: precipitating
So I work as a security consultant in my day job most of the time. If the owners/admins would like any help with securing the forum, threat modelling,
etc, I'd be more than happy to lend my time freely.
Edit:
If there is a way to send like, a VM/container or other "copy" of the SM setup with a dummy database as opposed to the actual user data, this could
tie in with the "forum modernisation" thread.
As it stands, in 2021, there is no reason not to enforce SSL/TLS. SSL/TLS is now the default for the internet. Encrypted web traffic is no longer the standout; it's the norm.
[Edited on 20-1-2021 by katyushaslab]