Please provide HTTPS support (mandatory for login, ideally for the whole site).


Post

SSL (https) serves more than one purpose. SSL allows the data flow between the client and server to be encrypted for purposes of securing user names, passwords, etc. It is also used to authenticate the identity of the server, and also clients, although this is hardly ever used. A digital certificate from an untrusted authority is useless for authenticating the server. I could use OpenSSL and generate a certificate for kvraudio.com and install it on my server. Trusted certifying authorities always verify with the domain owner if they requested the certificate before issuing it.

Certificates aren't expensive, aren't hard to set up, and do make your website access more secure. There aren't many reasons not to use them.

SSL does NOT prevent your site from being hacked. But if I can steal an admin's credentials, I can log in and do pretty much anything I want, including capturing user account information and advertisers' data. If you think you have no valuable user information to be stolen, you are wrong. All information about you has value to hackers.

I don't find the OP's post ignorant in any way. I don't need to be a medical researcher to ask a doctor if I need shots before traveling abroad. The question starts the dialog, and that's how we learn and make decisions. Every business decision involves cost-benefit analysis, but not many business decisions will be proposed, analyzed, and decided in a single post. You have to start somewhere.

I have been working in cyber-security for over 15 years, and find the "ignorant" ones are those that make statements like "I'm not a target", or "nobody wants my information". Everyone is a target, and even if you have no directly valuable information, that information can be used to get other information that is more valuable. The Internet is like one huge neighborhood watch program - we all have to do our part to keep the neighborhood safe.

Post

aMUSEd wrote:
koalaboy wrote: There used to be the certificate cost... this is now irrelevant thanks to https://letsencrypt.org/
So does this mean any scammer can now create an HTTPS site? I thought the whole point of the licensing was to promote trust? One of the things I look for if I think I've been directed to a spoofed site is HTTPS certification.
It was possible to get a free SSL cert before (StartCom comes to mind).
aciddose wrote: Ultimately you are responsible for your own security. Don't use a public bulletin board if you aren't willing to accept the risks.

If you have confidential information you need to exchange, use encrypted email with a secure key exchange, such as a physical key exchange.
In a perfect world, that would make sense. Unfortunately, encryption is never easy. If the encryption is easy to use - it's insecure. Moreover, if the site doesn't allow secure login, you can't really "manage your own security" - logging in securely is not an option (well, technically you could use a VPN, but are we really going to force people to use VPNs just because they want encrypted login?).
I don't know what to write here that won't be censored, as I can only speak in profanity.
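The two points argued above (a certificate from an authority the browser does not trust proves nothing about the server, and a validly issued certificate only proves control of a domain name, not that the operator is honest) can be shown with a few lines of Go. This is an added example, not code from the thread or from KVR; it uses only the standard library, builds two constructed certificate authorities in memory (a "trusted" one and a "rogue" one, both hypothetical), has each issue a certificate for kvraudio.com, and then runs the same check a browser runs: chain the certificate to a trusted root and match the host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is a toy certificate authority: a self-signed root and its private key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root certificate with the given name.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issue signs a server certificate for host with this CA's key. Nothing here
// checks that the requester controls host: any CA can sign any name, which is
// exactly why the client's trust store, not the certificate, decides trust.
func (c *ca) issue(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname matching uses the SAN list
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verdict verifies leaf for host against a trust store holding only roots and
// classifies the outcome: "ok", "untrusted-issuer", "wrong-host" or "other".
func verdict(leaf *x509.Certificate, host string, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted-issuer"
	case errors.As(err, &hostErr):
		return "wrong-host"
	default:
		return "other"
	}
}

func main() {
	trusted, err := newCA("Trusted Root CA (constructed)")
	if err != nil {
		panic(err)
	}
	rogue, err := newCA("Rogue CA (constructed)")
	if err != nil {
		panic(err)
	}
	genuine, err := trusted.issue("kvraudio.com")
	if err != nil {
		panic(err)
	}
	forged, err := rogue.issue("kvraudio.com") // anyone can mint this with OpenSSL
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert, client trusts Trusted Root:  ", verdict(genuine, "kvraudio.com", trusted.cert))
	fmt.Println("forged cert,  client trusts Trusted Root:  ", verdict(forged, "kvraudio.com", trusted.cert))
	fmt.Println("forged cert,  client trusts Rogue CA:      ", verdict(forged, "kvraudio.com", rogue.cert))
	fmt.Println("genuine cert presented for another host:   ", verdict(genuine, "kvr-login.example", trusted.cert))
}
```

The forged certificate is byte-for-byte as well-formed as the genuine one; it is rejected only because its issuer is not in the client's trust store. Conversely, a free certificate from a trusted CA for a look-alike domain would pass this check for that domain, so the padlock says "you are talking to whoever controls this name", nothing more.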

Post

Ciberithm wrote: I have been working in cyber-security for over 15 years
Well, maybe you're seeing things from your perspective then. I mean, in the end, you make your money with people getting hacked, so you hardly will argue that security is not an issue. ;) No offense. But I think especially the security branch, antivirus solution companies etc. have a definite interest in scaring the crap out of people. Not saying you do, just generally speaking. And when I read then that things aren't at all as easy as it seems, and hackers have to do this and that, if the user does this and that, and if that case is valid for this situation, then it makes me wonder if there's as big an issue as was claimed.

That said, again, if security can be improved here, and it's in the interest of the site owners, and doable, then it should be done of course.

Post

chk071 wrote: And when I read then that things aren't at all as easy as it seems, and hackers have to do this and that, if the user does this and that, and if that case is valid for this situation, then it makes me wonder if there's as big an issue as was claimed.
Unfortunately, yes it is. The things you think are not easy to do are only "not easy" to do for you. They're not that hard to do for a skilled, experienced attacker. Hell, some of those are very easy for me to do, and it's not even my area of expertise at all.
I don't know what to write here that won't be censored, as I can only speak in profanity.

Post

Burillo wrote:
chk071 wrote: And when I read then that things aren't at all as easy as it seems, and hackers have to do this and that, if the user does this and that, and if that case is valid for this situation, then it makes me wonder if there's as big an issue as was claimed.
Unfortunately, yes it is. The things you think are not easy to do are only "not easy" to do for you. They're not that hard to do for a skilled, experienced attacker.
Tbh, I fail to believe so with this and other sites up and running for years now without bigger problems, but what do I know.

Post

The risk for any given site is small. In my opinion, even small risks are worth protecting against, especially when it can be done cheaply, easily, and without introducing other risks or complications.

Are those conditions true here? I couldn't say. I've passed along a link to Ben, though. He'll know better than I; I build sites but am not particularly knowledgeable on networking issues.

Post

People may say "you can't manage your own security if the site doesn't have a secure login"...

Well neither have I ever seen guards at a bulletin board armed with automatic rifles and asking for your papers ...

Part of "managing your own security" is not providing any access to critical data. For example, your KVR password should not be used anywhere else, other than perhaps other "low security" uses.

Likewise you should NOT use an email linked to critical security features. You can use a throw-away email or host your own email server with encryption so as to avoid any insecure password recovery. (The server is inaccessible without some means you deem appropriate for the required level of security.)

Most importantly, it requires you to think for yourself about these issues and to know that in many cases SSL key exchange and encryption provides absolutely no protection whatsoever.

It makes a lot of sense to ride around in a heavily armored tank with your bare ass sticking out behind, yes?

I'm not saying SSL would be a bad idea... I really don't see how it would be of either any benefit or any detriment. This post isn't aimed at anyone in particular. I just think it would make more sense to consider what the costs and benefits may be first, before making requests or demands. Maybe: "would it make sense to provide an SSL connection for login to the KVR forums and developer dashboard?"
Free plug-ins for Windows, MacOS and Linux. Xhip Synthesizer v8.0 and Xhip Effects Bundle v6.7.
The coder's credo: We believe our work is neither clever nor difficult; it is done because we thought it would be easy.
Work less; get more done.

Post

chk071 wrote:
Ciberithm wrote: I have been working in cyber-security for over 15 years
Well, maybe you're seeing things from your perspective then. I mean, in the end, you make your money with people getting hacked, so you hardly will argue that security is not an issue. ;) No offense. But I think especially the security branch, antivirus solution companies etc. have a definite interest in scaring the crap out of people. Not saying you do, just generally speaking. And when I read then that things aren't at all as easy as it seems, and hackers have to do this and that, if the user does this and that, and if that case is valid for this situation, then it makes me wonder if there's as big an issue as was claimed.

That said, again, if security can be improved here, and it's in the interest of the site owners, and doable, then it should be done of course.
No offense taken by your comment. But I will add that adding a certificate to a website is less than an hour's work, while fixing damage done by hackers can take from days to many months for larger networks. Cyber security professionals make a lot more money when people don't use good security practices.

Post

Thank you, Ben (and all involved).

Post

Hey, how about that! Cool. Thanks from me to Ben too.
