Our security: Controversy - Printable Version
Dinkleberg's GMod (https://www.dinklebergsgmod.com/site), Forum: Community Discussion, Thread: Our security: Controversy (/showthread.php?tid=3408)
Our security: Controversy - Sugam - 12-04-2017

Some comments were made in the staff chat about our security, that people feel I went overboard. People also believe that other websites in the gmod community, especially prime hacker targets, do not use the same security. I come on video to prove a point.

Just 2 days ago we had 56 attack attempts on our config files trying to take our site over, which I posted in the staff chat. Ask any staff member to confirm this. Think twice and do a little bit of research before lobbying to the admins and staff to have the protection removed. We have hundreds of players here, probably over 6 figures in dollars in total games and items in people's accounts in total.

But Fish I Hear You Exclaim! Our steam passwords are not logged on our site, our passwords are safe.

My reply: A hacker can produce a man in the middle attack, modify our links and make fake phishing pages to send plain coded passwords to them. It is real easy, just use google. In fact let me google that for you: http://lmgtfy.com/?q=how+to+create+a+fake+steam+login+page

MyBB is not a professional forum with paid round the clock 24/7 security staff to thwart attacks like Enjin. It is an amateur project made by some people, perhaps some fresh college grads trying to make a name for themselves to get noticed, who got together to make a free forum. They do their best, but I have seen for myself MyBB hacked, passwords stolen, and put on the black market in a matter of moments. Think about others, and think about dinkleberg's liability if security is breached. That's all. Thank you.

Also another thing.... We don't have encryption on this website. We do not have an SSL from a CA, something we desperately should have. An SSL from a CA costs money. I can't afford to pay for one, I am sorry. I'm out of work right now due to a surgery, I cannot do it.

What is an SSL?

"SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers."

Read more on an SSL here.

So again before you say something about the security.... We are not secure. We have ZERO encryption here. Everything transmitted on our website is PLAIN TEXT that ANYONE can see and possibly even inject their own code into since it's plain text (can you imagine an injection attempt without our current security? They wouldn't even need an account, they could inject code into a forum view from an admin and use their account like what they did on 4thlife).

Perhaps someone or a few of you would like to step forward and donate some money towards an SSL certificate from a CA so we could be further protected; that would be really thoughtful. The price of an SSL can range greatly and have an annual cost. The cheapest are about 9$ a year and provide minimal low bit encryption (still better than nothing), to 40$ a year for medium bit encryption, and 250$ for strong 256bit encryption. Some providers even come with insurance in case the server is hacked; they cover the cost of repairs and losses. Such as RapidSSL at 12$ a year has 10k$ worth of insurance in case of a loss or damage, 256bit encrypted, domain verification to prevent phishing, site seal, and has 24/7 support so I can call someone for help. For such a low cost, encryption and 10k$ worth of insurance would be nice; you could pay for someone to come here and rebuild the server and compensate a player's losses if we got trashed.

Here is a link to some cheaper providers if someone wants to consider helping out.
https://aboutssl.org/worlds-top-15-cheap-ssl-certificate-providers-2017/

Many of these companies offer 30 day trials that we can also test to make sure they work before we purchase, which is very important. So if you wanna help, discuss it below. Let me get a trial before tossing money at one of these companies. Most companies also offer a 30 day refund too, some don't. We need to make sure they are server compatible and browser trusted.

RE: Our security: Controversy - Lovanatana - 12-04-2017

Could ad revenue from the servers cover, at the very least, minimal protection? Something this serious needs to be addressed to some extent.

RE: Our security: Controversy - Sugam - 12-04-2017

It's actually pretty cheap like I said, 8.99 from a licensed comodo ssl dealer, or 22$ for 3 years: https://comodosslstore.com/positivessl.aspx

rapidssl is 17$ a year: https://www.rapidsslonline.com/ssl-brands/rapidssl/rapidssl-certificates.aspx They provide installation support, more. I would kind of rather go through rapidssl than an "authorized comodo dealer".

RapidSSL was garbage and very sketchy; after a 30 min phone call I could not get my free trial.

Some other sites provide things like malware scanning and stuff. I just think encryption is enough, I got the malware part covered.

I can get a free 90 day trial (SWEET) from comodo, we should try that first. https://ssl.comodo.com/free-ssl-certificate.php?track=8177

We are now using the 90day free trial.

RE: Our security: Controversy - Sugam - 12-04-2017

Hey lookie there at the top https://www.dinklebergsgmod.com/site/ 90day comodo ssl cert installed and working, we are now encrypted for the next 90 days. It might have a little icon next to it because of people's images from off sites. That's called "mixed content" and you should not be afraid of it. It means the OFFSITE pictures you guys post, or things like the game tracker icons, are not covered under the encryption. Obviously I cannot encrypt something when you link another website.

But I would say security is much better now. I might have a solution for the pictures: I can use a redirect proxy where the server reads itself and then encrypts the pictures and then sends the pictures to you. It would add extra strain to the server though. Literally double work. Do you guys care if your shit posting pictures are encrypted, or are you guys happy that it's encrypted as is?

If you don't know what I'm talking about, if it's too technical for you or what not, then to make it simple: The important shit is encrypted now. Pictures of scoovies naked ass are not. A hacker can AT MOST ONLY see that you looked at PICTURES of scoovies ASS on the forum.

If you are more technically inclined you can look at the mixed content in firefox in the element inspector; it's just like your avatar pictures and game tracker....

Also RAPIDSSL was a bust; their free link did not work, I called them and after 20 mins they tried to sell me a cert for 8.99 saying that there was a 30 day guarantee, so fuck rapidssl, if their 30 day trial can't work they can go fuck off.

RE: Our security: Controversy - EpicGuy - 12-04-2017

Thanks for everything that you're doing Sugam. I know one of my concerns last year when we migrated over to these forums from Enjin was my Steam account being compromised and the forums not having an SSL certification, and I've overheard a couple of players talking about that too. Luckily we're still good.

We talk about wanting to take this server to the next level and being the best. Well I wholeheartedly believe that protecting our forums and our users is definitely something that needs to be done. Peppermint Patches brings up a good point. Can some of the donations be allocated to paying for encryption service? I'm not sure what the upkeep costs are, but if we took all donation options and made half of the costs go to server expenses and half go to encryption we should be ok, right? (Take TMod, a $40 donation: $20 goes to the server and $20 goes towards encryption.)

On a related note, if for whatever reason you're reading this and you don't have Steam's two-factor authentication enabled (Steam Guard) I HIGHLY recommend you enable that ASAP. Two-factor authentication can decrease your chances of losing your account. In fact, enable two-factor authentication on every account you can.

Thanks again for your dedication to our safety Sugam.

RE: Our security: Controversy - Sugam - 12-04-2017

Before, we used to use the free web server from nfo, which I don't even think we could install an SSL cert on. I did not get to see our site on the free nfo server, but I do know nfo's setup and it's a security joke: it's literally 40 people on the same server with their own folder. You can ssh in and even use commands like W and last and history and see everyone's actions everywhere. All the users' IPs from ALL the websites. I can't install an SSL cert without having access to Apache and sites-available to edit the virtual hosts, and that was not available on the free nfo webserver. And they sure the hell did not run mod-security. So moving all this, the forums, loading screens, ban sites, all over to the "SQL Server" was the best move. At one point I considered just using a self signed cert and making the user, as in YOU, responsible for using HTTPS instead of HTTP. You would have to permit it in the browser because self signed certs are not trusted, but THAT option is still better than no option.

RE: Our security: Controversy - Tedgp908 - 12-04-2017

The problem with SSL jokes is that you must get someone else to vouch for you before you can tell the joke.
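Sugam's mixed-content post above explains that offsite images and tracker icons are the parts of the now-HTTPS forum that stay unencrypted. As an added example (not code from this thread, from MyBB, or from the forum), here is a small standard-library Python scanner that lists the http:// subresources an HTTPS page references and separates active mixed content (scripts, stylesheets, frames, which browsers block because they can run in the page) from passive mixed content (images, media, which only leak what you viewed); the page URL, hostnames and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that can execute or restyle the page: "active" mixed content.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
# Subresources that are only displayed or played: "passive" mixed content.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("rel") != "stylesheet":
            return  # only stylesheets are active; icons etc. are ignored here
        if tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return  # plain <a href> links are navigations, not subresources
        value = attrs.get(attr)
        if not value:
            return
        # Relative and protocol-relative (//host/...) URLs inherit https from the page.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for http:// subresources of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample thread page: same-site avatar, hotlinked offsite image,
# protocol-relative logo, offsite tracker script, and an ordinary outbound link.
SAMPLE_URL = "https://forum.example.test/showthread.php?tid=1"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/global.css">
<script src="http://tracker.example.test/status.js"></script></head><body>
<img src="/uploads/avatars/avatar_1.png"><img src="http://i.example.test/cat.jpg">
<img src="//cdn.example.test/logo.png"><a href="http://example.test/">link</a></body></html>"""
```

Running `scan_mixed_content(SAMPLE_URL, SAMPLE_HTML)` reports the tracker script as active and the hotlinked image as passive, while the avatar and the protocol-relative logo resolve to https and are not flagged.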
RE: Our security: Controversy - MiniMe - 12-04-2017

Add a way to donate to the forums again. From what I saw on the enjin forums it was paid for like 400 days or something, so if someone wanted to help pay for the forums that could be added to the !donations in game, or should talk to fish/dink about it.

RE: Our security: Controversy - [black]Tronald - 12-04-2017

I haven't had ads in ages, is there an exemption for certain ranks?

RE: Our security: Controversy - Starky - 12-04-2017

Yes Tronald. Thanks for making this clear for those people Fish. Everything you do really helps and is appreciated.