Calnago wrote: ↑Wed Feb 21, 2018 3:40 am
Well it was your post, combined with the weirdness of my computer yesterday that got me looking into this a bit. I looked for the “s” after the “http” of some sites I visit. Some have it. Some don’t. Velonews seems to not have it, the same as WeightWeenies. I guess I just try to use common sense. Ran a full deep scan using Norton today, took hours, but came back with no threats detected so that was a bit reasssuring. And no weirdness today so maybe it fixed itself. Wish bikes did that.
Calnago wrote: ↑Tue Feb 20, 2018 7:43 pm
One question however... how secure is this site from hackers... reason I ask is that yesterday while posting to my C64 thread, my computer started doing all kinds of weird things, like it was possessed. I shut everything down, but was a bit unnerved by it all. I'm pretty careful about what I do on the internet, but I did download some pics from some of those bike review sites when they were reviewing the C64. That's as close to porn as I go on the internet. Lol. I hope I didn't inadvertently download some malware in the process. I'll be doing a full deep scan of my computer today.
Klaster1 wrote: ↑Wed Feb 21, 2018 3:30 am
Calnago wrote: ↑Tue Feb 20, 2018 7:43 pm
how secure is this site from hackers
As I said earlier, without HTTPS the forum is totally insecure: because requests aren't encrypted at all, anyone can listen for those and steal your credentials. That won't allow arbitrary code execution on your computer (the incident probably had nothing to do with WW), but leakage of admin credentials
might be part of attack vector. Honestly, if your forum login/password are unique I wouldn't bother about the rest.
First, I am not a web security expert. However, I do have some basic knowledge.
Regarding SSL-encryption (https):
If your local computer is affected with any malware then it does not really matter wether the http requests are being sent encrypted or not. Attackers can listen on the machine before it is being encrypted and sent. When you log in to a non-ssl-encrypted website (like WW currently) and you do not have any malware on your computer, the only thing which could happen is that the NSA reads/listen to/saves the unencrypted https requests because they have access to many significant internet traffic hubs around the world and therefore are able to observe a lot of internet traffic.
When an admin with malware on the computer logs into the admin panel they cannot see/access the users passwords as passwords are
always stored encrypted (md5/sha1/...). Only thing which they could probably get with a lot of effort are some email adresses for email-spam.
Sure - I do also not like any email spam. I would also prefer when WW was already fully transferred to SSL encrypted option. But the potential damage (which already requires a lot of effort and matching circumstances) is really manageable. You do furtherly log in to WW with username and password combination, that is also more secure like with email / password. As Klaster1 claimed, when your online-banking and PayPal credentials are not exactly the same like on WW there is absolutely no risk. And if they would match it is also extremely unlikely that anything happens.
We probably do convert WW to https prospectively but this must be a well planned event as WW is a really big project with a huge Google index and there is a lot which can go wrong when doing this. It is not trivial with such a large project. When doing something wrong we could face to lose a relavant count of Google organic visitors.
There are also some other hacking options, but also this is very unlikely that they will succeed for the attackers as we try to always keep the forums software on the latest update iteration. Most of the updates do only fix potential attacking weaknesses. Sure, everybody (also attackers) can look into the forums source code due it's open source nature, but there are also hell lot of users enhancing the code and make it more secure.
Some of those attacks could be:
SQL injections
I personally expect/guess the forum software to be safe here. Biggest potential damage for the user would be that attackers get access to the database which would mean to get email adresses and encrypted passwords (useless through encryption). (This does not have anything to do with SSL/https)
XSS scripting
I also guess that the forum is quite save as we use a widely used template (now
) and we do not have changed anything relevant (regarding this subject) but CSS. I would expect that the developers take care of secure forms/input fields etc.). Potential risk would be manageable as web browsers have generelly very limited options for attackers (there are a lot of security limitations for JavaScript for example). Potential risk: Credentials could be stolen (unencrypted). (This does not have anything to do with SSL/https)
Attachments
I will check the admin control panel about what users can upload exactly but I strongly expect that it is limited to pictures. Then I expect that there is no risk. (This does not have anything to do with SSL/https)
The biggest problem regarding likeability/occurence and potential damage - regardless WW - is when you (accidentially) click on a malware in a spam email or when you download something but images from the internet and execute this. Hackers can for example create a
attack.exe file and rename it in
NortonAntiVirus2018.exe. Also they adjust the file size accordingly and put in the same icon
When you click and do not have a anti-virus software than the machine is infected. It is always good to have some care when browsing the internet.
