EvilZone

Community => News and Announcements => : ande August 20, 2012, 11:19:03 AM

: SSL
: ande August 20, 2012, 11:19:03 AM
SSL support now available.

https://Evilzone.org
: Re: SSL
: pl0tuS August 20, 2012, 01:00:48 PM
Love for Evilzone : Over 9000
: Re: SSL
: lucid August 21, 2012, 01:49:05 AM
Wonderful news!
: Re: SSL
: Zesh August 21, 2012, 02:16:39 AM
lol, FF gives me the 'Untrusted Connection' page :P
: Re: SSL
: Satan911 August 21, 2012, 04:38:15 AM
lol, FF gives me the 'Untrusted Connection' page :P

That's because we didn't pay for an SSL certificate. However the encryption is the same and the result (if you trust our self-signed certificate) is the same.
: Re: SSL
: iTpHo3NiX August 21, 2012, 05:04:22 AM
asdf
: Re: SSL
: Zesh August 21, 2012, 05:17:09 AM
That's because we didn't pay for an SSL certificate. However the encryption is the same and the result (if you trust our self-signed certificate) is the same.

Lol, I was about to ask you, how much you paid for it :P Good work, either way :D
: Re: SSL
: Satan911 August 21, 2012, 05:28:00 AM
The certificate only allows you to know (almost) for sure that you are on the good/real website and that traffic is indeed encrypted. There's no real advantage for us to have a certified SSL connection as there are probably close to no sites cloning EZ in order to steal account information.

Glad you are happy with this but thank ande not me ;)
: Re: SSL
: iTpHo3NiX August 21, 2012, 06:24:38 AM
asdf
: Re: SSL
: techb August 21, 2012, 07:17:05 AM
The only issue I have with using SSL is links don't point to it. Such as, when I read new posts via /unread it puts me right back into http instead of the SSL. It may be different on a non-mobile device, but I keep getting put back into http.

In any sense, SSL is great. I hope v2 will have out of the box SSL with all internal links and all. BTW v2 is looking epic (slight peeve on the navigation border though, it is wrong with the diode rectifier lol, plus the ceramic capacitor will block ground or vcc, but tis okay), can't wait till the official release.
: Re: SSL
: iTpHo3NiX August 21, 2012, 11:15:27 PM
asdf
: Re: SSL
: namespace7 August 21, 2012, 11:22:15 PM
The only issue I have with using SSL is links don't point to it. Such as, when I read new posts via /unread it puts me right back into http instead of the SSL.

Same problem here :(
: Re: SSL
: Zesh August 22, 2012, 12:48:12 AM
Hmm..../unread is working perfectly for me :P
: Re: SSL
: iTpHo3NiX August 22, 2012, 01:16:17 AM
asdf
: Re: SSL
: lucid August 22, 2012, 01:26:41 AM
Have you guys heard of HTTPS Everywhere?
: Re: SSL
: iTpHo3NiX August 22, 2012, 02:20:55 AM
asdf
: Re: SSL
: theellimist August 22, 2012, 02:21:48 AM
The only issue I have with using SSL is links don't point to it. Such as, when I read new posts via /unread it puts me right back into http instead of the SSL. It may be different on a non-mobile device, but I keep getting put back into http.
I haven't noticed this yet. Anyway, totally awesome guys!
: Re: SSL
: ande August 23, 2012, 03:14:50 PM
Hmm, bad coding on SMF's part.. I could put a small piece of code @ script startup that checks if you are on SSL or not and redirect you if you are not (and you have "enabled" SSL).

I'll see what I can do.
: Re: SSL
: Stackprotector August 27, 2012, 06:36:21 PM
Ande, let's just ask for SSL.
: Re: SSL
: Simba August 27, 2012, 10:26:09 PM
Good news! Good to see my suggestion implemented ;)
: Re: SSL
: iTpHo3NiX September 07, 2012, 04:18:27 AM
Have you guys heard of HTTPS Everywhere?

Even with this addon, I still find that sometimes I get set back to no SSL... dunno what the issue is... I've tried replicating it, but it's a hit or miss... Not sure what's going on... It might be a cache issue though...

Honestly I think SSL should be standard and forced on all sites...

Also just wanted to add that there is no SSL on the upload.evilzone.org, if you try https it won't even load the page (noticed it when I tried loading it with https everywhere)

EDIT:
(like right now, I was SSL when I made this post, but then after I submitted it I went back to noSSL... Not sure what's up with it)
: Re: SSL
: lucid September 07, 2012, 05:28:39 AM

Also just wanted to add that there is no SSL on the upload.evilzone.org, if you try https it won't even load the page (noticed it when I tried loading it with https everywhere)


Strange, with HTTPS Everywhere I can load upload evilzone just fine.
: Re: SSL
: iTpHo3NiX September 07, 2012, 09:17:58 AM
Strange, with HTTPS Everywhere I can load upload evilzone just fine.

but is it https? I can load it, as long as I don't have the https://upload.evilzone.org

This is what happens when I load https://upload.evilzone.org (check attachment)
: Re: SSL
: s3my0n September 07, 2012, 12:32:24 PM
Even with this addon, I still find that sometimes I get set back to no SSL... dunno what the issue is... I've tried replicating it, but it's a hit or miss... Not sure what's going on... It might be a cache issue though...

Honestly I think SSL should be standard and forced on all sites...

Also just wanted to add that there is no SSL on the upload.evilzone.org, if you try https it won't even load the page (noticed it when I tried loading it with https everywhere)

EDIT:
(like right now, I was SSL when I made this post, but then after I submitted it I went back to noSSL... Not sure what's up with it)

Maybe someone is sniffing your traffic with sslstrip ;P
: Re: SSL
: iTpHo3NiX September 07, 2012, 07:54:04 PM
Maybe someone is sniffing your traffic with sslstrip ;P

I can be sure that's not happening ;)
: Re: SSL
: lucid September 07, 2012, 10:24:17 PM
That's strange. I hadn't noticed it before but that happens to me too. When I go to the ssl version it just takes me to the main page.

Hmmm..
: Re: SSL
: iTpHo3NiX September 08, 2012, 01:21:13 AM
I'm thinking it might be a cache problem... Might have to do that, then flush my dns.
: Re: SSL
: ande September 08, 2012, 01:54:32 AM
I am guessing this is a SMF/Theme problem. This theme and the SMF engine we are using have been hacked up and changed so much that there are probably a few hard coded links around etc. And because of this, I am not going to try to fix it, as this system is gonna get scrapped in not too long.
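One way to locate the hard-coded links suspected above, as an added example that is not part of the original thread or the forum's own code: it scans rendered HTML for same-site `href`, `src` and `action` values that name `http://` explicitly. The host `forum.example` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that trigger a navigation or fetch

class DowngradeLinkFinder(HTMLParser):
    """Collects same-site URLs that hard-code the http scheme."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            host = (parts.hostname or "").lower()
            same_site = host == self.site_host or host.endswith("." + self.site_host)
            # Relative and scheme-relative URLs inherit the page's scheme, so
            # only an explicit http:// to our own site moves the user off TLS.
            if parts.scheme.lower() == "http" and same_site:
                line, _ = self.getpos()
                self.findings.append((line, tag, name, value))

def find_downgrade_links(html, site_host):
    finder = DowngradeLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from the real forum.
SAMPLE_PAGE = """<html><body>
<a href="/index.php?action=unread">Unread (relative, keeps HTTPS)</a>
<a href="http://forum.example/index.php?action=unread">Unread (hard coded)</a>
<form action="http://forum.example/index.php?action=post2" method="post"></form>
<img src="//forum.example/logo.png">
<a href="http://other.example/">External</a>
<a href="https://upload.forum.example/">Uploads</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_downgrade_links(SAMPLE_PAGE, "forum.example"):
        print(f"line {line}: <{tag} {attr}> -> {url}")
```

Running it over the pages a theme produces lists each template location that needs a relative or `https://` URL.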
: Re: SSL
: Conch September 08, 2012, 10:56:32 PM
Sorry guys if this is a stupid question, but this got me questioning ever since using the SSL-Only IRC.

What are the benefits of using SSL? The only benefit I know of, is if you're on an unencrypted/public network and the traffic can be sniffed, but the SSL headers can also be stripped?

Besides from sniffing, what other precautions are safer over SSL.

Thanks guys.
P.s, Congrats!  ;D
: Re: SSL
: lucid September 09, 2012, 04:42:34 AM
Sorry guys if this is a stupid question, but this got me questioning ever since using the SSL-Only IRC.

What are the benefits of using SSL? The only benefit I know of, is if you're on an unencrypted/public network and the traffic can be sniffed, but the SSL headers can also be stripped?

Besides from sniffing, what other precautions are safer over SSL.

Thanks guys.
P.s, Congrats!  ;D

Honestly(and quote me if I'm wrong) it's not a perfect thing. It's a good precaution to take but as you said SSL headers can be stripped. Everything has a flaw.
: Re: SSL
: m0ldy January 21, 2013, 06:49:03 PM
Not to revive an oldie, but the correct thing would be to use mod_rewrite and force all over https. Many hosts provide this via .htaccess files.


Would it be an option to donate a real SSL cert? you can pick them up for ~45 now.


Anything I run on the web has paid SSL certs, as accepting self signed just gets you in the habit of accepting certs. MITM attacks can happen and you wouldn't even know.
: Re: SSL
: iTpHo3NiX January 21, 2013, 08:34:57 PM
Not to revive an oldie, but the correct thing would be to use mod_rewrite and force all over https. Many hosts provide this via .htaccess files.


Would it be an option to donate a real SSL cert? you can pick them up for ~45 now.


Anything I run on the web has paid SSL certs, as accepting self signed just gets you in the habit of accepting certs. MITM attacks can happen and you wouldn't even know.


Name some sites with paid SSL certs? Even Google doesn't run a paid SSL cert... Everyone I know signs them themselves. And please elaborate how accepting a self-signed SSL cert can make a MITM attack happen?
: Re: SSL
: Fur January 22, 2013, 02:24:50 AM

Name some sites with paid SSL certs? Even Google doesn't run a paid SSL cert... Everyone I know signs them themselves. And please elaborate how accepting a self-signed SSL cert can make a MITM attack happen?
Google's cert is verified, they've just acted as their own CA (or whatever it's called).
A few sites that use a paid cert:
Facebook.
Every bank I can name.
Wikipedia.


It all comes down to, can you determine that you are using the same crypto key that the server is? The reason for signing certificates and the like is to try to detect when you are being hit with a man-in-the-middle attack. In a nutshell, that attack is when you try to open a connection to your 'known' IP address, say, 123.45.6.7. Even though you are connecting to a 'known' IP address of a server you trust, doesn't mean you can necessarily trust traffic from that IP address. Why not? Because the Internet works by passing data from router to router until your data gets to its destination. Every router in between is an opportunity for malicious code on that router to re-write your packet, and you'd never know the difference, unless you have some way to *verify* that the packet is from the trusted server.
A crypto key, if you have the *correct* key, can verify for you that the data hasn't been tampered with. The problem is, however, that before you can begin encrypted communications, you must do an *unencrypted* key exchange, where the server gives you its crypto key. Here's where the man-in-the-middle has an opportunity. If your traffic is going through my router, I can intercept the self-signed key from the server, and generate a new self-signed key with the same server name, etc in it, so that it *looks* like the self-signed key from your server, but which allows me to decrypt the communications between you and the server. My router then establishes a connection to the server using the *correct* key, and as data passes between you and the server, I unencrypt the data using the real key, then re-encrypt it using the 'fake' key. So, the data is encrypted between me and the server, and between me and you, but gets unencrypted in my router, giving me the opportunity to spy on your data, or even alter it if I want.
The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.
Yes, self-signed keys have some uses - in particular if you happen to know the real key's fingerprint (a fingerprint is a numeric or hex string which identifies a cryptographic key), so that you can verify yourself that you are using the correct key for SSL. If you don't happen to know the fingerprint, it's probably still fine to use self-signed certs on a LAN, where you control all the equipment, so don't have to worry so much about a man-in-the-middle (although, arguably, on a LAN you might not even need encryption).
So, in summary, yes, SSL adds security to the connection, but ONLY if you can verify that the correct SSL key for your server is being used, and not a different key that a hostile router has injected.
From https://www.sslshopper.com/article-when-are-self-signed-certificates-acceptable.html

But I'm no expert on SSL, so forgive me if this doesn't apply here for some reason.
: Re: SSL
: iTpHo3NiX January 22, 2013, 11:06:34 AM
No point in wasting money when you can just sign it yourself

: large text file you c/p
so don't have to worry so much about a man-in-the-middle

That was all I read... So pay money for what?
: Re: SSL
: Fur January 22, 2013, 12:02:07 PM
No point in wasting money when you can just sign it yourself
I agree with you there.

Reading the text I posted, I think it means an attacker could replace the self-signed cert with his own during the key exchange (or whatever it's called).
Then, when data is sent, he can decrypt it because he replaced the key with his own.

So one would be paying to make sure the key is actually the real key, by the looks of it.

I think it'd be cheaper just to make note of the cert and check if the cert matches the one displayed when one does something.

Of course, I could be wrong, and as I said in my last post, I'm not an expert on SSL.
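The fingerprint check described in the quoted article and in the post above ("make note of the cert and check if the cert matches"), as an added example that is not part of the original thread: a client pins the SHA-256 fingerprint of a self-signed certificate and rejects any other certificate, even one carrying the same server name. The certificate bytes and `forum.example` are constructed stand-ins, and the pin is assumed to have been obtained over a channel the user already trusts.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', spaced or plain hex; return lowercase hex."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(pinned_fp))

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate with CA validation off (self-signed case).
    The connection is closed here; nothing should be sent to the server
    until matches_pin() has accepted the returned bytes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed stand-ins for DER bytes: same name, different key material.
GENUINE_CERT = b"constructed-stand-in: CN=forum.example, key=A"
SWAPPED_CERT = b"constructed-stand-in: CN=forum.example, key=B"

def pin_from_trusted_channel() -> str:
    """The fingerprint as an admin might publish it: upper case with colons."""
    h = fingerprint(GENUINE_CERT).upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

def demo() -> dict:
    pin = pin_from_trusted_channel()
    return {"genuine": matches_pin(GENUINE_CERT, pin),
            "swapped": matches_pin(SWAPPED_CERT, pin)}

if __name__ == "__main__":
    print(demo())
```

Against a live server, `matches_pin(fetch_peer_cert(host), pin)` performs the same comparison on the certificate actually presented.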
: Re: SSL
: bluechill January 22, 2013, 10:54:36 PM
I agree with you there.

Reading the text I posted, I think it means an attacker could replace the self-signed cert with his own during the key exchange (or whatever it's called).
Then, when data is sent, he can decrypt it because he replaced the key with his own.

So one would be paying to make sure the key is actually the real key, by the looks of it.

I think it'd be cheaper just to make note of the cert and check if the cert matches the one displayed when one does something.

Of course, I could be wrong, and as I said in my last post, I'm not an expert on SSL.

Actually he couldn't if you actually accept the correct one.  I can set up a CA for evilzone anyways and that would fix all your worries yet it would still show up flagged in the browser.....
: Re: SSL
: Fur January 23, 2013, 05:52:36 AM
Actually he couldn't if you actually accept the correct one.  I can set up a CA for evilzone anyways and that would fix all your worries yet it would still show up flagged in the browser.....
I didn't think about that, good point.

It seems I should look on SO before I say something haha: http://stackoverflow.com/questions/292732/
: Re: SSL
: bluechill January 23, 2013, 05:12:27 PM
I didn't think about that, good point.

It seems I should look on SO before I say something haha: http://stackoverflow.com/questions/292732/

Yes this is the reason why we use a self signed one however eventually I'll probably set up an evilzone certificate authority anyways just not right now.
: Re: SSL
: proxx February 04, 2013, 04:50:46 AM
The point made about MITM is true.
However it stops your ISP from logging everything in the clear.
Which is a good thing.
: Re: SSL
: Corrupted_Fear February 04, 2013, 06:23:11 AM
beautiful, I love this place ^^
: Re: SSL
: bluechill February 04, 2013, 04:59:26 PM
The point made about MITM is true.
However it stops your ISP from logging everything in the clear.
Which is a good thing.

Eh no it's not...  If you have accepted the certificate (the correct one) then a MITM attack is just as easy to tell as with verisigned ssl.