https

[roheve]

I noticed that the forum does not use https, not even when editing preferences and changing the password.
I am in the proces of transfering the data from my password protected spreadsheet file to a passwordsafe tool, that is why I noticed while changing the password.

For https you need a certificate. With a self-signed certificate, you get anoying warnings (and the user has to take action to suppress the warnings). There are free certs, but only valid for a year (so Mr. BWired needs to jump to certificate refresh hoops every year, when he is busy with other things etc ... ). But it would be a bit safer.

The thing is about password and cookie sniffing. the risk is low (it is not a bank), but still. When logged in, the connection should be secured.

What do others think?

BTW, Would passwords or hashes be exposed, if there is a breach?

[sj3fk3]

I agree an SSL certificate would not be a bad idea and renewing once a year is not really a big effort... I've had good experience with https://www.startssl.com/

[Bwired]

I will check it out, but probably costing me more, forum and server are not bringing me any money, but costing only
there is nothing on this forum which is secret and passwords are stored encrypted in the database.

[roheve]

I will check it out, but probably costing me more [...]

Yes, it will cost you mainly some time, and a yearly update. See How to obtain and install an SSL/TLS certificate, for free for a preview of what to do, it is a nice read too. I do find the things you need to do for validation a bit messy, but it seems to work.

On the other hand, with an expensive certificate, you only have to do that once every 2 or 3 years, but because you do that less often, you get less experience with it and it will take you longer to upgrade.

The free cert with yearly updates would be an alternative for a hobby site, as it does not cost money. But, as it is now, it also works. My password is now truly random and not (a similar one) used at other sites anymore.

[raymonvdm]

You can buy SSL certificates for arround 60 dollars. I bought mine at ssl.nu for 69 euro`s and this is a wildcard certificate for all subdomains i use (more expensive). So i can use it for my webmail / website and all other webbased services i use (HomeSeer should be working also but haven`t tried it yet.

SSL wil only prevent interception of plaintext password between website and end user and for this forum it would be a nice thing to have (more secure) When using my bank website it is vital

[sj3fk3]

I will check it out, but probably costing me more, forum and server are not bringing me any money, but costing only
there is nothing on this forum which is secret and passwords are stored encrypted in the database.

I'm sure you want to do things on your own, but I'm going to say it anyway I've got my own 8core, 12Gb, server with with a 1Gb/s uplink in NL's best datacenter and I could easily host this forum for free for you. I also willing to do sys-admin stuff like fixing SSL certificates and/or hardening phpBB, no sweat at all.

p.s.
Encrypting passwords in the DB but sending them in clear over the line is kinda defeating the purpose, with goodies like https://www.cookiecadger.com/ around...

[Bwired]

Thanks Greg
i have my own dedicated server as well where the forum is running on also:)
I will put https on my todo list

[jeroen_]

I suggest you go for the startcom trick which is cheap as it is free (they just want your name/address); or if you really want to go for a (paid) wildcard cert we tend to use the bit-more-expensive gandi.net/ssl.

Note that with apache and nginx you can host multiple different SSL certificates from the same ip/port using SNI (Server Name Indication) which is supported by most browsers nowadays (unless one still uses a very old browser, but then you are out of luck anyway).

For really good SSL parameters (especially cipher selection) check out (cut & paste configs, but also the explanation of why to select those):
http://blog.rlove.org/2013/12/strong-ssl-crypto.html

You can verify that all is working great using https://www.ssllabs.com/

And if you are on the subject of security anyways, read the excellent (but in progress) PDF at:
https://bettercrypto.org/

And of course if you have a real SSL cert, then you can just as well enforce HTTPS for the website.


Another thing for your TODO list that can be very interesting for remote-control and thus home-automation too is of course IPv6; if you don't get it natively yet (xs4all offers that as one of the few ones in .nl, check https://www.sixxs.net/faq/connectivity/?faq=native for a list) then get a tunnel, see previous link for that (or ask me here for some details *wink*)

If you need config help, don't hesitate to shoot a question here or DM.

[sj3fk3]

(or ask me here for some details *wink*)

I was always under the impression that all sixxs related questions had to be mailed to info at sixxs on pain of death?

[raymonvdm]

I think 99% of the colocation company`s is providing ipv6 now a days. If not you`re in the wrong place anyway

[jeroen_]

(or ask me here for some details *wink*)

I was always under the impression that all sixxs related questions had to be mailed to info at sixxs on pain of death?

Nope, the forum is the better place, other people who might help out in answering them. mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.

[sj3fk3]

Nope, the forum is the better place, other people who might help out in answering them. mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.

I was joking about the tantrums Pim would throw if you asked him anything on irq or his personal email

[jeroen_]

Nope, the forum is the better place, other people who might help out in answering them. mail is only for 'I messed up, here is the valid stuff, please change it' kind of things.

I was joking about the tantrums Pim would throw if you asked him anything on irq or his personal email

I nicely redirect folks too to the faq/forums/wiki depending on the question.

Answering 40.000 people privately does not scale, hence why we point there.

Note that if you google a bit a lot of people hate me and not Pim as I can be a lot harsher and handle a lot more messages (be that email/forum/etc).
And that some people think they are special and can have private treatment..... well, thou art not a unique special snowflake.

[sj3fk3]

Note that if you google a bit a lot of people hate me and not Pim as I can be a lot harsher

No worries, your reputation precedes google We just used to take the micky out of Pim while we where all working at bit.nl

Anyway: On topic: I'm still a happy sixxs user and totally agree that all things domotica should use IPV6 and that includes this forum

[roheve]

I think 99% of the colocation company`s is providing ipv6 now a days. If not you`re in the wrong place anyway

From looking at the IP, domoticaforum is running at a Hetzner DataCenter, so IPv6 should be there, just not enabled for the website, it seems.