
!Website Not Secure - reassurance

Printed From: Dyxum.com
Category: Dyxum Community
Forum Name: About Dyxum.com
Forum Description: Dyxum officials, announcements, suggestions, critique and other discussions
URL: https://www.dyxum.com/dforum/forum_posts.asp?TID=133538
Printed Date: 24 April 2024 at 07:42


Topic: !Website Not Secure - reassurance
Posted By: bonneville
Subject: !Website Not Secure - reassurance
Date Posted: 21 November 2018 at 11:52
I have a question:

Whenever I now log on to Dyxum on my iMac desktop I get a warning in red in the address bar. It is an exclamation mark in a circle and "Website Not Secure". Now I have been a happy member of the Dyxum community for over ten years and can honestly say it has never been the cause of any issue on iMac, MacBook or ipad.

Has something changed recently to trigger this, or am I right in assuming that the message simply indicates that the site content is not encrypted, or is there more I should think about?

Thanks



Replies:
Posted By: Bob J
Date Posted: 21 November 2018 at 11:57
I think chrome highlights where you don't have a https option for a website - I don't think it is a big issue if you are not conducting financial transactions..

-------------
RBJ ~ http://tinyurl.com/h7uhozk - Moderation on Dyxum


Posted By: bonneville
Date Posted: 21 November 2018 at 12:01
Originally posted by Bob J:

I think chrome highlights where you don't have a https option for a website - I don't think it is a big issue if you are not conducting financial transactions..

Thanks Bob. I thought it wouldn't be sinister. After all, how can the best moderated forum on the 'net be a problem


Posted By: sdblanchet
Date Posted: 21 November 2018 at 12:31
Just to add some

I have been told (unofficially) that the web is going encrypted (https-SSL) in the near future and pre-emptively the browsers are starting to state the websites that are not encrypted (https).

It is nowhere dangerous unless you go to websites that are not recommended.

The https version of the web will protect you against "the man in the middle" attack because of the encryption that will take place between your browser and the website you're visiting. It also "certifies" the authenticity of the website.

Adding encryption to a website entails getting an authenticity certificate that validates ownership and status of the website using it. But it also adds another cost to owning a website because those certificates are not free. Ball park figures are about 300$ to 1000$ per year per certificate.

And if your site is using a redirection like dyndns you cannot get those certificates because your ip address is not static and you don't own the domain name.

http://www.sdbl.webhop.net, my site, is as such a redirection from dyndns. I don't own the domain name (webhop.net) and I don't have a fixed (static IP) address.

Either I will have to correct the situation ($$$) or simply close the site !!!







-------------
A99ii,A77,A700,7D,28/50/SAL1650/24-105D/28-75D/70-210/SAL70200G/SAL20TC/Tamron 150-600G2... Gs :-))) http://www.sdbl.webhop.net - sdbl.webhop.net


Posted By: sybersitizen
Date Posted: 21 November 2018 at 16:43
Originally posted by bonneville:

... am I right in assuming that the message simply indicates that the site content is not encrypted , or is there more I should think about?

There is more to think about.

I have strong evidence that one of my dyxum sessions was 'tapped' while I was on a public wireless network a few months ago. The timing suggests that it happened while I was traveling in the UK, but the same thing could happen anywhere.

When I got home there was a message (in my dyxum-specified email account) saying that my password (my dyxum password, which the emailer included in the message) had been hacked. The emailer claimed to have also planted a keylogger on my computer, taking control of it, and recording my web transactions while also enabling my webcam. (I knew none of that was true.) The goal was blackmail. The emailer wanted payment into a Bitcoin account.

I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected.

Since then I've received a few more nearly identical blackmail messages, and my email account is being heavily spammed. Obviously the hacked info has been disseminated among various entities.

This might have been avoided if dyxum used encryption.


Posted By: MiPr
Date Posted: 21 November 2018 at 17:23
I'm discussing this with kikop. I hope we will move to HTTPS soon.

-------------
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, topic87334.html - Dyxum Weekly Exhibitions don't grow on trees ...


Posted By: horizon
Date Posted: 22 November 2018 at 06:18
I get the same warning on many websites using Chrome on my Android phone. In fact there are times that Chrome won't even allow me to tell it in advanced settings to just ignore the warning and go to the website anyway.

Most of the time it's a website that is just one of the Australian hardware suppliers, where you can't purchase online anyway or log in.




-------------
Please don't edit my photos
https://www.wildlife-horizons.com.au - Wildlife Horizons


Posted By: Miranda F
Date Posted: 22 November 2018 at 11:03
Originally posted by sybersitizen:


I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected.


Oh, worth knowing about. Thanks for sharing that. I have been quite uneasy about using public wi-fi networks for a while now, but since I have a cheap and plentiful supply of 4G data on my phone I never need to use them.

-------------
Miranda F & Sensorex, Sony A7Rii, A58, Nex-6, Dynax 4, 5, 60, 500si/600si/700si/800si, various Sony & Minolta lenses, several Tamrons, lots of MF primes and *far* too many old film cameras ...


Posted By: sybersitizen
Date Posted: 19 December 2018 at 22:04
Originally posted by MiPr:

I'm discussing this with kiklop. I hope we will move to HTTPS soon.

And ... anything?

If that doesn't happen, at least an answer to a question will help:

If I'm already logged in here on a particular computer so I don't have to type my username and password, what exactly is being passed to the dyxum server when I connect - presumably from a cookie on my computer? Username? Password? A coded text string that the dyxum server decodes as my username and password?


Posted By: amrep
Date Posted: 22 December 2018 at 15:53
Since you have your own site I assume you have some basic knowledge about http and https.

When you log into sites (like dyxum) your browser sends a request header (specifying it's a POST-type request, listing what browser you are using and more) and a body containing parameter-value pairs like username=SomeName&password=somepassw

Since dyxum.com uses http (not https) this string is sent as "plain text" (unencrypted). On an open public network it may be easy to grab by eavesdropping if a hacker has some tools.

If you look at the code for the login page you will see there is a tiny bit of trickery going on, using some unique strings (changing value for every login) as field names, like
input type="text" name="MemberNamexyz14chrstring"
input type="password" name="AB345678901STRINGLENGSTIS41CHR12345678901"
So the dyxum parameter-value string will be in the format
MemberNamexyz14chrstring=SomeName&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw

I don't think this is a real security measure, just a small distraction for a hacker.

If you install a tool like Firebug in your browser you will probably be able to see this in full detail.

When you successfully log in the server responds by putting a cookie (small plain text file) on your computer that includes a session id. This id is now included in every request header your browser sends back until you log out. You may think of the session id as a temporary substitute for both username and password.

Cookies are not revealed to third-party sites. You can easily find and read the contents of cookies in your browser: https://www.wikihow.com/View-Cookies

You will see it has content like this:
dyxumforumsID
SID=12345678some%char%string12345678901234

On an un-encrypted network an eavesdropper may be able to grab your session id (plain text if http) and hijack your session (no need for a username and password).
https://en.wikipedia.org/wiki/Session_hijacking

Next step for the hacker is to go to the Member CP > Edit Profile
and have your email address. On the Edit Profile page a new password can be saved if the old is known.

Take away:
The combination of public open networks and logging in non-encrypted (http) is a considerable security risk.
Never reuse passwords for low security sites on important sites!

Having someone tampering with personal data is always disgusting.
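The post above describes three messages: the login POST with its randomised field names, the server's Set-Cookie reply carrying the SID, and every later request replaying that cookie. The script below is an added example (not code from Dyxum or from the poster) that parses a constructed capture of exactly that exchange, shows which bytes carry the secret when the transport is plain HTTP, and runs a short defender's checklist over the session cookie's attributes. The request paths, the cookie attributes and the Edit Profile URL are placeholders, not the site's real ones.

```python
"""What an HTTP login and the session cookie that follows look like on the wire.

Added example; the three messages below are constructed to match the post's
description (randomised field names, a dyxumforumsID cookie carrying an SID)
and are not real Dyxum traffic.
"""
from urllib.parse import parse_qsl

# Constructed capture: what an observer on an open Wi-Fi network can read when
# the site is served over plain HTTP (Content-Length headers omitted for brevity).
LOGIN_POST = (
    "POST /dforum/login_user.asp HTTP/1.1\r\n"          # placeholder path
    "Host: www.dyxum.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "MemberNamexyz14chrstring=SomeName"
    "&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw"
)
LOGIN_RESPONSE = (
    "HTTP/1.1 302 Object moved\r\n"
    "Set-Cookie: dyxumforumsID=SID=12345678some%char%string12345678901234; path=/\r\n"
    "Location: /dforum/default.asp\r\n"                   # placeholder path
    "\r\n"
)
NEXT_GET = (
    "GET /dforum/PLACEHOLDER_edit_profile.asp HTTP/1.1\r\n"  # placeholder for Member CP > Edit Profile
    "Host: www.dyxum.com\r\n"
    "Cookie: dyxumforumsID=SID=12345678some%char%string12345678901234\r\n"
    "\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP/1.1 message into start line, headers (lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_cookie_pairs(text):
    """Parse 'name=value; attr=value; Flag' into (name, value, attrs).
    The first '=' separates name from value, so an ASP-style value like
    'SID=...' is kept whole."""
    parts = [p.strip() for p in text.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def login_fields(raw_request):
    """The form fields as sent: the random field names hide nothing from
    anyone who can read the body, because name and value travel together."""
    msg = parse_http_message(raw_request)
    return dict(parse_qsl(msg["body"], keep_blank_values=True))


def session_cookie(raw_response):
    """Name, value and attributes of the cookie the server hands out after login."""
    msg = parse_http_message(raw_response)
    return parse_cookie_pairs(msg["headers"]["set-cookie"][0])


def replayed_cookie(raw_request):
    """Name and value the browser sends back on every later request."""
    msg = parse_http_message(raw_request)
    name, value, _ = parse_cookie_pairs(msg["headers"]["cookie"][0])
    return name, value


def audit_session_cookie(attrs, scheme):
    """Defender's checklist for a session cookie seen in a response."""
    findings = []
    if scheme != "https":
        findings.append("transport is plain HTTP: credentials and cookie readable in transit")
    if "secure" not in attrs:
        findings.append("Secure attribute missing: browser will also send it over http://")
    if "httponly" not in attrs:
        findings.append("HttpOnly attribute missing: readable by page scripts")
    return findings


if __name__ == "__main__":
    print("login fields on the wire:", login_fields(LOGIN_POST))
    name, value, attrs = session_cookie(LOGIN_RESPONSE)
    print("session cookie issued:", name, "=", value, attrs)
    print("same cookie replayed later:", replayed_cookie(NEXT_GET) == (name, value))
    for finding in audit_session_cookie(attrs, scheme="http"):
        print("finding:", finding)
```

The audit deliberately reports the transport first: a Secure or HttpOnly attribute narrows where the cookie is exposed, but only HTTPS stops both the password and the SID from being readable on a shared network, which is the thread's point.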


Posted By: sybersitizen
Date Posted: 22 December 2018 at 17:24
^ Thanks for the detailed explanation about cookies. I know about the issue concerning plain text typed on networks owned by other entities, but was unsure about cookies. I don't remember if I actually logged in while using such a network or if I was already logged in here and relying on a cookie ... but apparently the vulnerability is the same either way.


Posted By: sybersitizen
Date Posted: 06 February 2019 at 01:11
So, months later, it looks like nothing will be done to enable HTTPS here.

If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.


Posted By: Kilkry
Date Posted: 06 February 2019 at 17:37
Originally posted by sybersitizen:

So, months later, it looks like nothing will be done to enable HTTPS here.

If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.


Installing a cert isn't that hard; I think the cost is the question. Ads? Maybe that Let's Encrypt would work? For the general trend is -> encryption.

-------------
-


Posted By: mike77
Date Posted: 06 February 2019 at 19:34
I would suggest, at the very least, to avoid sending the plaintext password over the unencrypted channel as long as HTTPS has not been implemented on the site. Why not send a browser-generated SHA-2 hash value of the password and compare it with the SHA-2 hash of the server-side password?

-------------
A99, NEX-C3, HVL-F43M, more than enough glass (A, E, M42, MD)


Posted By: MiPr
Date Posted: 14 February 2019 at 19:25
For test purposes I put a certificate and enabled HTTPS on Dyxum so you can try using it (just change the address to https and enjoy).

Please note: I have not yet created any redirections or URL rewrites so some things will still be broken, e.g. if somebody used a link in a post (using [URL] BB-codes) and placed http:// then the browser will switch to HTTP instead of HTTPS. This concerns all BB-code links to other posts or threads or subforums. A good example is any of the Themed Views index pages (e.g. https://www.dyxum.com/dforum/themed-views-index_topic79348.html - Themed Views Index).

PLEASE DO NOT REPORT SUCH THINGS AS ERRORS - this is normal and will be resolved when the time comes.

Having said that, if you encounter any other problems, like "mixed content" warnings (i.e. "some elements on this page are not secure") or lack of HTTPS after clicking any link that is not "user-driven" (like the ones in BB-codes) then please report it either by PM to me, or by sending an e-mail to admins (see the link at the bottom of the page) or just reply in this thread.

EDITED
When reporting an issue please:
1) Describe the problem, i.e. what the symptom is (screenshots?),
2) Provide steps to reproduce, e.g. "I was on a page (provide url) and I clicked that link/button/picture/thingamajig and then THIS happened",
3) Provide the info about the browser which was used.



-------------
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, topic87334.html - Dyxum Weekly Exhibitions don't grow on trees ...


Posted By: sybersitizen
Date Posted: 14 February 2019 at 20:29
^ Thank you! A good start.


Posted By: MiPr
Date Posted: 14 February 2019 at 20:32
Ray, be careful ATM - it is easy to jump out of HTTPS! For example: I've just realised that links in notification e-mails sent by Dyxum are not https ...

Anyways, I want a few days of "clicking through" before I enable it fully.


-------------
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, topic87334.html - Dyxum Weekly Exhibitions don't grow on trees ...


Posted By: MiPr
Date Posted: 14 February 2019 at 20:40
One more effect: all photos on Dyxum are hot-linked, which means that we have no influence on their URLs. If those URLs are HTTP not HTTPS then probably there is nothing we can do about it - the warning about mixed content is probably unavoidable.

-------------
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, topic87334.html - Dyxum Weekly Exhibitions don't grow on trees ...


Posted By: MiPr
Date Posted: 14 February 2019 at 22:07
Now the redirect was added and Dyxum seems to keep working as usual. If it collapses overnight - deal with it.


-------------
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, topic87334.html - Dyxum Weekly Exhibitions don't grow on trees ...


Posted By: Kilkry
Date Posted: 18 February 2019 at 18:09
Great, well done! : )

-------------
-


Posted By: owenn01
Date Posted: 18 February 2019 at 18:13
Well done, MiPr - not sure how much work was involved but that you've done it and the effect seems to be seamless is a great reflection on you and your resolve.

From Flickr at least, the images appear to originate from an https link so for those subscribers I assume we are okay.

Thanks again and best regards, Neil.

-------------
My Mantra: "Comment on other's work as you would wish to have yours commented upon". Go on - it's fun!


Posted By: Fred_S
Date Posted: 18 February 2019 at 18:28
+1


Posted By: minolta_mutley
Date Posted: 18 February 2019 at 21:36
Thank you MiPr - I do know how hard these things can be.


Posted By: 4paul
Date Posted: 05 March 2019 at 15:00
Thanks for all the work on this!
Working well for me

-------------
There is a difference between a shaky or out-of-focus photograph and a snapshot of clouds and fog banks. - Schrödinger


Posted By: Fred_S
Date Posted: 19 March 2020 at 19:53
A year after MiPr's great work I just noticed that not the whole site is secure.
Entering some threads via the Themed View Index still leads to an unsecured page
(got a message about this from my browser)

This does not apply to all themes, but some only (depending on the date of origin??).
The index page itself is safe, but as an example, "Museums" and "Looks like a painting" aren't secure. "A new year with Meyer" however is secure.
Seems it needs another bit of maintenance. I hope somebody can have a look at it.

-------------
https://www.flickr.com/photos/147603320@N02 - My Flickr    
https://www.instagram.com/fred_s_photography - My Instagram


Posted By: pegelli
Date Posted: 19 March 2020 at 20:03
You'll get that message as soon as one of the images on the page is linked from a non secured site. So I think there's very little we can do about that, it depends fully on where the members are linking their photos from.

-------------
You can see the April Foolishness 2023 exhibition https://www.dyxum.com/dforum/april-foolishness-2023-the-exhibition_topic142439.html - here Another great show of the talent we have on Dyxum
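MiPr's note that hot-linked photos sit on URLs the site does not control, and pegelli's explanation above that a single http:// image is enough to trigger the browser warning, both come down to what browsers call mixed content. The scanner below is an added example, not Dyxum's code, that walks a page's HTML and lists every sub-resource that would still be fetched over http:// once the page itself is on https://, separating passive content (images, which browsers load but flag) from active content (scripts, stylesheets, frames, which modern browsers block outright). The sample page and the image hosts are constructed placeholders.

```python
"""Find mixed content in an HTTPS page: sub-resources still referenced over http://.

Added example, not Dyxum's code. The HTML below is constructed; the .invalid
hosts stand in for members' photo hosts and for the site's own static files.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute carrying the URL, how browsers classify the resource).
# "active" content is blocked by current browsers; "passive" content is loaded
# but the page loses its secure indicator and a warning is shown.
URL_ATTRS = {
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only rel="stylesheet" is checked
}

SAMPLE_PAGE_URL = "https://www.dyxum.com/dforum/PLACEHOLDER_topic.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/dforum/style.css">
<script src="//cdn.example.invalid/lib.js"></script>
</head><body>
<img src="https://photos.example.invalid/member/photo0.jpg">
<img src="http://photohost.example.invalid/member/photo1.jpg">
<img src="/dforum/smileys/smile.gif">
<iframe src="http://embed.example.invalid/map"></iframe>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects (tag, kind, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTRS:
            return
        attr_name, kind = URL_ATTRS[tag]
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        target = attrs.get(attr_name)
        if not target:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..."
        # against the page URL, so those inherit https and are not flagged.
        absolute = urljoin(self.page_url, target)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, kind, absolute))


def find_mixed_content(page_url, html):
    """Return the mixed-content findings for an https page; an http page
    has no mixed content because nothing about it is secure to begin with."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Passive vs active counts: passive only costs the padlock, active breaks the page."""
    return {
        "passive": sum(1 for _, kind, _ in findings if kind == "passive"),
        "active": sum(1 for _, kind, _ in findings if kind == "active"),
    }


if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for tag, kind, url in found:
        print(f"{kind:7} <{tag}> {url}")
    print(summarize(found))
```

For hot-linked images the site cannot rewrite, the server-side option is the `Content-Security-Policy: upgrade-insecure-requests` response header, which instructs browsers to request http:// sub-resources over https:// instead; it helps only where the image host actually serves HTTPS, otherwise the image fails to load rather than showing with a warning.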


Posted By: Fred_S
Date Posted: 19 March 2020 at 20:18
Thanks for explaining Pieter.

-------------
https://www.flickr.com/photos/147603320@N02 - My Flickr    
https://www.instagram.com/fred_s_photography - My Instagram


Posted By: alanfrombangor
Date Posted: 27 October 2021 at 10:52
Some members reported that my images weren't showing on Chrome and Edge in a recent post. I use Firefox so hadn't noticed. It seems that to allow insecure content, such as images hosted on http sites, you have to tweak your browser settings.

On Microsoft Edge...
Settings
Cookies and site permissions
Insecure content
and allow https://www.dyxum.com

On Chrome...
Settings
Under 'Privacy and security', click Site settings and then Insecure content.
Next to 'Not allowed', click Add and insert https://www.dyxum.com


