Calguns.net  

Cal-guns is not secure

#1
07-21-2018, 10:39 PM
all-cal
Member
Join Date: Dec 2013
Posts: 335
iTrader: 4 / 100%

There is no SSL certificate which adds transport layer security on the Calguns site.

This means that when you all enter your passwords, someone can easily capture your password and read all of your posts/communications.

Kestryl should really make the small investment and buy an SSL cert.
#2
07-21-2018, 10:58 PM
SkyHawk
Front Toward Enemy
CGN Contributor
Join Date: Sep 2012
Location: Outside my Southern Comfort Zone
Posts: 23,183
iTrader: 223 / 100%

Quote:
Originally Posted by all-cal
There is no SSL certificate which adds transport layer security on the Calguns site.

This means that when you all enter your passwords, someone can easily capture your password and read all of your posts/communications.

Kestryl should really make the small investment and buy an SSL cert.
Fake news. Now what other great tech advice do you have for the boss?



Last edited by SkyHawk; 07-21-2018 at 11:09 PM..
#3
07-21-2018, 10:59 PM
SkyHawk
Front Toward Enemy
CGN Contributor
Join Date: Sep 2012
Location: Outside my Southern Comfort Zone
Posts: 23,183
iTrader: 223 / 100%

#4
07-21-2018, 11:02 PM
SkyHawk
Front Toward Enemy
CGN Contributor
Join Date: Sep 2012
Location: Outside my Southern Comfort Zone
Posts: 23,183
iTrader: 223 / 100%

And get this - your information, on this or any other website, is far more likely to be compromised via an attack against the AT REST data, not the IN TRANSIT data. So I’d be more worried about the platform than the SSL cert. What is the OS and version, the website software and version, is it patched, is it firewalled.

Your private messages, passwords etc are more likely to be stolen in a database theft after exploiting the website software or server OS, or the computer of someone who has access to the server. There are thousands of examples. Yahoo, LinkedIn, Equifax, Target - we could do this all day.

Lastly, this is a public forum - what you post here is public. And if you are reusing your password here on other sites, nothing will help you - certainly not a SSL cert.

But if you must - here is a real tech tip for you: make sure HTTPS is always in your URL bar.


Last edited by SkyHawk; 07-21-2018 at 11:17 PM..
#5
07-22-2018, 3:05 AM
Robotron2k84
Senior Member
Join Date: Sep 2017
Posts: 2,013
iTrader: 2 / 100%

However, I would agree with OP that it's criminal that there is no default or forced redirect to HTTPS, especially now that Youtube video links seem to work when on HTTPS.

This site is hosted on a legacy version of PHP and an end-of-life version of vBulletin released in 2005, and not even the latest in its version history. There are probably at least 100 critical exploits that exist in these two versions of software that make your data vulnerable.

I would advise you share as little personal information as possible, OP.
#6
07-22-2018, 3:30 AM
VictorFranko
I need a LIFE!!
Join Date: Jan 2010
Location: You can not protect the 1st Amendment without the 2nd Amendment........
Posts: 13,737
iTrader: 56 / 100%

Quote:
Originally Posted by SkyHawk
But if you must - here is a real tech tip for you: make sure HTTPS is always in your URL bar.
Just checking, you mean to physically add HTTPS to the existing Calguns URL?
I did that but as soon as I tried to reply to this thread, the URL dropped the HTTPS.
#7
07-22-2018, 5:32 AM
dk94044
Senior Member
Join Date: Apr 2010
Location: Pacifica, CA
Posts: 913
iTrader: 7 / 100%

Yes, someone can view all your posts by clicking your profile and Find All Posts by
#8
07-22-2018, 7:11 AM
Robotron2k84
Senior Member
Join Date: Sep 2017
Posts: 2,013
iTrader: 2 / 100%

Of course what you post is not particularly private, but passwords and PMs should be relatively so, such that it would take a warrant to be obtained, otherwise stay unable to be accessed in the best case.

Passwords are at least hashed once before being sent over the internet from your browser. It's a static MD5 hash, IIRC, and not based on a seed or nonce, so could be brute-forced with a lookup table. MD5 is not terribly secure anymore.

PMs would be more concerning, and if there is a SQL injection attack vector, all passwords (hashed) could be retrieved and potentially all PM content as well. Always good to clean out the old messages after 30 days or so. Remember, too, if you have email notification for PMs enabled, the system is copying the PM in plaintext over email as well.

The most concerning leak is what posts you view, as metadata for incriminating behavior, should someone care to surveil you. If it's police or a TLA anyway, either a warrant to get the post view history from the DB, or a TLA dropping a Spectre/Meltdown exploit in a VM on the same physical server would allow them to capture DB commits in real time.

You're pretty much screwed if you try to post anything illegal, so adhere to the golden rule of the internet: don't post anything that you wouldn't want public anyway.

Last edited by Robotron2k84; 07-22-2018 at 7:35 AM..
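As an added illustration of the point made in this post (not code from the thread or from vBulletin), assuming the client-side digest is a plain, unsalted MD5 of the password as described: the same digest is produced on every login, so on a plain-HTTP connection it is as good as the password itself, and one precomputed table covers every account. The salted, slow server-side hash at the end is shown for contrast; the wordlist and passwords are constructed.

```python
import hashlib
import secrets

# Constructed list of known-weak passwords used by the audit (not real user data).
WEAK_WORDLIST = ["password1234", "letmein", "qwerty", "calguns2018"]


def client_digest(password):
    """Static client-side MD5 of the password, the form this post describes
    (assumed here: no per-user salt and no per-login nonce enters it)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def digest_is_replayable(password):
    """The digest is identical on every login, so a copy captured on a plain
    HTTP connection can simply be submitted again. Only TLS on the wire
    prevents the capture; client-side hashing does not."""
    return client_digest(password) == client_digest(password)


def audit_weak_digests(observed_digests, wordlist=WEAK_WORDLIST):
    """Defender's check: which observed digests belong to a known-weak password?
    One MD5 per wordlist entry covers every account, precisely because nothing
    user- or login-specific is mixed into the digest. Returns {digest: password}."""
    table = {client_digest(w): w for w in wordlist}
    return {d: table[d] for d in observed_digests if d in table}


def server_hash(password, salt, rounds=100_000):
    """Contrast: server-side storage with a random per-user salt and a slow KDF.
    A table precomputed for one salt says nothing about any other user's hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def salted_hashes_differ(password):
    """Same password, two random salts, two different stored values."""
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    return server_hash(password, salt_a) != server_hash(password, salt_b)


if __name__ == "__main__":
    print("replayable:", digest_is_replayable("letmein"))
    captured = [client_digest("letmein"), client_digest("Correct-Horse-9!Battery")]
    print("weak accounts:", audit_weak_digests(captured))
    print("salted hashes differ:", salted_hashes_differ("letmein"))
```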
#9
07-22-2018, 8:36 AM
Dragunov
Senior Member
Join Date: Dec 2008
Location: TEXAS and FREEDOM!!
Posts: 1,920
iTrader: 0 / 0%

There's no such thing as a "secure" website.
#10
07-22-2018, 8:57 AM
71MUSTY
Calguns Addict
Join Date: Mar 2014
Posts: 7,026
iTrader: 17 / 100%

OMG the Russians could hack us and find out Californians own more guns than the Russian Army.
#11
07-22-2018, 9:07 AM
SkyHawk
Front Toward Enemy
CGN Contributor
Join Date: Sep 2012
Location: Outside my Southern Comfort Zone
Posts: 23,183
iTrader: 223 / 100%

Quote:
Originally Posted by VictorFranko
Just checking, you mean to physically add HTTPS to the existing Calguns URL?
I did that but as soon as I tried to reply to this thread, the URL dropped the HTTPS.
Not sure about replies / posts in public forums, where you are about to post in public anyway. But when replying to private messages you can use https and it will not redirect to http.

Anyhow, you can also add the HTTPS Everywhere add-in to Chrome, and make a rule for calguns.net to always change every url to https, and it will perhaps work in those portions of the site you are most worried about. Worth a look:

https://chrome.google.com/webstore/d...npmejbdp?hl=en

https://www.eff.org/https-everywhere/rulesets
Last edited by SkyHawk; 07-22-2018 at 6:30 PM..

#12
07-23-2018, 4:40 AM
VictorFranko
I need a LIFE!!
Join Date: Jan 2010
Location: You can not protect the 1st Amendment without the 2nd Amendment........
Posts: 13,737
iTrader: 56 / 100%

Thanks for that info SkyHawk
#13
07-27-2018, 5:03 PM
TriumphantApe
Member
Join Date: Aug 2016
Posts: 101
iTrader: 0 / 0%

Quote:
Originally Posted by SkyHawk
And get this - your information, on this or any other website, is far more likely to be compromised via an attack against the AT REST data, not the IN TRANSIT data. So I’d be more worried about the platform than the SSL cert. What is the OS and version, the website software and version, is it patched, is it firewalled.

Your private messages, passwords etc are more likely to be stolen in a database theft after exploiting the website software or server OS, or the computer of someone who has access to the server. There are thousands of examples. Yahoo, LinkedIn, Equifax, Target - we could do this all day.

Lastly, this is a public forum - what you post here is public. And if you are reusing your password here on other sites, nothing will help you - certainly not a SSL cert.

But if you must - here is a real tech tip for you: make sure HTTPS is always in your URL bar.
HTTPS doesn't work for me on this site, never has. I use OSX, Windows, and Linux, and all 3 of the major browsers; none of them stay HTTPS, they revert to HTTP and there is no cert.

I also use HTTPS everywhere extension, it still doesn't work.

Don't really care as I wasn't planning on posting anything I wouldn't say out loud.

Last edited by TriumphantApe; 07-27-2018 at 5:05 PM..
#14
07-27-2018, 6:14 PM
readysetgo
Garv Overlord
CGN Contributor
Join Date: Aug 2011
Location: 805, Caught Between My Woman And My Pistol And My Chips
Posts: 8,688
iTrader: 53 / 100%

But I was told if I have nothing to hide, let the cops search all they want...

Is password1234 a good one?
#15
07-27-2018, 6:36 PM
Unbekannt
Banned
Join Date: May 2018
Posts: 378
iTrader: 0 / 0%

Who cares? The FBI has already traced each and every one of you subversives right back to your house and keyboard. I'm not afraid of anything or anybody except my government.
#16
07-27-2018, 7:01 PM
Gavelek
Senior Member
Join Date: Dec 2012
Posts: 1,275
iTrader: 100 / 99%

We are doooooooomed!
#17
07-27-2018, 8:26 PM
ocabj
Calguns Addict
Join Date: Oct 2005
Location: Riverside
Posts: 7,877
iTrader: 47 / 100%

There is nothing inherently wrong with the web going all https. I agree that it does give some folks a false sense of security, especially when people start ignoring certificate errors and just accept every notice they see just to get through without understanding the consequences.

But http over SSL has benefits other than encrypting your web session with a given web server, including mitigations to some injection attacks, particularly those involving ad networks.

So yes, https isn't a foolproof method to secure the web, but that's not a reason to not encourage https. That's like saying locks on doors are worthless because people can break them, so why bother locking doors. Security, whether information or physical, is going to be a layered approach. You're not going to use just one single security method. You will use multiple security procedures with the hope that a failure of one method or procedure will not result in a catastrophic loss.
#18
07-28-2018, 7:11 AM
TriumphantApe
Member
Join Date: Aug 2016
Posts: 101
iTrader: 0 / 0%

HTTPS was for thwarting man in the middle problems, those aren't the most prevalent form of "hacking".
Generally it's a website you went to, or an "ad" on the website, or something you downloaded that gets you into trouble.

If you need to surf sketchy web sites use a virtual machine, they are not as hard to set up as some think.
Keep a base image of the VM, routinely trash the one you're using every month or so and replace it with the "clean" base VM.
And turn off clipboard sharing and folder sharing on the VM.

No matter what, I assume everything is tracked and recorded, also there are a lot of LEO here so anyone acting up probably goes on a list.

If you're unclear on what might be problematic to post, just pretend you're sitting in court and the prosecutor is reading your post... are you uncomfortable?
Then don't post it.
#19
08-20-2018, 12:00 PM
iambic
Member
Join Date: Jun 2013
Location: Yolo County, Northern California
Posts: 380
iTrader: 17 / 100%

Quote:
Originally Posted by SkyHawk
Fake news. Now what other great tech advice do you have for the boss?

That info icon though.
That screen grab image you posted shows an info icon (in address bar to the right of the home button) instead of the secure lock icon typically seen when logged into a secure site. Have you clicked on it to see why it's doing that?
#20
08-20-2018, 2:53 PM
divert_fuse
Member
Join Date: Jul 2018
Location: SF, CA
Posts: 190
iTrader: 0 / 0%

Quote:
Originally Posted by Robotron2k84
Passwords are at least hashed once before being sent over the internet from your browser.
This is not necessarily true. In particular, on a site set up to use SSL, passwords are typically sent in the clear. I build web apps for a living, and this is generally how I do it. I haven't actually checked how the calguns server works, but it's possible that it takes passwords in the clear, given that it's set up to use SSL, except it has some weird redirect thing going on.

Quote:
Originally Posted by bool1tholz
Instead bookmark the HTTPS User CP url and use that:
https://www.calguns.net/calgunforum/usercp.php
This does cause SSL/TLS to be used, but as soon as you navigate anywhere else, it drops down to http.
#21
08-20-2018, 2:59 PM
hunterb
CGN/CGSSA Contributor
CGN Contributor
Join Date: Jun 2011
Location: SGV
Posts: 3,791
iTrader: 85 / 100%

Quote:
Originally Posted by readysetgo
...Is password1234 a good one?
Yo! Why you hack me dude?
#22
08-20-2018, 4:30 PM
SkyHawk
Front Toward Enemy
CGN Contributor
Join Date: Sep 2012
Location: Outside my Southern Comfort Zone
Posts: 23,183
iTrader: 223 / 100%

Quote:
Originally Posted by iambic
That info icon though.
That screen grab image you posted shows an info icon (in address bar to the right of the home button) instead of the secure lock icon typically seen when logged into a secure site. Have you clicked on it to see why it's doing that?
Probably insecure calls to images, css or 3rd party sites. The new July version of Chrome gives more info but I have not tried it with the latest version.
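To show what this diagnosis means in practice, an added example (not code from the thread or from vBulletin) that scans an https page for sub-resources still fetched over plain http, which is what makes a browser show the info icon instead of the lock; it also flags whether each one comes from a third-party host such as an ad network. The HTML fragment and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page fragment standing in for a forum page served over https
# (not a capture of any real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example-forum.test/clientscript/vbulletin.css">
<script src="https://www.example-forum.test/clientscript/vbulletin_global.js"></script>
<script src="http://ads.example-adnet.test/show_ads.js"></script>
</head><body>
<img src="/images/misc/logo.gif">
<img src="//cdn.example-static.test/smilies/smile.gif">
<img src="http://www.example-forum.test/customavatars/avatar1.gif">
<a href="http://www.example-forum.test/forumdisplay.php?f=1">Forum</a>
</body></html>
"""

# Tags whose fetched resource, if plain-http, makes the browser report mixed
# content. Plain links (<a href>) only navigate, so they are not mixed content.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, absolute_url, is_third_party)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        ref = a.get(attr)
        if not ref:
            return
        # urljoin resolves relative and protocol-relative ("//host/...") references
        # against the https page URL, so only explicit http:// ones stay insecure.
        absolute = urljoin(self.page_url, ref)
        parsed = urlparse(absolute)
        if parsed.scheme == "http":
            self.findings.append((tag, absolute, parsed.hostname != self.page_host))


def scan_mixed_content(html, page_url):
    """Return every plain-http sub-resource of an https page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for tag, url, third_party in scan_mixed_content(
        SAMPLE_HTML, "https://www.example-forum.test/showthread.php?t=1"
    ):
        print(f"{tag:<6} {'3rd-party' if third_party else 'same-site':<9} {url}")
```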
#23
08-20-2018, 4:52 PM
NorCalBusa
CGN/CGSSA Contributor
CGN Contributor
Join Date: Dec 2006
Posts: 1,435
iTrader: 2 / 100%

Quote:
Originally Posted by readysetgo
But I was told if I have nothing to hide, let the cops search all they want...

Is password1234 a good one?
Yes, but only if you capitalize the "1234".
#24
08-20-2018, 7:46 PM
Robotron2k84
Senior Member
Join Date: Sep 2017
Posts: 2,013
iTrader: 2 / 100%

Why bother grepping and manually changing resource files? A reverse proxy to host the SSL certificate and a rewrite engine is all that's needed to dynamically rewrite files and URLs mid-stream.

Or, GASP! we could have a gofundme to allow Calguns to purchase a license for a CMS-based modern version of vB, that dynamically generates site resources and has global SSL that actually works, and beef up security at the same time.

What a concept.
#25
08-20-2018, 7:54 PM
HUTCH 7.62
In Memoriam
Join Date: Aug 2006
Location: San Josie
Posts: 11,298
iTrader: 2 / 100%

#26
08-21-2018, 7:44 AM
smird
CGN/CGSSA Contributor
Join Date: May 2009
Posts: 8,225
iTrader: 41 / 100%

Quote:
Originally Posted by Robotron2k84
Why bother grepping and manually changing resource files? A reverse proxy to host the SSL certificate and a rewrite engine is all that's needed to dynamically rewrite files and URLs mid-stream.

Or, GASP! we could have a gofundme to allow Calguns to purchase a license for a CMS-based modern version of vB, that dynamically generates site resources and has global SSL that actually works, and beef up security at the same time.

What a concept.
I don't think money is the issue. Kest has tried to upgrade in the past and too much stuff broke.
Here is some discussion
http://www.calguns.net/calgunforum/s...ight=vBulletin

Last edited by smird; 08-21-2018 at 7:47 AM..
#27
08-21-2018, 8:44 AM
Robotron2k84
Senior Member
Join Date: Sep 2017
Posts: 2,013
iTrader: 2 / 100%

Money is always a factor. The licenses themselves are cheap, $300 or so for vB5, but the conversion (time) and additional hardware and configuration (materials) costs add up.

Looking at that thread, none of them seem as good as vB5. vB4 can still run vBAdvanced, so that's a possibility, too.

The biggest issue in any upgrade is retaining functionality while getting the enhancements. Plugins will be translatable (even if needing triage and custom coding) across vBulletin. If a new platform is chosen, all that goes out the window.

I'm not sure of the specifics for the comment of vB5 being a resource hog. It brings a ton of new features that might be useful. In most cases, disabling these should render similar performance to the older versions.

vBulletin also has a hosted option where they do the upgrades for you and you pay by the Megabyte of traffic.

I have no idea what hosting costs are for Calguns currently, but it's at least worth a look.

But, I do get why vB5 turns many people off: it's a CMS-based model and can look more like a social-media presentation than a typical forum board. And it's that way because they merged the blog and forum parts together, under the hood.

But you can still do straight forum presentation, such as: https://www.hdherd.com, or https://www.m1garandforum.com

Of the other ones Xenforo is probably the leader.

Last edited by Robotron2k84; 08-21-2018 at 9:16 AM..
#28
08-21-2018, 9:02 AM
Dan_Eastvale
Calguns Addict
Join Date: Apr 2013
Location: West Jordan, Utah
Posts: 7,343
iTrader: 0 / 0%

Hey, at least we're not getting all those ridiculous spam messages we were getting several months ago
Who do we thank for that?

Last edited by Dan_Eastvale; 08-21-2018 at 9:04 AM..
#29
08-21-2018, 9:28 AM
Unbekannt
Banned
Join Date: May 2018
Posts: 378
iTrader: 0 / 0%

Quote:
Originally Posted by all-cal
There is no SSL certificate which adds transport layer security on the Calguns site.

This means that when you all enter your passwords, someone can easily capture your password and read all of your posts/communications.
....and that would be the Mexican California State Attorney General.
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.