Where's the SSL/TLS? I get a different (earlier version?) website than this one when visiting the same domain on 443/https.
My only concern is that many people use the same password in many places (yes, we know it's bad, but sadly... people don't listen), so by authenticating with your forum over HTTP this allows plaintext visibility of communications between the user and your website, does it not? Could this not pose a security concern? I ask from a dev-sec-net-ops-adm (I know, shoot me) profession out of concern for the users here and only hope to promote good forum platform security.
Maybe you're taking some precautionary measures, perhaps some php-foo, but when can we see the bump to TLS and 301 redirect to an HTTPS version of the forums?
LetsEncrypt (https://letsencrypt.org/) just announced their launch schedule to start allowing free cert requests via some magic foo that allows them to verify ownership of a domain and help make modern TLS setup a breeze :) They want to help secure the world through CA-signed certs! You might want to support older legacy SSL perhaps, but I'd at least nix export encryption (haven't personally checked) and ensure the web server sticks to a highest->lowest preferred cipher order for TLS/SSL. Wouldn't want someone forcing a downgrade to weak encryption to break the TLS/SSL; if you're going to do it, go all the way, man! :)
...(Maybe you can use some php/js foo to detect what user-bases max encryption support is and target that?)
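The settings the post asks for (no export-grade or anonymous suites, server-chosen cipher order, a minimum protocol version, and a 301 from HTTP to HTTPS) can be expressed and audited in a few lines. The block below is an added illustration, not code from the forum or from phpBB: it uses Python's standard `ssl` module to build a server-side context with an assumed cipher policy (`CIPHER_POLICY`), audits the resulting context for weak suites, and builds the redirect and HSTS headers a plain-HTTP front end should send. The function names and the policy string are assumptions for the example; on nginx the same policy maps to `ssl_protocols`, `ssl_prefer_server_ciphers on`, `ssl_ciphers` and `return 301`.

```python
import ssl

# Assumed policy: forward-secret AEAD suites only, strongest first, and an
# explicit deny list for anonymous, export-grade and legacy algorithms.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
# Substrings that should never appear in a negotiable suite name.
WEAK_MARKERS = ("EXP", "NULL", "RC4", "DES", "MD5")


def build_server_context(certfile=None, keyfile=None):
    """Server-side TLS context: TLS 1.2+, server cipher order, no weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuses SSLv3, TLS 1.0 and 1.1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server's order wins, not the client's
    ctx.set_ciphers(CIPHER_POLICY)
    if certfile:                                     # e.g. a Let's Encrypt chain + key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise the context so a deploy script can fail on a weak configuration."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "cipher_count": len(names),
        "weak_ciphers": weak,
    }


def https_redirect(host, request_uri):
    """Response the plain-HTTP listener should return for every request:
    a permanent redirect to the same path on HTTPS, never the page itself."""
    return 301, {"Location": "https://%s%s" % (host, request_uri), "Connection": "close"}


def hsts_header(max_age=31536000):
    """Header the HTTPS side adds so browsers stop trying HTTP at all."""
    return {"Strict-Transport-Security": "max-age=%d; includeSubDomains" % max_age}


if __name__ == "__main__":
    report = audit_context(build_server_context())
    print(report)
    print(https_redirect("forums.example.com", "/viewtopic.php?t=1"))
```

`audit_context` is the check worth wiring into deployment: if `weak_ciphers` is non-empty or `server_preference` is false, the build should fail rather than ship a server that can be talked down to a weak suite.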
Site Security
Re: Site Security
justintime4tea wrote: Maybe you're taking some precautionary measures, perhaps some php-foo
PHP is server-side; the password will still be sent in plaintext regardless of whatever precautions you take in PHP.
Re: Site Security
Why people are in this whole "If it isn't SSL/TLS it's not secure" mentality is beyond me. Someone would have to be able to sniff out any packets from you to the server.
If they can do this? Any encryption is going to matter not a hill of beans, because the odds are they already either a) have access to the database or b) have access to your computer, and at that point the only thing you can hope is that the site uses encrypted passwords. Unless they're on your computer, then keyloggers won't care if you're encrypted or not. They'll see it regardless.
Re: Site Security
askray wrote: Why people are in this whole "If it isn't SSL/TLS it's not secure" mentality is beyond me. Someone would have to be able to sniff out any packets from you to the server.
If they can do this? Any encryption is going to matter not a hill of beans, because the odds are they already either a) have access to the database or b) have access to your computer, and at that point the only thing you can hope is that the site uses encrypted passwords. Unless they're on your computer, then keyloggers won't care if you're encrypted or not. They'll see it regardless.
I am certain you have never used free wifi somewhere. Or have been in a school or work network.
Oh you have?
Well... there you go.
Re: Site Security
Every hop between you and the forum could potentially steal the credentials. Also, let's not make it too easy for the NSA.
And what about https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Re: Site Security
I'd also like to point out that the lockout after X many password attempts is broken as well. If you use the login box at the top of the page instead of the main one, you completely bypass the lockout.
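The bypass described above happens when the attempt counter lives in one form handler instead of in the authentication path that every form shares. The following is an added example, not forum or phpBB code, showing the structure that closes that gap: both login entry points (a main form and a header quick-login box, both hypothetical) delegate to a single `Authenticator.authenticate`, which checks and updates the lockout state before any password comparison. The threshold, lockout window, PBKDF2 parameters and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5            # failed attempts before the account locks (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed policy)
PBKDF2_ROUNDS = 50_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Authenticator:
    """The one place credentials are checked, so the lockout applies to every form."""

    def __init__(self, users, clock=time.time):
        self._users = users          # username -> (salt, digest)
        self._failures = {}          # username -> (count, timestamp of first failure)
        self._clock = clock          # injectable so the window can be tested offline
        self._dummy = hash_password("placeholder")  # keeps timing similar for unknown users

    def is_locked(self, username):
        record = self._failures.get(username)
        if record is None:
            return False
        count, first_ts = record
        if self._clock() - first_ts >= LOCKOUT_SECONDS:
            del self._failures[username]   # window expired: counter and lock reset
            return False
        return count >= MAX_ATTEMPTS

    def _record_failure(self, username):
        now = self._clock()
        count, first_ts = self._failures.get(username, (0, now))
        if now - first_ts >= LOCKOUT_SECONDS:
            count, first_ts = 0, now
        self._failures[username] = (count + 1, first_ts)

    def authenticate(self, username, password):
        """Return 'locked', 'bad_credentials' or 'ok'. Lock check comes first."""
        if self.is_locked(username):
            return "locked"            # refused before the password is even compared
        salt, expected = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(candidate, expected):
            self._failures.pop(username, None)
            return "ok"
        self._record_failure(username)
        return "bad_credentials"


# Two request handlers standing in for the two forms on the page. Neither keeps
# its own counter; the shared path is what makes the second box unable to bypass
# the first one's lockout.
def main_login_form(auth, form):
    return auth.authenticate(form.get("username", ""), form.get("password", ""))


def header_login_box(auth, form):
    return auth.authenticate(form.get("username", ""), form.get("password", ""))


def demo():
    """Constructed scenario: failures on the main form lock the header box too."""
    clock = {"now": 1_000_000.0}
    auth = Authenticator({"alice": hash_password("correct horse")}, clock=lambda: clock["now"])
    results = [main_login_form(auth, {"username": "alice", "password": "wrong"})
               for _ in range(MAX_ATTEMPTS)]
    # Right password, other form: still refused while the lock is active.
    results.append(header_login_box(auth, {"username": "alice", "password": "correct horse"}))
    clock["now"] += LOCKOUT_SECONDS            # window passes
    results.append(header_login_box(auth, {"username": "alice", "password": "correct horse"}))
    return results


if __name__ == "__main__":
    print(demo())
```

The detection side of the same design is cheap: because every attempt passes through `authenticate`, one log line there (username, source form, outcome) covers both boxes, and a burst of `bad_credentials` followed by `locked` is visible regardless of which form was used.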
Re: Site Security
This topic doesn't pertain to the game itself, so this isn't the right subforum. In fact, it's not even specific to Prison Architect, so I'm guessing it belongs in the lounge.