The Independent Voice of West Indies Cricket

Message Board Archives

Arawak, Bossman u need SSL

 
steveo 2017-12-21 10:52:38 

Certs are free and less than half hour setup on a linux server

 
sgtdjones 2017-12-21 10:58:30 

It would help also to see how many read the threads.

Often some are noted with no replies.

Such numbers would give members insight into what
is read on the board or ignored.

thxs

 
nick2020 2017-12-21 11:16:40 

In reply to sgtdjones

Insecure?

lol

 
sgtdjones 2017-12-21 14:14:51 

In reply to nick2020

Nawwwwwww just want to see if I can get a cut of the royalties



razz razz razz razz

 
Arawak 2017-12-21 21:21:54 

In reply to steveo

Soon come.

 
steveo 2017-12-22 08:09:31 

In reply to Arawak

Soon come.


Ok, good to hear. 2010 welcomes u

 
Arawak 2017-12-22 09:55:01 

In reply to steveo

LOL, indeed.

Just one of many updates I need to do. But that's not top of my list. Reality is that unless you are using the same password for cc.com that you use for important stuff there's not much useful to be gleaned. Even with the password an attacker would need to do some more work to get your username or email for the other site.

Passwords are like underwear... change them often and don't share them smile

But of course you are not wrong... I'll need this for HTTP2 anyway. Maybe I will find some inspiration over the Christmas.

 
pelon 2017-12-22 10:07:24 

In reply to Arawak

Reality is that unless you are using the same password for cc.com that you use for important stuff there's not much useful to be gleaned.

BINGO, but that IS the problem. Users do use the same damn password. :-( :-(

SSL is the way to go, yet you are correct Arawak: This is NOT a transactional site. Nothing but the "password" on login here at cc.com needs to be protected - however, as Steveo suggests, because you do have a password field AND, as you say, some users use the same password EVERYWHERE, cc.com should have SSL.

Contrary to current hysteria, SSL is not needed for every site, but mandatory if you ask for a user login.

A huge mistake is that people use the same password for social sites as well as personal (banking, bills etc).... people: avoid this always!

 
Arawak 2017-12-22 10:34:01 

In reply to pelon

Many years ago I did work for a small ecommerce site to secure the signups and credit card information via SSL. My client was very concerned because he was getting negative feedback about it.

He was however uninterested when I pointed out that his system was storing all of this info -- unencrypted -- in his database, and worse, emailing each transaction to him in the clear.

smile

And, to illustrate your point above... we have had instances in the past where operators of alternate WI cricket sites (not naming names, but I don't think they are around anymore anyway) would take the credentials people used on their site to log in to this site.

So be warned, and practice safe internet.

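The storage mistake Arawak describes (credentials and card data kept as-is in the database) is what turns a leak into a credential-reuse problem on every other site. The following is an added example, not code from the thread or from cc.com, showing how a login password should be stored so that a dump of the table yields nothing directly reusable: a random per-user salt, a memory-hard KDF (scrypt from the Python standard library), and a constant-time comparison. The record format, the scrypt parameters and the sample users are assumptions made for the demo.

```python
"""Added example (not from the thread): storing a login password so that a
database dump, or a rogue operator with access to it, cannot reuse it on
another site.

Assumptions (constructed for this demo): the record layout
"scrypt$<salt-hex>$<key-hex>", the scrypt parameters and the sample users.
Only the Python standard library is used.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters, assumed for the demo; raise n on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$<salt-hex>$<key-hex>".

    A random 16-byte salt per user means two users with the same password
    get different records, and a precomputed table is useless against the dump.
    The fixed-salt parameter exists only so tests can be deterministic.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time.

    Malformed records (wrong field count, bad hex, unknown algorithm) are
    rejected rather than raising, so a corrupted row cannot crash the login.
    """
    try:
        algo, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(key, expected)


# A throwaway record so that unknown usernames still cost one scrypt call;
# otherwise response time reveals which usernames exist.
DUMMY_RECORD = hash_password("not-a-real-password")


def check_login(users: Dict[str, str], username: str, password: str) -> bool:
    """Look the user up and verify; unknown users still pay the KDF cost."""
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample: the same password for two members yields two
    # different records, and neither reveals the password itself.
    members = {"arawak": hash_password("correct horse"),
               "steveo": hash_password("correct horse")}
    print(members["arawak"] != members["steveo"])        # True
    print(check_login(members, "arawak", "correct horse"))  # True
    print(check_login(members, "nobody", "correct horse"))  # False
```

What a leaked table now contains is a salt and a 32-byte key per user; turning that back into the password means running scrypt per guess, per user, which is the cost this design is meant to impose.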
 
nick2020 2017-12-22 10:59:02 

In reply to Arawak

If I did not reuse passwords and create easy ones like 123456789 I would require a forget password option. lol

 
steveo 2017-12-22 14:35:19 

In reply to Arawak

Even with the password an attacker would need to do some more work to get your username or email for the other site.


Actually my issue is not about the password, I myself use a throwaway password here.

I am very concerned that certain ISPs in certain regions are monitoring traffic on behalf of govts. If they can identify the source of negative posts (to them), there might be a backlash.

I am probably being paranoid.

 
pelon 2017-12-22 15:52:18 

In reply to steveo
Wait wait wait.

If THAT is your concern, you need to know that SSL does not inhibit Big Brother one ounce.

Not here, not there, not anywhere.

SSL encrypts and handshakes. Any encryption via SSL has a cert that facilitates decryption at big brother level.

 
steveo 2017-12-22 17:33:26 

In reply to pelon

I agree that the NSA etc. have such capabilities; I am talking within the Caribbean.

Not here, not there, not anywhere.


If you are saying the Caribbean ISPs and govt have such capabilities, I would like to know what u are basing that on?

 
Arawak 2017-12-22 18:12:49 

In reply to steveo

I am talking within the Caribbean


Bwahahahahahaha. Good one.

As if that kind of competence existed in Caribbean governments (or ISPs). lol

Anyway, if you're *actually* paranoid, use Tor or a VPN. I don't collect anyone's actual identity so unless you reveal it or allow them to deduce it via your originating IP you're likely safe.

Arawak

 
Arawak 2017-12-22 18:15:59 

In reply to pelon

SSL encrypts and handshakes. Any encryption via SSL has a cert that facilitates decryption at big brother level.


I'm familiar with the man-in-the-middle attack, where a govt would get a CA to issue a bogus cert and impersonate, but I'm not aware of even a hypothetical attack where some master cert unlocks everyone else's.

Can you elaborate on this, and provide some references?

 
steveo 2017-12-22 18:24:10 

In reply to Arawak

I have begun to use Tor, anyway I will let you shoot the breeze with pelon

 
pelon 2017-12-22 19:06:55 

In reply to Arawak

some master cert unlocks every one else's.
A "master key" does not exist, not to my knowledge - and that knowledge is fairly limited.

What I do know is you need to google: "SHA-1 collision" or when bored: "X.509 hash collision"

if peons can - big brother can x 100

I have nothing further on the topic... I refuse to let the ice melt in my Ron Zacapa

 
Dan_De_Lyan 2017-12-22 19:18:39 

In reply to steveo

This site always give me the blue screen of death.

not as bad as hitcric dot info....

By VD and dutty crotch webbing here all day.

 
Arawak 2017-12-22 19:41:20 

In reply to pelon

Oh.... that's rather dated. MD5 hasn't been used to sign in ages, and even SHA-1 is retired AFAIK. In any case it's likely far easier to coerce a trusted CA to issue the forged certificate than to do it this way. Somewhere it is written that it's almost always easier to bypass cryptography than to break it.

The same attack exists hypothetically for SHA-2 (or any algorithm, probably) given enough compute power... but I hardly think anyone is willing to foot the bill in order to find out what steveo is up to on a cricket web site smile

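Pelon's "X.509 hash collision" and Arawak's reply are about one specific mechanism: a CA signs the hash of a certificate, so if two certificates hash to the same value, the signature issued for the harmless one is equally valid for the other. The block below is an added example, not code from the thread, that shows the transfer on a deliberately weakened hash. Everything in it is an assumption made for the demo: SHA-256 truncated to 32 bits stands in for a broken hash such as MD5, an HMAC under a secret key stands in for the CA's RSA or ECDSA signature, and the "certificates" are plain byte strings. The search is a birthday collision between a benign request family and a rogue one, the same shape as the 2008 rogue-CA attack on MD5, not a chosen-prefix collision.

```python
"""Added example (not from the thread): a collision in the hash a CA signs
lets an attacker carry the CA's signature over to a certificate the CA
never saw.

Assumptions, all constructed for this demo:
  * weak_hash  = SHA-256 truncated to 32 bits (stand-in for a broken hash
                 like MD5; birthday bound is only ~2^16 trials)
  * ca_sign    = HMAC-SHA256 under a secret key (stand-in for the CA's
                 RSA/ECDSA signature over the certificate hash)
  * certificates are byte strings such as b"CN=...;serial=N"
Only the Python standard library is used.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

CA_KEY = b"demo-ca-private-key"   # assumed secret of the toy CA
WEAK_BITS = 32


def weak_hash(data: bytes) -> bytes:
    """Deliberately weak: keep only the first 32 bits of SHA-256."""
    return hashlib.sha256(data).digest()[: WEAK_BITS // 8]


def strong_hash(data: bytes) -> bytes:
    """Full SHA-256, for comparison; no practical collision is known."""
    return hashlib.sha256(data).digest()


def ca_sign(tbs: bytes, digest: Callable[[bytes], bytes] = weak_hash) -> bytes:
    """The CA signs the *hash* of the to-be-signed data, as X.509 does."""
    return hmac.new(CA_KEY, digest(tbs), "sha256").digest()


def ca_verify(tbs: bytes, sig: bytes,
              digest: Callable[[bytes], bytes] = weak_hash) -> bool:
    """Anyone holding the CA's verification key checks sig against digest(tbs)."""
    return hmac.compare_digest(ca_sign(tbs, digest), sig)


def find_collision(limit: int = 1_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search: a benign request and a rogue CA cert with equal weak hash.

    Each iteration produces one candidate from each family and checks it
    against every candidate seen so far in the other family.  With 32-bit
    hashes a match is expected after roughly 2^16 iterations.  Returns
    (benign, rogue) or None if the limit is exhausted.
    """
    benign_seen: Dict[bytes, bytes] = {}
    rogue_seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        benign = b"CN=benign.example.com;CA=FALSE;serial=%d" % i
        rogue = b"CN=*.example.com;CA=TRUE;serial=%d" % i
        hb, hr = weak_hash(benign), weak_hash(rogue)
        if hb == hr:
            return benign, rogue
        if hb in rogue_seen:
            return benign, rogue_seen[hb]
        if hr in benign_seen:
            return benign_seen[hr], rogue
        benign_seen[hb] = benign
        rogue_seen[hr] = rogue
    return None


def signature_transfers(digest: Callable[[bytes], bytes]) -> bool:
    """Submit the benign cert, receive a signature, test it on the rogue cert."""
    pair = find_collision()
    if pair is None:
        return False
    benign, rogue = pair
    sig = ca_sign(benign, digest)          # what the CA legitimately issues
    return ca_verify(rogue, sig, digest)   # does it also validate the rogue one?


if __name__ == "__main__":
    print("32-bit hash: signature transfers =", signature_transfers(weak_hash))
    print("SHA-256:     signature transfers =", signature_transfers(strong_hash))
```

The point of the last two lines: the forged certificate is never shown to the CA, and the CA's key is never recovered. That is why a weak signature hash is a CA problem and not a "master key" problem, and why, as Arawak says, coercing a CA to sign the rogue certificate directly is the cheaper route once the hash is no longer broken.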
 
steveo 2017-12-22 19:42:16 

In reply to Arawak

I'm familiar with the man-in-the-middle attack, where a govt would get a CA to issue a bogus cert and impersonate, but I'm not aware of even a hypothetical attack where some master cert unlocks everyone else's.


Root CAs can decrypt encryption of their Intermediate CAs as far as I know. I think Microsoft once shipped certificates that had that problem; one of the root CAs was a questionable party.

 
steveo 2017-12-22 19:46:37 

In reply to Arawak

The same attack exists hypothetically for SHA-2 (or any algorithm, probably) given enough compute power... but I hardly think anyone is willing to foot the bill in order to find out what steveo is up to on a cricket web site


Of course, any hash algorithm is bound to have collisions given infinite calculations...

Pelon does not seem up to speed on hash algorithms. SHA-1 was outdated years ago; no one uses that for low-level encryption, much less SSL. SHA-256 is not recommended either. MD5 has been relegated to checksumming.

 
pelon 2017-12-22 20:00:03 


I hardly think anyone is willing to foot the bill in order to find out what steveo is up to on a cricket web site


yup...

I guard my online privacy - but at the end of the day I have nothing to hide. Encrypted or not.

Seriously... nothing we do here merits any level of concern - but password collection should merit SSL... Steveo porn surfing safe.

 
steveo 2017-12-22 20:36:44 

In reply to pelon

Bro, bro, when I am surfing porn, I want the NSA to appreciate my good taste...

Anyway, your taste might be different, given the way you fashion your knowledge blurbs

 
pelon 2017-12-22 20:44:00 

In reply to steveo

lol lol lol

 
Arawak 2018-01-01 12:44:16 

Done.

Mostly.

 
Courtesy 2018-01-01 13:10:22 

In reply to Arawak

I heard De "Admin" speaking with (interviewing) a cyber crime investigator/ journalist/writer...that interview was frightening.

De Courtesy must seek further shelter.

Admin...great interview.

 
Arawak 2018-01-01 14:54:24 

k, think I have tracked down every last http content

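Tracking down leftover http:// references after a site moves to HTTPS is the "mixed content" chore Arawak is describing: a script, stylesheet, iframe or form still loaded over plain HTTP is blocked by browsers (active mixed content), while an image or media file only draws a warning (passive). The scanner below is an added example, not code from the thread or from cc.com; it uses only the Python standard library, and the HTML it runs over is a constructed sample. The tag and attribute lists, and the active/passive split, are assumptions chosen for the demo; a real audit would also walk the site's CSS files and any JavaScript that builds URLs at runtime.

```python
"""Added example (not from the thread): find http:// sub-resources left in a
page after it moves to HTTPS.  Standard library only; the sample page at the
bottom is constructed for the demo.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes that cause a fetch, and how browsers classify the tag.
# (Assumed lists for the demo; the active/passive split follows common
# browser behaviour: active content is blocked, passive only warns.)
URL_ATTRS = {"src", "href", "action", "data", "poster"}
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "form", "link"}
PASSIVE_TAGS = {"img", "audio", "video", "source", "track"}
LINK_RELS_THAT_FETCH = {"stylesheet", "icon", "preload", "prefetch", "manifest"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)

Finding = Tuple[str, str, str, str]   # (severity, tag, attribute, url)


class MixedContentScanner(HTMLParser):
    """Collects every http:// URL that would be fetched as a sub-resource."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            return                     # navigation link, not a sub-resource
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if not rels & LINK_RELS_THAT_FETCH:
                return                 # e.g. rel=canonical is never fetched
        severity = ("active" if tag in ACTIVE_TAGS
                    else "passive" if tag in PASSIVE_TAGS else "other")
        for name, value in a.items():
            if name in URL_ATTRS and value.strip().lower().startswith("http://"):
                self.findings.append((severity, tag, name, value.strip()))
            elif name == "style":
                # Inline CSS can pull a background image over plain HTTP too.
                for url in CSS_URL.findall(value):
                    self.findings.append(("passive", tag, "style", url))


def scan_mixed_content(html: str) -> List[Finding]:
    """Return (severity, tag, attribute, url) for each http:// sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a mix of fixed, protocol-relative and leftover
# http:// references of the kind a migration tends to miss.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/">
<script src="//cdn.example/app.js"></script>
<script src="http://cdn.example/old.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="https://img.example/logo.png" />
<a href="http://other.example/">a plain link is fine</a>
<div style="background: url(http://img.example/bg.png)"></div>
<form action="http://www.example/login"><input type="password"></form>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, attr, url in scan_mixed_content(SAMPLE_HTML):
        print("%-7s <%s %s=%s>" % (severity, tag, attr, url))
```

Run against the sample, the scanner reports five findings: the stylesheet, the old script and the login form as active, the logo and the CSS background as passive. The canonical link, the https:// image, the protocol-relative script and the plain anchor are correctly ignored.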
 
steveo 2018-01-01 16:02:40 

In reply to Arawak

"good show and all that old chap"