[ANSWERED] Are we ever going to get TLS on this site?

[Aereaux]

Certificates are free with LetsEncrypt.

[peterlund]

Interesting stuff indeed! First time I heard about a free CA. I will check it out for my mafia bot that currently uses self signed certs when GMs login...

[RagingIke297]

My computer was very unhappy with me when I wanted to allow mafia.peterlund.se to sign its own certs

[kestasjk]

Certificates are free with trustycertificates.ru as well, the question is are they a respected certificate authority, and how can they actually validate people for free?

[kestasjk]

And if it was considered of real value we could afford a proper certificate from a genuine CA, however I personally think it would be a waste of donor cash. I just don't consider this site a real target for the MITM attacks that TLS would guard against.

[Aereaux]

LetsEncrypt is a genuine, respected CA, sponsored by major tech organizations (including the EFF and Mozilla). I think that they automate most of the process of getting a certificate, which makes it cheaper. Frankly, I'd trust LetsEncrypt certificates over many other CAs, and there really is no downside to getting a certificate for this site. This is pretty much the last site that I use that doesn't support TLS, and if you need a specific use case for this, the app that I would like to use for accessing webdip on my phone (so I don't need to start up a full browser) only support HTTPS. Anyways, even if this site wouldn't itself be a target of MITM attacks, people (especially on insecure or untrusted WiFi networks) could inject javascript code to attack vulnerabilities or mine cryptocurrency.

[Jamiet99uk]

How much commission will you receive from LetsEncrypt if you can seal this deal?

[Aereaux]

50% of the amount you pay them.

[Jamiet99uk]

I'm not going to pay them anything.

[Aereaux]

By you I mean in general. And you don't need to, because it's free.

[Jamiet99uk]

I still don't think Kestas is very interested.

[jmo1121109]

Yeah I don't really see a need for this either considering the type of information the site stores we aren't a worthwhile target for any effort based attack. There's nothing to steal...all donation info is handled externally.

[Aereaux]

That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.

[Jamiet99uk]

That's not the point, though. Someone can inject javascript to infect my computer with a virus or read other information stored on my computer or mine cryptocurrency for themselves.

Is this true? Is webDip particularly vulnerable to viruses?

[Aereaux]

Is this true? Is webDip particularly vulnerable to viruses?

It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.

[Jamiet99uk]

I'm deeply concerned and frankly quite shocked.

[jmo1121109]

Is this true? Is webDip particularly vulnerable to viruses?

It's not webdip in particular, it's any non-https website. If I'm on an unsecured WiFi, or one administered by someone I don't trust (or potentially some other scenarios), it's possible for people to see and modify the content of that website I'm viewing. They could add javascript that (for example) tries to infect your computer with a virus, using a web browser flaw.

Free free to take the alarmist mentality elsewhere. Every single site, http or https is vulnerable right now due to the various problems like meltdown and spectre. Not to mention yet another one found 2 days ago. Don't use unsecured wifi's with your banking devices. That is computer security 101.

Those aren't the site being vulnerable though, it's you being vulnerable when you're using a public wifi connection that someone else controls. There has yet to be in over 10 years, any security issue involving this site excepting someone finding a flaw that let them post while silence (which was corrected).

That said, we're an open source repository that you're welcome to contribute too if you find anything not up to speed and want to help, then please do so. Issues can be submitted here: https://github.com/kestasjk/webDiplomacy

[Aereaux]

I don't think that it's alarmist. This is a real thing that could happen. You mentioned meltdown and spectre, without saying how exactly they are relevant. For each, an attacker needs to be able to execute code on my machine. This is where javascript comes into play. For most websites, I disable javascript using the NoScript browser extension, to mitigate spectre and other possible problems. I whitelist some websites that I use that make extensive use of javascript, so that I can use them. Most of the sites that I do this for are delivered over https, so I can be reasonably sure that the code that my browser receives to execute is the code that the website meant to send me. Because webdip requires javascript, I whitelist javascript here, but as it is delivered over http someone could, as described before, add hostile javascript code that takes advantage of spectre or some other problem to escape the sandbox that my browser runs the javascript code in. This could be mitigated by delivering the site over https.

I'd be perfectly fine doing banking over unsecured WiFi, as my bank's website uses https to communicate with my browser. Meltdown, spectre, and other similar problems have many effects, and delivering this website over https would mitigate one of them. I don't think it is a problem with me or whatever connection I am using, it is a problem with the website not supporting a secure protocol. Even if I am on my home WiFi, I don't control all of the computers routing my traffic between me and the site, so I can't totally trust that connection either.

I am not too familiar with how webdip is hosted, and how hard it would be to tell it to use a TLS certificate, but if there is anything I can help with by contributing to the code, let me know.

PS: Would you mind pointing me to the problem that was found two days ago? I don't think I heard about that one.

[jmo1121109]

And that's excellent for you. You're still hackable, literally everyone is if you're a target. If you're honestly concerned that people are going to target you specifically on unsecured networks to install malicious code on your machine then please don't use us on unsecured networks. I would advise not using your banking over a public network, but to each their own.

The issue discovered a couple days ago requires physical access to a laptop or device, but does give access in a stunningly short amount of time. https://mspoweruser.com/new-intel-issue ... 0-seconds/ There are a million and one ways for someone to compromise your computer quickly with minimal effort.

Anyways, posting what *is* alarmist style posts is not the correct way to get changes done when I've already directed you to the issues location on our open source repository. You're welcome to post there or contact the mod team about the problem.

[Kremmen]

One of the problems with these alarmist "it's possible" scenarios is that they fail to consider the real likelihood of anyone spending the massive resources necessary. When you visit your local shop, there could be a dozen armed men there waiting to abduct a random person and hold them for ransom, who happens to be you. There could, but it's really unlikely. They're going to target someone they know, who's of high value. Unknown people with unknown hardware with unknown value to a criminal? There are a hell of a lot better targets to hack than this web site.