wolfshade — 2014-04-10T01:25:06-04:00 — #1
I tried to access this site via SSL, just playin' around, also wanting to make sure that when I log on, I can do it securely.
No dice. Got the following error message:
Secure Connection Failed
An error occurred during a connection to www.sitepoint.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Isn't this a bit of a security issue? If it isn't, please advise.
cpradio — 2014-04-10T08:48:43-04:00 — #2
Um the forums have never been under SSL (as far as I know)... So I'm not sure why you think it would work.
wolfshade — 2014-04-10T09:00:11-04:00 — #3
The login for the forum should be done via SSL/TLS. Without it, the forum could be a playground for MitM attack.
cpradio — 2014-04-10T09:46:25-04:00 — #4
I don't buy that. There isn't anything here that is worth gathering. No financial transactions, no personal information (that'd be used for government purposes), so nothing really to protect. Just your username and password and frankly, if you are using the same password here for other websites, you are already doomed.
wolfshade — 2014-04-10T09:53:54-04:00 — #5
As well as the staff, here, do to prevent spam from getting in, accounts would be hacked less if two things happen: 1. People use long and complex passwords, and 2. the staff uses SSL/TLS to make sure that passwords aren't stolen by MitM.
The first one isn't completely realistic - most users STILL don't understand that short, simple, all lower-case passwords are easily hacked.
The second one won't completely eliminate accounts being hacked, but it will go a LONG way in significantly reducing it.
And, no, I don't use the same password for other sites. I've been internet security minded since before it became a huge issue.
cpradio — 2014-04-10T10:20:01-04:00 — #6
Those are fair points, and I've used long passwords for a really long time. But as far as someone gaining control over a staff account, it really isn't much to worry about. There isn't a lot they could do with that access, before being caught by another leery mod/admin.
Nonetheless, valid points, but the risk is low (in my opinion).
wolfshade — 2014-04-10T10:31:42-04:00 — #7
It's not staff accounts that I'm concerned about, really. I haven't seen any attempted SPAM postings from any staff members, anyway. But the spam attempts (I say 'attempts' because I've seen more than a few obvious subject entries, but there's no content when the post is viewed - KUDOS to the people/technology that is doing such an excellent job!) are being seen from standard user accounts. Most likely due to passwords not being long/complex, but I'm not going to discount potential MitM as a culprit.
Anyhoo... that's just my $0.03472 worth.
guido2004 — 2014-04-10T11:42:01-04:00 — #8
Spam attempts are usually made from spam accounts registered by the spammers themselves. I don't remember a case of a user account being hacked to use it for spamming.
mittineague — 2014-04-10T15:52:15-04:00 — #9
At first I thought you might have gotten that message as a result of trying to go to something no longer there. i.e. a removed SPAM post.
But SSL doesn't sound right because as said, unless wrong, the SitePoint forums don't use SSL.
But @HAWK should know about this for certain.
hawk — 2014-04-10T18:07:03-04:00 — #10