Some tidbits about informaction.com SSL

aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm


Post by aloishammer » Thu Jul 15, 2010 11:13 pm

I offer this (nearly) without comment, because there's already been enough silly controversy over SSL Labs' results. I would, however, at least disable SSLv2 support and any insecure algorithms left over afterward:

https://www.ssllabs.com/ssldb/analyze.h ... action.com

I ended up at https://forums.informaction.com/ via misadventure with GreaseMonkey and discovered that the server(s) in question serve SSL, but the included certificate is not valid for forums.informaction.com. I certainly encourage, support, and appreciate at least the ability to submit credentials securely, but ^https://forums\.informaction\.com/ucp\.php\?mode=login.* seems to end up at a different server or VHOST, and produces a 404. Actually, so does any other phpBB location I tested on forums.informaction.com.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4

Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone » Sat Jul 17, 2010 5:41 pm

In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Some tidbits about informaction.com SSL

Post by aloishammer » Sat Jul 17, 2010 8:04 pm

Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone » Sat Jul 17, 2010 8:18 pm

aloishammer wrote: Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.

Laziness. The browser will negotiate SSLv3 anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

twotenjack
Posts: 1
Joined: Fri Jul 30, 2010 3:41 pm

Re: Some tidbits about informaction.com SSL

Post by twotenjack » Fri Jul 30, 2010 3:47 pm

In layman's terms, could someone please explain what secure.informaction.com is?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Some tidbits about informaction.com SSL

Post by therube » Fri Jul 30, 2010 4:25 pm

I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6

Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone » Fri Jul 30, 2010 8:27 pm

therube wrote: I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.

Correct, and it's used to implement http://noscript.net/abe/wan as well now.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone » Fri Jul 30, 2010 9:38 pm

BTW, @aloishammer:
I took the time to tighten up your "tidbits". Please recheck https://www.ssllabs.com/ssldb/analyze.h ... 103.139.52 :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Some tidbits about informaction.com SSL

Post by GµårÐïåñ » Thu Sep 15, 2011 6:44 pm

You are posting public discussions in a public forum that allows anonymous posting, so you don't even need an account. So what's the problem? HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on; it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Some tidbits about informaction.com SSL

Post by Alan Baxter » Fri Sep 16, 2011 1:08 am

^^ Just a spammer. Locking.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Some tidbits about informaction.com SSL

Post by Thrawn » Thu Nov 22, 2012 10:27 am

Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.


GµårÐïåñ wrote: You are posting public discussions in a public forum that allows anonymous posting, so you don't even need an account. So what's the problem? HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on; it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.

Is it worth revisiting this?

I for one would be happy to use HTTPS to access the forums, especially since the public transport system where I live offers free WiFi (which is of course insecure).

And I'd be willing to verify a self-signed certificate - or one signed by an Informaction CA - to save Giorgio the expense of buying one.

ETA: Also discussed at viewtopic.php?f=14&t=412&p=1489. Giorgio wasn't too concerned, but I tend to agree with Tom's concerns.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:12.2) Gecko/20121102 PaleMoon/12.2
