Some tidbits about informaction.com SSL

Locked
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Some tidbits about informaction.com SSL

Post by aloishammer »

I offer this (nearly) without comment, because there's already been enough silly controversy over SSL Labs' results. I would, however, at least disable SSLv2 support and any insecure algorithms left over afterward:

https://www.ssllabs.com/ssldb/analyze.h ... action.com

I ended up at https://forums.informaction.com/ via misadventure with GreaseMonkey and discovered that the server(s) in question serve SSL, but the included certificate is not valid for forums.informaction.com. I certainly encourage, support, and appreciate at least the ability to submit credentials securely, but ^https://forums\.informaction\.com/ucp\.php\?mode=login.* seems to end up at a different server or VHOST, and produces a 404. Actually, so does any other phpBB location I tested on forums.informaction.com.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4
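
The certificate warning described in the post above comes from the client's hostname check against the certificate's subjectAltName entries. The following is an added example, not part of the original thread or of the site's code: the function names are hypothetical and the SAN list is constructed, since the thread does not show the certificate's actual contents.

```python
# Added illustration: RFC 6125-style hostname matching, as a TLS client
# performs it against a certificate's subjectAltName dNSName entries.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """Return True if one dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # label counts must agree: "*" never spans labels
    if any("*" in label for label in p[1:]):
        return False  # wildcards are only honoured in the left-most label
    if p[0] == "*":
        # Require at least two labels after the wildcard, so "*.com"
        # cannot claim every name under a top-level domain.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "f*.example.org"
    return p == h


def certificate_covers(san_dns_names, hostname):
    """Return True if any SAN entry is valid for the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed SAN list (assumption): the thread only says the certificate
# is for secure.informaction.com, not what its real entries are.
CONSTRUCTED_SAN = ["secure.informaction.com"]


def check_hosts(hosts, san=CONSTRUCTED_SAN):
    """Map each hostname to whether the certificate is valid for it."""
    return {host: certificate_covers(san, host) for host in hosts}


if __name__ == "__main__":
    hosts = ["secure.informaction.com", "forums.informaction.com"]
    for host, ok in check_hosts(hosts).items():
        print(f"{host}: {'valid' if ok else 'name mismatch'}")
```
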
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone »

In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
aloishammer
Senior Member
Posts: 65
Joined: Mon Apr 20, 2009 4:03 pm

Re: Some tidbits about informaction.com SSL

Post by aloishammer »

Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone »

aloishammer wrote: Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.

Laziness. The browser will negotiate SSLv3 anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
twotenjack
Posts: 1
Joined: Fri Jul 30, 2010 3:41 pm

Re: Some tidbits about informaction.com SSL

Post by twotenjack »

In layman's terms, could someone please explain what secure.informaction.com is?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Some tidbits about informaction.com SSL

Post by therube »

I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone »

therube wrote: I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.

Correct, and it's used to implement http://noscript.net/abe/wan as well now.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Some tidbits about informaction.com SSL

Post by Giorgio Maone »

BTW, @aloishammer:
I took the time to tighten up your "tidbits". Please recheck https://www.ssllabs.com/ssldb/analyze.h ... 103.139.52 :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Some tidbits about informaction.com SSL

Post by GµårÐïåñ »

You are posting public discussions in a public forum that allows anonymous posting so you don't even need an account. So what's the problem, HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on, it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Some tidbits about informaction.com SSL

Post by Alan Baxter »

^^ Just a spammer. Locking.
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Some tidbits about informaction.com SSL

Post by Thrawn »

Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

GµårÐïåñ wrote: You are posting public discussions in a public forum that allows anonymous posting so you don't even need an account. So what's the problem, HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on, it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.

Is it worth revisiting this?

I for one would be happy to use HTTPS to access the forums, especially since the public transport system where I live offers free WiFi (which is of course insecure).

And I'd be willing to verify a self-signed certificate - or one signed by an Informaction CA - to save Giorgio the expense of buying one.

ETA: Also discussed at http://forums.informaction.com/viewtopi ... 412&p=1489. Giorgio wasn't too concerned, but I tend to agree with Tom's concerns.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:12.2) Gecko/20121102 PaleMoon/12.2