Some tidbits about informaction.com SSL

Posted: Thu Jul 15, 2010 11:13 pm
by aloishammer
I offer this (nearly) without comment, because there's already been enough silly controversy over SSL Labs' results. I would, however, at least disable SSLv2 support and any insecure algorithms left over afterward:

https://www.ssllabs.com/ssldb/analyze.h ... action.com

I ended up at https://forums.informaction.com/ via misadventure with GreaseMonkey and discovered that the server(s) in question serve SSL, but the included certificate is not valid for forums.informaction.com. I certainly encourage, support, and appreciate at least the ability to submit credentials securely, but ^https://forums\.informaction\.com/ucp\.php\?mode=login.* seems to end up at a different server or VHOST, and produces a 404. Actually, so does any other phpBB location I tested on forums.informaction.com.

Re: Some tidbits about informaction.com SSL

Posted: Sat Jul 17, 2010 5:41 pm
by Giorgio Maone
In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

Re: Some tidbits about informaction.com SSL

Posted: Sat Jul 17, 2010 8:04 pm
by aloishammer
Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.

Re: Some tidbits about informaction.com SSL

Posted: Sat Jul 17, 2010 8:18 pm
by Giorgio Maone
aloishammer wrote: Righto. Is SSLv2 left enabled for a reason, though? It's been deprecated and disabled-by-default most everywhere.

Laziness. The browser will negotiate SSLv3 anyway.

Re: Some tidbits about informaction.com SSL

Posted: Fri Jul 30, 2010 3:47 pm
by twotenjack
In layman's terms, could someone please explain what secure.informaction.com is?

Re: Some tidbits about informaction.com SSL

Posted: Fri Jul 30, 2010 4:25 pm
by therube
I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.

Re: Some tidbits about informaction.com SSL

Posted: Fri Jul 30, 2010 8:27 pm
by Giorgio Maone
therube wrote: I'll guess that it's a (secure) site used to serve two extensions, NoScript & FlashGot, to the public, & as an alternative to https://addons.mozilla.org/ (which may not always be as current). https: being required by the Mozilla Extension Manager.

Correct, and it's used to implement http://noscript.net/abe/wan as well now.

Re: Some tidbits about informaction.com SSL

Posted: Fri Jul 30, 2010 9:38 pm
by Giorgio Maone
BTW, @aloishammer:
I took the time to tighten up your "tidbits". Please recheck https://www.ssllabs.com/ssldb/analyze.h ... 103.139.52 :)

Re: Some tidbits about informaction.com SSL

Posted: Thu Sep 15, 2011 6:44 pm
by GµårÐïåñ
You are posting public discussions in a public forum that allows anonymous posting so you don't even need an account. So what's the problem, HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on, it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.

Re: Some tidbits about informaction.com SSL

Posted: Fri Sep 16, 2011 1:08 am
by Alan Baxter
^^ Just a spammer. Locking.

Re: Some tidbits about informaction.com SSL

Posted: Thu Nov 22, 2012 10:27 am
by Thrawn
Giorgio Maone wrote: In fact forums.informaction.com is not secured.
Only secure.informaction.com (used to serve NoScript's and FlashGot's XPIs) is.
This may change in future, but for the time being this is the (legitimate) setup.

GµårÐïåñ wrote: You are posting public discussions in a public forum that allows anonymous posting so you don't even need an account. So what's the problem, HTTP is just fine and HTTPS would be unnecessary. It's like putting a 10k sound system in a Yugo. Get over it and move on, it's a legitimate setup and works just fine and doesn't need to be any more secure than it already is. Dead horse, stop beating it.

Is it worth revisiting this?

I for one would be happy to use HTTPS to access the forums, especially since the public transport system where I live offers free WiFi (which is of course insecure).

And I'd be willing to verify a self-signed certificate - or one signed by an Informaction CA - to save Giorgio the expense of buying one.

ETA: Also discussed at http://forums.informaction.com/viewtopi ... 412&p=1489. Giorgio wasn't too concerned, but I tend to agree with Tom's concerns.