ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 12:50 pm
by lemur
I've tried connecting to the forum using ssl (https) but I get this error:
Secure Connection Failed
An error occurred during a connection to
www.theliberalgunclub.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I am guessing the problem is server-side.
In general, I try to use ssl wherever I can. Even where security is not paramount, I prefer to use it, on principle.
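For readers who hit the same "ssl_error_rx_record_too_long" message: the most common cause is a web server that answers on port 443 with plain HTTP because no TLS listener is configured, which matches the guess above that the problem is server-side. The following is an added example, not code from this thread or from the forum's software, and the two byte strings in it are constructed rather than captured from theliberalgunclub.com. It interprets the first five bytes a client reads as a TLS record header, the same way a browser does, and shows why the ASCII text "HTTP/" parses as a record length far above the 18432-byte maximum.

```python
import struct

# Largest TLS record a client will accept: 2^14 bytes of plaintext plus
# 2048 bytes of allowed expansion (the TLSCiphertext limit in RFC 5246).
MAX_TLS_RECORD_LENGTH = 2**14 + 2048  # 18432

# Content types a TLS server can legitimately send in its first record.
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first 5 bytes from the TLS port as a record header:
    1 byte content type, 2 bytes version, 2 bytes big-endian length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": content_type, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Mimic the client's first decision: is this a TLS record it can read?"""
    hdr = parse_tls_record_header(data)
    if hdr["length"] > MAX_TLS_RECORD_LENGTH:
        # This is the condition behind "record exceeded the maximum permissible length".
        if data.startswith(b"HTTP/"):
            return "record too long: the server answered with plaintext HTTP on the TLS port"
        return "record too long: not a TLS record"
    if hdr["content_type"] not in TLS_CONTENT_TYPES:
        return "unknown content type %d: not a TLS record" % hdr["content_type"]
    return "TLS %s record, %d bytes" % (TLS_CONTENT_TYPES[hdr["content_type"]], hdr["length"])


# Constructed samples (not captured from any real server):
# what a host with no TLS listener returns on port 443 ("HTTP/" -> 0x48 'H' as the
# content type, 0x54 0x54 "TT" as the version, 0x50 0x2F "P/" = 20527 as the length),
PLAINTEXT_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
# and the header of a genuine TLS 1.0 handshake record carrying 42 bytes.
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x2a" + b"\x00" * 42


def main():
    for label, sample in (("plaintext", PLAINTEXT_HTTP), ("tls", TLS_SERVER_HELLO)):
        print(label, parse_tls_record_header(sample), "->", classify_first_bytes(sample))


if __name__ == "__main__":
    main()
```

Nothing a visitor can do client-side changes this outcome; the fix is a TLS-enabled virtual host actually listening on 443 with a certificate, which is the hosting-company question raised in the next reply.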
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 12:55 pm
by Inquisitor
Not even sure SSL is installed appropriately; we rent the server from a hosting company.
We would have to pay for a VeriSign certificate, and money is sometimes tight.

Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 1:12 pm
by lemur
I use a self-signed certificate for my server needs.
It has been a while since I've looked into this but I think self-signed just means that a third party has not vouched for your identity. This can be an issue for people who are concerned about a man-in-the-middle attack or for people who want to make sure that whomever owns the server is traceable "in real life."
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 1:29 pm
by lemur
Actually...
I also was under the impression that SSL certificates were very expensive. It seems to me that was the case when I researched it some years ago. I was looking at 100-200 per year for a certificate!
However, it seems that it is possible to get some for cheaper now. Apparently as cheap as $20 per year.
http://blog.johnath.com/2008/08/05/ssl-question-corner/
http://www.boutell.com/newfaq/creating/whichcert.html
StartSSL has even free certificates:
http://www.startssl.com/?app=1
From what I understand, the free option is enough to allow for encryption and assures the end user that the server belongs to the domain name which corresponds to it.
At the same time I realize that the piggy bank does not contain infinite resources and that this does not include labor time. But as one wise man once told me "if you do ask, you might not get... but if you do not ask, you sure won't get."
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 2:42 pm
by mark
Thanks for the links, I will look into it. Right now my time is sliced very thinly between my real job and tasks here that only a few can take priority at a time. Currently, I am working on finishing up the course booklet for our firearms safety course, getting it approved as a safety course in FL for use towards obtaining a CCW permit, and getting things going for the meeting. So, my point is.... it sounds great but will be lower on the priority list. Hell, I don't even reply to emails in a timely manner any more.
I must admit that while I understand your concern, I have honestly never thought about it before. Really the only thing I should be worried about not being encrypted is my password. Which is why I never use the same password on sites like this that I use on personal and financial sites.
Nonetheless, it's not a bad idea and I will come back to it later on. Sorry I can't get on it sooner rather than later.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 4:31 pm
by Inquisitor
That's all any signed SSL cert does, prove that the server you are talking to is the one you think it is. Self-signed ones, and you will get a trust popup every time.
Other than that, the only thing it really masks is the data between you and the server, and none of our transactions are PII driven. So, someone could sniff your forum password while you were entering it (or more likely, your password hash, I don't remember how phpBB does it), or see the contents of your post cross the wire when you hit submit. Important when you are sending SSN or credit cards, less so for this sort of traffic. Even some corporate proxies can look inside an SSL stream.
Depending on server setup, there can be upwards of a 20% performance hit to webservices using SSL, and some forum software (not checked this one) may need special config to remember to use SSL on all the internal links.
So, it depends on what you think you are getting by using SSL. It's not doing much for you except preventing eavesdropping on active sessions.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 4:36 pm
by lemur
mark wrote:
Really the only thing I should be worried about not being encrypted is my password.
Among the reasons which can come up for wanting an encrypted session, one of them is just to make encryption be the norm rather than the exception. The issue with encryption is that when it is the exception rather than the norm, the mere fact of using encryption becomes a red flag for people looking to pry into other people's business.
mark wrote:
Which is why I never use the same password on sites like this that I use on personal and financial sites.
Good policy. I think it is a must. However, if someone manages to sniff your http session, they can still steal your credentials:
https://secure.wikimedia.org/wikipedia/ ... /Firesheep
It works by sniffing out the cookies exchanged between the server and the client. The guy using Firesheep to get the cookies I use for this site would not be able to get my password but he would be able to impersonate me on this site. If the cookies are exchanged through https, then Firesheep cannot sniff them.
mark wrote:
Nonetheless, its not a bad idea and I will come back to it later on. Sorry I can't get on it sooner rather than later.
Thanks.
Hmm... while I'm at it, if other people read this thread and wonder how to protect themselves: the EFF has released this extension for Firefox:
https://www.eff.org/https-everywhere
The NoScript extension for Firefox also allows forcing the use of https on some web sites:
http://noscript.net/
Of course, no matter the extension, the server has to cooperate and allow the encryption. It is just that these extensions rewrite all URLs to the specified sites so that they use https instead of http.
I also heard of something called BlackSheep which is supposed to counter Firesheep but I am not familiar with it and consider HTTPS Everywhere and NoScript to provide enough protection.
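The Firesheep point above comes down to two server-side settings that the browser extensions cannot supply: the site has to be served over https, and the session cookies have to carry the Secure flag so the browser never sends them over plain http. The following is an added example, not part of this thread or of the forum's software; the cookie names and the response headers in it are constructed for illustration. It audits a captured response for exactly those properties (plus HttpOnly and the Strict-Transport-Security header, the server-side counterpart to an HTTPS Everywhere rule, which goes beyond what the thread covers) and shows an insecure response beside a hardened one.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie header into (name, value, attributes).
    Flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value.strip(), attrs


def audit_response(scheme: str, headers: List[Header]) -> List[str]:
    """Return findings about how exposed a logged-in session is on the wire."""
    findings: List[str] = []
    if scheme == "http":
        findings.append("served over plain http: the login POST and every page, "
                        "cookies included, cross the wire readable")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http requests,
            # so a sniffed cookie lets someone act as the user without the password.
            findings.append("cookie %r lacks Secure: the browser will also send it over http, "
                            "so the session can be replayed without the password" % name)
        if "httponly" not in attrs:
            findings.append("cookie %r lacks HttpOnly: page scripts can read it" % name)
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header: nothing tells browsers "
                        "to stay on https without an HTTPS Everywhere rule")
    return findings


# Constructed responses (hypothetical forum, hypothetical cookie names).
INSECURE_FORUM: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "forum_sid=9c1e5c2a7d3f; path=/"),
    ("Set-Cookie", "forum_u=1042; path=/; expires=Fri, 20-Jan-2012 12:50:00 GMT"),
]
HARDENED_FORUM: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "forum_sid=9c1e5c2a7d3f; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "forum_u=1042; Path=/; Secure; HttpOnly"),
]


def main():
    for label, scheme, headers in (("insecure", "http", INSECURE_FORUM),
                                   ("hardened", "https", HARDENED_FORUM)):
        findings = audit_response(scheme, headers)
        print("%s: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```

The audit reports five problems for the plain-http response and none for the hardened one. The order matters for operators: adding the Secure flag before the site actually serves https would break logins, since the browser would then withhold the cookie entirely.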
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 5:53 pm
by MetalSlugIV
So is our password when signing into this site being sent as plain text? I need to change my password...
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 5:57 pm
by mark
MetalSlugIV wrote:
So is our password when signing into this site being sent as plain text? I need to change my password...
It's not running SSL, which (as far as I understand) encrypts data as it is being sent/received. So, if someone were doing some packet sniffing (eavesdropping on the conversation between your computer and the server) they could 'hear' your conversation, including your password.
I doubt that many other forums run SSL, but I could be wrong. Like I said, it's not something I have thought much about before.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 7:14 pm
by lemur
mark wrote:
It's not running SSL, which (as far as I understand) encrypts data as it is being sent/received. So, if someone were doing some packet sniffing (eavesdropping on the conversation between your computer and the server) they could 'hear' your conversation, including your password.
Yes, they'd see the password at some point. Some sites will have the login encrypted and think everything is peachy because, you know, the password is encrypted during login. But they forgot that after the login, the way the client tells the server "I am user so and so" is to use cookies. The cookies do not contain passwords (usually) but they do contain an identity. If the connection is not SSL (https) then the cookies go out in the clear. This is actually what FireSheep counts on.
mark wrote:
I doubt that many other forums run SSL, but I could be wrong.
I do not know the statistics. The only other gun forum I read on a regular basis does though.
By the way, I'm not losing sleep over this.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 7:55 pm
by Inquisitor
The password is probably sent as a hash.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 8:26 pm
by lemur
Inquisitor wrote:
The password is probably sent as a hash.
Alas... it is not the case. I've performed a test using wireshark. I opened a fresh browser, pointed it to LGC and tried to log in using a fake name and login. All the while, wireshark was recording the packets sent over the wire. A screenshot follows. Look at the bit I've highlighted in red. The login was gerbil and the password gerbil.
(Oh, for those stumbling upon this thread and not having the technical background: wireshark, despite the ominous name, is a diagnostic tool. Just like a gun can be used for legal or illegal ends, wireshark can be used for legal or illegal ends.)
[Screenshot] Showing that passwords are not encrypted.
Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 8:29 pm
by Inquisitor
Ah, well.
Pick a good password, change it often, and watch out for mean conservatives on the Starbucks wireless.
I will look for some stop gaps for that.

Re: ssl (https) for connecting to the forum
Posted: Thu Jan 20, 2011 9:48 pm
by mark
The password is stored as a hash, sent as plain text.
This thread seems to address many of these questions:
http://www.phpbb.com/community/viewtopi ... &t=1967375