Homepage logon dangers.


Re: Homepage logon dangers.

Postby WojtylaKarol » Wed May 12, 2021 9:45 pm

VDZ wrote:They used to be able to as they would store the certificate and alert you if you later visit the site again and the certificate was not the one it stored. But they've specifically removed that in order to force people to use centralized CA certificates.


Damn, create your own DNS protocol then, because that duckery also uses a centralized structure... They are infringing on our freedoms! Clearly the whole world is in the wrong and only you see through the lies.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm

Re: Homepage logon dangers.

Postby VDZ » Wed May 12, 2021 10:12 pm

WojtylaKarol wrote:
VDZ wrote:They used to be able to as they would store the certificate and alert you if you later visit the site again and the certificate was not the one it stored. But they've specifically removed that in order to force people to use centralized CA certificates.


Damn, create your own DNS protocol then, because that duckery also uses a centralized structure... They are infringing on our freedoms! Clearly the whole world is in the wrong and only you see through the lies.

The DNS protocol is decentralized: anyone can host a DNS server if they want to, much in the same way you can make a self-signed certificate, and as a user you can choose to use any DNS server you want, and unlike with certificates your browser is not going to complain that you're not using Google DNS or whatever specific authority they prefer.

The top-level domains themselves are centralized and are rightfully criticized for that because they can pull bullshit like suddenly transitioning from a non-profit organization to a profit-seeking corporation and jack up the pricing with site owners' only alternative being to abandon their address. Fortunately the ICANN is sane (for the time being at least; they fortunately blocked that acquisition after massive backlash) and there are a bazillion different TLDs to choose from managed by many sufficiently independent organizations, unlike the CA system which is in the hands of a small handful of organizations concentrated in only a few countries (mostly the US) and can be further limited by browser makers (and every single browser nowadays other than Firefox and derivatives relies on Google for most of its functionality, meaning Google nowadays holds near-absolute power in this regard).
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby shubla » Wed May 12, 2021 10:22 pm

tampering with secure communications is a crime in every developed country, doing so on such a large scale is guaranteed to get you a pretty severe punishment, and this method requires physical proximity to the targets.)

Many things are crimes but you won't get punished for doing them if you don't get caught, and it's very easy not to be caught with these things.
It's common fun to do some silly tricks with people on airports while waiting for your flight, right? ¦]

I am of course a law-abiding citizen, but I'm pretty sure that I could spoof sites by setting up custom wifis on public places all day long and never get caught. Maybe visit people's backyards and set up fake wifis too.

Sure, if you want to immediately alert literally everyone visiting literally any site via HTTPS on the network that the network is compromised

Well, you would not have to spoof all sites, you could just spoof sites that have self-signed certificates such as HnH. So there would be no difference from the users' point of view.

Implying that not fixing an obvious security flaw is not important because it's unlikely to be abused is the biggest reason why security breaches happen in the first place! Thousands of people play this game, some of them may check forums from god knows what kind of places, public cafes or hotels in suspicious countries and such. Spoofing attack is so easy to do that it's a real threat. I don't know how often they happen though, it's not like there would be any statistics about those. But when you think of how many times something like /phpadmin is checked daily, or how many bikes are stolen, there certainly are plenty of people ready to do malicious things, both in internet and RL.

self-signed HTTPS = equivalent to HTTP
HTTP is as secure as HTTPS if you can trust everyone on the route. If you can't trust everyone on the route, then authenticity of self-signed sites cannot be verified, which means that you could just send the data completely unencrypted.
So by defending this loftar's contraption you are implying that HTTP is secure because it's "extremely unlikely" and "impossible in practice" to do attacks against HTTP connections. OK bro, end of case for me. You are dumb and do not know what you are talking about.

It is unfortunate if CAs are compromised, but a better alternative does not exist. It is the cost that we must pay, without CAs there would be a lot more problems.

But yeah, devs should just switch to use Let's Encrypt and not wait until something bad happens, assuming that it has not yet happened. Many people re-use passwords, so devs should be responsible and give in with this one, because otherwise somebody might lose a bit more than his hnh account.

I can't see why loftar's hate of CAs and complaint about not being able to multi-sign CA certs or whatever is more important than the safety of thousands.
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: Homepage logon dangers.

Postby VDZ » Wed May 12, 2021 11:51 pm

shubla wrote:it's very easy not to be caught with these things.
It's common fun to do some silly tricks with people on airports while waiting for your flight, right? ¦]
I am of course a law-abiding citizen, but I'm pretty sure that I could spoof sites by setting up custom wifis on public places all day long and never get caught.

You should actually try this some time. Let us know how it goes, assuming they have internet in whatever jail you're put in once airport security finds where the MITM traffic is coming from.

shubla wrote:Spoofing attack is so easy to do that it's a real threat.

But it isn't. Pulling off a MITM attack by itself is pretty hard already, managing to spoof traffic adds a further layer of complication, and actually doing it convincingly is actually very difficult. I can't go into details because NDAs and such, but I'm a reverse engineer (purely software, I don't actually deal with network tampering) and have to work on adding compatibility layers/spoofing results every now and then. It often seems simple but there are so, so many things you can do wrong and every tiny mistake is likely to cause the whole thing to come crashing down - and that's typically without security measures in place to prevent tampering. That's usually fine when working with local software (you just sigh, restart the program and get it back into the state you were working on) but incredibly complicated when one half of the equation is not under your control (you just have to hope your target's environment is sufficiently similar to the environment you tested it on). If there's also the fact that you can get arrested for screwing up then you're really playing with fire.

shubla wrote:self-signed HTTPS = equivalent to HTTP
HTTP is as secure as HTTPS if you can trust everyone on the route. If you can't trust everyone on the route, then authenticity of self-signed sites cannot be verified, which means that you could just send the data completely unencrypted.

This is only (partially) true the very first time you access the site, and only if the attacker manages to intercept all of the data (which means you need a really good MITM attack, not just spamming on a public network). If you've already accessed the site before you will run into the problem that the certificate you already know about is not what it's supposed to be. (Furthermore, even if compromised in this way it's still only readable by that specific attacker, and failure to intercept consistently will raise alarm bells.)
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am
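
The stored-certificate check discussed in the posts above, as an added example that is not part of the thread or taken from any browser: a trust-on-first-use pin store keyed by the SHA-256 of the DER certificate. The host name `forum.example` and the certificate byte strings are constructed placeholders; in real use the bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import json
import os
import tempfile


class PinStore:
    """Trust-on-first-use store: host -> SHA-256 fingerprint of the DER cert."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self):
        with open(self.path, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)

    def check(self, host, der_cert):
        """Return 'first-use', 'match' or 'mismatch' for the presented cert."""
        fingerprint = hashlib.sha256(der_cert).hexdigest()
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so whatever is
            # presented gets pinned. Authenticity is not established here.
            self.pins[host] = fingerprint
            self._save()
            return "first-use"
        if known == fingerprint:
            return "match"
        # Never overwrite the pin silently; the caller must alert the user.
        return "mismatch"


def demo():
    # Constructed stand-ins for DER-encoded certificates (not real certs).
    genuine = b"constructed-der-bytes-genuine-self-signed-cert"
    substituted = b"constructed-der-bytes-substituted-cert"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    results = [PinStore(path).check("forum.example", genuine)]
    # Later visits reload the pin from disk.
    results.append(PinStore(path).check("forum.example", genuine))
    results.append(PinStore(path).check("forum.example", substituted))
    # New device or cleared store: the pin is gone, so a substituted
    # certificate is indistinguishable from a legitimate first visit.
    fresh = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    results.append(fresh.check("forum.example", substituted))
    return results


if __name__ == "__main__":
    print(demo())
```

The last case in `demo()` is the first-visit window both sides of the thread refer to: the pin only protects visits made after an untampered first contact on the same device.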

Re: Homepage logon dangers.

Postby Zentetsuken » Thu May 13, 2021 12:50 am

you are a saint VDZ, but don't spend too much time here teaching those who do not want to learn

I can assure you that the very few people left that do not have shubla's posts blocked are very well aware that he has no idea what he is talking about and just has a desperate, cringy lust for trying to talk down to the devs and raise his forum post count. Odds are pretty high he doesn't even believe what he preaches himself, he's just playing his edgy forum troll character, showing off how he can talk shit about the devs without punishment.

There are 100s of people in this community worried about the security of shubla's client for every 1 person who is legitimately concerned about the website
Zentetsuken
 
Posts: 1860
Joined: Sun Jun 20, 2010 4:07 pm
Location: Flavor Town

Re: Homepage logon dangers.

Postby jeremywsmith » Thu May 13, 2021 2:07 am

As someone who works in the Network Security field, gotta say... reading a thread this long arguing about getting a proper SSL certificate for your website which handles credit cards and user data is pretty ridiculous.

Just get a proper certificate. It takes some maintenance, but security seems expensive until you get compromised or your users get compromised.
jeremywsmith
 
Posts: 1
Joined: Mon May 10, 2021 3:36 am

Re: Homepage logon dangers.

Postby MagicManICT » Thu May 13, 2021 4:53 am

For those that are worried about whether the cert here is issued by a CA or self-signed, let me give you an exercise. Go out and read all the fine print on that certificate and figure out how hard they are to get. Literally anyone can get a certificate now, even if they've previously had certificates revoked for online chicanery. The CA system has killed itself, and I'll trust my own research for small websites over whatever bullshit these free certs claim to represent.

There are plenty of ways to ensure encrypted communication between a client and server. Some of those are available via client software that doesn't require server and webpage configuration. There's also TOR, which is a Firefox browser with several security options enabled and tools like HTTPS Everywhere installed and activated by default.

Let's not forget the JavaScript contained on this website, too, if we're worried about data security. That's something Google-themed browsers don't warn you about, yet is more dangerous than self-signed certificates.

Really, some of you just need to get rid of your Chromium-based browsers, move to a properly configured Firefox browser or the TOR package, then complain to website owners about how their websites don't work with your software. See how quickly you get a response in those cases. They will quite literally tell you to "Fix your browser or fuck off. We don't care about your 'perceived' security."
Opinions expressed in this statement are the author's alone and in no way reflect on the game development values of the actual developers.
MagicManICT
 
Posts: 18437
Joined: Tue Aug 17, 2010 1:47 am

Re: Homepage logon dangers.

Postby VDZ » Thu May 13, 2021 5:03 am

MagicManICT wrote:For those that are worried about whether the cert here is issued by a CA or self-signed, let me give you an exercise. Go out and read all the fine print on that certificate and figure out how hard they are to get. Literally anyone can get a certificate now, even if they've previously had certificates revoked for online chicanery. The CA system has killed itself, and I'll trust my own research for small websites over whatever bullshit these free certs claim to represent.

It's not like that's a new thing. It's an inherent problem in the system and happened even back when the only CAs charged stupid fees, e.g.
Wikipedia article 'Certificate authority' wrote:A notable case of CA subversion like this occurred in 2001, when the certificate authority VeriSign issued two certificates to a person claiming to represent Microsoft. The certificates have the name "Microsoft Corporation", so they could be used to spoof someone into believing that updates to Microsoft software came from Microsoft when they actually did not. The fraud was detected in early 2001. Microsoft and VeriSign took steps to limit the impact of the problem.[39][40]
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby terechgracz » Thu May 13, 2021 7:08 am

Stop it, nerds. Idk what you're arguing about. It's just not normal that I can't enter a website without clicking special buttons telling something about certificates and bad security.
terechgracz
 
Posts: 517
Joined: Wed Feb 07, 2018 5:06 pm

Re: Homepage logon dangers.

Postby shubla » Thu May 13, 2021 9:34 am

VDZ wrote:You should actually try this some time. Let us know how it goes, assuming they have internet in whatever jail you're put in once airport security finds where the MITM traffic is coming from.

If you think that airports are filled with security people using antennas to catch people setting up fake wifis you are very wrong, let alone malls, cafes, hotels etc. good spots for these activities. I have acquaintances who have done this for fun, not doing anything malicious really but just some silly messing with people, and they've never been caught, not even close. How would they be caught even? "you have to be in physical proximity" yeah like within 100 meter radius on an airport where there are 1000 people in that radius going in and out, doing stuff on their laptops and phones, you won't get caught, even if you somehow did you would not know anything about it and it would be just some virus on your device or such, right?
You won't have to be a neckbearded sketchy guy sitting and sweating with the Guy Fawkes mask on in the corner. You can look quite normal and maybe even hide the actual device in your backpack and such, if you want to further avoid getting caught that is.

VDZ wrote:Pulling off a MITM attack by itself is pretty hard already,

It is? Isn't the internet filled with tools and tutorials so that pretty much anyone that can follow simple instructions can pull it off? That's why I'm so worried about it, you need not be a genius to do it.
Just google something like "how to hack wifi sslstrip" or such and you will find how to do it.

VDZ wrote:This is only (partially) true the very first time you access the site

Yeah but that just marginally reduces the risk, you cannot say that Russian roulette is a safe activity because "it's only so small a risk" to have a bullet in the chamber.
And if you get users used to clicking "Yes, I trust this certificate" they will just click that again when it pops up etc. People switch devices and browsers, clear their cache so they would have to press this trust button quite often.
You should not assume that users are rational or have sizeable knowledge about technology. You must design things so that your average user won't fuck up too much. If no one ever made mistakes, we would not need many of the things that we have, but not all people are nerds that know about those things.

jeremywsmith wrote:getting a proper SSL certificate for your website which handles credit cards and user data is pretty ridiculous

Payments are done via other providers, BUT, if there is a MITM attack, the attacker can put his own payment links to his own sketchy credit card logging sites, so I think that even if payments are technically handled off site, the site still takes great risks as people trust the domain which can contain links to payment sites which the users of course also thus trust.

jeremywsmith wrote:Just get a proper certificate. It takes some maintenance, but security seems expensive until you get compromised or your users get compromised.

The question has not been about the monetary or time cost for a long time, but principles and opinions about how certificates should work. Resistance to yielding to the system.

MagicManICT wrote:For those that are worried about whether the cert here is issued by a CA or self-signed, let me give you an exercise. Go out and read all the fine print on that certificate and figure out how hard they are to get. Literally anyone can get a certificate now, even if they've previously had certificates revoked for online chicanery. The CA system has killed itself, and I'll trust my own research for small websites over whatever bullshit these free certs claim to represent.

But the point of a certificate is not that the owner would be "trustworthy" in general, but that the owner of the certificate also owns the site that it has been given out for, and that they still do quite well.
The general advice to check that the URL is correct and that there is a green lock is pretty good for the general public and simple enough for most people to follow.

MagicManICT wrote:HTTPS Everywhere installed and activated by default

If you still think that it can magically turn HTTP sites into HTTPS you are wrong, it just rewrites the URL to HTTPS, so the original server must of course still support HTTPS.

MagicManICT wrote:Let's not forget the JavaScript contained on this website, too, if we're worried about data security. That's something Google-themed browsers don't warn you about, yet is more dangerous than self-signed certificates.

I would say that the forum software used is pretty safe as it's so old and (was) popular, most critical flaws have probably already been found!
People on this thread are worried about username+password leaking and also a malicious user setting his own payment links so that the money/cc info gets stolen.
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland
