
Warning about site

Posted: Thu Mar 28, 2019 8:45 pm
by David Pateman
Getting a warning about this site. Something about clock mismatch or an expired site certificate.

Re: Warning about site

Posted: Thu Mar 28, 2019 9:59 pm
by James Davies
Yeah, SSL certificate expired yesterday.

Re: Warning about site

Posted: Thu Mar 28, 2019 10:49 pm
by David Pateman
Oh, not good at all. Hope it is fixed ASAP.

Re: Warning about site

Posted: Tue Apr 02, 2019 1:20 pm
by Greg Bryan
I'm not sure what the SSL Certificate is or does, but I don't believe it is affecting the site functionality - I don't remember seeing a notice or warning ...

Re: Warning about site

Posted: Tue Apr 16, 2019 10:21 am
by Justin Cordesman
Greg Bryan wrote:
Tue Apr 02, 2019 1:20 pm
I'm not sure what the SSL Certificate is or does, but I don't believe it is affecting the site functionality - I don't remember seeing a notice or warning ...
If I'd seen this post before I'd have replied here with my suggestion for using Cloudflare. Right now if you log into the site your username and password are sent in the clear, considerably increasing the risk that someone can intercept user credentials. If you are reusing a username or password here from other sites that are more sensitive, such as for banking, this puts those credentials at risk. Fixing TLS here should be a priority for the admin to protect users given the large number of users who are maybe not so computer savvy and reuse passwords across multiple sites.

Re: Warning about site

Posted: Wed Apr 17, 2019 12:58 pm
by Greg Bryan
Webmaster replied that site certificate was renewed within 24 hours of expiration.
This site is as secure as most any other website ...

Re: Warning about site

Posted: Wed Apr 17, 2019 1:23 pm
by Justin Cordesman
No, it is not. If you visit www.porsche356registry.org then you are presented with a valid certificate, and if you click the little lock icon that indicates an encrypted connection in let's say Chrome or Safari, you can see details of that certificate. But if you click the forum link from the main page, or visit forum.porsche356registry.org directly, you make an unencrypted connection. In Safari or Chrome this is very obviously indicated by it saying "not secure" in the URL field at the top of the browser window. If you attempt to force loading it encrypted, the server does not respond. So the server is misconfigured and/or there is no valid certificate for the forum.porsche356registry.org FQDN so TLS connections were disabled on purpose to avoid throwing certificate warning messages at users at the cost of security.

If you click the login button while on the forum, the username and password fields appear and clicking submit certainly appears to submit that information in the clear, i.e. not encrypted. If you attempt to do this in Chrome you will see that the grey "not secure" text in the URL bar turns red when you start to fill in username and password to warn you that you are about to submit information unencrypted. Even if you are already logged in after visiting the main page, it seems highly probable if not absolutely certain that the authentication token is being passed back and forth in the clear to validate that the user is logged in.

So bare minimum, the forum.porsche356registry.org FQDN needs a valid certificate, and the server needs to be configured correctly to present it. It would still be a very good idea to migrate DNS to Cloudflare's free service tier with flexible TLS enabled since it would help mitigate issues like this in the future and considerably improve page load times as well as security.

Re: Warning about site

Posted: Wed Apr 17, 2019 1:42 pm
by Greg Bryan
Justin - you obviously know much more about this subject than me - I have made the webmaster aware of this thread.

Re: Warning about site

Posted: Wed Apr 17, 2019 7:48 pm
by Curt Dansby
From our web guy:
porsche356registry.org does not send usernames or passwords over https. forum.porsche356registry.org takes login information from porsche356registry.org, which is secured. The https certificate was renewed within 24 hours.

C

Re: Warning about site

Posted: Thu Apr 18, 2019 3:28 pm
by Justin Cordesman
Mixing secure and insecure elements on the same page is just not good practice. I can't say I really have the time to determine definitively whether the code for the page handles this appropriately or not but at a cursory glance it looks like there are sign in fields that are loaded with http referrers at the same time as the banner containing it is loaded via https. What is more important here is that this is a 5-10 minute problem to properly mitigate, and at a marginal cost of zero dollars. Create a Cloudflare account, add a website, choose the free tier of service, migrate DNS from your current registrar or hosting to Cloudflare which requires two copy and paste actions. Ensure that the www and forum subdomain traffic is set to be cached by Cloudflare. Once that is done, click the crypto tab, under the very first section labeled SSL, change the dropdown to "flexible". Yea verily, traffic is encrypted everywhere except between Cloudflare and the registry, and the registry's page load times drop considerably thanks to caching in Cloudflare's CDN. If you wanted to do it actually right, you'd also get a cert for the forum FQDN so that everything is encrypted end to end.
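The two things Justin describes, a login form on an http page (his April 17 post) and elements loaded over http inside an https page (the banner he mentions above), can both be checked mechanically from the page markup. The following is an added example, not code from the thread or from the registry's site: it resolves every form's submit target against the page URL and flags any form containing a password field whose target is not https, and on an https page it flags http-sourced elements, separating active kinds (scripts, frames, stylesheets, which current browsers block) from passive ones (images, which load with a warning). The page URLs and HTML are constructed for illustration and do not reflect the real forum or main-site markup.

```python
"""Spot login forms that post over http, and http elements on an https page.

Added example using only the Python standard library. The URLs and HTML below
are constructed for illustration; they are not the registry's real pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose http:// source on an https page is mixed content. Active kinds
# run or style the page and are blocked outright by current browsers; passive
# kinds (media) are loaded with a warning in the address bar.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []
        self._form_action = None
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True
        elif tag in ACTIVE or tag in PASSIVE:
            src = a.get(ACTIVE.get(tag) or PASSIVE[tag])
            if src and self.page_scheme == "https":
                if urlsplit(urljoin(self.page_url, src)).scheme == "http":
                    kind = "mixed-active" if tag in ACTIVE else "mixed-passive"
                    self.findings.append((kind, tag, src))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            # What matters is the scheme of the submit target, not of the page.
            if self._form_has_password and urlsplit(self._form_action).scheme != "https":
                self.findings.append(("password-over-http", "form", self._form_action))
            self._form_action = None


def scan(page_url, html):
    """Return a list of (kind, tag, url) findings for one page."""
    scanner = _Scanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed pages (hypothetical markup), not the real forum or main site.
FORUM_PAGE = """<html><body>
<form action="login" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Login">
</form></body></html>"""

# Same forum page, but the form posts to the https main site: no finding.
FORUM_PAGE_HTTPS_ACTION = FORUM_PAGE.replace(
    'action="login"', 'action="https://www.porsche356registry.org/login"')

MAIN_PAGE = """<html><head>
<script src="http://forum.porsche356registry.org/banner.js"></script>
</head><body>
<img src="http://forum.porsche356registry.org/logo.png">
<form action="/login" method="post"><input type="password" name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in (("http://forum.porsche356registry.org/", FORUM_PAGE),
                      ("http://forum.porsche356registry.org/", FORUM_PAGE_HTTPS_ACTION),
                      ("https://www.porsche356registry.org/", MAIN_PAGE)):
        print(url, scan(url, html))
```

Run against a saved copy of each page; a form on an http page that posts to an https URL is not flagged, which is exactly the distinction the thread turns on, while http-sourced scripts in an https page are flagged even though the page itself shows a lock.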

Re: Warning about site

Posted: Thu Apr 18, 2019 3:46 pm
by Martin Benade
Service good enough to handle the whole site can be had free? Not that I understood the problem.

Re: Warning about site

Posted: Fri Apr 19, 2019 10:36 am
by Curt Dansby
Hi Justin
Our web guy says there are other issues with cloudflare and it is not the proper way to secure the site.
This is what he says:
At no point are any usernames or passwords sent over http. The system is currently set up this way:
Authentication is handled through www.porsche356registry.org, the main site. Once a user is signed in, they have a login cookie created on their machine.
When a user navigates to forum.porsche356registry.org the forum checks to see if the user is signed into the forum. If the user is not signed in to the forum but is signed into the site, the forum makes a user login status request to the main site using the user's cookie as authentication, whose value is encrypted. The main site returns user info that logs the user into the forum. If the user is not signed into the forum or the main site, the user is redirected to the main site to log in.

At no time does a user attempt to directly log into the forum via any login form. The only login accessible on the main site is secured under SSL.

C
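Whether the login cookie described above ever travels in the clear is decided not by where the login form lives but by the cookie's attributes. A cookie scoped to .porsche356registry.org is attached by the browser to every request for forum.porsche356registry.org, including plain http ones, unless it carries the Secure attribute; that its value is encrypted does not help, since the whole value is the bearer token. The following is an added example, not the registry's code, that uses Python's standard-library cookie jar (which applies the same domain and Secure rules a browser does) to show which cookies a browser would send to the forum over http and over https. The cookie names and attributes are assumptions for illustration; the thread does not show the site's real Set-Cookie headers.

```python
"""Which login cookies would a browser send to the forum over plain http?

Added example using only the Python standard library. The cookie names and
attributes below are assumptions; the thread does not show the real headers.
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

MAIN_LOGIN = "https://www.porsche356registry.org/login"
FORUM_HTTP = "http://forum.porsche356registry.org/"
FORUM_HTTPS = "https://forum.porsche356registry.org/"


class _FakeResponse:
    """Just enough of a urllib response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def jar_after_login(set_cookie_headers):
    """Simulate the main site's https login response setting cookies."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(MAIN_LOGIN))
    return jar


def cookie_names_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    return [] if not header else [p.split("=", 1)[0] for p in header.split("; ")]


def leaks_over_plain_http(set_cookie_headers):
    """Cookie names that reach the forum over http, i.e. readable on the wire."""
    return cookie_names_sent_to(jar_after_login(set_cookie_headers), FORUM_HTTP)


# Constructed headers (hypothetical). HttpOnly keeps page scripts away from
# the value but says nothing about the transport; only Secure restricts that.
WEAK = ["session=abc123; Domain=.porsche356registry.org; Path=/; HttpOnly"]
HARDENED = ["session=abc123; Domain=.porsche356registry.org; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        jar = jar_after_login(headers)
        print(label, "-> http forum:", cookie_names_sent_to(jar, FORUM_HTTP),
              "| https forum:", cookie_names_sent_to(jar, FORUM_HTTPS))
```

With the weak header the session cookie is sent to the http forum on every page view, regardless of where the user typed the password; with Secure set it is only sent over https, which also means the forum host needs a working certificate before the hardened cookie can be used there at all.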