Warning about site

David Pateman
356 Fan
Posts: 122
Joined: Sun Mar 13, 2016 9:36 pm
Location: Canada

Warning about site

#1 Post by David Pateman » Thu Mar 28, 2019 8:45 pm

Getting a warning about this site. Something about clock mismatch or an expired site certificate.
Contact for Kardex

James Davies
356Talk Moderator
Posts: 2213
Joined: Thu Aug 15, 2013 9:15 am
Location: Baltimore, MD

Re: Warning about site

#2 Post by James Davies » Thu Mar 28, 2019 9:59 pm

Yeah, SSL certificate expired yesterday.

David Pateman
356 Fan
Posts: 122
Joined: Sun Mar 13, 2016 9:36 pm
Location: Canada

Re: Warning about site

#3 Post by David Pateman » Thu Mar 28, 2019 10:49 pm

Oh, not good at all. Hope it is fixed ASAP.
Contact for Kardex

Greg Bryan
356Talk Moderator
Posts: 2280
Joined: Sat Oct 04, 2008 1:05 pm
Tag: Be Nice!
Location: San Pedro, CA 90732

Re: Warning about site

#4 Post by Greg Bryan » Tue Apr 02, 2019 1:20 pm

I'm not sure what the SSL Certificate is or does, but I don't believe it is affecting the site functionality - I don't remember seeing a notice or warning ...
Greg Bryan
356Talk Moderator

Justin Cordesman
356 Fan
Posts: 18
Joined: Sun Jul 27, 2014 8:51 pm

Re: Warning about site

#5 Post by Justin Cordesman » Tue Apr 16, 2019 10:21 am

Greg Bryan wrote on Tue Apr 02, 2019 1:20 pm:
I'm not sure what the SSL Certificate is or does, but I don't believe it is affecting the site functionality - I don't remember seeing a notice or warning ...
If I'd seen this post before I'd have replied here with my suggestion for using Cloudflare. Right now if you log into the site your username and password are sent in the clear, considerably increasing the risk that someone can intercept user credentials. If you are reusing a username or password here from other sites that are more sensitive, such as for banking, this puts those credentials at risk. Fixing TLS here should be a priority for the admin to protect users given the large number of users who are maybe not so computer savvy and reuse passwords across multiple sites.

Greg Bryan
356Talk Moderator
Posts: 2280
Joined: Sat Oct 04, 2008 1:05 pm
Tag: Be Nice!
Location: San Pedro, CA 90732

Re: Warning about site

#6 Post by Greg Bryan » Wed Apr 17, 2019 12:58 pm

Webmaster replied that site certificate was renewed within 24 hours of expiration.
This site is as secure as most any other website ….
Greg Bryan
356Talk Moderator

Justin Cordesman
356 Fan
Posts: 18
Joined: Sun Jul 27, 2014 8:51 pm

Re: Warning about site

#7 Post by Justin Cordesman » Wed Apr 17, 2019 1:23 pm

No, it is not. If you visit www.porsche356registry.org then you are presented with a valid certificate, and if you click the little lock icon that indicates an encrypted connection in let's say Chrome or Safari, you can see details of that certificate. But if you click the forum link from the main page, or visit forum.porsche356registry.org directly, you make an unencrypted connection. In Safari or Chrome this is very obviously indicated by it saying "not secure" in the URL field at the top of the browser window. If you attempt to force loading it encrypted, the server does not respond. So the server is misconfigured and/or there is no valid certificate for the forum.porsche356registry.org FQDN so TLS connections were disabled on purpose to avoid throwing certificate warning messages at users at the cost of security.

If you click the login button while on the forum, the username and password fields appear and clicking submit certainly appears to submit that information in the clear, i.e. not encrypted. If you attempt to do this in Chrome you will see that the grey "not secure" text in the URL bar turns red when you start to fill in username and password to warn you that you are about to submit information unencrypted. Even if you are already logged in after visiting the main page, it seems highly probable if not absolutely certain that the authentication token is being passed back and forth in the clear to validate that the user is logged in.

So bare minimum, the forum.porsche356registry.org FQDN needs a valid certificate, and the server needs to be configured correctly to present it. It would still be a very good idea to migrate DNS to Cloudflare's free service tier with flexible TLS enabled since it would help mitigate issues like this in the future and considerably improve page load times as well as security.
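The checks described in this post (does the forum host answer on 443 at all, is the certificate it presents expired or not yet valid, and does it actually cover the forum FQDN) can be scripted. The block below is an added example, not code from this thread or from the Registry's site. `probe_https` needs network access; `classify_cert` and `cert_covers_hostname` work on a certificate dict of the shape `ssl.SSLSocket.getpeercert()` returns, and `SAMPLE_CERT` is a constructed certificate for the www host whose validity dates are invented to match the thread's timeline (the hostnames are the ones named in the thread).

```python
"""Probe an HTTPS endpoint and classify the certificate it presents.
Added example; SAMPLE_CERT and its dates are constructed."""
import socket
import ssl


def cert_covers_hostname(cert, hostname):
    """True if `hostname` matches a DNS entry in the cert's subjectAltName.
    Exact match, or a single-label wildcard (*.example.org matches
    forum.example.org but not example.org or a.b.example.org)."""
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == hostname:
            return True
        if value.startswith("*.") and hostname.count(".") == value.count("."):
            if hostname.split(".", 1)[1] == value[2:]:
                return True
    return False


def when(text):
    """Parse 'Mar 28 20:45:00 2019 GMT' (the getpeercert() date format)
    into POSIX seconds so checks are reproducible without a live clock."""
    return ssl.cert_time_to_seconds(text)


def classify_cert(cert, hostname, now):
    """Return 'not_yet_valid', 'expired', 'wrong_host' or 'ok'.

    A client clock that is far off produces 'not_yet_valid' or 'expired'
    for a perfectly good certificate, which is why browsers word the
    warning as "clock mismatch or expired certificate"."""
    if now < when(cert["notBefore"]):
        return "not_yet_valid"
    if now > when(cert["notAfter"]):
        return "expired"
    if not cert_covers_hostname(cert, hostname):
        return "wrong_host"
    return "ok"


def probe_https(hostname, port=443, timeout=5.0):
    """Attempt a verified TLS handshake and report the outcome.
    Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "protocol": tls.version(),
                        "expires": cert["notAfter"]}
    except ssl.SSLCertVerificationError as e:
        # Expired, wrong name or untrusted issuer: the browser-warning case.
        return {"status": "cert_error", "detail": e.verify_message}
    except ssl.SSLError as e:
        return {"status": "tls_error", "detail": str(e)}
    except OSError as e:
        # Nothing answering on the port: the "server does not respond" case.
        return {"status": "no_https", "detail": str(e)}


# Constructed certificate for the main site: covers www and the bare
# domain only, and is valid for a year ending the day before the thread
# started. Not the Registry's real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.porsche356registry.org"),),),
    "subjectAltName": (("DNS", "www.porsche356registry.org"),
                       ("DNS", "porsche356registry.org")),
    "notBefore": "Mar 27 00:00:00 2018 GMT",
    "notAfter": "Mar 27 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    for host in ("www.porsche356registry.org", "forum.porsche356registry.org"):
        print(host, classify_cert(SAMPLE_CERT, host, when("Mar 28 20:45:00 2019 GMT")))
```

Run against a live host, `probe_https` separates the three failure modes the thread conflates: a certificate problem on the www host (warning in the browser), a handshake failure, and no listener at all on the forum host (the "server does not respond" case).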

Greg Bryan
356Talk Moderator
Posts: 2280
Joined: Sat Oct 04, 2008 1:05 pm
Tag: Be Nice!
Location: San Pedro, CA 90732

Re: Warning about site

#8 Post by Greg Bryan » Wed Apr 17, 2019 1:42 pm

Justin - you obviously know much more about this subject than me - I have made the webmaster aware of this thread.
Greg Bryan
356Talk Moderator

Curt Dansby
Registry Pres
Posts: 391
Joined: Fri Mar 14, 2008 9:50 am
Location: Charlotte, NC

Re: Warning about site

#9 Post by Curt Dansby » Wed Apr 17, 2019 7:48 pm

From our web guy:
porsche356registry.org does not send usernames or passwords over https. forum.porsche356registry.org takes login information from porsche356registry.org, which is secured. The https certificate was renewed within 24 hours.

C

Justin Cordesman
356 Fan
Posts: 18
Joined: Sun Jul 27, 2014 8:51 pm

Re: Warning about site

#10 Post by Justin Cordesman » Thu Apr 18, 2019 3:28 pm

Mixing secure and insecure elements on the same page is just not good practice. I can't say I really have the time to determine definitively whether the code for the page handles this appropriately or not but at a cursory glance it looks like there are sign in fields that are loaded with http referrers at the same time as the banner containing it is loaded via https. What is more important here is that this is a 5-10 minute problem to properly mitigate, and at a marginal cost of zero dollars. Create a Cloudflare account, add a website, choose the free tier of service, migrate DNS from your current registrar or hosting to Cloudflare which requires two copy and paste actions. Ensure that the www and forum subdomain traffic is set to be cached by Cloudflare. Once that is done, click the crypto tab, under the very first section labeled SSL, change the dropdown to "flexible". Yea verily, traffic is encrypted everywhere except between Cloudflare and the registry, and the registry's page load times drop considerably thanks to caching in Cloudflare's CDN. If you wanted to do it actually right, you'd also get a cert for the forum FQDN so that everything is encrypted end to end.

Martin Benade
356 Fan
Posts: 3755
Joined: Wed Nov 23, 2011 10:52 am
Location: Cleveland, Ohio

Re: Warning about site

#11 Post by Martin Benade » Thu Apr 18, 2019 3:46 pm

Service good enough to handle the whole site can be had free? Not that I understood the problem.

Curt Dansby
Registry Pres
Posts: 391
Joined: Fri Mar 14, 2008 9:50 am
Location: Charlotte, NC

Re: Warning about site

#12 Post by Curt Dansby » Fri Apr 19, 2019 10:36 am

Hi Justin
Our web guy says there are other issues with Cloudflare and it is not the proper way to secure the site.
This is what he says:
At no point are any usernames or passwords sent over http. The system is currently set up this way:
Authentication is handled through www.porsche356registry.org, the main site. Once a user is signed in, they have a login cookie created on their machine.
When a user navigates to forum.porsche356registry.org the forum checks to see if the user is signed into the forum. If the user is not signed in to the forum but is signed into the site, the forum makes a user login status request to the main site using the user's cookie, whose value is encrypted, as authentication. The main site then returns user info that logs the user into the forum. If the user is not signed into the forum or the main site, the user is redirected to the main site to log in.

At no time does a user attempt to directly log into the forum via any login form. The only login accessible on the main site is secured under SSL.

C
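The handoff described in the post above depends on one cookie that the main site sets over HTTPS and the forum receives. What a browser does with such a cookie is governed by its attributes, and that can be reproduced offline with Python's `http.cookiejar`, which implements browser-style cookie rules. The block below is an added example, not the Registry's code: the hostnames are the ones named in the thread, the cookie name and token value are constructed, and no network connection is made (a minimal stand-in object supplies the `Set-Cookie` header).

```python
"""Show whether a login cookie set by the HTTPS main site is attached to
a request for the plain-HTTP forum. Added example; cookie name and
value are constructed."""
import email.message
import http.cookiejar
import urllib.request


class _HeadersOnly:
    """Stand-in for an HTTP response: CookieJar.extract_cookies() only
    needs .info() to return an object with get_all(), so no socket is
    opened."""

    def __init__(self, set_cookie):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def cookie_sent_to(set_cookie, set_from_url, request_url):
    """Simulate `set_cookie` arriving in a response to `set_from_url`,
    then return the Cookie header a browser-style jar would attach to a
    later request for `request_url`, or None if it withholds the cookie."""
    jar = http.cookiejar.CookieJar()          # DefaultCookiePolicy
    login = urllib.request.Request(set_from_url)
    jar.extract_cookies(_HeadersOnly(set_cookie), login)
    follow = urllib.request.Request(request_url)
    jar.add_cookie_header(follow)
    return follow.get_header("Cookie")


MAIN_LOGIN = "https://www.porsche356registry.org/login"
FORUM_HTTP = "http://forum.porsche356registry.org/index.php"
FORUM_HTTPS = "https://forum.porsche356registry.org/index.php"

# Cookie shaped like the one described in the thread: scoped to the parent
# domain so the forum subdomain can read it. Token value is made up.
SHARED = "login=opaque-token-value; Domain=.porsche356registry.org; Path=/; HttpOnly"
# The same cookie with the Secure attribute a session cookie should carry.
SHARED_SECURE = SHARED + "; Secure"

if __name__ == "__main__":
    print("no Secure flag, forum over http :", cookie_sent_to(SHARED, MAIN_LOGIN, FORUM_HTTP))
    print("Secure flag,    forum over http :", cookie_sent_to(SHARED_SECURE, MAIN_LOGIN, FORUM_HTTP))
    print("Secure flag,    forum over https:", cookie_sent_to(SHARED_SECURE, MAIN_LOGIN, FORUM_HTTPS))
```

The three cases show the constraint a defender cares about: for the forum on plain HTTP to receive the cookie at all, the cookie cannot carry `Secure`, so its value (whatever encryption was applied to it server-side) travels in cleartext on every forum request; only when the forum itself is served over HTTPS can the cookie be both delivered and marked `Secure`.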

Justin Cordesman
356 Fan
Posts: 18
Joined: Sun Jul 27, 2014 8:51 pm

Re: Warning about site

#13 Post by Justin Cordesman » Mon Jun 03, 2019 7:43 am

I see that Cloudflare is now in use but you need to make a configuration change on the Cloudflare side to fix the broken code on the Registry. The Registry pages are insecure in part because the forum has a mix of HTTPS and HTTP references. The correct way to fix this is to correct all the HTTP references in the forum's code, but you can use Cloudflare to sort of magically fix this coding error. You can verify this problem exists yourself by searching through the code for the page yourself, or you can see that there are warnings for it in Chrome/Firefox/Safari, and if you try to have the Qualys SSL Labs checker tool look at forum.porsche356registry.org you'll see that it completely fails because it cannot negotiate even an SSL session, much less TLS. www.356registry.com passes because it has a valid properly installed certificate. To band-aid this while taking the time to find all the hard coded HTTP references for a code fix, your admin can go into the "Crypto" settings on Cloudflare and throw the "Always use HTTPS" and "Automatic HTTPS Rewrites" switches to ON. This will automagically rewrite the unencrypted references to be encrypted.
[Attachment: Screen Shot 2019-06-03 at 07.32.51.png]
[Attachment: Screen Shot 2019-06-03 at 07.28.38.png]
While on the Crypto settings page, you also want to make sure the following settings are enabled:

This setting will help prevent a visiting user's session from being downgraded to weaker encryption by a malicious actor.
[Attachment: Screen Shot 2019-06-03 at 07.34.18.png]
This setting will enable the latest TLS standard even if the Registry's server doesn't support it directly:
[Attachment: Screen Shot 2019-06-03 at 07.35.28.png]
And then you have a couple of choices. You can either install a separate certificate for forum.356registry.org, or you can get an origin certificate for free from Cloudflare, configure it on the server and then set the server's firewall to only allow connections from Cloudflare IPs instead of the whole internet. Either approach will complete the encryption pipeline from user to server.
[Attachment: Screen Shot 2019-06-03 at 07.41.55.png]
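"Searching through the code for the page" for hard-coded HTTP references, and the "Automatic HTTPS Rewrites" band-aid, can both be shown in a few dozen lines. The block below is an added example, not code from this thread, from phpBB or from Cloudflare: it parses a page's HTML, lists every sub-resource that would be fetched over plain HTTP when the page itself is HTTPS (mixed content), labels each as active (script, stylesheet, frame, form target) or passive (image, media), and then applies the same kind of `http://` to `https://` rewrite a CDN performs. The page URL and the HTML in `SAMPLE_HTML` are constructed on example.org hosts; the mix of a relative stylesheet, an HTTPS-hosted script, an HTTP script, an HTTP image and an HTTP login form mirrors the symptoms described in this post and in post #15 below.

```python
"""Find mixed-content references in a page and rewrite them to HTTPS.
Added example; SAMPLE_PAGE_URL and SAMPLE_HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a sub-resource, and how browsers treat
# a plain-HTTP fetch of that kind when the page is HTTPS:
#   active  - can execute or inject content; modern browsers block it
#   passive - shown with a warning; can be tampered with but not executed
URL_ATTRS = {
    ("script", "src"): "active",
    ("link", "href"): "active",      # stylesheets only, filtered below
    ("iframe", "src"): "active",
    ("form", "action"): "active",    # credentials would be posted in the clear
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (tag, attr, resolved_url, severity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> is active content; skip icons etc.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for (t, attr), severity in URL_ATTRS.items():
            if t != tag or not attrs.get(attr):
                continue
            # Relative URLs inherit the page's scheme, so on an HTTPS page
            # only absolute http:// references resolve to plain HTTP.
            resolved = urljoin(self.page_url, attrs[attr])
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, attr, resolved, severity))


def scan_mixed_content(html, page_url):
    """Return [(tag, attr, url, severity)] for every plain-HTTP
    sub-resource a browser would fetch when rendering `html` at `page_url`."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_to_https(html, page_url):
    """Rewrite each flagged absolute http:// reference to https://.

    This is what a CDN's automatic rewrite does in transit. It only helps
    when the target host actually answers on 443 with a valid certificate,
    which is why the origin still has to be fixed."""
    fixed = html
    for _, _, url, _ in scan_mixed_content(html, page_url):
        fixed = fixed.replace(url, "https://" + url[len("http://"):])
    return fixed


SAMPLE_PAGE_URL = "https://forum.example.org/index.php"   # constructed
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/styles/prosilver.css">
<link rel="icon" href="http://forum.example.org/favicon.ico">
<script src="https://cdn.example.net/lib/1.0/lib.js"></script>
<script src="http://forum.example.org/assets/javascript/core.js"></script>
</head><body>
<img src="http://www.example.org/images/banner.png" alt="banner">
<img src="./images/logo.png" alt="logo">
<form method="post" action="http://forum.example.org/ucp.php?mode=login">
  <input type="text" name="username"><input type="password" name="password">
</form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in scan_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{severity:7} <{tag} {attr}> {url}")
```

Running it on the constructed page reports the HTTP script and the HTTP login form as active mixed content and the banner image as passive; the relative stylesheet and logo, and the HTTPS-hosted script, are not flagged, and the favicon is skipped because a non-stylesheet `<link>` does not inject content. After `rewrite_to_https` the scan comes back empty, which is exactly the masking effect the post warns about: the page looks clean while the origin is unchanged.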

Curt Dansby
Registry Pres
Posts: 391
Joined: Fri Mar 14, 2008 9:50 am
Location: Charlotte, NC

Re: Warning about site

#14 Post by Curt Dansby » Fri Jun 07, 2019 2:53 pm

Justin

I do not know why you are saying Cloudflare is in use. Our IT guy says it is not and I have given his reasons for not utilizing it.

Curt

Justin Cordesman
356 Fan
Posts: 18
Joined: Sun Jul 27, 2014 8:51 pm

Re: Warning about site

#15 Post by Justin Cordesman » Fri Jun 07, 2019 5:41 pm

Because the page is loading a JavaScript resource via Cloudflare, which is obvious if you visit forum.porsche356registry.org, view source, and search for "Cloudflare". You'll see that the page loads a JavaScript element via an HTTPS Cloudflare link. After that almost everything on the page is loaded via relative HTTP links (i.e. unencrypted) except for the brown banner at the top. I assumed from seeing that Cloudflare link in the page source that these were indications that you'd started fixing the page. Since you say you haven't, then this is an indication that there has been no review of site security at all and no one has read the code. Either your admin remains blissfully unaware of the fact that forum.porsche356registry.org does not properly support HTTPS, or is fully aware of the ridiculous hack that is loading an encrypted login page for the registry from the unencrypted forum page and then passing an auth token back and doesn't want to admit to it. Since forum.porsche356registry.org does not support HTTPS connections I'd be fascinated to hear how this auth token is passed securely. Let me guess, it isn't, and instead the login process sets a cookie that the user's browser then passes to the forum unencrypted over the wire?

So, to be clear, connections to forum.porsche356registry.org are not encrypted. Auth tokens are almost certainly passed unencrypted from browser to server after login. If not, then engaging in elaborate kung fu to keep that approach secure is a recipe for security errors anyway. The site is loading code from a source that your admin is apparently not aware of. Your admin has claimed that Cloudflare has problems without identifying them or why something like 60% of the web lives behind Cloudflare's CDN without having said problems, to include other car club sites that use the same phpBB software as this forum such as thelincolnforum.net.

If you don't want to use Cloudflare for religious reasons that's fine I guess, but it would cost less than $30 of club dues to purchase a separate certificate to encrypt connections to the forum for three years and fix this insecure kludge.
