General fluff => Announcements => Topic started by: IsmAvatar on May 03, 2013, 05:26:28 PM

Title: https (Browser security)
Post by: IsmAvatar on May 03, 2013, 05:26:28 PM
Basically, the announcement is that I've renewed our self-signed certificate and enabled SSL on this site, meaning that you can now use https for security while browsing and logging into the enigma website, forums, etc.

However, that's hardly in English, so I'm going to dumb it down into something you guys can actually understand and read, and in the process I'm going to show my ignorance of the technologies and probably explain something slightly incorrectly. Feel free to correct me, but I think I will get the gist of it, so...

HTTP is a great way to send and receive plain text, and maybe even some binary data like images and files. But it's not exactly secure. If you log in over HTTP, the following happens:
You generate some packets with your username and password, and send them in the general direction of the server. This information is pretty much plain text. Along the route, it will go through your network, to your router. Then, your router sends it off to your ISP, and it bounces around the internet before it gets to the server ISP, the server's router, and then the server. At any point along that line, a number of computers can easily "sniff" those packets and see what's in them. Anybody on your network can (connected to your router). Your router can, but they're never set up to, because it's useless information for them to keep storing packets. Your ISP can. After that, it bounces around the internet, where not many people really care about it. Then it gets to our server's ISP, router, and server, where nobody's going to sniff it because we pay good money for that server, so it's going to be secure.

There is encryption, and there's a fairly standard way of doing that, and that's called HTTPS, courtesy of SSL. When you use https, your packets are encrypted at your computer. People can still sniff it, but they can't see what's inside. Eventually it gets to the server, and the server knows how to decrypt the packet because it more or less told your computer how to encrypt it (also, the server sends you back encrypted data, which only you can decrypt, so that's nice. Makes loading a page use a tiny bit more cpu, but hey, encryption ftw).
This is done through the magic of certificates and signing and keys and other stuff I won't bore you with. But the certificate is important to explain because it is "self signed". When the server is telling you how to encrypt it, you want to make sure you have the right server, and that our server isn't just someone pretending to be our server.

We provide a certificate, and your browser needs to trust it, because nobody else can provide our exact certificate, but they can provide their own certificate and pretend like it's ours. To prevent this from happening, we can ask some other company to sign our certificate - preferably a company that is known to do good signing. Your browser has a list of a bunch of well-known ones already written in. Which means that if our certificate is signed by a company that your browser knows, it will automatically trust our certificate - there's virtually no chance that you're being phished.

However, we haven't asked some other company to sign our certificate (yet), because it costs money, and some of them (like digicert, probably the best-known one) cost hundreds of dollars. We're not paying that. So we've self-signed our certificate until we can find a cheap signer (we're looking into it and we'll make a decision very soon).

So, if you want to use our website/forums securely, you need to navigate your browser to https://enigma-dev.org at which point your browser should hopefully yell at you and say "This certificate is self-signed! Are you sure you trust this website?!" and you need to decide if you trust it's us, or if you think it's a phisher. Since we just set this up, it's unlikely that anybody phished it that quickly, so I'd say it's fairly safe to trust it. In Firefox, this is done by "I understand the risks - Add an exception".

The alternative is to continue sending your password to the server as plaintext. If someone's going to phish, it'll be even easier to steal your password that way, rather than all the hassle of setting up a certificate and stuff like that. So frankly, there's no reason not to trust our certificate - even if it is phishing, because what's the difference?

At any rate, NOTE, if we get our certificate signed by someone else, we'll probably need to replace our certificate. Your browser will automatically recognize that one, so you won't need to take any steps, but the old certificate won't be valid. So you could just wait until then, rather than taking the extra steps to trust our self-signed (possibly temporary) certificate - and we'd understand. It's your choice. Our self-signed certificate is provided for those who want that extra layer of security, especially in their own network (even in the meantime).

I've mainly done this for myself, since I'm on a network with a bunch of people who are network programmers and use packet sniffers on a daily basis.

Anyways, there you go. Now you can use our website through https.
Please make sure you see the Lock icon next to the URL (in Firefox at least. Or whatever it is on other browsers) before submitting your password.
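
The trust decision the post describes (a known signer in the browser's list vs. a self-signed certificate that needs a manual exception) can be reproduced with the openssl CLI. This is an added example, not code from the forum or the ENIGMA site: the "Example Test CA" stands in for a browser-trusted signer, and all keys and certificates are generated on the fly in a temp directory.

```shell
#!/bin/sh
# Added example: why a CA-signed cert is trusted automatically but a
# self-signed one only after you add it to the trust store yourself.
set -e
WORK=$(mktemp -d)

# 1. A self-signed server certificate, like the one the site currently uses.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/self.key" \
  -out "$WORK/self.crt" -days 30 -subj "/CN=enigma-dev.org" 2>/dev/null

# 2. A constructed CA, standing in for one of the signers the browser ships.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -days 30 -subj "/CN=Example Test CA" 2>/dev/null

# 3. A server key and CSR for the same hostname, signed by that CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/signed.key" \
  -out "$WORK/signed.csr" -subj "/CN=enigma-dev.org" 2>/dev/null
openssl x509 -req -in "$WORK/signed.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signed.crt" \
  -days 30 2>/dev/null

# verify_against_store CERT CAFILE -> "trusted" if CERT chains to a cert in
# CAFILE (what a browser does with its built-in signer list), else "untrusted".
verify_against_store() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Self-signed cert against the CA store: the browser's "not trusted" warning.
verify_against_store "$WORK/self.crt" "$WORK/ca.crt"
# CA-signed cert against the same store: accepted with no prompt.
verify_against_store "$WORK/signed.crt" "$WORK/ca.crt"
# Self-signed cert after "Add an exception": the cert itself is now the anchor.
verify_against_store "$WORK/self.crt" "$WORK/self.crt"
```

The third call is what Firefox's exception does: it pins that exact certificate, so a future certificate swap (including the planned replacement by a CA-signed one) would fail this check again.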

Title: Re: https (Browser security)
Post by: Josh @ Dreamland on May 03, 2013, 05:40:53 PM
Let me clarify a few points

Thus, self-signed certificates aren't perfect, but they're still better than nothing, because now the hacker actually has to do more than monitor packets going through his server or access point. He'd have to intercept ENIGMA's certificate and replace it with his own, bogus one, and get your computer to use it instead of the real one. So, by all means, use https for logging in. Just do so with awareness of why Firefox is bitching that the connection is not trusted.

All of this, of course, raises profound questions as to why the fuck we don't just distribute a public key to everyone, have them sign their password with it, then just decrypt the bitch before hashing it. If there is a good answer to that question, then by God, I don't know it.
Title: Re: https (Browser security)
Post by: Sabriath on May 06, 2013, 01:49:29 AM
All of this, of course, raises profound questions as to why the fuck we don't just distribute a public key to everyone, have them sign their password with it, then just decrypt the bitch before hashing it. If there is a good answer to that question, then by God, I don't know it.

The MITM (man in the middle) scenario allows for the password to be hacked upon creation.

Although most of what has been said is somewhat accurate, the reason why a 3rd party signature is better than self-signing is to cause less chance of MITM.  Think of a RAID setup for your hdd...say you had 3 drives striped with no parity (no security), and one of those drive fails, you just lost all of your data.  However, if you parity a drive, and a drive fails, it can be restored.  An MITM may occur between a client and host, but less likely between a client and 2 simultaneous hosts.

When it comes to the cloud, nothing is 100% "safe"....but if third-party signature was 99%, then self-signing would be around 70%.  Quite honestly, you don't NEED to pay some third-party site for a cert, if you have windows server, it comes with the ability to create certificates, all you have to do is host it on another IP address from the server, and have the site point to it (iirc).

Title: Re: https (Browser security)
Post by: IsmAvatar on May 06, 2013, 07:59:07 AM
However, so could a MITM. As such, browsers have a list of trusted signers, and if you're not on that list, it raises a warning anyways.
Title: Re: https (Browser security)
Post by: Josh @ Dreamland on May 08, 2013, 09:19:29 PM
I was speaking of an alternative to a self-signed SSL certificate, rather than an end-all, fix-all policy. I'm looking for cheap alternatives that won't make Firefox bitch.