Final Fantasy Hacktics

General => Bugs and Suggestions => Topic started by: DarthFutuza on November 20, 2019, 11:47:00 pm

Title: HTTPS?
Post by: DarthFutuza on November 20, 2019, 11:47:00 pm
So the FFHacktics site certificate evidently expired back in 2017, was just curious if you guys knew about Let's Encrypt?  They'll let you get free SSL/TLS certs so you can enable https or whatever, and it's fairly easy to use (GitHub Pages uses it for example).  Seems sorta important to me since there's an actual sign-in option (on the forums for example) that isn't being encrypted, which would allow someone to steal credentials, etc. in transit.  I dunno what the setup on the forum's backend software is exactly (looks like an ancient version of SMF), but I can't imagine it would be too difficult to get https enabled on the site.

Oh geez this reads like an ad doesn't it?  Lol.  Well anyway, just wanted to throw that out there, cause like it's 2019 and https is a thing that doesn't really cost money anymore.
Title: Re: HTTPS?
Post by: Xifanie on November 21, 2019, 05:52:43 pm
We're currently on an old-ass version of Debian, too old for certbot, and well, I can't figure out how to SSL Let's Encrypt without certbot unfortunately (I tried for many hours). We're going to migrate to a new server in the next few months, likely to Ubuntu 18.04 LTS.

There is an issue with the forum; I haven't updated it because if I do, it would involve giving up all the custom layout I put in place, and by that I mean everything. So, I've been weighing my options on this one. I know it's not secure, but people bitched so much when we switched from the generic SMF layout to the FFT one I created back in the day. They said it was so ugly and yadda-yadda. So I don't know if people would love switching back to vanilla or hate it.

HTTPS is definitely coming though.

What primarily complicates things is that, to my knowledge, I'm the only 'available' trustworthy person on FFH capable of managing a server. The others simply being too busy with life otherwise, and that includes my wife. I've seen several people come up front to help with server stuff only to never see them again a few days later. I say I'm 'available', but I just started developing what seems to be a neurological degenerative disease, so, I guess we'll see how that goes.
Title: Re: HTTPS?
Post by: DarthFutuza on November 21, 2019, 07:44:28 pm
Ah, I see.  I'm sorry to hear that about the NDD, that sounds really rough to deal with.  I wonder if maybe you could help ease some of the workload off of yourself by hiring a professional to do it, members might even be willing to put together a small crowd-funding thing for such an event.  Get the site a Merry St. Ajoristmas gift or whatever you want to theme it around. 

I personally love the theme, but I'd never choose it over an insecure website.  Perhaps, if it's just a matter of adjusting css and some configuration files to fit a new forum software theme, I could help with re-implementing the hacktics theme, though I can't say I know too much about making forum themes, I've done plenty of websites before.  (I do admittedly avoid making forum web page stuff though cause I hate dealing with most forum software).  I dunno maybe you could hold a poll and see what people say.  Thanks for the info though, I appreciate the update.
Title: Re: HTTPS?
Post by: Xifanie on November 21, 2019, 08:02:04 pm
I mean, to start with, nearly all (if not all) forum software was extremely poorly secured until 2015 or so to my knowledge. IIRC, all our passwords are currently stored as MD5 hashes in SMF's database... either that or SHA-1. And we both know that from a security standpoint, those are fucking worthless. But considering that this is the database we have, short of cracking every password longer than 8-9 characters alongside using a rainbow table, we're stuck with those low-level hashed passwords.

Our email system is down too, for reasons I don't understand, so there's no way to force everyone to update their password either, and I don't think this would be a trivial task to fix. Again, someone said they would help fix that and then never showed up again.

It's also pretty safe at this point to assume the database has been breached several times since the creation of this forum.

I welcome anyone else pitching in their ideas, but I'm already in debt because of my health, and this community has grown so thin over the years because everyone who has a lot of experience with FFT modding either left because they hate admins' faces, are too busy with irl/health stuff, or just left/became inactive because we've grown too thin. I don't think a funding project would be successful because as it is, all of the most active people on FFH cannot contribute monetarily.
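
On the MD5 or SHA-1 password hashes mentioned in the last post: stored fast hashes can be wrapped in a salted slow hash without knowing any password, then replaced at each user's next login. The sketch below is an added example, not code from the thread or from SMF; the unsalted-MD5 legacy format, the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def legacy_md5(password: str) -> str:
    """Assumed legacy format: unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def _slow(material: str, salt: bytes) -> str:
    # Salted, deliberately slow hash applied to either a password or an old hash.
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS).hex()


def wrap_legacy(md5_hex: str) -> dict:
    """Offline pass over the table: needs only the stored hash, not the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-over-md5", "salt": salt.hex(), "hash": _slow(md5_hex, salt)}


def fresh_record(password: str) -> dict:
    """Record for a password that is no longer reduced to MD5 first."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": _slow(password, salt)}


def login(password: str, record: dict) -> tuple:
    """Verify a login; a wrapped record is replaced by a fresh one on success."""
    wrapped = record["scheme"] == "pbkdf2-over-md5"
    material = legacy_md5(password) if wrapped else password
    candidate = _slow(material, bytes.fromhex(record["salt"]))
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and wrapped:
        record = fresh_record(password)
    return ok, record


if __name__ == "__main__":
    # Constructed sample row; the account name and password are made up.
    table = {"sample_user": legacy_md5("constructed-sample-pw")}
    table = {user: wrap_legacy(h) for user, h in table.items()}
    ok, table["sample_user"] = login("constructed-sample-pw", table["sample_user"])
    print(ok, table["sample_user"]["scheme"])
```

Wrapping only hardens the table going forward; any copy of the old hashes taken earlier is as weak as before.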