Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation). Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly. And note that the NSA can possibly decrypt your information anyway, depending on what kind of encryption keys the server uses (via some mathematical trickery explained here.)
Joined: 4/13/2009
Posts: 431
Warp wrote:
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation).
Kind of depends on what it's doing. If the board script dominates the runtime, it probably won't matter anyway. The only way to find out is to test it.
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
That's not rocket science. It's pretty easy to do that. Well, at least on a Windows server. Don't know about a Linux server. Besides, the site is already accepting SSL connections; it's just that the forum does not appear to exist when using SSL.
Emulator Coder, Skilled player (1114)
Joined: 5/1/2010
Posts: 1217
Warp wrote:
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation).
As for key exchange, TLS doesn't currently support the really fast stuff. As for bulk ciphering, if you have hardware support, AES-GCM really frickin' flies (but requires TLS 1.2). Then there's talk about adding some new ciphersuites that are pretty fast even without hardware support. Well, it used to be the case that TLS was pretty heavy, but since the CPU speeds have increased, it has become pretty cheap CPU-wise (but that has done nothing to other problems). The reasons why this site doesn't do HTTPS have absolutely nothing to do with CPU nor memory usage.
Warp wrote:
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
This kind of set-up should really be avoided.
Joined: 1/25/2014
Posts: 6
Nicos wrote:
why didn't you simply message an admin to change the username for you, i think it's possible ? (as double accounts are forbiden, it should be ? riiighht ? ) as for the site security, until it gets fixed, try to think of it as ridding a bike... it's fun, but it's safer to walk... especialy when ducks are involved
Just didn't cross my mind to bug an admin about it. Now that the two accounts already exist, merging them is a pain in the ass. Oh well, it doesn't really matter anyway. As for using them both, I won't. Should someone really care, they can audit my last login times or just ban the old account.
Joined: 4/13/2009
Posts: 431
Warp wrote:
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
That's not safe, though. The session cookie can still be stolen, making it still just as unsecure.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
All the people saying 'well, the internet is fundamentally unsecure' are missing the point. The point is as follows: A database leak is the thing identity thieves want the most, because it means thousands to millions of accounts and passwords are leaked all in one go, and you can mine them in bulk. Sure, there are exploits and attacks for any feasible authentication system between two people or a person and a server, but they only give you one password at a time, so they're not nearly as likely to be bothered with. (Just be careful when using airport wifi, where this is no longer true!)
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 4/13/2009
Posts: 431
Well, if the steal an admin's password, they can probably dump the database or do a lot of damage.
Emulator Coder, Skilled player (1114)
Joined: 5/1/2010
Posts: 1217
EEssentia wrote:
Well, if the steal an admin's password, they can probably dump the database or do a lot of damage.
The DB passwords are sent over TLS or SSH.