  1. Site being served over HTTP is super insecure, please change your passwords

    #115217 2018-11-11 06:45:37 *momo said:

    Hi hello, this is your good friend momo with a little psa:

    If you use your CL password for anything other than CL, please change it. The site is served insecurely and anyone sitting between your computer and the CL servers (including your home network, your ISP's routing facilities, internet backbone providers, and the VPS service that CL uses for its servers) can read your unencrypted password.

    It is near-trivial to serve over HTTPS these days, and free thanks to services like Let's Encrypt, so there is no reason other than ignorance or negligence to not serve every site over HTTPS. @--jack-- or @Warlock, whoever tends to the technical workings of the site, PLEASE just install certbot and get a cert added to the web server. If you need assistance, I'd be glad to point you in the right direction as I already do this for all sites I host.

    With Love, Jesse <3

  2. #115219 2018-11-11 11:14:14 DarkChaplain said:

    there is no reason other than ignorance or negligence

    That's about right.

    Been shaking my head over this, and other problems, forever now. Then again, it's strange for either admin to even show up these days, and we had about half a dozen server downtimes the past few months, lasting days on end because nobody even noticed it was dead. Go figure...

    Thanks for raising awareness, Momo.

  3. #115223 2018-11-11 15:22:06 momo said:

    I mean I didn't intend it to be interpreted to be quite so scathing and know nothing of these downtimes so ¯\_(ツ)_/¯

    Ignorance is a valid excuse when systems administration isn't your forte

  4. #115248 2018-11-15 02:56:43 *Deftones said:

    For anyone that wants to test this, use this tool, mitmproxy.org, on your local network. You should be able to see your username and password from any device in the house on any site that doesn't use SSL.

    If you also install your own SSL certs on these devices, you'll be able to decrypt SSL too. Man-in-the-middle attacks are where the fun is.
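
Added example, not part of any post in this thread and not the site's own code: a Python check for the exposure the first post describes, flagging a login page whose password form, transport or session cookie would travel in cleartext. The function and class names, the `forum.example` host and the sample HTML and headers are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.actions, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None and self._current not in self.actions:
                self.actions.append(self._current)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login(page_url, html, headers):
    """Return findings for a login page fetched at page_url; headers is a list of (name, value)."""
    https = urlsplit(page_url).scheme == "https"
    findings = [] if https else ["page served over plaintext HTTP"]
    parser = _PasswordForms()
    parser.feed(html)
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty or relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"password form posts in cleartext to {target}")
    if https and not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no HSTS header, first visit can be downgraded to HTTP")
    for k, v in headers:
        flags = [p.strip().lower() for p in v.split(";")]
        if k.lower() == "set-cookie" and "secure" not in flags:
            findings.append(f"cookie {v.split('=', 1)[0]} lacks the Secure flag")
    return findings


# Constructed sample inputs (not captured from any real site).
HTTP_PAGE = '<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form>'
MIXED_PAGE = '<form action="http://forum.example/login"><input type="PASSWORD" name="pw"></form>'
GOOD_PAGE = '<form action="/login" method="post"><input type="password" name="pw"></form>'
GOOD_HEADERS = [("Strict-Transport-Security", "max-age=31536000"), ("Set-Cookie", "sid=abc; Secure; HttpOnly")]

if __name__ == "__main__":
    print(audit_login("http://forum.example/", HTTP_PAGE, [("Set-Cookie", "sid=abc; HttpOnly")]))
```

The second sample covers a case the thread does not mention: an HTTPS page whose form still submits to an `http://` action sends the password in cleartext just the same.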