I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
However, while I was doing this, I wondered about the "passwords are in clear when using HTTP" thing. If I go to my web site 'out there' and type in a password who/what/where/how will it be seen?
Yes, I realise if someone has wireshark running on my LAN they will be able to see it (but my house is reasonably secure!) and, presumably, anyone monitoring packets whizzing around between me and the remote site would be able to see it. However there's a *lot* of packets flying around out there, how would anyone pick out any relevant bits?
The remote end is 'mine' too in that it's a virtual server in France (Gandi Internet) so that is moderately secure too with no general access. Obviously anyone with access to the systems at either end of this transaction could see what's going on but then if they have that sort of access getting at a web page password is not going to get them any more access than they have already.
This isn't bank access or accessing a big business/selling web site where snoopers might expect to get useful/valuable information so why (and how) would any sort of snooping work?
What does the team think? Am I being too un-paranoid? (N.B. the passwords I use for moderately [in]secure web sites bear no relation to the ones I use for secure stuff)
On 10 January 2020 09:45:19 GMT, Chris Green cl@isbd.net wrote:
I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
However, while I was doing this, I wondered about the "passwords are in clear when using HTTP" thing. If I go to my web site 'out there' and type in a password who/what/where/how will it be seen?
Yes, I realise if someone has wireshark running on my LAN they will be able to see it (but my house is reasonably secure!) and, presumably, anyone monitoring packets whizzing around between me and the remote site would be able to see it. However there's a *lot* of packets flying around out there, how would anyone pick out any relevant bits?
The remote end is 'mine' too in that it's a virtual server in France (Gandi Internet) so that is moderately secure too with no general access. Obviously anyone with access to the systems at either end of this transaction could see what's going on but then if they have that sort of access getting at a web page password is not going to get them any more access than they have already.
This isn't bank access or accessing a big business/selling web site where snoopers might expect to get useful/valuable information so why (and how) would any sort of snooping work?
What does the team think? Am I being too un-paranoid? (N.B. the passwords I use for moderately [in]secure web sites bear no relation to the ones I use for secure stuff)
TLS?
On Fri, Jan 10, 2020 at 10:12:26AM +0000, Mick wrote:
On 10 January 2020 09:45:19 GMT, Chris Green cl@isbd.net wrote:
I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
However, while I was doing this, I wondered about the "passwords are in clear when using HTTP" thing. If I go to my web site 'out there' and type in a password who/what/where/how will it be seen?
Yes, I realise if someone has wireshark running on my LAN they will be able to see it (but my house is reasonably secure!) and, presumably, anyone monitoring packets whizzing around between me and the remote site would be able to see it. However there's a *lot* of packets flying around out there, how would anyone pick out any relevant bits?
The remote end is 'mine' too in that it's a virtual server in France (Gandi Internet) so that is moderately secure too with no general access. Obviously anyone with access to the systems at either end of this transaction could see what's going on but then if they have that sort of access getting at a web page password is not going to get them any more access than they have already.
This isn't bank access or accessing a big business/selling web site where snoopers might expect to get useful/valuable information so why (and how) would any sort of snooping work?
What does the team think? Am I being too un-paranoid? (N.B. the passwords I use for moderately [in]secure web sites bear no relation to the ones I use for secure stuff)
TLS?
That's the question, not the answer! :-)
On 10/01/2020 11:51, Chris Green wrote:
[SNIP]
TLS?
That's the question, not the answer! :-)
It is the answer actually. I do think you're worrying too much, but as long as you control your own DNS, Let's Encrypt gives free certificates, and implementing them is trivial. If you're worried about MiM attacks, then use HTTPS.
Cheers, Laurie.
On Fri, Jan 10, 2020 at 12:20:25PM +0000, Laurie Brown wrote:
On 10/01/2020 11:51, Chris Green wrote:
[SNIP]
TLS?
That's the question, not the answer! :-)
It is the answer actually. I do think you're worrying too much, but as long as you control your own DNS, Let's Encrypt gives free certificates, and implementing them is trivial. If you're worried about MiM attacks, then use HTTPS.
I'm not worrying about MIM attacks, I'm asking if I *should* be worried about them! :-) I have a Let's Encrypt certificate for the site and have some of the pages on HTTPS already. I guess I can simply put everything on the HTTPS server.
On Fri, Jan 10, 2020 at 12:48:28PM +0000, Chris Green wrote:
On Fri, Jan 10, 2020 at 12:20:25PM +0000, Laurie Brown wrote:
On 10/01/2020 11:51, Chris Green wrote:
[SNIP]
TLS?
That's the question, not the answer! :-)
It is the answer actually. I do think you're worrying too much, but as long as you control your own DNS, Let's Encrypt gives free certificates, and implementing them is trivial. If you're worried about MiM attacks, then use HTTPS.
I'm not worrying about MIM attacks, I'm asking if I *should* be worried about them! :-) I have a Let's Encrypt certificate for the site and have some of the pages on HTTPS already. I guess I can simply put everything on the HTTPS server.
Yes, I hadn't really thought about it before, all I had to do was delete the apache HTTP 'site enabled' file and it's done! :-)
It even automatically redirects HTTP requests to HTTPS.
Silly me!
On Fri, 2020-01-10 at 09:45 +0000, Chris Green wrote:
I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
In which case I wouldn't worry.
Why do you want to do this? You don't care if the data is stolen. Do you care if it is lost or the site is unavailable?
Sounds to me like the only thing you have to worry about is someone using it to host dodgy material (kiddy porn, viruses, phishing targets). Most of the phishing emails I receive have links to small business sites that have been p0wned to store the payload viruses.
TBH, I wouldn't bother, but if you can implement TLS without huge effort & cost, why not go for it?
On 10/01/2020 13:02, Huge wrote:
On Fri, 2020-01-10 at 09:45 +0000, Chris Green wrote:
I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
In which case I wouldn't worry.
Why do you want to do this? You don't care if the data is stolen. Do you care if it is lost or the site is unavailable?
Sounds to me like the only thing you have to worry about is someone using it to host dodgy material (kiddy porn, viruses, phishing targets). Most of the phishing emails I receive have links to small business sites that have been p0wned to store the payload viruses.
TBH, I wouldn't bother, but if you can implement TLS without huge effort & cost, why not go for it?
The above are valid points. My first thought is: do you need a public website, if it's just info for you? If so, VPN into it, or tunnel into it with SSH and then make it otherwise inaccessible to the outside world. Then you don't have to worry so much about making it secure, because no-one but you can get at it.
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me. Also, I don't know much about trying to hack a website, but displaying the PHP status & config info on a webpage just sort of highlights if there are any vulnerabilities that may be exploited.
Just my 2p
Steve
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 13:02, Huge wrote:
On Fri, 2020-01-10 at 09:45 +0000, Chris Green wrote:
I have been looking at making some web pages of mine *slightly* more private recently. There's nothing seriously important on them, just some addresses (that people could find elsewhere easily enough) and some other similar sorts of bits and pieces.
In which case I wouldn't worry.
Why do you want to do this? You don't care if the data is stolen. Do you care if it is lost or the site is unavailable?
Sounds to me like the only thing you have to worry about is someone using it to host dodgy material (kiddy porn, viruses, phishing targets). Most of the phishing emails I receive have links to small business sites that have been p0wned to store the payload viruses.
TBH, I wouldn't bother, but if you can implement TLS without huge effort & cost, why not go for it?
The above are valid points. My first thought is: do you need a public website, if it's just info for you?
Yes, mostly, for me and family and, occasionally maybe, friends. Thus it's handy for it to be out on the 'public' internet. I do such things as post pictures of things I'm selling or which I want family to look at and see if they want.
If so, VPN into it, or tunnel into it with SSH and then make it otherwise inaccessible to the outside world.
Relatively messy though. I do use ssh tunnels for some things but they're not really 'family friendly'.
Then you don't have to worry so much about making it secure, because no-one but you can get at it.
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
Also, I don't know much about trying to hack a website, but displaying the PHP status & config info on a webpage just sort of highlights if there are any vulnerabilities that may be exploited.
Yes, true enough, but hiding them is only 'security by obscurity' isn't it!
On Fri, Jan 10, 2020 at 06:40:47PM +0000, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
I see "Index of /" if I go to that, with no HTTPS redirection.
Also, I don't know much about trying to hack a website, but displaying the PHP status & config info on a webpage just sort of highlights if there are any vulnerabilities that may be exploited.
Yes, true enough, but hiding them is only 'security by obscurity' isn't it!
It's security by obscurity if it's the only thing you do. It's part of a proper security in depth strategy though.
J.
On Fri, Jan 10, 2020 at 07:12:34PM +0000, Jonathan McDowell wrote:
On Fri, Jan 10, 2020 at 06:40:47PM +0000, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
I see "Index of /" if I go to that, with no HTTPS redirection.
Yes, so do I, how does that happen then? I have port 80 turned off in port.conf and I have only 000-default-le-ssl.conf in sites enabled.
What else do I need to do to stop it responding to http: requests?
I'll try a reboot just to make sure but I have restarted apache.
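The HTTPS-only state described above (port 80 off in ports.conf, only the Let's Encrypt vhost in sites-enabled) can be checked from the Apache config files themselves. The following is an added example, not code from the thread or from anyone's real server: it audits constructed ports.conf and sites-enabled snippets (example.invalid is a placeholder ServerName) and reports anything that would still be served over plain HTTP, treating a :80 vhost that only redirects to HTTPS as acceptable.

```python
import re

# Constructed samples, not the thread's real server config.  ports.conf as
# shipped on Debian/Ubuntu still listens on 80; the second copy has that line
# commented out, which is the state described in the question above.
PORTS_CONF_HTTP = "Listen 80\n<IfModule ssl_module>\n    Listen 443\n</IfModule>\n"
PORTS_CONF_TLS_ONLY = PORTS_CONF_HTTP.replace("Listen 80", "# Listen 80")

# A TLS vhost in the shape certbot writes to 000-default-le-ssl.conf.
VHOST_SSL = """<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.invalid
    DocumentRoot /var/www/html
    SSLEngine on
</VirtualHost>
</IfModule>
"""
# A plain-HTTP vhost that serves content directly ...
VHOST_PLAIN = """<VirtualHost *:80>
    ServerName example.invalid
    DocumentRoot /var/www/html
</VirtualHost>
"""
# ... and one that only bounces visitors to HTTPS (certbot's redirect style).
VHOST_REDIRECT = """<VirtualHost *:80>
    ServerName example.invalid
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)")
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REDIRECT_RE = re.compile(r"^\s*(?:Redirect\S*|RewriteRule)\s.*https://", re.M | re.I)


def listen_ports(ports_conf):
    """Ports Apache will bind; comments are stripped, so '# Listen 80' is ignored."""
    ports = set()
    for line in ports_conf.splitlines():
        m = LISTEN_RE.match(line.split("#", 1)[0])
        if m:
            ports.add(int(m.group(1)))
    return ports


def vhosts_on_port(conf, port):
    """(ServerName, redirects_to_https) for each <VirtualHost> bound to port."""
    out = []
    for m in VHOST_RE.finditer(conf):
        addrs, body = m.group(1), m.group(2)
        if re.search(rf":{port}(?:\s|$)", addrs):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
            out.append((name.group(1) if name else "(no ServerName)",
                        bool(REDIRECT_RE.search(body))))
    return out


def audit(ports_conf, vhost_confs):
    """Findings that mean content is reachable over plain HTTP.  An empty list
    means port 80 is not bound at all, or every :80 vhost redirects to HTTPS."""
    findings = []
    ports = listen_ports(ports_conf)
    if 443 not in ports:
        findings.append("no Listen 443: HTTPS is not served at all")
    if 80 not in ports:
        return findings      # nothing answers on 80, so any :80 vhost is inert
    plain = [v for conf in vhost_confs for v in vhosts_on_port(conf, 80)]
    if not plain:
        # With no :80 vhost, requests on 80 fall through to the main server's
        # DocumentRoot (/var/www/html by default), hence 'Index of /' listings.
        findings.append("Listen 80 is active but no <VirtualHost *:80> handles it")
    findings += [f"{name} serves content on :80 without redirecting to https"
                 for name, redirects in plain if not redirects]
    return findings
```

On a real box, feed it the contents of /etc/apache2/ports.conf and each file in sites-enabled; it only describes that one server's config and says nothing about which machine the name you are browsing actually resolves to.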
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
The above are valid points. My first thought is: do you need a public website, if it's just info for you?
Yes, mostly, for me and family and, occasionally maybe, friends. Thus it's handy for it to be out on the 'public' internet. I do such things as post pictures of things I'm selling or which I want family to look at and see if they want.
OK, so you need/want a public website. In that case I'd suggest you check that it's not got any common vulnerabilities. I'm sure there are documents on website hardening.
If so, VPN into it, or tunnel into it with SSH and then make it otherwise inaccessible to the outside world.
Relatively messy though. I do use ssh tunnels for some things but they're not really 'family friendly'.
SSH tunnels - probably not family friendly. VPN - depends. My router alleges it can handle VPNs. I have a VPN app on my phone to allow me to seamlessly connect to my phone. I have a bash script (a one-line command) to allow my laptop to dial home when I'm out-and-about. It's basically set-up then forget. ...but that is moot - you want a public website. Fair enough.
Then you don't have to worry so much about making it secure, because no-one but you can get at it.
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
None of the pages opened as https for me 11/1/20 13:22
Also, I don't know much about trying to hack a website, but displaying the PHP status & config info on a webpage just sort of highlights if there are any vulnerabilities that may be exploited.
Yes, true enough, but hiding them is only 'security by obscurity' isn't it!
A crude analogy for you. Someone walking down my street can see my house. Suppose I had a flyer on the door saying "I have an alarm installed by this manufacturer, with these settings set to these values". If they were tempted to break in, they could look and see if there were any known vulnerabilities in the system, or if I'd left any gaping holes.
You're advertising your settings on your front page of your website. You're advertising what you've done - e.g. if you're using it out-of-the-box or if you've tweaked things. This advertises if you know what you're doing or if you're using it off-the-shelf. You're making it easy for an intruder to find points of entry.
If you need that page, move it somewhere behind a password protected HTTPS page. If you don't - remove it. It certainly doesn't need to be linked from the first page in the clear like it currently is.
I used to run a webserver so I could access my webmail. I grew uncomfortable that I didn't know well enough how to secure them against intrusion so I stopped external access to the webserver and binned my webmail.
If you're not proficient in web-server security (I am not) then I would suggest for the needs you say you have, it might be simpler just to share stuff with your family via social media, email, or use a free website/blog (Blogger, Wordpress etc) and share your stuff there. That way, someone else (e.g. Google, Wordpress) looks after the security for you.
Anyway, good luck.
Steve
On Sat, Jan 11, 2020 at 01:44:20PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
None of the pages opened as https for me 11/1/20 13:22
Are you sure? When I try any http://isbd.uk/<something> pages I either get "Unable to connect" or I get automatically switched to https.
I'd be grateful if other people could try as well.
I've turned off port 80 access completely (or at least I believe I have), I've read several 'how to' pages about how to make apache2 https only and it feels as if it's all correct.
If you're not proficient in web-server security (I am not) then I would suggest for the needs you say you have, it might be simpler just to share stuff with your family via social media, email, or use a free website/blog (Blogger, Wordpress etc) and share your stuff there. That way, someone else (e.g. Google, Wordpress) looks after the security for you.
You really think using something ready-made like WordPress on somewhere like TsoHost is more secure! I'm not convinced.
As I said there's nothing really important on my web site. The only attack that has happened to it over the several years that it has been there was that someone guessed the (admittedly rather obvious at that time) password for the wiki and scribbled all over it. I changed the password to a more secure one and restored the wiki, I've not had any trouble since then.
On Sat, 2020-01-11 at 15:17 +0000, Chris Green wrote:
On Sat, Jan 11, 2020 at 01:44:20PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
None of the pages opened as https for me 11/1/20 13:22
Are you sure? When I try any http://isbd.uk/<something> pages I either get "Unable to connect" or I get automatically switched to https.
I'd be grateful if other people could try as well.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
Connecting to http://isbd.net/, I get a seriously minimalist "home page";
Index of / mandyFlat/ phpinfo.php ride2015/
Connecting to https://isdb.net, I get a certificate error;
NET::ERR_CERT_COMMON_NAME_INVALID
Hope this helps.
On Sat, Jan 11, 2020 at 03:30:53PM +0000, Huge wrote:
On Sat, 2020-01-11 at 15:17 +0000, Chris Green wrote:
On Sat, Jan 11, 2020 at 01:44:20PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
None of the pages opened as https for me 11/1/20 13:22
Are you sure? When I try any http://isbd.uk/<something> pages I either get "Unable to connect" or I get automatically switched to https.
I'd be grateful if other people could try as well.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
Connecting to http://isbd.net/, I get a seriously minimalist "home page";
Index of / mandyFlat/ phpinfo.php ride2015/
Connecting to https://isdb.net, I get a certificate error;
NET::ERR_CERT_COMMON_NAME_INVALID
isbd.net <> isbd.uk
isbd.net, isbd.co.uk, isbd.ltd.uk and isbd.biz are all sites hosted at TsoHost and are all basically unused.
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
I should probably tidy up isbd.net, isbd.co.uk, isbd.ltd.uk and isbd.biz.
isbd.net, isbd.co.uk, isbd.ltd.uk and isbd.biz are all sites hosted at TsoHost and are all basically unused.
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
I should probably tidy up isbd.net, isbd.co.uk, isbd.ltd.uk and isbd.biz.
isbd.biz is an alias of isbd.net, as pointed out there's hardly anything there, just some pictures of my SIL's flat, a phpinfo.php (now removed) and some riding holiday pictures (also removed).
isbd.co.uk has been used by the RAA for some web site testing, isbd.ltd.uk is an alias.
On Sat, 2020-01-11 at 15:52 +0000, Chris Green wrote:
On Sat, Jan 11, 2020 at 03:30:53PM +0000, Huge wrote:
On Sat, 2020-01-11 at 15:17 +0000, Chris Green wrote:
On Sat, Jan 11, 2020 at 01:44:20PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is
isbd.net <> isbd.uk
Bugger. I just copied something above.
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
-------------------------------------------------------------
isdb.uk 2019 Copyright. All Rights Reserved.
The Sponsored Listings displayed above are served automatically by a third party. Neither the service provider nor the domain owner maintain any relationship with the advertisers. In case of trademark issues please contact the domain owner directly (contact information can be found in whois).
Privacy Policy
-------------------------------------------------------------
This site can’t be reached
isdb.uk refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
-------------------------------------------------------------
I should probably tidy up isbd.net, isbd.co.uk, isbd.ltd.uk and isbd.biz.
Yes.
isbd.net <> isbd.uk
Bugger. I just copied something above.
:-)
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
Er, not isdb.
ISBD stands for "It Shouldn't Be Difficult", it was a catchphrase of my boss many years ago and when I started contracting and needed a Ltd company I used the initials! :-)
On Sat, 2020-01-11 at 16:44 +0000, Chris Green wrote:
isbd.net <> isbd.uk
Bugger. I just copied something above.
:-)
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
Er, not isdb.
Oh, FFS.
http://isbd.uk/ refuses to connect
https://isbd.uk/ is an Apache2 default install page.
On Sat, Jan 11, 2020 at 04:57:53PM +0000, Huge wrote:
On Sat, 2020-01-11 at 16:44 +0000, Chris Green wrote:
isbd.net <> isbd.uk
Bugger. I just copied something above.
:-)
The site I have been talking about here (which should be https only) is isbd.uk which is hosted on a Gandi virtual server.
Chromium Version 79.0.3945.79 (Official Build) Built on Ubuntu, running on LinuxMint 19.1 (64-bit)
Er, not isdb.
Oh, FFS.
http://isbd.uk/ refuses to connect
https://isbd.uk/ is an Apache2 default install page.
Hurrah! Thank you, basically it's as it should be then. I'll maybe replace the Apache2 default install page but I don't really need to as I direct people to specific sub-directories to see things.
On 11/01/2020 16:57, Huge wrote:
http://isbd.uk/ refuses to connect
Confirmed
https://isbd.uk/ is an Apache2 default install page.
Confirmed, except there's a warning next to the Padlock icon on the title bar saying "Parts of this page are not secure (such as images)"
For the record, before this post, I was only talking about http://isbd.net/
Steve
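The "parts of this page are not secure (such as images)" warning means the HTML itself came over HTTPS but at least one subresource (an image, stylesheet or script) is referenced with a plain http:// URL, so the browser fetches it unencrypted. As an added example, not code from the thread, here is a small scanner that lists such references in a page's HTML; the page URL and HTML below are constructed, and example.invalid is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource.  A plain http:// value
# in one of these on an https:// page is what produces the warning.  <a href>
# is deliberately absent: a link to an http page is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"),
    "link": ("href",), "object": ("data",),
}
# <link> only counts when the browser will actually fetch it (simplified list).
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

# Constructed page and URL; example.invalid is a placeholder host.
SAMPLE_PAGE_URL = "https://example.invalid/ride/"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.invalid/style.css">
<link rel="canonical" href="http://example.invalid/ride/">
</head><body>
<img src="bike.jpg">
<img src="http://example.invalid/images/bike2.jpg">
<img src="//cdn.example.invalid/a.jpg" srcset="//cdn.example.invalid/a2.jpg 2x">
<a href="http://example.invalid/other/">plain link, not mixed content</a>
<script src="https://example.invalid/js/app.js"></script>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # (tag, attribute, url as written in the HTML)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value])
            for u in urls:
                # Resolve relative and scheme-relative (//host/...) URLs against
                # the page, so only references that force plain http are flagged.
                if urlsplit(urljoin(self.page_url, u)).scheme == "http":
                    self.findings.append((tag, attr, u))


def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for every subresource fetched over plain http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

The fix for each finding is to reference the asset with https:// or with a relative or scheme-relative URL, as the third <img> in the sample does.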
On 11/01/2020 15:17, Chris Green wrote:
On Sat, Jan 11, 2020 at 01:44:20PM +0000, steve-ALUG@hst.me.uk wrote:
On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages
Can connect to this one but it says the connection is not secure, so that suggests it's not going to https://. Very minimal page.
Are you sure? When I try any http://isbd.uk/<something> pages I either get "Unable to connect" or I get automatically switched to https.
I'd be grateful if other people could try as well.
Cannot connect to that one.
(Firefox 72.0.1, Linux Mint (up to date)) HTH.
Bev