
Re: Can we encrypt the forum already?

Posted: Sat Sep 10, 2016 10:35 pm
by skidoo
Who will hack a Linux forum?
2. To what end? To gain what?
Hack in order to install a rootkit and get the server to participate in a botnet.
Then it can be employed, on demand via command-and-control, as a spam bulk mailer, a DDOS attack participant, a bitcoin miner...

Rootkit doesn't need to be at o/s level, can be code added into php scripts (phpBB forum software), or otherwise run with the webserver (service) permissions.
Next thing ya know (for instance)... the domain you're operating the compromised webserver from (in this case mepiscommunity.com), you find out no one can receive your domain mailserver because the domain has been added to spamlist.

Re: Can we encrypt the forum already?

Posted: Sat Sep 10, 2016 10:49 pm
by BitJam
I think I was wrong about Let's Encrypt certificates being untrusted. From their blog:
Getting a new root trusted and propagated broadly can take 3-6 years. In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root “vouches for” the certificates that we issue, thus making our certificates trusted. We’re incredibly grateful to IdenTrust for helping us to start carrying out our mission as soon as possible.
Firefox-50 will trust Let's Encrypt directly but since the existing authority IdenTrust is vouching for Let's Encrypt, I believe the Let's Encrypt certificates will be trusted by all (or almost all) browsers and the scary error/warning box won't appear.

Re: Can we encrypt the forum already?

Posted: Sun Sep 11, 2016 3:25 am
by sanlav
The address Adrian specified, http://blog.linuxmint.com/?p=2994, mentions:
"We were exposed to an intrusion today. It was brief and it shouldn’t impact many people" and points to the measures taken, in a way confirming my original post.
BUT
I agree that, in the long run, measures should be taken to avoid unencrypted passwords floating on the net. I read some cases where hacks were not done for money gain but for political reasons, revenge or simply to show one can do some harm.

Re: Can we encrypt the forum already?

Posted: Sun Sep 11, 2016 9:19 am
by Adrian
sanlav, I don't understand the source of your resistance to this request. If you feel fine having your password sent in clear over the hops on the internet, that's your prerogative, just like I have the right to want my password to be encrypted.

Re: Can we encrypt the forum already?

Posted: Sun Sep 11, 2016 7:02 pm
by Jerry3904
The Devs are going to move this discussion to their own Forum for a bit, since there are some sensitive issues involved that we need to go over before a general discussion can proceed.

Thanks for the input so far--we'll be back.