About a serious security issue with the forum

TorutheRedFox
What is PSXDEV?
Posts: 1
Joined: Aug 18, 2020

About a serious security issue with the forum

Post by TorutheRedFox » August 22nd, 2020, 1:04 am

I'd recommend using some form of HTTPS, such as SSL, as hosting a forum over HTTP makes all users vulnerable to man-in-the-middle attacks, which is really not good for the security of the site itself, as this allows malicious people to get access to accounts just through packet sniffing. Sure, VPNs exist, but not everyone is willing to pay a subscription fee for a trustworthy VPN, or risk anything with a free VPN.

Punch
Interested PSXDEV User
Posts: 8
Joined: Aug 25, 2019

Post by Punch » August 22nd, 2020, 6:33 am

This video is brought to you by NordVPN...

samspin
Curious PSXDEV User
Posts: 13
Joined: Oct 14, 2014
I am a: Tinkerer, gamer, solderer
PlayStation Model: DTL-H1202

Post by samspin » August 22nd, 2020, 8:10 am

I believe the reason HTTPS is not enabled for this site is because it would render it inaccessible on older browsers that cannot use modern SSL ciphers. A lot of PSX-era programs (such as the PsyQ SDK) and hardware (using ISA slots) only work properly on older operating systems/hardware, and you often need to download extra little bits as you go along. You may think it's easy to just say "oh well, just download onto a USB pen on a newer computer and copy it to the older computer that way; problem solved". Unfortunately adding USB support (usually via PCI card) to older PCs is easier said than done when you have to manually deal with IRQs, etc., without breaking support for the development hardware because there aren't enough IRQs available.
Personally I too have run into this issue when trying to set up my PSX development hardware and had to burn CD after CD just to get everything that I needed moved (since that's how stuff was distributed in this era!). Eventually I found a very old FTP client that still works on Windows 98 and used that to fetch files over my network, but it was still such a faff.
I believe this is also the reason DDOS protection is permanently enabled on this site (hence it keeps doing a browser-check) as a compromise.

Punch
Interested PSXDEV User
Posts: 8
Joined: Aug 25, 2019

Post by Punch » September 21st, 2020, 11:19 am

The DDOS check makes this site unusable for me sometimes. I gotta do stupid captchas all the damn time here, it's really aggravating.

NITROYUASH
Serious PSXDEV User
Posts: 124
Joined: Jan 07, 2018
I am a: Game Designer
PlayStation Model: SCPH-5502
Location: Russian Federation

Post by NITROYUASH » September 21st, 2020, 6:52 pm

Same, I have to select a car/plane/truck/etc. every time I want to read this forum; this is so annoying.

Xavi92
C Programming Expert
Posts: 161
Joined: Oct 06, 2012
PlayStation Model: SCPH-5502

Post by Xavi92 » September 22nd, 2020, 5:41 am

I already complained about the use of plain HTTP on this site back in December last year. Shadow replied but nothing has been done so far. I avoid entering this site since this hCaptcha crap was introduced, as I do not trust Cloudflare or their privacy-intruding policies.
samspin wrote: August 22nd, 2020, 8:10 am I believe the reason HTTPS is not enabled for this site is because it would render it inaccessible on older browsers that cannot use modern SSL ciphers.
That simply sounds like a bad excuse. I'm sure the proprietary JavaScript-based hCaptcha crap from Cloudflare takes a lot more resources than TLS. Nowadays there are TLS libraries such as mbedtls that fit even on small, 64 KiB RAM microcontrollers. Moreover, running dead-old web browsers under dead-old unsupported proprietary operating systems also sounds like a terrible idea unless you are yourself open to tons of exploits.

Do you want to use a web browser supporting relatively new versions of TLS on your 64 MiB RAM Pentium I? Move to another operating system such as FreeBSD and with luck lynx might even work. But then you have no support for the ISA development boards. Otherwise, keep that machine away from any network if you decide to stick to Windows 98.
samspin wrote: August 22nd, 2020, 8:10 am I believe this is also the reason DDOS protection is permanently enabled on this site (hence it keeps doing a browser-check) as a compromise.
Potential DDoS attacks are not a reason to use privacy-intruding crap like Cloudflare's hCaptcha or Google's reCAPTCHA. I am sure there are many other ways, most likely based on free software, to mitigate DDoS attacks that do not involve cheap labor, user tracking and data selling. OTOH, some people prefer to disable JavaScript in their browsers for privacy and/or security reasons, and hCaptcha relies on it. Legitimate users accessing from Tor cannot access this site either, since Tor exit nodes are detected as malicious users.

Yagotzirck
Extreme PSXDEV User
Posts: 131
Joined: Jul 17, 2013

Post by Yagotzirck » September 23rd, 2020, 12:49 am

Not to mention that despite all those "countermeasures" spambots are still running amok, so I question the usefulness of all those checks :roll:
I'll go out on a limb here and say that ever since PSIO has moved to its own forum admins don't really give a shit about this place anymore.

szalay_1
Active PSXDEV User
Posts: 41
Joined: Jan 22, 2019
I am a: Cheat Device Code Creator
PlayStation Model: 5502-7502
Location: Hungary

Post by szalay_1 » September 26th, 2020, 1:08 am

NITROYUASH wrote: September 21st, 2020, 6:52 pm Same, I have to select a car/plane/truck/etc. every time I want to read this forum; this is so annoying.
YES, same here, this is hella annoying!

Xavi92
C Programming Expert
Posts: 161
Joined: Oct 06, 2012
PlayStation Model: SCPH-5502

Post by Xavi92 » September 27th, 2020, 12:32 pm

rsoft is hosting a forums site at https://0x7b.de/psxugnd/bbs.php which does not rely on JS or captchas, uses HTTPS and also runs on open source software. I encourage everyone to move towards these forums as long as the admins from psxdev.net do not implement HTTPS and remove captchas on this site once and for all. There is currently a lack of content, but feel free to post your PSX-related ideas or questions.
We are also online almost daily at #psxugnd on Freenode.
See you there!

Shadow
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » October 12th, 2020, 1:23 pm

Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

szalay_1
Active PSXDEV User
Posts: 41
Joined: Jan 22, 2019
I am a: Cheat Device Code Creator
PlayStation Model: 5502-7502
Location: Hungary

Post by szalay_1 » October 14th, 2020, 12:54 am

WooW, this makes life easier!
Thank you =)

Shadow
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » October 15th, 2020, 3:12 pm

The main reason the CAPTCHA was added was that the server was under heavy load from a lot of unknown users and it was using a lot of bandwidth, which was costing me a lot of money. PSXDEV.NET has always been free (never asked for any donations or placed any ads) and I intend to keep it that way (the way the Internet should be).

As for HTTPS, it's not a priority right now for me to add. I will add it at some stage, but for now it's okay without it and it's been running for over 8 years without it. The data from the server to the DNS is encrypted by Cloudflare.

Xavi92
C Programming Expert
Posts: 161
Joined: Oct 06, 2012
PlayStation Model: SCPH-5502

Post by Xavi92 » October 27th, 2020, 9:34 am

Thanks for not requiring hCaptcha from legitimate users.
Shadow wrote: October 15th, 2020, 3:12 pm As for HTTPS, it's not a priority right now for me to add. I will add it at some stage, but for now it's okay without it and it's been running for over 8 years without it. The data from the server to the DNS is encrypted by Cloudflare.
That does not mean data from users to the server is encrypted, so sensitive information might still be compromised, e.g. password hashes. There is no reason not to run HTTPS nowadays: getting a valid certificate is free via Let's Encrypt and very easy to set up. Even Cloudflare issues free certificates if you prefer them. So please consider helping us all by getting a free certificate.
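As an added illustration of the point made in this thread (example code written for this page, not code from psxdev.net, phpBB or any poster): the script below audits a forum login response for the transport properties that actually protect a user's credentials and session, namely that the page is served over HTTPS (or that the plain-HTTP listener only redirects there), that HSTS is sent, and that the session cookie carries the Secure and HttpOnly flags. Encryption between Cloudflare and the origin, as Shadow describes, does not satisfy any of these, since the hop from the user's browser to the edge is what an on-path attacker sees. The host name, cookie name and raw responses are all constructed for the example; nothing was captured from a live server.

```python
"""Transport-security audit of a forum login response.

Added example for this thread, not code from psxdev.net or phpBB.  The raw
responses, host name and cookie name below are constructed for illustration;
nothing here was captured from a live server.
"""
from typing import List, Set, Tuple

Header = Tuple[str, str]


def parse_response(raw: bytes) -> Tuple[int, List[Header]]:
    """Split a raw HTTP/1.x response head into (status, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: List[Header] = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(url: str, raw: bytes) -> List[str]:
    """Findings for one response served at `url`; an empty list means clean."""
    status, headers = parse_response(raw)
    findings: List[str] = []

    def get(name: str) -> List[str]:
        return [v for k, v in headers if k == name]

    if url.startswith("http://"):
        # Plain HTTP is acceptable only as a redirect to the HTTPS site;
        # anything else (a login form, a session cookie) travels in clear
        # between the browser and whatever terminates the connection.
        loc = get("location")
        redirected = (status in (301, 302, 307, 308)
                      and bool(loc) and loc[0].startswith("https://"))
        if not redirected:
            findings.append("served over HTTP without redirect to HTTPS")
    elif not get("strict-transport-security"):
        # Without HSTS a browser still follows http:// links that are typed,
        # bookmarked or injected, so the first request can be downgraded.
        findings.append("missing Strict-Transport-Security header")

    for sc in get("set-cookie"):
        name, attrs = cookie_attributes(sc)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings


# Constructed sample: a login page as the thread describes it (plain HTTP,
# session cookie with no flags).
PLAIN_URL = "http://forum.example/ucp.php?mode=login"
PLAIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: forum_sid=0123456789abcdef; path=/\r\n"
    b"\r\n<html>...login form...</html>"
)

# Constructed sample: the same endpoint after moving to HTTPS (e.g. with a
# Let's Encrypt certificate), sending HSTS and flagging the cookie.
TLS_URL = "https://forum.example/ucp.php?mode=login"
TLS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: forum_sid=0123456789abcdef; path=/; Secure; HttpOnly\r\n"
    b"\r\n<html>...login form...</html>"
)

# Constructed sample: the port-80 listener doing nothing but redirecting.
REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://forum.example/ucp.php?mode=login\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, url, raw in [("plain", PLAIN_URL, PLAIN_RESPONSE),
                            ("tls", TLS_URL, TLS_RESPONSE),
                            ("redirect", PLAIN_URL, REDIRECT_RESPONSE)]:
        print(label, audit(url, raw) or "OK")
```

Run against the three constructed responses it reports three findings for the plain-HTTP page, none for the HTTPS page, and none for the redirect-only port-80 response. The same `audit` function can be pointed at headers fetched with any HTTP client to check a real deployment after a certificate has been installed.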
