About a serious security issue with the forum

Posted: August 22nd, 2020, 1:04 am
by TorutheRedFox
I'd recommend using some form of HTTPS, such as SSL, as hosting a forum over HTTP makes all users vulnerable to man-in-the-middle attacks, which is really not good for the security of the site itself, as this allows malicious people to get access to accounts just through packet sniffing. Sure, VPNs exist, but not everyone is willing to pay a subscription fee for a trustworthy VPN, or risk anything with a free VPN.

Re: About a serious security issue with the forum

Posted: August 22nd, 2020, 6:33 am
by Punch
This video is brought to you by NordVPN...

Re: About a serious security issue with the forum

Posted: August 22nd, 2020, 8:10 am
by samspin
I believe the reason HTTPS is not enabled for this site is because it would render it inaccessible on older browsers that cannot use modern SSL ciphers. A lot of the PSX era of programs (such as the PsyQ SDK) and the hardware (using ISA slots) only work properly on older operating systems/hardware, and you often need to download extra little bits as you go along. You may think it's easy to just say "oh well, just download onto a USB pen on a newer computer and copy it to the older computer that way - problem solved". Unfortunately adding USB support (usually via PCI card) to older PCs is easier said than done when you have to manually deal with IRQs, etc., without breaking support for the development hardware because there aren't enough IRQs available.
Personally I too have run into this issue when trying to set up my PSX development hardware and had to burn CD after CD just to get everything that I needed moved (since that's how stuff was distributed in this era!). Eventually I found a very old FTP client that still works on Windows 98 and used that to fetch files over my network, but it was still such a faff.
I believe this is also the reason DDOS protection is permanently enabled on this site (hence it keeps doing a browser-check) as a compromise.

Re: About a serious security issue with the forum

Posted: September 21st, 2020, 11:19 am
by Punch
The DDOS check makes this site unusable for me sometimes. I gotta do stupid captchas all the damn time here, it's really aggravating.

Re: About a serious security issue with the forum

Posted: September 21st, 2020, 6:52 pm
by NITROYUASH
Same, I have to select a car/plane/truck/etc. every time I want to read this forum, this is so annoying.

Re: About a serious security issue with the forum

Posted: September 22nd, 2020, 5:41 am
by Xavi92
I already complained about the use of plain HTTP on this site back in December last year. Shadow replied but nothing has been done so far. I avoid entering this site since this hCaptcha crap was introduced as I do not trust Cloudflare or their privacy-intruding policies.
samspin wrote:
August 22nd, 2020, 8:10 am
I believe the reason HTTPS is not enabled for this site is because it would render it inaccessible on older browsers that cannot use modern SSL ciphers.
That simply sounds like a bad excuse. I'm sure the proprietary JavaScript-based hCaptcha crap from Cloudflare takes a lot more resources than TLS. Nowadays there are TLS libraries such as mbedtls that fit even on small, 64 KiB RAM microcontrollers. Moreover, running dead-old web browsers under dead-old unsupported proprietary operating systems also sounds like a terrible idea unless you are yourself open to tons of exploits.

Do you want to use a web browser supporting relatively new versions of TLS on your 64 MiB RAM Pentium I? Move to another operating system such as FreeBSD and with luck lynx might even work. But then you have no support for the ISA development boards. Otherwise, keep that machine away from any network if you decide to stick to Windows 98.
samspin wrote:
August 22nd, 2020, 8:10 am
I believe this is also the reason DDOS protection is permanently enabled on this site (hence it keeps doing a browser-check) as a compromise.
Potential DDoS attacks are not a reason to use privacy-intruding crap like Cloudflare's hCaptcha or Google's reCAPTCHA. I am sure there are many other ways, most likely based on free software, to mitigate DDoS attacks that do not involve cheap labor, user tracking and data selling. OTOH, some people prefer to disable JavaScript on their browsers for privacy and/or security reasons, and hCaptcha relies on it. Those legitimate users accessing from Tor cannot access this site since Tor exit nodes are detected as malicious users.

Re: About a serious security issue with the forum

Posted: September 23rd, 2020, 12:49 am
by Yagotzirck
Not to mention that despite all those "countermeasures" spambots are still running amok, so I question the usefulness of all those checks :roll:
I'll go out on a limb here and say that ever since PSIO has moved to its own forum admins don't really give a shit about this place anymore.

Re: About a serious security issue with the forum

Posted: September 26th, 2020, 1:08 am
by szalay_1
NITROYUASH wrote:
September 21st, 2020, 6:52 pm
Same, I have to select a car/plane/truck/etc. every time I want to read this forum, this is so annoying.
YES, same here, this is hella annoying!

Re: About a serious security issue with the forum

Posted: September 27th, 2020, 12:32 pm
by Xavi92
rsoft is hosting a forum site at https://0x7b.de/psxugnd/bbs.php which does not rely on JS or captchas, uses HTTPS and also runs on open source software. I encourage everyone to move towards these forums as long as the admins from psxdev.net do not implement HTTPS and remove captchas on this site once and for all. There is currently a lack of content, but feel free to post your PSX-related ideas or questions.
We are also online almost daily at #psxugnd on Freenode.
See you there!

Re: About a serious security issue with the forum

Posted: October 12th, 2020, 1:23 pm
by Shadow

Re: About a serious security issue with the forum

Posted: October 14th, 2020, 12:54 am
by szalay_1
WooW, this makes life easier!
Thank You =)

Re: About a serious security issue with the forum

Posted: October 15th, 2020, 3:12 pm
by Shadow
The main reason the CAPTCHA was added was that the server was under heavy load from a lot of unknown users and it was using a lot of bandwidth, which was costing me a lot of money. PSXDEV.NET has always been free (I have never asked for any donations or placed any ads) and I intend to keep it that way (the way the Internet should be).

As for HTTPS, it's not a priority right now for me to add. I will add it at some stage, but for now it's okay without it and it's been running for over 8 years without it. The data from the server to the DNS is encrypted by Cloudflare.

Re: About a serious security issue with the forum

Posted: October 27th, 2020, 9:34 am
by Xavi92
Thanks for not requiring hCaptcha to legitimate users.
Shadow wrote:
October 15th, 2020, 3:12 pm
As for HTTPS, it's not a priority right now for me to add. I will add it at some stage, but for now it's okay without it and it's been running for over 8 years without it. The data from the server to the DNS is encrypted by Cloudflare.
That does not mean data from users to the server is encrypted, so sensitive information might still be compromised, e.g. password hashes. There is no reason not to run HTTPS nowadays - getting a valid certificate is free via Let's Encrypt and very easy to set up. Even Cloudflare also issues free certificates if you prefer them. So please consider helping us all by getting a free certificate.