Website and forum security issues

Bethrezen
Regular
Posts: 661
Joined: 25 Sep 2009, 02:05

Website and forum security issues

Post by Bethrezen »

Hi all

Couple of things. First off, when I load the warzone site in Firefox I'm getting the following warning message.

Image

So it might be an idea to fix that.

Second, when I click the link to go to the forum it's taking me to the insecure and unencrypted version of the login page, http://forums.wz2100.net/ instead of the secure encrypted version https://forums.wz2100.net/

Also, when I click on the login button on the forum, again it's taking me to the insecure and unencrypted version of the login page ucp.php?mode=login instead of the secure encrypted version https://forums.wz2100.net/ucp.php?mode=login

So it might be an idea to have someone fix this to make sure that users are always taken to the secure encrypted login page, as that is a potential security problem that could result in people having their login details stolen. As is, the warzone site has already been compromised once before, so it might be an idea to have someone sort this out.

Third, for some reason the forum keeps logging me out, and I have to keep logging back in. Not a big issue but kind of irritating, so it might be an idea to have someone look into this as well.
NoQ
Special
Posts: 6226
Joined: 24 Dec 2009, 11:35
Location: /var/zone

Re: Website and forum security issues

Post by NoQ »

Bethrezen wrote: Hi all

Couple of things. First off, when I load the warzone site in Firefox I'm getting the following warning message.

Image

So it might be an idea to fix that.
That seems to be on your side - someone is man-in-the-middle-ing your connection to forums.wz2100.net, maybe a proxy, and https is correctly failing in order to indicate that, which is the whole point of https.
Berg
Regular
Posts: 2204
Joined: 02 Sep 2007, 23:25
Location: Australia

Re: Website and forum security issues

Post by Berg »

NoQ wrote: That seems to be on your side - someone is man-in-the-middle-ing your connection to forums.wz2100.net, maybe a proxy, and https is correctly failing in order to indicate that, which is the whole point of https.
I think there is more to it than it being his side; this also happens to me. I have to tell Firefox to ignore the warning.
Could it be the security certificate or whatever it is for wz2100 needs updating?
Bethrezen
Regular
Posts: 661
Joined: 25 Sep 2009, 02:05

Re: Website and forum security issues

Post by Bethrezen »

NoQ wrote: That seems to be on your side - someone is man-in-the-middle-ing your connection to forums.wz2100.net, maybe a proxy, and https is correctly failing in order to indicate that, which is the whole point of http
I don't use a proxy, and if it is the case that the connection is being man-in-the-middled then shouldn't all https connections fail in the same fashion? The reason I ask is because I don't have that problem with other sites that use https, like https://start.duckduckgo.com/ for example.

According to the screenshot the issue is the certificate:
The certificate is not trusted because it is self-signed.
The certificate is not valid for the name http://www.wz2100.net.
The certificate expired on 15 October 2015 20:47. The current time is 24 October 2017 01:27.
Also, when I hover over the link on the main page to come to the forum, the link is incorrect.

Image

Note in the bottom left corner how it says http://forums.wz2100.net/ instead of https://forums.wz2100.net/

Also, if the site is going to use https then shouldn't it automatically redirect you to the secure https address if you try to connect to the insecure http address?
Bethrezen
Regular
Posts: 661
Joined: 25 Sep 2009, 02:05

Re: Website and forum security issues

Post by Bethrezen »

After looking into this some more I came across this

https://support.mozilla.org/en-US/kb/tr ... =inproduct

which would seem to indicate that the problem could possibly be the warzone websites, since I only see this problem with the warzone site.
The error occurs on one particular site only

In case you get this problem on one particular site only, this type of error generally indicates that the web server is not configured properly.
Bethrezen
Regular
Posts: 661
Joined: 25 Sep 2009, 02:05

Re: Website and forum security issues

Post by Bethrezen »

I just noticed something else. When I go to

https://wz2100.net/ I don't get the error about the certificate.
However, if I go to https://www.wz2100.net/ I do.

Notice the difference with those addresses: the one that triggers the certificate warning has the WWW prefix. Why that would make a difference I'm not sure, but it would seem that for whatever reason the WWW prefix is what is triggering the certificate warning.

If you come to the warzone site via https://www.wz2100.net/, which is the URL you get on duckduckgo when you search for warzone 2100, and you are using Firefox, then you will get the certificate warning. Test it out yourself.

Not really sure who is at fault here, but it seems as though the warzone site is simply not handling this correctly and should probably be redirecting users to https://wz2100.net/ before doing the certificate check, which would stop this issue from happening.
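The three certificate errors quoted earlier in the thread, and the www versus bare-domain difference described in this post, worked through as an added example (not code from any poster or from the Warzone project). The certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; their names and issuers are assumptions, and only the expiry and current times come from the quoted Firefox warning.

```python
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# Names and issuers are assumptions; only the notAfter time is from the thread.
OLD_CERT = {
    "subject": ((("commonName", "wz2100.net"),),),
    "issuer": ((("commonName", "wz2100.net"),),),
    "notBefore": "Oct 15 20:47:00 2014 GMT",
    "notAfter": "Oct 15 20:47:00 2015 GMT",
    "subjectAltName": (("DNS", "wz2100.net"),),
}
RENEWED_CERT = {  # hypothetical renewal that again lists only the bare domain
    "subject": ((("commonName", "wz2100.net"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Oct 01 00:00:00 2017 GMT",
    "notAfter": "Jan 01 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "wz2100.net"),),
}
# "The current time is 24 October 2017 01:27" in the warning, treated as GMT.
NOW = ssl.cert_time_to_seconds("Oct 24 01:27:00 2017 GMT")


def name_matches(pattern, host):
    """Exact label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(cert, host, now):
    """List the reasons a client would reject this certificate for host."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    # Same issuer and subject means no CA vouches for it (self-issued);
    # a full check would also verify the signature with the cert's own key.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    return problems
```

Against a live server, `getpeercert()` returns an empty dict when verification is disabled, so a certificate that fails validation has to be fetched with `getpeercert(binary_form=True)` and decoded with an X.509 library before checks like these can run.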
NoQ
Special
Posts: 6226
Joined: 24 Dec 2009, 11:35
Location: /var/zone

Re: Website and forum security issues

Post by NoQ »

Bethrezen wrote: https://wz2100.net/ I don't get the error about the certificate.
However, if I go to https://www.wz2100.net/ I do.
Yeah, that explains. I didn't type www, so I never saw the problem.
JimmyJack
Trained
Posts: 118
Joined: 06 May 2017, 05:50

Re: Website and forum security issues

Post by JimmyJack »

I tried the www one with WaterFox and got the same error both when I clicked your link and when I typed it in.
Bethrezen wrote: Third, for some reason the forum keeps logging me out, and I have to keep logging back in. Not a big issue but kind of irritating, so it might be an idea to have someone look into this as well.

I also had that same problem a lot when using the Chrome browser. But it went away when I started using WaterFox.
Transmission ends ...
vexed
Inactive
Posts: 2538
Joined: 27 Jul 2010, 02:07

Re: Website and forum security issues

Post by vexed »

Actually, the problem was the cert expired.
Then it was renewed.

So, if you happen to go there (here) while it was expired, it would show you that error.
/facepalm ...Grinch stole Warzone🙈🙉🙊 contra principia negantem non est disputandum
Super busy, don't expect a timely reply back.
Bethrezen
Regular
Posts: 661
Joined: 25 Sep 2009, 02:05

Re: Website and forum security issues

Post by Bethrezen »

vexed wrote: Actually, the problem was the cert expired.
Then it was renewed.

So, if you happen to go there (here) while it was expired, it would show you that error.
If that's the case and the certificate has been renewed, then why does going to https://www.wz2100.net/ still show an outdated certificate and hence give the error?

Here is what I got just now when I tried https://www.wz2100.net/

Image

Also, when I click the forum button on the main page it's still taking me to the http version of the forum instead of the https version, and if you then subsequently log in you get the http version of the login page instead of the https version, which is not secure. So I'd recommend using a .htaccess file or a PHP redirect to make sure that visitors are always using the https version of the site.
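An added example (not from the thread or the Warzone project) of why one plain-http entry link keeps a visitor on http all the way to the login form, which is the case a server-side redirect closes. The markup is constructed, and it assumes the forum's login link is relative, as the `ucp.php?mode=login` in the first post suggests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed markup: the front page's forum button, and the forum's
# login link and form written as relative URLs (an assumption).
FRONT_PAGE = '<a href="http://forums.wz2100.net/">Forum</a>'
FORUM_PAGE = (
    '<a href="./ucp.php?mode=login">Login</a>'
    '<form action="./ucp.php?mode=login" method="post"></form>'
)


class TargetCollector(HTMLParser):
    """Collect navigation targets: <a href> and <form action>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append(value)


def insecure_targets(html, page_url):
    """Resolve each target against the URL the page was loaded from and
    return the ones that end up on plain http."""
    collector = TargetCollector()
    collector.feed(html)
    resolved = (urljoin(page_url, t) for t in collector.targets)
    return sorted({u for u in resolved if urlsplit(u).scheme == "http"})
```

Relative links inherit the scheme of the page that carries them, so the same forum markup is clean when loaded over https and sends the login form over http when the visitor arrived through the http link.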