Oz Isuzu Forums

General Boards => OzIsuzu Forum Bulletin Board => Topic started by: DannyG on Jul 02, 2020, 12:37:36 PM

Title: Forum Security Error
Post by: DannyG on Jul 02, 2020, 12:37:36 PM
Apologies to anyone affected by the security certificate error we had today.

Our site security certificate is set to auto renew, which it did, however I didn't realise I had to update the site to use the newly renewed certificate.

All sorted now. There was no threat, even though some browsers will suggest there was; they do that purely because they see that the certificate was expired.
Title: Re: Forum Security Error
Post by: Bob on Jul 02, 2020, 12:45:57 PM
Thanks Danny, I knew you would be onto it. :occasion14:
Title: Re: Forum Security Error
Post by: DannyG on Jul 17, 2022, 07:52:00 PM
Hi Guys

Some will have noticed our security certificate has expired again and it's happened while I am away  :sad10:

I'll sort it out later in the week when I have time to work through the process of updating the site to see the new certificate.

Sorry for any inconvenience. Your user information is safely stored in an encrypted database so it's causing no harm.

Title: Re: Forum Security Error
Post by: WAI4WD on Jul 17, 2022, 09:01:30 PM
Quote from: DannyG
> Your user information is safely stored in an encrypted database so it's causing no harm.

No, it's not, just FYI. Simple Machines DB is not encrypted. Using SSL does not encrypt DB data. SSL encrypts content being sent between the user and the server. All data at both ends is plain text. All the info in the server DB is there for the taking if hacked. Edit: Quick search, SMF it seems still only uses SHA-1 for password hashing, which is broken and completely insecure for even storing passwords.

Have you looked at using Cloudflare? Free CDN, free SSL, DDoS, and much more. All free. You don't have to worry about renewing SSL, as you download their SSL to secure between your server and Cloudflare, then Cloudflare auto renew freely the user cert between the browser and Cloudflare. The fastest DNS of all providers. It will dramatically improve speed and performance of this site for all users.
Title: Re: Forum Security Error
Post by: Bob on Jul 18, 2022, 03:04:41 PM
Came good for a while but is now doing it again :BangHead:
Title: Re: Forum Security Error
Post by: yvesjv on Jul 19, 2022, 04:56:44 AM
Confirmed.
Saw it as I connected this morning.
Looks like a Sectigo cert on GoDaddy.
https://sectigostore.com/page/how-to-install-sectigo-ssl-on-godaddy/

bash-5.1$ openssl s_client -showcerts -connect ozisuzu.com.au:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = www.ozisuzu.com.au
verify error:num=10:certificate has expired
notAfter=Jul 16 23:59:59 2022 GMT
verify return:1
depth=0 CN = www.ozisuzu.com.au
notAfter=Jul 16 23:59:59 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = www.ozisuzu.com.au
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA


Title: Re: Forum Security Error
Post by: DannyG on Jul 19, 2022, 10:49:41 AM
I think I have fixed the issue.

I'm not great at this type of thing so can I please get someone to verify that we are now up to date and the https side of the forums is working as it should please?

Thanks and sorry for any inconvenience.
Title: Re: Forum Security Error
Post by: pig75 on Jul 19, 2022, 11:22:57 AM
working now
Title: Re: Forum Security Error
Post by: yvesjv on Jul 22, 2022, 12:39:19 PM
Valid for another year.
Subject   ozisuzu.com.au
Valid from 19/Jul/2022 to 19/Aug/2023
Issuer   Sectigo RSA Domain Validation Secure Server CA
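
Added example, not part of any post in this thread: the expiry that caught the site twice can be spotted ahead of time by checking the certificate the server actually presents rather than the renewal status at the CA. This Python sketch parses `openssl s_client` verify lines like those quoted earlier (`openssl x509 -noout -enddate` prints the same `notAfter=` format) and classifies each certificate; the function names and the 30-day warning window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from ssl import cert_time_to_seconds

# Lines copied from the `openssl s_client` output quoted earlier in the thread.
SAMPLE = """\
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = www.ozisuzu.com.au
verify error:num=10:certificate has expired
notAfter=Jul 16 23:59:59 2022 GMT
verify return:1
depth=0 CN = www.ozisuzu.com.au
notAfter=Jul 16 23:59:59 2022 GMT
verify return:1
"""

DEPTH = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")
NOT_AFTER = re.compile(r"^notAfter=(.+ GMT)$")

def parse_verify_output(text):
    """Map chain depth -> subject, verify errors and notAfter (UTC) when printed."""
    certs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := DEPTH.match(line):
            # s_client repeats a depth= line per verify callback; merge them.
            cur = certs.setdefault(int(m.group(1)),
                                   {"subject": m.group(2), "errors": [], "not_after": None})
        elif cur is not None and (m := VERIFY_ERR.match(line)):
            cur["errors"].append((int(m.group(1)), m.group(2)))
        elif cur is not None and (m := NOT_AFTER.match(line)):
            ts = cert_time_to_seconds(m.group(1))
            cur["not_after"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    return certs

def expiry_status(not_after, now, warn_days=30):
    """'expired', 'renew-soon' (inside the warning window) or 'ok'."""
    if now >= not_after:
        return "expired"
    return "renew-soon" if not_after - now <= timedelta(days=warn_days) else "ok"

def check_chain(text, now, warn_days=30):
    """[(depth, status)] for each certificate whose expiry was printed."""
    return [(d, expiry_status(c["not_after"], now, warn_days))
            for d, c in sorted(parse_verify_output(text).items()) if c["not_after"]]

if __name__ == "__main__":
    print(check_chain(SAMPLE, datetime.now(timezone.utc)))
```

Run on a schedule against the live host, a `renew-soon` result leaves time to install a renewed certificate before browsers start warning.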
Title: Re: Forum Security Error
Post by: DannyG on Jul 22, 2022, 04:19:58 PM


Quote from: WAI4WD
> Have you looked at using Cloudflare? Free CDN, free SSL, DDoS, and much more. All free. You don't have to worry about renewing SSL, as you download their SSL to secure between your server and Cloudflare, then Cloudflare auto renew freely the user cert between the browser and Cloudflare. The fastest DNS of all providers. It will dramatically improve speed and performance of this site for all users.

Hi, sorry I missed this. I am a complete numpty on this type of thing so I have no idea what you are talking about  ;D But it sounds like my price range....... I just don't know what to do  :evil6:
Title: Re: Forum Security Error
Post by: WAI4WD on Jul 22, 2022, 06:45:10 PM
Cloudflare is the largest DNS provider, which just happens to come with CDN and lots of other free features. Paid plans have more, but you don't need them for basic website management.

You create a Cloudflare account.

You change your domain DNS to point at Cloudflare instead of at your server.

You point Cloudflare DNS to your server. Most domain registrars don't provide full DNS control nowadays, Cloudflare does, FREE.

When the domain is picked up in Cloudflare (takes about a minute or two), you can then create an Origin SSL, which is typically 15 years. That is the SSL that secures between your server and Cloudflare. Cloudflare automatically manages your front facing SSL, which will be a wildcard certificate securing many client sites of theirs, but exactly the same as what you use now.

That's it.

Other than the many other options you can play with to improve the speed and performance of your sites loading via Cloudflare.

You don't need to generate a CSR or anything on your server, you can do it all on Cloudflare and just copy paste it over your existing file locations, depending on what you're using (NGINX or Apache).
Title: Re: Forum Security Error
Post by: DannyG on Jul 23, 2022, 08:11:22 AM
Quote from: WAI4WD
> Cloudflare is the largest DNS provider, which just happens to come with CDN and lots of other free features. Paid plans have more, but you don't need them for basic website management.
>
> You create a Cloudflare account.
>
> You change your domain DNS to point at Cloudflare instead of at your server.
>
> You point Cloudflare DNS to your server. Most domain registrars don't provide full DNS control nowadays, Cloudflare does, FREE.
>
> When the domain is picked up in Cloudflare (takes about a minute or two), you can then create an Origin SSL, which is typically 15 years. That is the SSL that secures between your server and Cloudflare. Cloudflare automatically manages your front facing SSL, which will be a wildcard certificate securing many client sites of theirs, but exactly the same as what you use now.
>
> That's it.
>
> Other than the many other options you can play with to improve the speed and performance of your sites loading via Cloudflare.
>
> You don't need to generate a CSR or anything on your server, you can do it all on Cloudflare and just copy paste it over your existing file locations, depending on what you're using (NGINX or Apache).

Thanks for the info, way too complicated for me. I have no idea about DNSs or how to point them, sorry. I've paid for the SSL thingy for 2 or 3 years in advance now so I think I have to just leave it for now.
Title: Re: Forum Security Error
Post by: yvesjv on Jul 23, 2022, 10:19:10 AM
Totally agree with Cloudflare except for the use of the wildcard certificate.
If you just happen to share that wildcard cert and with 'bad neighbours' sharing the same IP from the provider, you will be blocked... period
We use Umbrella DNS and see totally legit sites blocked because of 'bad neighbours'.

Long explanation:
https://umbrella.cisco.com/blog/websites-and-bad-neighbors
Title: Re: Forum Security Error
Post by: WAI4WD on Jul 23, 2022, 11:42:15 AM
Quote from: yvesjv
> Totally agree with Cloudflare except for the use of the wildcard certificate.
> If you just happen to share that wildcard cert and with 'bad neighbours' sharing the same IP from the provider, you will be blocked... period

Not how it works with Cloudflare. SSL is being assigned to Cloudflare IPs, none of which are EVER considered bad as Cloudflare IPs are considered tier connections. The cert issued by Cloudflare for your server is between you and Cloudflare only, NOT the visitor. Any bad neighbour server IP has ZERO impact on SSL or IP blocks. You can't impact another user with Cloudflare. Bad neighbours (server IPs) are typically associated to email spam, nothing else.

Never read about this being an issue using Cloudflare due to how their system works. Their DNS is the fastest in the world to date for good reason.

Oh, and to use the Cloudflare free SSL system, you have to use Cloudflare DNS, you can't bypass it within the DNS settings, pointing back to forward facing SSL using Cloudflare only IPs not origin IPs.
Title: Re: Forum Security Error
Post by: yvesjv on Jul 24, 2022, 03:29:06 AM
Looked it up, they use nginx.
Guess it's all go for Danny to migrate to Cloudflare then.
Title: Re: Forum Security Error
Post by: yvesjv on Aug 11, 2022, 03:04:17 PM
Logged in while at work and seeing this security warning:
The information that you’re about to submit is not secure
Because this form is being submitted using a connection that’s not secure, your information will be visible to others.


Appears when submitting the login form that contains the username/password combo it is not encrypted thus the serious warning...
Title: Re: Forum Security Error
Post by: DannyG on Aug 12, 2022, 07:34:28 AM
Quote from: yvesjv
> Logged in while at work and seeing this security warning:
> The information that you’re about to submit is not secure
> Because this form is being submitted using a connection that’s not secure, your information will be visible to others.
>
> Appears when submitting the login form that contains the username/password combo it is not encrypted thus the serious warning...

Thanks, any idea what I can do to stop that happening? I think the forum software may have an update or two available perhaps that would help?
Title: Re: Forum Security Error
Post by: yvesjv on Aug 12, 2022, 03:48:28 PM
You probably will have to get in touch with web support, not my field.
A quick look shows where it is occurring, see attached.

(https://i.ibb.co/LtNdd3p/Screenshot-2022-08-12-15-10-31.png) (https://ibb.co/LtNdd3p)
Title: Re: Forum Security Error
Post by: WAI4WD on Aug 12, 2022, 07:28:28 PM
That is a 301 redirect is why.
Title: Re: Forum Security Error
Post by: yvesjv on Aug 13, 2022, 04:17:17 AM
You know how to help him?
Haven't touched Apache and any other web servers well over 10 years...
Title: Re: Forum Security Error
Post by: WAI4WD on Aug 13, 2022, 11:05:56 AM
Being that it's saying it's a 301 redirect, my understanding is you can't SSL login content via a 301 securely, as you're changing the POST / GET URL from the secure login form itself for password field.

This normally happens when you have multiple pages to login, where it's redirecting to the original path required to confirm with the DB.

Upgrade the software and template with any patches.

I don't personally touch free forum software for many reasons, one is they're the most insecure, updates are spotty at best, and they stop running well as they grow due to lack of server software support.

Quote from: yvesjv
> Haven't touched Apache and any other web servers well over 10 years...

I stopped using Apache long ago. Too bloated. I've used NGINX for probably the last 6 years now. Won't go back. When my last forum got to about 300k posts, it was expensive and difficult to optimise on Apache, compared to NGINX. My main one is about 1.7 million on NGINX, extremely fast page loading.

Much cheaper to run NGINX servers with forums on them than Apache. A fraction of the cost actually.
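
Added example, not part of any post in this thread: the browser warning reported on Aug 11 describes a form on an HTTPS page being submitted over plain HTTP, and the replies point at a 301 redirect. This Python sketch checks a page's own HTML for forms whose action resolves to `http://` and checks a recorded redirect chain for a hop down to `http://`; the URLs, markup and function names are constructed for illustration, and it is an assumption that either condition is what the forum's login page was doing.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup, not the forum's real pages.
PAGE_URL = "https://forum.example/index.php?action=login"
SAMPLE_HTML = """
<form action="http://forum.example/index.php?action=login2" method="post">
  <input type="text" name="user"><input type="password" name="passwrd"></form>
<form action="index.php?action=search"><input name="q"></form>
"""

class FormAudit(HTMLParser):
    """Record each <form> with its action resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_forms(page_url, html):
    """Forms on an HTTPS page whose action resolves to plain http://."""
    audit = FormAudit(page_url)
    audit.feed(html)
    secure_page = urlsplit(page_url).scheme == "https"
    return [f for f in audit.forms if secure_page and urlsplit(f["action"]).scheme == "http"]

def first_http_hop(start_url, hops):
    """Walk recorded (status, Location) hops; return the first http:// URL reached."""
    url = start_url
    for status, location in hops:
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            if urlsplit(url).scheme == "http":
                return url
    return None

if __name__ == "__main__":
    print(insecure_forms(PAGE_URL, SAMPLE_HTML))
```

A form flagged with `has_password` set is the one to fix first, by making its action (and any redirect target) an `https://` URL.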