Security concerns that NEED to be addressed
-
IMHO:
If we the FTC community want to be taken seriously by anyone out there, the maintainers of feathercoin.com and forum.feathercoin.com have to take these measures:
* Don’t allow HTTP connections to the sites anymore. Enforce HTTPS. Forward HTTP to HTTPS. It’s easy to set up on any web server.
* Provide ways to validate the downloads on your website with GPG signatures and SHA1/SHA256/whatever checksums like the Bitcoin team does.
* Stop asking for an image verification from Google (or any 3rd party for that matter) on your forums. Many of us have this evil corporation Google blocked in our /etc/hosts file. It’s sad to have to enable it to do these image verifications. A connection to Google should not be required to use a website. To see what I’m talking about, add this line to your /etc/hosts file (on OS X, probably similar on Linux): “127.0.0.1 google.com www.google.com”
Just my 2 cents.
-
First of all:
Welcome to the community, ftcvsbtc :)
Normally your post should have gone to the section suggestion box.
[quote name=“ftcvsbtc” post=“43428” timestamp=“1386853137”]
IMHO:
* Don’t allow HTTP connections to the sites anymore. Enforce HTTPS. Forward HTTP to HTTPS. It’s easy to set up on any web server.
[/quote]
What would be the value add to this?
Feathercoin.com is an open website, everything is available to everybody, and using HTTPS only for the whole site has a couple of disadvantages.
There is no trading platform included and no sensitive data is transported unless users publish private data at their own will in the forums.
I agree that it could be considered for some pages on the site, e.g. the download page for the client software, to ensure users that they download from the correct site.
[quote author=ftcvsbtc link=topic=5889.msg43428#msg43428 date=1386853137]
* Provide ways to validate the downloads on your website with GPG signatures and SHA1/SHA256/whatever checksums like the Bitcoin team does.
[/quote]
I think that is in the pipeline and makes sense for the same reason mentioned above
[quote author=ftcvsbtc link=topic=5889.msg43428#msg43428 date=1386853137]
* Stop asking for an image verification from Google (or any 3rd party for that matter) on your forums. Many of us have this evil corporation Google blocked in our /etc/hosts file. It’s sad to have to enable it to do these image verifications. A connection to Google should not be required to use a website. To see what I’m talking about, add this line to your /etc/hosts file (on OS X, probably similar on Linux): “127.0.0.1 google.com www.google.com”
[/quote]
What is your suggestion for an alternate method to ensure no bots register on the site?
-
Hi ftcvsbtc,
That sounds great, when can you start helping us practically implementing your ideas?
-
[quote author=Wellenreiter]
First of all:
Welcome to the community, ftcvsbtc :)
[/quote]
Thanks :D
[quote author=Wellenreiter]
[quote author=ftcvsbtc]
* Don’t allow HTTP connections to the sites anymore. Enforce HTTPS. Forward HTTP to HTTPS. It’s easy to set up on any web server.
[/quote]
What would be the value add to this?
Feathercoin.com is an open website, everything is available to everybody, and using HTTPS only for the whole site has a couple of disadvantages.
There is no trading platform included and no sensitive data is transported unless users publish private data at their own will in the forums.
I agree that it could be considered for some pages on the site, e.g. the download page for the client software, to ensure users that they download from the correct site.
[/quote]
Absolutely, as you mention, wherever files are available for download. Also important for the forum login and password. And, indeed, for more forum post privacy. Why not just secure it all once and for all? I thought it would be easier for you guys than do it on a case-by-case basis.
[quote author=Wellenreiter]
[quote author=ftcvsbtc]
* Provide ways to validate the downloads on your website with GPG signatures and SHA1/SHA256/whatever checksums like the Bitcoin team does.
[/quote]
I think that is in the pipeline and makes sense for the same reason mentioned above
[/quote]
Great to hear. A nice added security measure.
[quote author=Wellenreiter]
[quote author=ftcvsbtc]
* Stop asking for an image verification from Google (or any 3rd party for that matter) on your forums. Many of us have this evil corporation Google blocked in our /etc/hosts file. It’s sad to have to enable it to do these image verifications. A connection to Google should not be required to use a website. To see what I’m talking about, add this line to your /etc/hosts file (on OS X, probably similar on Linux): “127.0.0.1 google.com www.google.com”
[/quote]
What is your suggestion for an alternate method to ensure no bots register on the site?
[/quote]
I haven’t looked into all alternatives out there, but I notice this forum runs on PHP, so this may work: [url=http://www.phpcaptcha.org]http://www.phpcaptcha.org[/url]
-
[quote name=“ftcvsbtc” post=“43428” timestamp=“1386853137”]
* Provide ways to validate the downloads on your website with GPG signatures and SHA1/SHA256/whatever checksums like the Bitcoin team does.
[/quote]
Agreed. I asked for this (and PGP sig for Bush’s post) back when the forum was DDoS’d (allegedly).
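The second measure in the opening post (checksums for the downloads, echoed in the reply just above) is what the client-side check looks like in practice. The following is an added example written for this page, not code from the Feathercoin project or any poster: it parses a SHA256SUMS file in the two-column format that `sha256sum` and `shasum -a 256` write, hashes each listed file and reports OK, MISMATCH or MISSING. The file names and the SHA256SUMS text are constructed for the demo (the digest is the well-known test vector for the string "abc"), so nothing here refers to real release files. Note that a checksum file served from the same site only proves the download was not corrupted or swapped in transit; the GPG signature over the checksum file is what ties it to the maintainers' key, which is why the Bitcoin team publishes both.

```python
import hashlib
import re
from typing import Callable, Dict, Optional

# One entry per line, as written by `sha256sum` / `shasum -a 256`:
#   <64 hex chars><whitespace><optional '*' for binary mode><file name>
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map each listed file name to its expected SHA-256 hex digest.

    Blank lines and '#' comments are skipped; any other line that is not a
    valid entry raises, so a truncated or edited file is never half-trusted.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CHECKSUM_LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        expected[match.group(2)] = match.group(1).lower()
    return expected


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes (what sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


def verify_downloads(
    checksum_text: str, read_file: Callable[[str], Optional[bytes]]
) -> Dict[str, str]:
    """Return {file name: "OK" | "MISMATCH" | "MISSING"} for every entry.

    read_file(name) returns the file's bytes, or None if it is not present.
    Passing a reader keeps the check independent of the filesystem layout.
    """
    results: Dict[str, str] = {}
    for name, want in parse_checksum_file(checksum_text).items():
        data = read_file(name)
        if data is None:
            results[name] = "MISSING"
        elif sha256_hex(data) == want:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


# --- constructed sample data; hypothetical file names, not real releases ---
SAMPLE_FILES = {
    "client-good.zip": b"abc",       # matches the listed digest
    "client-tampered.zip": b"abd",   # one byte changed after signing
}
SAMPLE_SHA256SUMS = """\
# hypothetical SHA256SUMS; the digest is sha256("abc"), a standard test vector
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  client-good.zip
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  client-tampered.zip
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  client-missing.zip
"""


def demo() -> Dict[str, str]:
    """Run the verifier over the constructed sample set."""
    return verify_downloads(SAMPLE_SHA256SUMS, SAMPLE_FILES.get)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

To use it against real files, replace `SAMPLE_FILES.get` with a reader such as `lambda n: open(n, "rb").read() if os.path.exists(n) else None`, and only trust the SHA256SUMS text after `gpg --verify` has accepted its detached signature against the maintainers' published key.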