Is there any possibility to connect securely to Xiaopan? I try https but it does not connect. A site like this should offer this I think.
I will contact TCB13 about this who is our hosting provider. I talked to him about SSL and security and he said SSL isn't that secure. We don't allow purchases through the site, so your banking details are safe.
Hey guys, Well I've discussed a lot of times before what are the security issues with SSL and how to bypass it, you can find a lot of information online on that starting with a tool called sslstrip. Since xiaopan.co does not involve any monetary transactions there isn't a need for SSL. If your problem is that you don't trust your provider and you don't want them to see you surfing around here, just don't forget that they can also use sslstrip/similar tools (and some do as we speak) and the DNS requests are always public. From a technical stand point implementing an SSL certificate on xiaopan.co would mean three things: Yearly cost of an SSL certificate; Yearly cost of a dedicated IP for the SSL; Modifying the current software to deal with it. I'm not in position to tell Mr. Penguin to buy or not to, because I'm the person who is selling the service, but I really don't thing it's necessary for now. Anyway, I'm sure you're a regular user of "place-your-torrent-site-here" and they don't use any SSL certificates. At least here at xiaopan.co you're not infringing any copyright laws.
Well, sounds like a reasonable explanation but I disagree - I am not a "regular user of "place-your-torrent-site-here"" I am an occasional user of ...
Come to think of it you might be right. SSL for Social Network Authentication (VK, Google, Facebook, Steam and Twitter) might be a good idea to secure peoples accounts better
I think using SSL is like locking your house - the good boys stay out and the bad boys know how to break in if they want. But at least we can make them have some difficulties.
Honestly, TCB13 is correct. I am very experienced with the tool SSLStrip and with it very bad things can be done.(not that I'm saying I do them) Yes, we use lots of these tools and they're free to anyone but, they are created to help find vulnerabilities in one's network. Most like to consider themselves as "hackers" and its a common word now in days, a bit taboo to some but, on the serious side if one uses these types of tools with a malicious intention, sooner or later you will be caught..There's no such thing as 100% anonymity. I apologize for the bad example I'm about to use but it's a good one. Just like there's no such thing as safe sex only thing is abstinence-to stay away from it. TCB13 gave a woderful tech. point of view and I will give a "hackers" point of view...HTTPS is expensive and there is no point to use it when it is extremely easy to gain access into someone's account. (so always clear your cookies and never ever Login to any website with the "Remember Me" option checked..hint hint :no But not to worry like Mr. Penguin said "there is no transactions allowed in the website" but if you want to be on the safe side, don't use the same password on any website cause if you do when one of your accounts is hacked most likely the password to your other accounts are the same...
I agree, but ... once again I go with the analogy with the house. You know the bad guys can break into your house, wright? But you still keep locking it. Even though you know that if someone targets your home it's completely useless locking it you keep doing that. Why? I think because you know that this way you keep some curious neighbors out and other mischievous kids too. If someone targets me and wants my email accounts and other stuff I will have to be paranoic to avoid that, but even then I will be vulnerable. The laws are for those who comply them.
As they say, better to be safe than sorry. You never know who your neighbor's are..or what they do behind closed doors..
All above is right, but : what about a more simple solution? use a Tor browser https://www.torproject.org/ I think it is a secure enough option for you...
Actually nodes on the Tor network can sniff your traffic and concerning hidemyass.com they don't delete records. The best way to remain anonymous and secure on the web is to pay for a VPN service from a company that deletes it's records I recommend: http://torguard.net/index.php https://airvpn.org/ Most secure but also most expensive: https://www.cryptocloud.com/index.html Aby$m.
Tweeted about the insecurities of SSL and mentioned SSLstrip on Twitter. Got bashed a little bit lol Think you've got a good grip on SSL? There's more to it than many think and it's easy to leak sensitive info http://t.co/Pl3RoPcGks— Troy Hunt (@troyhunt) April 3, 2013 @XiaopanOS sslstrip isn't magical. If the cert doesn't verify, the page doesn't load.— 🎻 Eric Lawrence (@ericlaw) April 3, 2013 319511327045476352 is not a valid tweet id
I only agree with the first guy, he actually tweeted something worth to read. And it's a good post, now my comments on the other two... @ericlaw is there any browser actually enforcing that behavior? NO. Your point is completely invalid and irrelevant. @XiaopanOS— TCB13 (@TCB13sQuotes) April 6, 2013 @tomwillows should I answer this? The hole point of SSLStrip is to force a "downgrade" HTTPs to plain HTTP. @XiaopanOS @troyhunt— TCB13 (@TCB13sQuotes) April 6, 2013
I'm still discussing with one about how sslstrip actually works. The guy on tweet #2 is convinced that if you're already running on HTTPS sslstrip can't go a thing. --- Double Post Merged, 7 Apr 2013 --- Anyway, in certain conditions Eric Lawrence on Tweet #1 has a point. In order for SSLStrip to fail this needs to happen: 1. The server does not accept plain HTTP traffic and does not run an HTTP server in port 80.. 2. You're simulating an SSL endpoint at your machine. But let's consider this facts there. Nobody forces browsers to go only HTTPS by disabling plain HTTP on port 80, because two reasons: 1.1. SSL is expensive in server processing terms... 1.2. If you disable the webserver at 80 and force everyone to go 443 some clients may not be able to work. So you're loosing traffic. 1.3. People will try to load your website without the "s" in the URL all the time and without a server running a port 80 they will get "server not found..." Now on point 2: 2.2 It's not hard, I guess most people seriously using SSLStrip this days are doing it. 2.3 You can get a real certificate from comodo or something and feed back to the browser an SSL connection between your machine and them. The browser will complain for sure but people will still accept it. For hackers I guess the way to go this days it's SSLStrip with some other tools to implement 2.2. But who cares? Every damn server in the planet accepts plain HTTP when the clients refuses HTTPS (by running SSLStrip on an attacker machine)... Meanwhile, Eric Lawrence taking a very narrow view on this subject and assuming that all the servers running websites on HTTPS are on point 1.2. and 1.3. IMHO I think he's just tweeting this very narrow view to "sell" is "HTTPS traffic debug tool" that actually does everything SSLStrip does and a bit more (point 2.3) at windows. Things for the future of HTTPS hacking: - Tamper with the certificate update mechanism and replace the real certificate on the browser by some certificate generated by you.
this Pdf explains on what it does and how it works mason.gmu.edu/~msherif/isa564/projects/sslstrip2.pdf
