Suggestion Xiaopan and SSL?

Discussion in 'Suggestions & Forum Changes Box' started by toljinsky, 10 Nov 2012.

  1. toljinsky

    toljinsky Well-Known Member

    Joined:
    4 Nov 2012
    Messages:
    11
    Likes Received:
    8
    Is there any possibility to connect securely to Xiaopan? I try https but it does not connect. A site like this should offer this I think.
     
  2. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    Joined:
    18 May 2012
    Messages:
    3,097
    Likes Received:
    1,199
    I will contact TCB13 about this who is our hosting provider. I talked to him about SSL and security and he said SSL isn't that secure. We don't allow purchases through the site, so your banking details are safe.
     
  3. TCB13

    TCB13 iKlive CEO
    Staff Member Admin VIP

    Joined:
    24 Jun 2012
    Messages:
    96
    Likes Received:
    54
    Hey guys,
    Well I've discussed a lot of times before what are the security issues with SSL and how to bypass it, you can find a lot of information online on that starting with a tool called sslstrip.

    Since xiaopan.co does not involve any monetary transactions there isn't a need for SSL. If your problem is that you don't trust your provider and you don't want them to see you surfing around here, just don't forget that they can also use sslstrip/similar tools (and some do as we speak) and the DNS requests are always public.

    From a technical stand point implementing an SSL certificate on xiaopan.co would mean three things:
    1. Yearly cost of an SSL certificate;
    2. Yearly cost of a dedicated IP for the SSL;
    3. Modifying the current software to deal with it.
    I'm not in position to tell Mr. Penguin to buy or not to, because I'm the person who is selling the service, but I really don't thing it's necessary for now.
    Anyway, I'm sure you're a regular user of "place-your-torrent-site-here" and they don't use any SSL certificates. At least here at xiaopan.co you're not infringing any copyright laws.
     
  4. toljinsky

    toljinsky Well-Known Member

    Joined:
    4 Nov 2012
    Messages:
    11
    Likes Received:
    8
    Well, sounds like a reasonable explanation but I disagree - I am not a "regular user of "place-your-torrent-site-here"" :) I am an occasional user of ...
     
  5. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    Joined:
    18 May 2012
    Messages:
    3,097
    Likes Received:
    1,199
    Come to think of it you might be right. SSL for Social Network Authentication (VK, Google, Facebook, Steam and Twitter) might be a good idea to secure peoples accounts better
     
  6. toljinsky

    toljinsky Well-Known Member

    Joined:
    4 Nov 2012
    Messages:
    11
    Likes Received:
    8
    I think using SSL is like locking your house - the good boys stay out and the bad boys know how to break in if they want. But at least we can make them have some difficulties.
     
  7. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    249
    Likes Received:
    107
    Honestly, TCB13 is correct. I am very experienced with the tool SSLStrip and with it very bad things can be done.(not that I'm saying I do them) Yes, we use lots of these tools and they're free to anyone but, they are created to help find vulnerabilities in one's network. Most like to consider themselves as "hackers" and its a common word now in days, a bit taboo to some but, on the serious side if one uses these types of tools with a malicious intention, sooner or later you will be caught..There's no such thing as 100% anonymity. I apologize for the bad example I'm about to use but it's a good one. Just like there's no such thing as safe sex only thing is abstinence-to stay away from it. TCB13 gave a woderful tech. point of view and I will give a "hackers" point of view...HTTPS is expensive and there is no point to use it when it is extremely easy to gain access into someone's account. (so always clear your cookies and never ever Login to any website with the "Remember Me" option checked..hint hint :no But not to worry like Mr. Penguin said "there is no transactions allowed in the website" but if you want to be on the safe side, don't use the same password on any website cause if you do when one of your accounts is hacked most likely the password to your other accounts are the same...
     
  8. toljinsky

    toljinsky Well-Known Member

    Joined:
    4 Nov 2012
    Messages:
    11
    Likes Received:
    8
    I agree, but ... once again I go with the analogy with the house. You know the bad guys can break into your house, wright? But you still keep locking it. Even though you know that if someone targets your home it's completely useless locking it you keep doing that. Why? I think because you know that this way you keep some curious neighbors out and other mischievous kids too.
    If someone targets me and wants my email accounts and other stuff I will have to be paranoic to avoid that, but even then I will be vulnerable.
    The laws are for those who comply them.
     
  9. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    249
    Likes Received:
    107
    As they say, better to be safe than sorry.;)
    You never know who your neighbor's are..or what they do behind closed doors..
     
  10. Fantasma

    Fantasma Well-Known Member

    Joined:
    31 May 2012
    Messages:
    741
    Likes Received:
    434
    All above is right, but : what about a more simple solution? use a Tor browser https://www.torproject.org/ I think it is a secure enough option for you...
     
  11. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    Joined:
    18 May 2012
    Messages:
    3,097
    Likes Received:
    1,199
    hidemyass.com is another option too.
     
  12. Aby$m

    Aby$m Well-Known Member
    Dev Team VIP

    Joined:
    25 Oct 2012
    Messages:
    153
    Likes Received:
    124
  13. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    Joined:
    18 May 2012
    Messages:
    3,097
    Likes Received:
    1,199
    Tweeted about the insecurities of SSL and mentioned SSLstrip on Twitter. Got bashed a little bit lol

    319511327045476352 is not a valid tweet id
     
  14. TCB13

    TCB13 iKlive CEO
    Staff Member Admin VIP

    Joined:
    24 Jun 2012
    Messages:
    96
    Likes Received:
    54
    I only agree with the first guy, he actually tweeted something worth to read. And it's a good post, now my comments on the other two...

     
    • Like Like x 1
  15. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    Joined:
    18 May 2012
    Messages:
    3,097
    Likes Received:
    1,199
    Looking forward to their response TCB13 :herpderp:
     
  16. TCB13

    TCB13 iKlive CEO
    Staff Member Admin VIP

    Joined:
    24 Jun 2012
    Messages:
    96
    Likes Received:
    54
    I'm still discussing with one about how sslstrip actually works. The guy on tweet #2 is convinced that if you're already running on HTTPS sslstrip can't go a thing.
    --- Double Post Merged, 7 Apr 2013 ---
    Anyway, in certain conditions Eric Lawrence on Tweet #1 has a point. In order for SSLStrip to fail this needs to happen:

    1. The server does not accept plain HTTP traffic and does not run an HTTP server in port 80..
    2. You're simulating an SSL endpoint at your machine.

    But let's consider this facts there. Nobody forces browsers to go only HTTPS by disabling plain HTTP on port 80, because two reasons:

    1.1. SSL is expensive in server processing terms...
    1.2. If you disable the webserver at 80 and force everyone to go 443 some clients may not be able to work. So you're loosing traffic.
    1.3. People will try to load your website without the "s" in the URL all the time and without a server running a port 80 they will get "server not found..."

    Now on point 2:
    2.2 It's not hard, I guess most people seriously using SSLStrip this days are doing it.
    2.3 You can get a real certificate from comodo or something and feed back to the browser an SSL connection between your machine and them. The browser will complain for sure but people will still accept it.

    For hackers I guess the way to go this days it's SSLStrip with some other tools to implement 2.2. But who cares? Every damn server in the planet accepts plain HTTP when the clients refuses HTTPS (by running SSLStrip on an attacker machine)...

    Meanwhile, Eric Lawrence taking a very narrow view on this subject and assuming that all the servers running websites on HTTPS are on point 1.2. and 1.3. IMHO I think he's just tweeting this very narrow view to "sell" is "HTTPS traffic debug tool" that actually does everything SSLStrip does and a bit more (point 2.3) at windows.

    Things for the future of HTTPS hacking:
    - Tamper with the certificate update mechanism and replace the real certificate on the browser by some certificate generated by you.
     
    • Like Like x 1
  17. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    249
    Likes Received:
    107
Loading...
  • About Us

    We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting. Feel free to check out and upload resources.


    You can also find us on: Twitter and Facebook

  • Donate to Us

    Did you find our forums useful? Feel free to donate Bitcoin to us using the form below. Those who donate the equivlent of $10 USD or more will be upgraded to VIP membership. Don't have Bitcoin? Use your credit card to GO VIP here. Don't want to fork out some coin? There are other ways to GO VIP. Bitcoin: 1LMTGSoTyJWXuy2mQkHfgMzD7ez74x1Z8K