Looking at coultersmithing.com

Post here once you join, and tell us about yourself so we have a clue who we are talking to.
Keep threads short here -- once you have something to say, there's a topic here someplace where it will fit -- and if not, let me know and I will make subforums as necessary. We want all of hard science and tech up here, and if something doesn't fit -- that's my fault and I will fix that for you. See the rules and tips in the parent forum, please.
Forum rules
This subforum is for new members to announce themselves. Try not to create long threads here -- this is just for you to tell us who you are, and for us to say welcome. There are other forums to actually discuss real tech-science things here, and ask questions on. The idea hopefully is to have enough forums and subforums that nothing sci-tech related will be off-topic; there will be a place for it. If I missed something -- let me know, and I'll fix that.

Looking at coultersmithing.com

Postby Phillip Odam » Mon Oct 09, 2017 10:26 pm

In case anyone cares or is interested...

The web server hosting coultersmithing.com is serving via HTTPS as well as regular HTTP, which I assume everyone here uses to access the site. The HTTPS certificate however is for *.bizland.com... by the looks of it the hosting provider for coultersmithing.com. I bring this up for two reasons, either HTTPS should be provided and using a valid certificate or just tear down HTTPS. If it were up to me I'd say just change the SSL certificate and redirect HTTP to HTTPS... there's of course a few extras that ought to be done if wanting to make it a nice clean HTTPS site but that's another discussion.

If the reason for not using HTTPS is the ridiculous price of SSL certificates, I hear ya, and even though the maintenance is yearly to every three years typically, that's still a pain, so I'd suggest using https://letsencrypt.org... takes all of the said headaches away. The SSL certificate is free and automatically renewed at least every 3 months using an agent called certbot. I've used it a couple of times, it works and the documentation ain't too bad.

Anyways, thought I'd mention it if it's something the sysadmin(s) would be interested in and of course anyone else on here that's running their own sites.
Phillip Odam
 
Posts: 4
Joined: Sun Oct 08, 2017 1:44 pm
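The mismatch described in the post (the site answering on HTTPS with a certificate issued to the hosting provider's *.bizland.com name) is exactly what a browser's hostname check rejects. As an added example that is not code from this thread or from the site's host, the following Python implements that check over the dictionary shape `ssl.SSLSocket.getpeercert()` returns, using a constructed certificate record modelled on the post; it also shows the RFC 6125 wildcard rules that decide why `*.bizland.com` covers `www.bizland.com` but not `coultersmithing.com`. The `fetch_peer_cert` helper is the only part that needs network access and is not exercised offline; the CA name and the CN-only record are constructed sample data.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelling the
# situation in the post: the certificate names the hosting provider's wildcard, not the site.
SAMPLE_PROVIDER_CERT = {
    "subject": ((("commonName", "*.bizland.com"),),),
    "issuer": ((("organizationName", "Constructed Example CA"),),),
    "subjectAltName": (("DNS", "*.bizland.com"), ("DNS", "bizland.com")),
}

# Constructed legacy-style certificate with a commonName but no subjectAltName extension.
SAMPLE_CN_ONLY_CERT = {
    "subject": ((("commonName", "coultersmithing.com"),),),
}


def san_dns_names(cert):
    """DNS names from the subjectAltName extension (the names browsers actually check)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values from the subject; a legacy fallback that modern browsers ignore."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label, matches exactly one
    label, needs at least two fixed labels after it (so '*.com' never matches
    anything), and never matches an IDNA A-label. Comparison is case-insensitive.
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0].startswith("xn--"):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert, hostname, allow_common_name=False):
    """True if any SAN DNS entry (or, optionally, the CN when no SAN exists) matches."""
    names = san_dns_names(cert)
    if not names and allow_common_name:
        names = common_names(cert)
    return any(name_matches(n, hostname) for n in names)


def describe_mismatch(cert, hostname):
    """Human-readable verdict, suitable as the output line of a monitoring check."""
    names = san_dns_names(cert) or common_names(cert)
    if cert_matches_hostname(cert, hostname, allow_common_name=True):
        return f"OK: certificate is valid for {hostname}"
    return f"MISMATCH: {hostname} is served a certificate for {', '.join(names) or '(no names)'}"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's certificate with chain verification kept on but the
    library's own hostname check disabled, so a wrong name can be reported by
    describe_mismatch() instead of raising. Needs network access; the offline
    checks above never call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we report the name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain still has to validate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe_mismatch(SAMPLE_PROVIDER_CERT, "coultersmithing.com"))
    print(describe_mismatch(SAMPLE_PROVIDER_CERT, "www.bizland.com"))
```

Run against the constructed record, the first line reports a MISMATCH and the second an OK, which is the same decision a browser makes before showing its certificate warning. To check a real host, pass `fetch_peer_cert("example.invalid")` (placeholder name) into `describe_mismatch`; if the chain itself does not validate, `wrap_socket` raises, which is a separate and more serious finding than a name mismatch.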

Re: Looking at coultersmithing.com

Postby Phillip Odam » Mon Oct 09, 2017 10:30 pm

Forgot to mention, the agent of course requires the ability to run stuff on the box, which at a quick glance it looks like isn't provided with your hosting plan... since port 22 isn't open on the server.

I seem to remember there's a manual option though if you're still wanting to run with a letsencrypt certificate.
Phillip Odam
 
Posts: 4
Joined: Sun Oct 08, 2017 1:44 pm

Re: Looking at coultersmithing.com

Postby Doug Coulter » Tue Oct 10, 2017 7:49 am

Our hosting provider is (they say) iPower. They were cracked in seconds by a pen-testing friend of mine, who handed me both sides of their DH or RSA key.

I've thought about it - but not very much. Touted improvements are:
1. People can't intercept (MITM) data going to and fro. Nothing here is secret, we have no ads, we don't take credit cards, no secrets here... the entire point of this place is to be open.
2. Google gives you a higher rank in search...

Do we care or have a reason to care? Others feel free to leave comments on this, I don't care either way myself. Most of what seems to be done by SSL simply doesn't matter to us, unless I'm missing something. Having it hosted by a very leaky ISP would seem to be more of a concern - if you can crack them, which is evidently trivial, then we've been had as well if the cracker cares.
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Doug Coulter
 
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Looking at coultersmithing.com

Postby Phillip Odam » Tue Oct 10, 2017 8:17 am

Yeah wasn't so much suggesting it from a security perspective. It's more an interface and tidiness thing, why have an HTTPS endpoint up if it's misconfigured... of course you're quite possibly limited by what your hosting provider offers. Can you even disable HTTPS? And like you said there's the value from search ranking, again possibly not something of huge interest.
Phillip Odam
 
Posts: 4
Joined: Sun Oct 08, 2017 1:44 pm

Re: Looking at coultersmithing.com

Postby Doug Coulter » Tue Oct 10, 2017 8:31 am

I can ask them. They've allowed me to do pretty much as I've wanted so far - I'm supposed to be able to run cgis, for example. I hear that eventually chrome won't let you surf to non-https sites, but I think that's hot air in the end. Or the end of "the little guy" on the internet. I did not know that there's https for us at all. Wonder if it's even the same domain/ip?

As I read Bruce Schneier and others...the whole chain of trust thing is utterly fatally flawed and is merely "security theater" - which works about as well (or not) as any other suspension of disbelief.
Plenty of certs stolen, faked, and so on.

But it works for example for bank vaults. Few know that that big shiny door you're not gonna get through is the only place most vaults are hard to get into. The back wall of the bank building, for example, is usually just regular bricks, and if the vault backs up to the wall, a pickup truck can just back into the bank and be "in". Yes, this has been done... It's hard on the truck, and you still don't have much time to get away before the police come - the defense in depth strategy is at play there - the vault is just designed to take long enough to get through to let the other defenses kick in. At perhaps the last level is insurance, or nope, that's government, who bailed out our irresponsible banks (using, of course, our money to do it) when they failed due to bad practices... (which in part were enabled by rule changes by government under bank lobbying).
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Doug Coulter
 
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA
