Complaint This website's SSL cert expired
RodgHerMoore
07-12-2023, 08:19 PM
I haven't posted for a while as my browsers were all warning me about this site not being safe.
I did some research about whether a VPN would help but no it doesn't keep this link secure. It only encrypts to VPN server but anonymous details are still readable between VPN and this site.
Then I thought what is the real security risk here? If the SSL is expired then at worst everything is decryptable and my user name and password can be seen as plaintext. More likely is man in the middle where someone takes my credentials.
But I then realised I don't use my personal email...I use a "burner" email solely for this site. I also use a password I use nowhere else....so I'm effectively ok.
So the risk is probably only for those who use their real email on this site AND a password they reuse elsewhere if they use the same email login.
Can any IT security boffins validate my analysis and logic?
Btw I have run several SSL checkers against this site and the main domain SSL cert expired Jan 2022. But there is another cert that is being renewed every week ....odd...
So anyway admin....you guys put a sticky proudly stating you have upgraded this site's security but you have since let it lapse. Pls fix it up!!!
May not affect us but maybe more of the cautious businesses who may no longer wish to advertise here
woodland
07-12-2023, 09:05 PM
Back in the old days, I recall some folk using their Uni of Sydney email address for this forum.
The email was visible from their profile.
11Bravo
07-12-2023, 11:56 PM
A VPN serves to hide your IP address from all, giving you a different IP address that can't be mapped back to you. Messages from your device to the VPN server are encrypted and wrapped in an envelope. Any sniffer on your ISP connection cannot see the final destination nor the contents. Once at the VPN server, encryption and envelope are removed, and message is sent to the actual destination. But a sniffer there cannot see the actual IP address it was sent from. And it's one of a LOT leaving, and arriving, from/to the VPN server.
My limited understanding of certificates is they just verify that the site is really the site, not a spoofing site. SSL encryption is still done. So if the site is a bogus site, a VPN will not help as it will capture your login info for the true site. But the messages can't be mapped back to you (ok, maybe the government can with a court order for the VPN's logs, IF the VPN keeps logs).
I've used VPNs to get past the Great firewall, and a Big Sandbox's firewall, with no knock on my door from LE.
GoldfishMan
08-12-2023, 12:04 AM
A VPN serves to hide your IP address from all, giving you a different IP address that can't be mapped back to you. Messages from your device to the VPN server are encrypted and wrapped in an envelope. Any sniffer on your ISP connection cannot see the final destination nor the contents. Once at the VPN server, encryption and envelope are removed, and message is sent to the actual destination. But a sniffer there cannot see the actual IP address it was sent from. And it's one of a LOT leaving, and arriving, from/to the VPN server.
My limited understanding of certificates is they just verify that the site is really the site, not a spoofing site. SSL encryption is still done. So if the site is a bogus site, a VPN will not help as it will capture your login info for the true site. But the messages can't be mapped back to you (ok, maybe the government can with a court order for the VPN's logs, IF the VPN keeps logs).
I've used VPNs to get past the Great firewall, and a Big Sandbox's firewall, with no knock on my door from LE.
No bro, once an SSL cert is expired, the connection between you and the website is no longer encrypted. All browsers will do this, unfortunately.
Think of all these cert issuers that you need to pay to renew your cert like triads taking protection money. No money = no protection. It's all a money making circus.
yonah
08-12-2023, 03:30 PM
https://cheapsslsecurity.com.au/sslproducts/renewssl.html
There's so many cheap options for renewing SSL. If this forum is receiving money from advertisers can't they just renew it for the security of not just the visitors but also the advertisers? It costs less than an RnT tip for NHJ yearly.
tan30
08-12-2023, 06:16 PM
Well, they won't. Admins probably died from HIV.
yonah
08-12-2023, 07:37 PM
Well, they won't. Admins probably died from HIV.
Not trying to make the forum look bad but here's my two cents according to experience and comments from punting friends IRL.
I think the problem is that this forum is actually dying. The original founders of this forum may not even be around anymore. Only Sydney and Brisbane sections are mostly active, yet most threads are started by the same bunch of people. It's like living in a post-apocalyptic world where the only surviving engineer built an AI projector to project as many different individuals as possible, therefore whoever is running the forum atm saw no need to spend money on SSL encryption as it is only a bunch of people and shops that keeps it alive.
Many people I know in Sydney who punts normally go onto SYD99 to view rosters. Most of them wouldn't even bother reading reviews because it isn't as exclusive as TNT or PP so there's a chance some of them might be doctored. Even in TNT I found some reviews are doctored as shops or privates see the joining fee as an advert fee that they can make back after posting several reviews of themselves or their lineups. My friends normally try to be friends with the reception at the places they regularly visit and get updates directly. Places where the receptionist just isn't friendly at all and the girls aren't the best in looks or behaviour will get into their "private blacklist".
It's the same in Melbourne - we don't normally share intel in public, we keep it amongst our inner circle. One guy who have tried e.g. Chinese hot bombshell Purple will then in the next day either through word of mouth or private WhatsApp group tell the whole group. Then the whole group depending on their taste will take turns booking the same girl. If the girl stays long in the industry some from the group will be her regular. Punters normally like to keep the best girls to themselves as if she's an official mistress and only share subpar girls with others in my findings.
I was also looking into some of the General threads here and found that the topics are very trivial. It reminds me of Yahoo! Answers back in the days, although now it's mostly replaced by Quora or Reddit. The attraction of forums or discussion boards are no longer there these days as Google provides some really good insights while filtering out info that aren't verified.
If anything I usually avoid toxic conversations online. I know this post might attract some toxicity so don't mind me if I don't respond to negativity. As they say - don't feed the troll any validation. I'll only reply if I see any signs of human intelligence rather than human dumbness or artificial intelligence.
GoldfishMan
08-12-2023, 07:48 PM
Nah, it won't attract any toxicity, only a ban. Just to show you that it isn't "dying", lol...
yonah
08-12-2023, 07:53 PM
Nah, it won't attract any toxicity, only a ban. Just to show you that it isn't "dying", lol...
I guess so. I apologize in advance but I do put my mouth where my money is.
Mitch97
08-12-2023, 11:01 PM
Not trying to make the forum look bad but here's my two cents according to experience and comments from punting friends IRL.
I think the problem is that this forum is actually dying. The original founders of this forum may not even be around anymore. Only Sydney and Brisbane sections are mostly active, yet most threads are started by the same bunch of people. It's like living in a post-apocalyptic world where the only surviving engineer built an AI projector to project as many different individuals as possible, therefore whoever is running the forum atm saw no need to spend money on SSL encryption as it is only a bunch of people and shops that keeps it alive.
Many people I know in Sydney who punts normally go onto SYD99 to view rosters. Most of them wouldn't even bother reading reviews because it isn't as exclusive as TNT or PP so there's a chance some of them might be doctored. Even in TNT I found some reviews are doctored as shops or privates see the joining fee as an advert fee that they can make back after posting several reviews of themselves or their lineups. My friends normally try to be friends with the reception at the places they regularly visit and get updates directly. Places where the receptionist just isn't friendly at all and the girls aren't the best in looks or behaviour will get into their "private blacklist".
It's the same in Melbourne - we don't normally share intel in public, we keep it amongst our inner circle. One guy who have tried e.g. Chinese hot bombshell Purple will then in the next day either through word of mouth or private WhatsApp group tell the whole group. Then the whole group depending on their taste will take turns booking the same girl. If the girl stays long in the industry some from the group will be her regular. Punters normally like to keep the best girls to themselves as if she's an official mistress and only share subpar girls with others in my findings.
I was also looking into some of the General threads here and found that the topics are very trivial. It reminds me of Yahoo! Answers back in the days, although now it's mostly replaced by Quora or Reddit. The attraction of forums or discussion boards are no longer there these days as Google provides some really good insights while filtering out info that aren't verified.
If anything I usually avoid toxic conversations online. I know this post might attract some toxicity so don't mind me if I don't respond to negativity. As they say - don't feed the troll any validation. I'll only reply if I see any signs of human intelligence rather than human dumbness or artificial intelligence.
What's TNT and PP mean? Is that referencing something?
11Bravo
08-12-2023, 11:50 PM
What's TNT and PP mean? Is that referencing something?
Friendly suggestion: rather than quote a long post, acceptable to edit it to the pertinent paragraph/sentences.
tan30
09-12-2023, 12:24 AM
I found this forum after moving on from hookerlooker, that place is just a Russian virus trap now I think.
In any case, aus99 was ok some time ago but just like your Melb group I never wrote ar's on wls/MLS who I wanted to keep to myself. I'm sure people like brothelcreeper are around (unless he died of AIDS too) and I feel ar's should be there so others know who is fake and who isn't. Save the best for yourself.
RodgHerMoore
10-12-2023, 10:24 PM
No bro, once an SSL cert is expired, the connection between you and the website is no longer encrypted. All browsers will do this, unfortunately.
On that last point I am not clear. Some references say it remains encrypted. Others say it is no longer encrypted without elaborating. One source said it is encrypted but the reason it is unsafe is that security protocols and algorithms change all the time. As time passed since expiry there is an increasing likelihood of a cert algorithm being obsolete and having been "cracked" and therefore the encryption is vulnerable.
With all these references diverging on opinion it is hard to sort out fact.
Either way the safest thing to do when using this site is use a burner email account and password solely for this site. This way the only risk is MITM attack and the Quad/Vinnie888/JohnJones idiot steals your credentials and has yet another "zombie" user ID at his disposal.
On that last point I am not clear. Some references say it remains encrypted. Others say it is no longer encrypted without elaborating. One source said it is encrypted but the reason it is unsafe is that security protocols and algorithms change all the time. As time passed since expiry there is an increasing likelihood of a cert algorithm being obsolete and having been "cracked" and therefore the encryption is vulnerable.
With all these references diverging on opinion it is hard to sort out fact.
Either way the safest thing to do when using this site is use a burner email account and password solely for this site. This way the only risk is MITM attack and the Quad/Vinnie888/JohnJones idiot steals your credentials and has yet another "zombie" user ID at his disposal.
Don't know u. 2nd time u called me out. Your mum only cooked when her bf was over and used to buy cheap frozen pizza for u to eat. I don't know how old u are, but I applied for NEETbux for u so that u can buy u own food.
GoldfishMan
11-12-2023, 09:07 AM
On that last point I am not clear. Some references say it remains encrypted. Others say it is no longer encrypted without elaborating. One source said it is encrypted but the reason it is unsafe is that security protocols and algorithms change all the time. As time passed since expiry there is an increasing likelihood of a cert algorithm being obsolete and having been "cracked" and therefore the encryption is vulnerable.
With all these references diverging on opinion it is hard to sort out fact.
There is no ambiguity in it, only good or bad explanations making the reader unable to comprehend the meaning. Hey, what would you expect from websites written by propeller heads? Lol...
The first fact that we need to consider is that SSL uses a public-key encryption method. This type of encryption relies on a 3rd party, the "certificate authority" or CA, to authenticate that the certificate is good to go. An example of a CA is that link someone posted above of a cheap issuer. It's a company that does nothing but keep certificates for other websites.
This is how it works (I'm no expert here!):
Let's say you go to a website and it gives your browser an SSL cert. The cert says "I'm AUS99" somewhere in it, with a public key for encryption. Your browser will then try to authenticate the cert by going to the CA that issued the cert. Only if the CA authenticates the cert, your browser will ask for the private keys from the AUS99 server and only then can an encrypted connection be established (both private and public key must be there on both sides).
Where it breaks in the case of an expired cert is at the CA. Once a cert is expired, the CA will not authenticate the cert. This will make your browser not try to get the private key and therefore, it can only connect to the website without encryption.
zakthekat
11-12-2023, 01:11 PM
Depending on how the certificate is created, there can be other tags on the cert that will make it fail if it's expired, like the EV (extended validation) portion. That's the part that gives you the big green tick on banking sites. Generic based SSL/TLS certificates will still encrypt after expiration but their validity is no longer assured by the CA chain. There are good and reliable free SSL/TLS certificate sources like Let's Encrypt that will give you all the bits you need up to the EV part but they don't support that in the free tiers, you need to pay to get that as it needs to verify you are the owner of the domain being validated. The public keys are the only parts that are transferred between the client and the server, initial connection with the server will ask for a public key and there will be some back and forth negotiating for both sides to use a public key with the server's private key remaining as the source of truth for both public certs. These temporary public keys are protected by a part of the TLS system called Perfect Forward Secrecy, it essentially rolls the keys once a session has been created so that anyone who has sniffed the traffic is unable to use the known keys to replay the conversation and decrypt it, even if you have the private keys. If a self-signed certificate is used, it usually just means the admin hasn't set up proper certs yet or doesn't care about the actual security and it's just a tickbox to get a service running. There are other parts of the SSL/TLS infrastructure that can be abused like downgrading the ciphers to weaken the encrypted streams and/or disable PFS so that people can actively sniff and replay things with the private key in real time.
The parts as a user you need to be concerned about isn't just a cert being expired, it's the CA revoking the cert and it still being in use.
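Added example (not part of any post in this thread, and not code from the forum or its software): a Go program that tests the question being argued here, using only the standard library. It builds a constructed certificate for the placeholder name `forum.example` that expired a day ago, serves it on loopback, and connects once with normal verification and once with verification skipped; `must`, `expiredCert` and `connect` are names invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// expiredCert makes a constructed self-signed cert that expired 24h ago, and a pool trusting it.
func expiredCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"forum.example"}, // placeholder host name
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(-24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// connect dials a loopback TLS server presenting cert; it returns the negotiated cipher suite.
func connect(cert tls.Certificate, client *tls.Config) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server side; its result does not matter here
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return "", err // an expired cert surfaces as x509.CertificateInvalidError
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	cert, roots := expiredCert()
	_, err := connect(cert, &tls.Config{ServerName: "forum.example", RootCAs: roots})
	fmt.Println("default checks:", err) // refused because the certificate has expired
	suite, err := connect(cert, &tls.Config{InsecureSkipVerify: true})
	fmt.Println("checks skipped:", suite, err) // encrypted, but the peer is unproven
}
```

The verifying client aborts the handshake, so nothing is sent in the clear; the client that skips the check gets a normally encrypted session with a server whose identity it has not confirmed.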
aussiegaigin
11-12-2023, 03:29 PM
Every so often my Norton AV throws up alarms when I try to log in, telling me it's a "known dangerous site". Usually resetting the browser clears it.
GoldfishMan
11-12-2023, 04:38 PM
Depending on how the certificate is created, there can be other tags on the cert that will make it fail if it's expired, like the EV (extended validation) portion. That's the part that gives you the big green tick on banking sites. Generic based SSL/TLS certificates will still encrypt after expiration but their validity is no longer assured by the CA chain. There are good and reliable free SSL/TLS certificate sources like Let's Encrypt that will give you all the bits you need up to the EV part but they don't support that in the free tiers, you need to pay to get that as it needs to verify you are the owner of the domain being validated. The public keys are the only parts that are transferred between the client and the server, initial connection with the server will ask for a public key and there will be some back and forth negotiating for both sides to use a public key with the server's private key remaining as the source of truth for both public certs. These temporary public keys are protected by a part of the TLS system called Perfect Forward Secrecy, it essentially rolls the keys once a session has been created so that anyone who has sniffed the traffic is unable to use the known keys to replay the conversation and decrypt it, even if you have the private keys. If a self-signed certificate is used, it usually just means the admin hasn't set up proper certs yet or doesn't care about the actual security and it's just a tickbox to get a service running. There are other parts of the SSL/TLS infrastructure that can be abused like downgrading the ciphers to weaken the encrypted streams and/or disable PFS so that people can actively sniff and replay things with the private key in real time.
The parts as a user you need to be concerned about isn't just a cert being expired, it's the CA revoking the cert and it still being in use.
Well whatever it is, the connection to this site is not encrypted. Chrome browser on my tablet, when I tap on the little triangle icon on the address bar, it says unsafe connection. Then in that page when I tap on more details, it clearly says the connection is not encrypted.
I think what you said about a connection can still be encrypted when the cert is expired is probably for the propeller heads. You'd probably have to fiddle with something to get your browser to still be able to connect with encryption even when the cert is expired. By default it won't do it.
But yeah, the cert not being verified by the issuer is a big problem because it leaves the door open for impersonation by any other site.