HTTPS Or HTTP... The War Begins

Anthony Parsons

It's a sad day when running a forum now requires a shift to HTTPS to stop external attacks...

I had such an attack on my main forum only this month. Neither the XF software nor my server was breached; the attack was purely external. Basically, somehow one can make every call from your site reference another domain, injecting that so it acts basically like how discouraged works, randomly slowing page loads and disrupting the overall community, even triggering users' anti-virus alerts by trying to load malicious code into their browser when viewing my site, all done externally without a breach of my server.

Register an uncommon domain, i.e. .tv (it doesn't hit whois quickly), have several servers set up and let the games begin... As I blocked one IP block, the script got moved to the next, and the next, etc. I shut each block down as it went and reported the abuse to each server company to take action against the account holder, which they did.

The end result... you can pay someone a couple hundred bucks to really cause chaos on a forum nowadays, any site actually, whether disgruntled or just to disrupt the competition, all externally... and the only way to protect against it is to shift to HTTPS.

Lesson learnt this month... once you start making an impact in an area around the globe, things get nastier and nastier.

It's just not worth the hassle of blocking further attempts; instead, for $150 you can get SSL from someone like GoDaddy, with the green bar, authenticated, for 2 years, vs. enduring any further external assaults. With HTTPS in use, now they have to try to breach the software or the server...

The web is becoming a very competitive area to play...
 
I'm not clear on how shifting to HTTPS would make any difference at all in the scenario you describe?
 
Good read... def worth considering... Does switching to HTTPS affect anything server-side, or is it a smooth switch? You will have to excuse me as I am not very technical ;)
 
That makes two of us... but apparently, for what occurred and the way it was done, HTTPS is the only way to stop external attacks affecting users' browsers when drawing a page.

I guess it's the same as how it stops people intercepting credit card data in transit when posting it: it stops them intercepting the page as the user pulls it and infecting it with whatever malicious code they used.
 
To be fair, a lot of websites are shifting to putting login forms on HTTPS servers; it may well be worth looking to add support for it into XF. I wouldn't have thought it would be too tricky.

I did read an article on it recently, but I'll be damned if I can find the bloody thing :( From memory, it was something to do with protecting the login details when used on a wifi connection, due to how easy it is to eavesdrop wifi traffic.
 
Good read... def worth considering... Does switching to HTTPS affect anything server-side, or is it a smooth switch? You will have to excuse me as I am not very technical ;)
I haven't noticed any change in server resources switching to HTTPS...

It was effortless, and with a simple .htaccess redirect changing everything on port 80 to HTTPS, even Google traffic wasn't affected... Google must recognise that it's simply an HTTPS change, as the rest of the URL remained unchanged.
 
I wouldn't switch the whole forum to HTTPS; the extra load on a busy site will be noticeable. You should only need to secure the login pages, which on XF is probably a bit of an issue, come to think about it, as it's integrated into the page! However, the URL that the login form posts to could be an HTTPS URL; that would be sufficient.
 
Nope... the specific attack had nothing to do with login; it actually targeted every single page when loaded, per user. Basically, every page load was being intercepted, then injected somehow, all externally.

The server company found no breach of the software or server, couldn't find a single reference to the throwaway domain used, nothing... it affected every member/reader of the forum, logged in or not.

The server companies that I immediately reported the abuse to closed the users' accounts almost immediately, as they found scripting targeting the site. They didn't elaborate; they just told me they had acted and apologised for their servers being used for abuse.
 
I also just reviewed my server load stats, and with 300-400 online for about half of every day, down to around 200 the other half, there is no change in server load via HTTPS.
 
Well, if there was a compromised router or something along the network route, that may be where the data was being injected, if it wasn't on the server. Although if the server company found anything which was their fault, call me a cynic, but would they admit it?

That said, if the server was compromised, it wouldn't necessarily have been fixed by switching to HTTPS. I suspect it was being intercepted somewhere on the network at the hosting company.
 
I never thought about this until just minutes ago, and asked a friend a question. A company I have dealings with does all the web design for a very large pharmaceutical company; basically, they make a website devoted to just one product the company sells... so there are a lot of sites. Anyway, last year they shifted to making all their static product-based websites HTTPS. I never really could figure out why, never gave it a second thought... however, I just asked, and apparently they experienced this last year themselves, all done externally, and the only way around it was to make all sites HTTPS, ceasing any page interceptions between the server and the user's browser.

They don't know whether it was competitors or anti-pharmaceutical disgruntled persons... but it dragged every single page load, creating random page loading times, which is what I experienced... a page could take 10-30 seconds to load, waiting on this injected domain that was catching the page between the server and the browser.

Interesting... that only just clicked to get me to ask.

I don't know if this has also occurred to vBulletin, as they seem to have suddenly switched to HTTPS completely as well. First time I had visited them in a long while earlier, to see any rumours in the public sphere... finding they are totally HTTPS now.
 
Out of interest, are you and that 3rd party company hosted on the same hosting company?

The only way I can see this happening without the server being compromised is that the hosting company has had their network compromised.
 
Modern CPUs can do SSL encryption in hardware, so there should be little to no performance penalty, but there is a major issue with enabling SSL for an entire forum, and it's related to user-generated content.

If you serve a page with HTTPS, but allow media or image embedding from your users, these resources will almost always come from an HTTP source. This compromises the security of the page, as it allows remote client-side script to run, and therefore most browsers will inform users that the page is attempting to load insecure content and have them confirm their understanding before allowing the HTTP content to load. This can be seriously obstructive to user experience, and may frighten visitors who do not understand why they are receiving the warning.
 
Something doesn't add up here; if they were trying to be disruptive there are cheaper and easier ways to take a site down / disrupt service than intercepting network data. What you are describing sounds like a simple slowloris flood, sending partial HTTP headers to your server to force the connections open, drain the server resources and slow the site for other users; however, HTTPS wouldn't resolve that issue.
 
Out of interest, are you and that 3rd party company hosted on the same hosting company?
No, I am on WiredTree; they shifted between several different hosting companies, all European-based.
If you serve a page with HTTPS, but allow media or image embedding from your users, these resources will almost always come from an HTTP source. This compromises the security of the page, as it allows remote client-side script to run, and therefore most browsers will inform users that the page is attempting to load insecure content and have them confirm their understanding before allowing the HTTP content to load. This can be seriously obstructive to user experience, and may frighten visitors who do not understand why they are receiving the warning.
Yes, some browsers do this... agreed... it had to be explained to users and incorporated within new member documentation. Surprisingly, most pages actually load fully compliant using XF, even calling Facebook, Google Analytics, etc... it was only Twitter that I had to remove, as it stopped every page from being HTTPS compliant. Yet Chrome explains it best IMO... showing that a page is still secure, only elements of it are insecure, which don't affect overall site integrity. It's not like a forum is taking credit cards... that would be different.
Anthony, just one word about your hosting company's explanation: fishy
Nothing fishy about WiredTree that I am aware of... actually they spent a lot of time helping me identify the issue, which I ended up resolving by a) blocking each IP block as they shifted servers, whilst simultaneously b) contacting each server company with an abuse notification, which quickly shut it down; the hosting companies obviously found what they were doing, as they took action just from being notified that something was attacking my domain from their IP.

I am not a software engineer or such, so I honestly don't know how they did it... but I do know that they were intercepting each page load, which then filtered down to a warning to my members and readers, as I began getting notifications from users about their security software flagging the site. I disregarded it initially, then noticed in the bottom left of the browser a domain being called with each page load, yet no such domain existed anywhere in my server files... and I did search the software and server files prior to getting the host involved, opting to see if someone had compromised the software or server. Nothing...

Again, not a software guru... but it's being done, it's happening, and I don't have the answer as to how they do it. It's not a simple flood of resources though, or DDoS or such against the server, as it flagged the security software of every reader/member who had such software-based protection measures on their PC... Avast I think it was that picked it up.

Again, I don't have the answers... but skepticism I don't believe is required, as people also thought something like the CIA, Sony and other such major servers couldn't be hacked... yet they just got hacked! Young kids with a computer are doing things that I don't understand...
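Added example, not code from any poster in this thread or from XenForo: a small scanner for the two symptoms discussed above, the mixed-content problem (an https:// page that still pulls scripts or images over http://, which browsers warn about and which remain tamperable in transit) and the unexpected domain that showed up in the browser status bar on every page load. It parses a page's HTML, resolves every fetched sub-resource against the page URL, and reports anything that is http:// on an https:// page or that loads code from a host outside an owner-supplied allowlist. The page URL, the allowlist and the HTML are constructed for the example; the example.net / example.org / example.tv hostnames are placeholders, not real services.

```python
"""Added example (not from this thread or from XenForo): flag sub-resources
on a forum page that are mixed content and/or served from an unexpected host.

  1. Mixed content: an https:// page that still pulls scripts, frames, styles
     or images over http://. Browsers warn about it, and those http:// fetches
     are exactly what an on-path party can still tamper with.
  2. Unexpected host: code-bearing resources (script, frame, stylesheet, ...)
     served from a domain the site owner never configured. User-posted images
     legitimately come from anywhere, so they are only checked for scheme.

All URLs, hosts and the sample page below are constructed for this example.
"""
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names a sub-resource the browser will fetch.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
    "link": "href",   # only counted when rel="stylesheet", see below
    "img": "src",
}
# Tags whose resource can run code or restyle the page ("active" content).
# An image is passive, but browsers still flag it as mixed content.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

Finding = namedtuple("Finding", "tag url reasons severity")


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every sub-resource the page fetches."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as page resources
        value = attrs.get(attr)
        if value:
            # urljoin resolves relative paths and scheme-relative "//host/x"
            # URLs against the page URL, so they inherit the page's scheme.
            self.resources.append((tag, urljoin(self.base_url, value.strip())))


def scan_page(html, page_url, allowed_hosts):
    """Return a list of Finding for resources that are mixed content and/or
    load active content from a host that is neither the page's own host nor
    in allowed_hosts."""
    page = urlsplit(page_url)
    allowed = {page.hostname} | {h.lower() for h in allowed_hosts}
    collector = _ResourceCollector(page_url)
    collector.feed(html)

    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: URIs and the like are not fetched over the network
        reasons = []
        if page.scheme == "https" and parts.scheme == "http":
            reasons.append("mixed content")
        if tag in ACTIVE_TAGS and parts.hostname not in allowed:
            reasons.append("unexpected host")
        if reasons:
            severity = "high" if tag in ACTIVE_TAGS else "low"
            findings.append(Finding(tag, url, tuple(reasons), severity))
    return findings


# --- constructed sample input (hypothetical forum page) -------------------
SAMPLE_PAGE_URL = "https://forum.example.net/threads/https-or-http.1/"
SAMPLE_ALLOWED_HOSTS = [
    "www.google-analytics.com",  # analytics the owner configured
    "connect.facebook.net",      # Facebook widget the owner configured
    "platform.twitter.com",      # Twitter widget, configured but served over http
]
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="/styles/default/xenforo.css">
<link rel="canonical" href="http://forum.example.net/threads/https-or-http.1/">
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//connect.facebook.net/en_US/all.js"></script>
<script src="http://platform.twitter.com/widgets.js"></script>
<script src="http://cdn.example.tv/x.js"></script>
</head><body>
<img src="http://images.example.org/user-upload.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED_HOSTS):
        print(f"[{f.severity}] <{f.tag}> {f.url}: {', '.join(f.reasons)}")
```

Run against the sample page, the Twitter widget is reported as mixed content only (its host is allowlisted), the throwaway cdn.example.tv script is reported for both reasons at high severity, and the user-posted image is a low-severity mixed-content hit; the scheme-relative Facebook script, the canonical link and the data: image produce nothing. Pointing the same function at a page fetched from your own forum gives the same check the thread's author did by eye in the status bar, and lists every resource that must be made https:// before the padlock is clean.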
 
Again, I don't have the answers... but skepticism I don't believe is required
I think the only skepticism you are encountering is related to the assertion that running via SSL would have any effect whatsoever upon the attacks you describe, rather than skepticism that the attacks took place or were effective.
 