Enable/Configure HTTPS for proxmark.org

ikarus · 2015-02-19 22:20:08

Hi,

I really want to use HTTPS on proxmark.org. Especially for the logging in to this forum!
Can someone configure the server to provide TLS? I don't care if it is a self-signed certificate... I just
don't want so send my login credentials unencrypted!

Also, this could be a great opportunity to update the website. At least a little bit...
It's really outdated... content and design.

Does anyone know who is responsible for the webserver?

Cheers!
ikarus

0xFFFF · 2015-02-19 23:19:27

I have asked Roel on several occasions for Administrative control. A little while back I organised the migration to GitHub but I think giving proxmark.org a facelift is going to be impossible without Roel's help!

asper · 2015-02-20 09:02:07

I agree. Roel if you can, give help!

ikarus · 2015-02-21 16:22:49

Yep, I remember the migration to GitHub and the discussion to update the website too.
Did Roel respond to your message?

0xFFFF · 2015-02-22 23:25:23

ikarus wrote:

Yep, I remember the migration to GitHub and the discussion to update the website too.
Did Roel respond to your message?

Unfortunately not.

*Sent another email. Hopefully I get a reply.

If anyone has contacted Roel in the past using an email address that is not published on this site or http://nfc-tools.org/, could you please contact me?

0xFFFF · 2015-02-26 01:16:08

Good news!!
Roel has contacted me and I have been granted access to make changes to the site.

See post here.

marshmellow · 2015-02-26 06:15:01

Great news!

Https would be nice for login.

I personally don't care how the look and feel goes. As long as we keep the ability to show images and code snippets.

asper · 2015-02-26 10:26:05

I agree with marshmellow.

The post in the news and announcement section is not "answerable" so I write there: I would like to choose a forum Platform which is secure; for what I read phpBB3 is secure, any other suggestion about the Platform ?

Last edited by asper (2015-02-26 11:06:17)

0xFFFF · 2015-02-26 11:56:29

asper wrote:

I agree with marshmellow.
The post in the news and announcement section is not "answerable" so I write there: I would like to choose a forum Platform which is secure; for what I read phpBB3 is secure, any other suggestion about the Platform ?

Ah. Sorry about that. I can post there no worries

Most of the sites I visit use phpBB. I don't know if any of the features we might want are missing from phpBB.
Something that also needs to be considered is the migration of data from one forum to another.

holiman · 2015-02-26 21:24:14

I also don't care about UI, but from what I understand, "discourse" is teh shit. Written by Jeff Atwood, the guy behind stack exchange. I don't know, maybe good. The small features I'd like to have is "active" with specified time interval,instead of only 24h. Also ability for private messages.

As for the proxmark homepage, would be nice if we could write some info about releases and development, links to blog-posts and rfid-related news (new hacks etc), links to documentation.

rule · 2015-02-27 10:29:49

Guys, you do realize there are many plugins for this fluxbb board (like PM etc.). I'm fine with migrating to another forum, but I do like the flexibility of this one.

As for https, I'm sure I can find some time to configure a certificate in the near future.

marshmellow · 2015-02-27 14:07:02

Small annoyances with the current setup ( probably easy fixes):
If you set privacy settings to allow members to email you it does not allow it. (Don't know what that setting does.)

pm would be nice.

Additional content clean up probably just requires more moderators.

Might be nice to have the ability to "close" a topic. Maybe it pulls out of the "open" topics lists and doesn't allow new posts, but can be found via a search or closed section?

Other than that it is working well IMHO.

Edit: oh and the newbe instructions probably need some significant updates.

Last edited by marshmellow (2015-02-27 14:10:36)

ikarus · 2015-02-28 21:52:48

Great news!

phpBB(3) is really nice and feature rich. I set it up multiple times my self. But the main issue
(as pointed out by 0xFFFF) is the migration. I don't think there is a good automated tool for that.
Therefore I agree to rule's proposal to improve this fluxbb installation with plugins.
Hopefully there are good and well maintained plugins...
Using unmaintained plugins could result in a high security risk!

As for the website: I'm fine with WordPress.
It has a strong community and therefore good support.

YoungJules · 2015-02-28 23:44:40

There are tools around, an example (I didn't try it) is discussed at https://www.phpbb.com/community/viewtopic.php?f=65&t=2109031

Otherwise, you just need to find a good programmer with plenty of ETL and database/website conversion experience (ahem!)

Regards.
YoungJules

ikarus · 2015-03-01 12:10:13

I don't think it is that easy. The script they talk about at https://www.phpbb.com/community/viewtop … &t=2109031
is for fluxBB to phpBB2. Not phpBB3. The third version is more complex. (DB structure: fluxBB vs. phpBB3)
But maybe I'm just a pessimist So if someone has the time to try out different conversion tools, feel free to do so!

YoungJules · 2015-03-01 22:23:19

Yeah, I saw it was for phpbb2, but figured the path from phpbb2 to phpbb3 should be well-travelled... anyway I'm here (sometimes) if you guys do need some help

piwi · 2015-03-10 18:31:17

I'd like to add to the wish list: smartphone friendly layout.

ikarus · 2015-04-12 16:08:50

rule wrote:

As for https, I'm sure I can find some time to configure a certificate in the near future.

Any news?

0xFFFF · 2015-04-14 02:13:39

Small update...
I have been away on holidays for a little while so I have not made much progress.
A while ago I copied a dump of the FluxBB database and I am poking around with add-ons and additional security. I am thinking of re-installing FluxBB. I think there might have to be a small outage at some time.

Is there anyone out there with some graphics skills that might be interested in redoing the Proxmark artwork? (logo, main Proxmark image...)

0xFFFF · 2015-05-28 01:58:49

Has anyone had a look at http://flarum.org/?
Thoughts?

marshmellow · 2015-05-28 02:07:12

Just saw one complaint is it has an infinite scroll layout instead of pages. Could get cumbersome with some topics around here. but there probably would be a way to minimize the annoyance.

0xFFFF · 2015-05-28 02:19:28

marshmellow wrote:

Just saw one complaint is it has an infinite scroll layout instead of pages. Could get cumbersome with some topics around here. but there probably would be a way to minimize the annoyance.

I spotted that one too. Hopefully the Beta release addresses this. It could be a good alternative to FluxBB.

marshmellow · 2015-05-28 02:20:34

Looks promising

suixo · 2016-05-10 13:29:07

Another good forum CMS is Discourse: http://try.discourse.org/

It's simple (I find phpBB heavy and bloated), and modern. I also like FluxBB for its simplicity, even if PM could be an interesting option to enable.

For HTTPS, if we have access to a shell on the server / are able to execute python code, Let's Encrypt is a good way to get free and globally-recognized certificates (they encourage automation so you have to renew it every 3 months, but it is quite simple to do).

osys · 2016-05-10 14:11:37

Dear forum members,

From web development point of view, I would definitely implement https. Its a must nowadays, especially for such sensitive resources like this.
I would also rather keep FluxBB as a forum engine (it's really the best), but reuse it's authentication scheme to keep current credential leveraging the possibilities of modern frameworks like Yii2 \ Laravel to achieve interaction services like dumps exchange, etc right on the site. Proxmark is a tool, the same web site should be - application for exchanging knowledge achievements as well as keep discussions on the subject. Another point against monsters like phpBB or any other CMS will be security. Such systems more often being compromised rather than custom web applications.

I wish I would be able to leave feedback on proxmark.org face lift! topic, but seems there are restrictive permissions on it.

Edit:
I've also noticed proxmark.nl to be direct mirror of the forum\site. This can cause content duplicate btw.

Last edited by osys (2016-05-10 14:23:37)

0xFFFF · 2016-05-11 00:41:25

osys wrote:

I wish I would be able to leave feedback on proxmark.org face lift! topic, but seems there are restrictive permissions on it.

Oh. I wasn't thinking when I created the original post. It has been moved now. Try again.

ikarus · 2016-05-29 11:01:53

So it has been over a year now...

Let's stick to the important thinks here: This site needs SSL/TLS!
I'm happy if it will also get a face lift, but the first priority should be
to add HTTPS support. As osys said: "It's a must nowadays, especially
for such sensitive resources like this." So could we please make this
happen? Every time I login to this my stomach hurts...

Let's Encrypt is even out of beta by now.
So it easy to obtain a certificate (if you are in control of the server).

@0xFFFF
You said "Roel has contacted me and I have been granted access to make changes to the site.".
Do the gained privileges include all the needed stuff? (updating webserver configuration, etc.)

ikarus · 2017-03-02 22:07:13

So nearly another year has gone by...
Well, some things have changed. The forum was updated!
Thank you roel and iceman!

However, HTTPS is still an issue. Browsers like Firefox even started
to inform the user visually about insecure connections.

@roel & @iceman: I know your time is very limited. But can you please
use some of this time and configure Let's Encrypt? I can help you with
that If you want to. It just "hurts" me to enter my credentials knowing
that they will leave my computer encrypted.

iceman · 2017-03-02 22:24:41

I'm happy someone likes the new look. Not many users after I removed 10k spam accounts. Enormously much spamers, thanks to recaptcha, the new registrations is down to one per day.

When it comes to configure the server, my hands are totally locked. I've no access to the server configs.
I'll ask Roel about a ssl-certificate.

jbono · 2017-03-09 20:10:18

Well, it's possible to use the Let'sEncrypt free SSL Certificate. I could help with that if Roel needs some help or time!

JahProx · 2017-11-10 22:12:04

If this still a problem, I could also help out! Besides that, I can also make a (free ofcourse) contribution by redesigning / rebuilding the website
PM if u guys are interested!

iceman · 2017-11-10 22:45:01

Thanks for the offer.

Things roll a bit slower in the proxmark world when it comes to certain things but eventually it will happen.

ikarus · 2018-09-30 22:37:50

Well, 3.5 years later...
Any news?

piwi · 2019-03-18 12:22:50

And another 6 months later we have https enabled! Just need a valid certificate now. Thanks iceman for this long deserved forum upgrade.

bunny · 2019-04-21 06:43:27

I think letsencrypt is good for a valid certificate, the certificate expire every 3 months but there is a bot for renewal.

ikarus · 2019-08-12 20:06:39

At last, some progress! Great! But we are not there yet. HTTPS without a valid certificate is no real improvement.
But as @bunny said, just use letsencrypt! @iceman: if you need some help, just say so.

iceman · 2019-08-12 20:27:26

Dunno how many times I have explained this, but neither 0xFFFF nor I have server access to the site. We have FTP access.
Apperantly the server hosts serveral sites. I can only ask Roel to about it. The communication that HTTPS is enabled hasn't reached me yet, so I doubt Roel had anything to do with it.

I have gotten many nice offers to help set up letsencrypt and I tried to explain the situation at hand. As I understand installing a cert needs a shell with root access. Don't have. So is there a way to update without? because I am not at all interested in the idea of running a local priv escalation exploit to install things.

gator96100 · 2019-08-12 21:36:54

Let’s Encrypt certificates can be created without shell access by uploading a file over FTP, but the certificate needs to be renewed every 3 months manually. The problem is the webserver needs to be configured for https with the Let’s Encrypt certificate.

batman192 · 2019-08-12 22:25:49

gator96100 wrote:

Let’s Encrypt certificates can be created without shell access by uploading a file over FTP, but the certificate needs to be renewed every 3 months manually. The problem is the webserver needs to be configured for https with the Let’s Encrypt certificate.

Super janky idea- can the cert be renewed locally and then remotely copied via FTP? Someone would just need to set up a Cron Job that runs the renewal command every three months and then uploads the new certificate via FTP into the proper place.

Regarding webserver configuration, not sure what web server this site is running on but it should be possible to clone the current webserver config, manually add in the SSL cert path, and upload the new config and SSL certs?

gator96100 · 2019-08-12 23:36:46

batman192 wrote:

Super janky idea- can the cert be renewed locally and then remotely copied via FTP? Someone would just need to set up a Cron Job that runs the renewal command every three months and then uploads the new certificate via FTP into the proper place.

I am not familiar with Let’s Encrypts manual mode, but a cron job on a maschine with shell access that renews the certificate for a remote server with ftp access should work.

batman192 wrote:

Regarding webserver configuration, not sure what web server this site is running on but it should be possible to clone the current webserver config, manually add in the SSL cert path, and upload the new config and SSL certs?

This would require access to the configuration file and I am not sure who has access to it.

batman192 · 2019-08-12 23:52:06

I am not familiar with Let’s Encrypts manual mode, but a cron job on a maschine with shell access that renews the certificate for a remote server with ftp access should work.

I can definitely put some commands and a cron job idea together if this is the route we'd like to take.

This would require access to the configuration file and I am not sure who has access to it.

I was thinking iceman/0xFFFF had administrative download/upload FTP access. Idea is that they download the appropriate web config file according to the web server documentation, edit it to include the paths to the SSL certificates, and upload it back onto the box, over-writing the previous config.

gator96100 · 2019-08-12 23:58:55

batman192 wrote:

I was thinking iceman/0xFFFF had administrative download/upload FTP access. Idea is that they download the appropriate web config file according to the web server documentation, edit it to include the paths to the SSL certificates, and upload it back onto the box, over-writing the previous config.

They do have FTP access to the site, but I am not sure if they have access to the configuration file. The configuration file of the webserver is usually in a different folder than the site contents (.html/.php files) and most of the time you only have FTP access to the site contents and not the configuration file.

batman192 · 2019-08-13 00:09:37

gator96100 wrote:

They do have FTP access to the site, but I am not sure if they have access to the configuration file. The configuration file of the webserver is usually in a different folder than the site contents (.html/.php files) and most of the time you only have FTP access to the site contents and not the configuration file.

That's what I'm worried about- that stuff's usually almost certainly requires additional permissions to read/write to the web server config directories. At least with Let's Encrypt you can specify where the certs are saved and as long as you reference them properly in the web server config you should be good.

I guess let's see what they have to say and go from there.

iceman · 2019-08-13 05:08:34

yeah, we don't have much access too high up. A bit further than .html/.php like user level. Not more.

batman192 · 2019-08-13 14:39:30

iceman wrote:

yeah, we don't have much access too high up. A bit further than .html/.php like user level. Not more.

Darn. I guess Roel also configured HTTPS connections to redirect to some other site (https://www.swetika.nl/) because that's where I get redirected to when I attempt to navigate here using https.

So we'd need to understand what's causing that redirect- if it's the web server configuration then, unfortunately, there's not much we can do unless Roel removes the redirect to this new URL and redirects https://www.proxmark.org back to this site.

gator96100 · 2019-08-13 16:16:46

batman192 wrote:

So we'd need to understand what's causing that redirect- if it's the web server configuration then, unfortunately, there's not much we can do unless Roel removes the redirect to this new URL and redirects https://www.proxmark.org back to this site.

It is quite simple to understand what is happening here. The server that hosts proxmark.org is also hosting swetika.nl. The webserver is configured to redirect any https traffic to https://www.swetika.nl , probably to redirect from https://swetika.nl to https://www.swetika.nl.
That https://www.proxmark.org/ even works is just a side effect of an improper configuration.

mwalker · 2019-08-14 06:35:18

this is a little off proxmark topic.
While most if not all browsers do tend to supply the SNI (Server Name Indication) Extension, I did not think it was mandatory for a client to supply. ie. If not supplied the web server then must choose to send the default web site, or nothing. So responding with the default website on 443, while it may not be ideal does not mean mis-configured. It may be the desired behavior (e.g. the ONLY web site on 443 is https://www.swetika.nl, so if no SNI provided, send back the certificate for the "only" ssl website we are hosting).

ikarus · 2019-08-14 20:46:51

@iceman: Sorry I did not want to bother you any more. I though because of piwis "And another 6 months later we have https enabled! Just need a valid certificate now. Thanks iceman for this long deserved forum upgrade." you had full server access by now.

Well, not much to discuss here.
* The server configuration is outdated.
* We need full access to the webserver config to fix it.
* We need full access to the server to use letsencrypt
* We don't have full access. Roel does.
* Reaching out to Roel was tried may times and never worked

Too bad... ¯\_(ツ)_/¯

iceman · 2019-08-14 21:27:16

No, that one was meant to be sarcastic.

However I'm still not giving up hope here. One of these days it will happen. I'm sure of it. If I get better access I know whom to contact who will sort this out in a jiffy

Winds · 2020-08-22 11:41:20

Hi,

Personally me using a DynaDot service and strongly recommend it.

At the moment you have two wariants:

1. You can order an SSL for your Site & FluxBB - only $16.99/yr
2. You can transfer your proxmark.org domain and each 3 month obtain a new SSL certificate for free.

There is cupon for the $5 for your certificate: 617T8n6y9N8o726Z

About transfer data to other forums, you can find a lot of scripts to do that's.

Proxmark3 community

Announcement

#1 2015-02-19 22:20:08

Enable/Configure HTTPS for proxmark.org

#2 2015-02-19 23:19:27

Re: Enable/Configure HTTPS for proxmark.org

#3 2015-02-20 09:02:07

Re: Enable/Configure HTTPS for proxmark.org

#4 2015-02-21 16:22:49

Re: Enable/Configure HTTPS for proxmark.org

#5 2015-02-22 23:25:23

Re: Enable/Configure HTTPS for proxmark.org

#6 2015-02-26 01:16:08

Re: Enable/Configure HTTPS for proxmark.org

#7 2015-02-26 06:15:01

Re: Enable/Configure HTTPS for proxmark.org

#8 2015-02-26 10:26:05

Re: Enable/Configure HTTPS for proxmark.org

#9 2015-02-26 11:56:29

Re: Enable/Configure HTTPS for proxmark.org

#10 2015-02-26 21:24:14

Re: Enable/Configure HTTPS for proxmark.org

#11 2015-02-27 10:29:49

Re: Enable/Configure HTTPS for proxmark.org

#12 2015-02-27 14:07:02

Re: Enable/Configure HTTPS for proxmark.org

#13 2015-02-28 21:52:48

Re: Enable/Configure HTTPS for proxmark.org

#14 2015-02-28 23:44:40

Re: Enable/Configure HTTPS for proxmark.org

#15 2015-03-01 12:10:13

Re: Enable/Configure HTTPS for proxmark.org

#16 2015-03-01 22:23:19

Re: Enable/Configure HTTPS for proxmark.org

#17 2015-03-10 18:31:17

Re: Enable/Configure HTTPS for proxmark.org

#18 2015-04-12 16:08:50

Re: Enable/Configure HTTPS for proxmark.org

#19 2015-04-14 02:13:39

Re: Enable/Configure HTTPS for proxmark.org

#20 2015-05-28 01:58:49

Re: Enable/Configure HTTPS for proxmark.org

#21 2015-05-28 02:07:12

Re: Enable/Configure HTTPS for proxmark.org

#22 2015-05-28 02:19:28

Re: Enable/Configure HTTPS for proxmark.org

#23 2015-05-28 02:20:34

Re: Enable/Configure HTTPS for proxmark.org

#24 2016-05-10 13:29:07

Re: Enable/Configure HTTPS for proxmark.org

#25 2016-05-10 14:11:37

Re: Enable/Configure HTTPS for proxmark.org

#26 2016-05-11 00:41:25

Re: Enable/Configure HTTPS for proxmark.org

#27 2016-05-29 11:01:53

Re: Enable/Configure HTTPS for proxmark.org

#28 2017-03-02 22:07:13

Re: Enable/Configure HTTPS for proxmark.org

#29 2017-03-02 22:24:41

Re: Enable/Configure HTTPS for proxmark.org

#30 2017-03-09 20:10:18

Re: Enable/Configure HTTPS for proxmark.org

#31 2017-11-10 22:12:04

Re: Enable/Configure HTTPS for proxmark.org

#32 2017-11-10 22:45:01

Re: Enable/Configure HTTPS for proxmark.org

#33 2018-09-30 22:37:50

Re: Enable/Configure HTTPS for proxmark.org

#34 2019-03-18 12:22:50

Re: Enable/Configure HTTPS for proxmark.org

#35 2019-04-21 06:43:27

Re: Enable/Configure HTTPS for proxmark.org

#36 2019-08-12 20:06:39

Re: Enable/Configure HTTPS for proxmark.org

#37 2019-08-12 20:27:26

Re: Enable/Configure HTTPS for proxmark.org

#38 2019-08-12 21:36:54

Re: Enable/Configure HTTPS for proxmark.org

#39 2019-08-12 22:25:49

Re: Enable/Configure HTTPS for proxmark.org