Linode Forum
Linode Community Forums
PostPosted: Wed Jul 06, 2011 6:27 pm 
Newbie

Joined: Wed Jul 06, 2011 6:18 pm
Posts: 2
I was surprised to find the password I'd entered for the forum (having just signed up) shown in the activation email. It's not a big thing, the email isn't likely to be intercepted, I don't use the same password for the forum as the manager and it's just a forum, but still, I would have thought a hosting company would provide a better example of good security practice.

Matthew


PostPosted: Wed Jul 06, 2011 7:11 pm
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
It's probably a phpBB thing. I'm not sure exactly which version Linode is running, but it looks pretty old.

Code:
Powered by phpBB © 2001, 2005 phpBB Group


PostPosted: Wed Jul 06, 2011 7:28 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Geeeesh, it's a community forum. How much security do they need?

It's probably more to prevent stupid human tricks (what's my password again?) than it is a security risk.

Security paranoia is a huge time suck, people need to use a bit of common sense and focus on the important security issues.


PostPosted: Wed Jul 06, 2011 9:01 pm
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
hybinet wrote:
It's probably a phpBB thing. I'm not sure exactly which version Linode is running, but it looks pretty old.

Code:
Powered by phpBB © 2001, 2005 phpBB Group


It is indeed and they have indeed changed it in later versions to not do that.


PostPosted: Thu Jul 07, 2011 10:20 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Considering the absolute latest version of phpBB only shows a copyright date of 2007, the fact that this forum shows 2005 is not at all indicative of how old it is. phpBB no longer reports version numbers for security reasons.


PostPosted: Thu Jul 07, 2011 1:45 pm
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
Guspaz wrote:
Considering the absolute latest version of phpBB only shows a copyright date of 2007, the fact that this forum shows 2005 is not at all indicative of how old it is. phpBB no longer reports version numbers for security reasons.

phpBB 3 was released in December 2007, so that's the version that shows a copyright date of 2007. If the date is 2005, it's probably phpBB 2.x -- which stopped getting security updates more than two years ago. The theme also looks typical of phpBB 2.x.

As with vonskippy, I'm not particularly worried about somebody hacking into my community forum account. But I do wonder whether or not the forum server is segregated well enough from the rest of Linode's infrastructure that any serious exploit, such as arbitrary command execution, will be self-contained. Given that the forum seems to suffer a lot of downtime (database connection errors) without affecting anything else, I suspect that it's pretty well segregated already.


Post subject: Latest version
PostPosted: Sun Jul 24, 2011 9:52 am
Junior Member

Joined: Fri Oct 24, 2008 4:56 pm
Posts: 28
Website: http://matiaskorhonen.fi
I certainly hope that Linode is using the latest possible version of phpBB (php forum systems are notorious for being riddled with security holes).

Some sort of confirmation from Linode staff would be nice.


PostPosted: Sun Jul 24, 2011 9:58 am
Senior Member

Joined: Fri Dec 10, 2010 6:21 am
Posts: 144
yellowfruit wrote:
I was surprised to find the password I'd entered for the forum (having just signed up) shown in the activation email. It's not a big thing, the email isn't likely to be intercepted, I don't use the same password for the forum as the manager and it's just a forum, but still, I would have thought a hosting company provide a better example of good security practice.

Matthew


On a related note your only option of logging in involves sending user/pass in the plain anyway (no https on the forum web site), so the password being sent in an email is not the only way that your credentials are exposed to anyone snooping...


PostPosted: Sun Jul 24, 2011 10:06 am
Junior Member

Joined: Fri Oct 24, 2008 4:56 pm
Posts: 28
Website: http://matiaskorhonen.fi
hawk7000 wrote:
On a related note your only option of logging in involves sending user/pass in the plain anyway (no https on the forum web site)


That's pretty worrying.

I just noticed something else. The HTML source of the forums contains the following (around line 16, or so):

Code:
/*
  NOTE: These CSS definitions are stored within the main page body so that you can use the phpBB2
  theme administration centre. When you have finalised your style you could cut the final CSS code
  and place it in an external file, deleting this section to save bandwidth.
*/


So it looks like Linode is still using phpBB2, which is pretty worrying as Wikipedia contains the following titbit (emphasis mine):

Quote:
Official support for phpBB2 ended on January 1, 2009, and the 2.0.x support forums have been locked. Furthermore all development for phpBB2, including security patches, has ceased as of February 1, 2009.


So right now I'd like to see Linode confirm that they're not using an ancient version of phpBB2 and that they're going to add HTTPS support for the forums to prevent session hijacking and password sniffing.

Edit 0: It looks like it really is phpBB2 (version 2.0.22 or 2.0.23, to be exact): docs/CHANGELOG

Edit 1: Another thing I noticed from wikipedia: "The last official release of the 2.0.x line is 2.0.23, released on February 17, 2008."
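The two checks this post makes by hand (is the login form submitted over plain HTTP, and does the page source carry the phpBB2 markers quoted above) as a small self-audit script. This is an added example, not code from Linode, phpBB or any poster; the page URL and the HTML sample are constructed.

```python
"""Audit a forum page for the two exposures raised in this thread: a login form that
posts credentials over plain HTTP, and the phpBB2 markers quoted above. Added example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Markers quoted in the thread: the inline CSS comment and the page footer.
PHPBB2_MARKERS = ("phpBB2 theme administration centre",
                  "Powered by phpBB \u00a9 2001, 2005 phpBB Group")
class _PageScanner(HTMLParser):
    """Collect (action, has_password_input) per <form>, plus every text node."""
    def __init__(self):
        super().__init__()  # convert_charrefs defaults to True: &copy; arrives as ©
        self.forms, self.text, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(tuple(self._form))
            self._form = None

    def handle_data(self, data):
        self.text.append(data)  # <style> contents are delivered here as well

def audit_forum_page(page_url, html):
    """Return a list of findings; an empty list means nothing was flagged."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for action, has_password in scanner.forms:
        target = urljoin(page_url, action)  # a relative action inherits the page scheme
        scheme = urlsplit(target).scheme
        if has_password and scheme != "https":
            findings.append(f"password form posts over {scheme}: {target}")
    page_text = " ".join("".join(scanner.text).split())  # collapse whitespace and newlines
    findings += [f"phpBB2 marker present: {m!r}" for m in PHPBB2_MARKERS if m in page_text]
    return findings

# Constructed sample resembling the page source the thread describes (not a real page).
SAMPLE_HTML = """<html><head><style>/* NOTE: These CSS definitions are stored within the main page body so that you can use the phpBB2
   theme administration centre. */</style></head><body>
<form action="login.php" method="post"><input type="password" name="password"></form>
<div>Powered by phpBB &copy; 2001, 2005 phpBB Group</div></body></html>"""
```

Run `audit_forum_page("http://forum.example.test/index.php", SAMPLE_HTML)` to see all three findings; the same page served over HTTPS with the markers absent yields an empty list.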


PostPosted: Sun Jul 24, 2011 11:20 am
Senior Member

Joined: Sat Sep 25, 2010 2:25 am
Posts: 75
Website: http://www.ruchirablog.com
Location: Sri Lanka
I bet Linode is using an older version for a reason! Yes, this version is not getting any updates, but updates, on the other hand, mean problems, because updated versions may be more vulnerable to attacks. See WordPress changelogs.

I have seen many large forums running their preferred script versions for a long time without upgrading. They only switch to updated versions after doing full research, and sometimes it takes more than a year to update to the newer version.

There are reasons for these things. So don't dislike Mr. Caker :P


PostPosted: Sun Jul 24, 2011 11:27 am
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Or they haven't updated because it's not worth it?

The forums work. Plain and simple. As far as your https concerns, I bet 75% of the sites you submit a password to over the internet are not using https, and 90% of the forum sites. It's simply overkill for a support forum. If someone goes to the trouble of grabbing your cookie or some such, what have they gained? They can ask questions as you? How often have you seen this happen here?

You're expecting the forums to run at some Fort Knox level of security. Do you go into your local grocery store and wonder why they don't keep all the food in locked cases with security guards in every aisle?


PostPosted: Sun Jul 24, 2011 11:48 am
Junior Member

Joined: Fri Oct 24, 2008 4:56 pm
Posts: 28
Website: http://matiaskorhonen.fi
akerl wrote:
As far as your https concerns, I bet 75% of the sites you submit a password to over the internet are not using https, and 90% of the forum sites.


90% of PHP-based forums probably run unpatched versions of PHP, MySQL, and Apache. Does that mean that Linode should just ignore security concerns? Of course not.

Linode is a professional operation and the staff know what they're doing. This means that they should stick to common best practices as much as humanly possible. Enabling SSL support for the forums is hardly an insurmountable task.

akerl wrote:
You're expecting the forums to run at some Fort Knox level of security.


Basic SSL support is not "Fort Knox level of security". As made clear by Firesheep, SSL is not an optional feature anymore, it is essential.

You can get an SSL cert for a pittance these days (as low as $9-$20 per year), and it isn't computationally expensive anymore either.

Hell, for personal use StartSSL will give you a free certificate.


PostPosted: Sun Jul 24, 2011 7:49 pm
Senior Member

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
If we are weighing opinions here, I'll add another data point and say this is simply not a concern to me. As has been pointed out, the threat of password sniffing is that someone will post messages as you. The true danger of Firesheep is password reuse, which is really a user problem.

I'll also note that SSL defeats modem compression, which does have a significant performance impact on my dialup sessions. In addition, it seems to inhibit client-side caching, though this may be a configuration problem rather than something inherent to SSL. So there is a downside.


PostPosted: Mon Jul 25, 2011 6:24 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
If memory serves, the client-side caching problem is with older browsers, especially those of the Internet Explorer variety.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Mon Jul 25, 2011 9:17 am
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
k33l0r wrote:
Linode is a professional operation and the staff know what they're doing.

And yet you think they need your help to run a forum?

