Runboard.com

Welcome to Runboard Support, the place to find help with your Runboard user account or message board.

If you can't find the answer you need with our search feature, ask here, and a member of staff will respond to you personally.

nic0lette (Registered user)
TLS with Runboard?


Hi,

So Chrome reports Runboard as "Not Secure" now because it has a login prompt on an http page. Even though I can add https, it switches back to http after logging in.

Given that there are companies (such as Comcast) that will actually inject their own code into other websites (when using the Xfinity wifi), it seems like it would be great if Runboard could support https everywhere.
10/19/2017, 5:37 am

Joxcenia (Global Administrator, Runboard staff member)
Re: TLS with Runboard?


There is a discussion somewhere about https:// & http://, but I can't find it. Perhaps it's on another board. *shrugs*

Anyhoo, Lesa had mentioned that there is code that some board owners use that wouldn't work with https://. One piece of code is for adding a chatbox in the header/footer.

Example:

http://bgrapevine50s.runboard.com/

https://bgrapevine50s.runboard.com/

You can see the chatbox in the header when using the first link ... but not when using the second link.

A number of board owners would not be very happy if they can't add their special codes on their boards.



Lesa can probably explain it better once she gets online.

10/19/2017, 9:19 am

Lesigner Girl (Global Administrator, Head of Runboard staff)
Re: TLS with Runboard?


You did well, Jox. Thanks.


Hi nic0lette,

Although that particular chat box doesn't seem to be working anymore even on http, the fact remains that mixed content can be an issue.

Comcast has the luxury of forcing everyone over to https without breaking anything on their website, because they can ensure that everything on their website will be served up via https. That isn't the case here, where every board admin has the ability to add content to their own boards that may or may not be stored on a host with SSL.

I don't know where the discussion Jox referred to is, either, but I seem to recall mentioning that it really isn't important for most people to go through https here at Runboard like it is at websites where you might submit sensitive information like credit card numbers.

You're already logging in through https, so your password is encrypted when it's sent to Runboard. Are you submitting other sensitive information to Runboard, other than your password?

---
Runboard Knowledge Base
Runboard Support Forums
Find other message boards
10/19/2017, 11:18 am
 
Joxcenia (Global Administrator, Runboard staff member)
Re: TLS with Runboard?


quote:

Lesigner Girl wrote:

You did well, Jox. Thanks.


You are most welcome.

quote:


Although that particular chat box doesn't seem to be working anymore even on http, the fact remains that mixed content can be an issue.


I thought it was just me it wasn't working for. But I didn't really have another board to use for an example anyways.

10/20/2017, 2:33 am

nic0lette (Registered user)
Re:


quote:

Comcast has the luxury of forcing everyone over to https without breaking anything on their website, because they can ensure that everything on their website will be served up via https. That isn't the case here, where every board admin has the ability to add content to their own boards that may or may not be stored on a host with SSL.



You misunderstand. Comcast takes the code returned from Runboard and changes it to include their own content. (In the normal case, an advertisement of sorts for Xfinity). They're not the only ones who can do this though. Anyone along the path of my connection to Runboard, a hotel, for example, can edit Runboard's content as it's being fetched. -- https://www.theverge.com/2012/4/7/2931600/hotel-caught-injecting-advertising-into-web-pages-on-complimentary-wi

It's even possible that people worse than Comcast can rewrite Runboard's HTML to inject hostile JavaScript or even install malware on a user's computer, making it look like Runboard was the culprit.

In addition to all of this, Chrome is, as I noted, beginning to mark pages as "not secure" when configured like Runboard is currently.

Here's a post from today about Chrome's changes: https://www.blog.google/topics/safety-security/say-yes-https-chrome-secures-web-one-site-time/

Runboard can't make it so each board is secure, but the core part of the platform could be made to always serve its pages over https and could encourage board owners to secure their own board's custom content.

I'm a newcomer here, of course, and it's not something that I'd have to spend the time to build or support, but I wanted to be sure you understood that it isn't just about users' privacy (though that's important), but https also ensures others can't manipulate content.

Thanks for your time.
10/20/2017, 7:00 pm

Lesigner Girl (Global Administrator, Head of Runboard staff)
Re: TLS with Runboard?


No, nic0lette, you misunderstand. I understand your concerns, but they're based on your misunderstanding of what you've read.

From your first link:

quote:

When web developer Justin Watt stayed at the Courtyard Marriott hotel in Times Square, he discovered that the facility's wireless hotspot was injecting Javascript code into every webpage for the purpose of delivering ads.



They're not injecting anything server-side. They're showing ads to people who use their wifi. Big difference. I used to use a free dialup ISP nearly 20 years ago that served ads to their users, which is pretty much all the hotel is doing.

In short, what they are doing is client-side, not server-side.

From your second link:

quote:

We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.



Intercepting data you, yourself, send, can only give a hacker the same power that you, yourself, have.

Thor and I are the only two people who have the ability to add javascript to Runboard. Therefore, the only way a hacker could add javascript to Runboard would be to go through Thor or myself.

All that said, open source platforms do run the risk of server-side injection attacks, if each web developer who uses those platforms doesn't add their own security, because anyone can download the platform and see the programming. However, Runboard is as closed-sourced as it gets. It was programmed by Thor, in a language that has never been disclosed to the public, using variables that nobody else knows.

10/20/2017, 11:03 pm

nic0lette (Registered user)
Re:


  

Last edited by nic0lette, 10/23/2017, 8:21 pm
10/23/2017, 8:07 pm

Joxcenia (Global Administrator, Runboard staff member)
Re: TLS with Runboard?


quote:

Lesigner Girl wrote:

All that said, open source platforms do run the risk of server-side injection attacks, if each web developer who uses those platforms doesn't add their own security, because anyone can download the platform and see the programming. However, Runboard is as closed-sourced as it gets. It was programmed by Thor, in a language that has never been disclosed to the public, using variables that nobody else knows.


That is interesting. Is his case unique? Can anyone develop their own code/language/variables? The curious in me is wondering if this is infinite or limited.

10/23/2017, 11:43 pm

Lesigner Girl (Global Administrator, Head of Runboard staff)
Re: TLS with Runboard?


quote:

Can anyone develop their own code/language[...]


Code and language are both the same thing. Sure, you can create your own language, just like Marc Okrand created the Klingon language, but creating your own language isn't the same thing as not disclosing the language you're using.

quote:

Can anyone develop their own [...] variables?


Of course. The same way you can create your own class names and IDs in HTML and CSS, anyone can create their own variables in the various programming languages that are out there.

I also neglected to mention in my last post that SSL or lack thereof won't make server-side injection attacks any more or less possible. I only mentioned it because any potential hacker has no way of knowing what to target if they were to attempt an injection attack on Runboard.

Basically, it would be like trying to hack into an email account, without knowing the address of that email account or even what domain it's under.

Too many times over the years, I have come across someone who has read something about something and suddenly believes they're an expert on it. Sometimes, the thing they read was written by someone who doesn't know what they're talking about. Other times, the person reading it has misunderstood what they read.

Jox, you might recall one person in particular who believed an image could give you a virus, or some nonsense like that. My guess is that she read about web beacons, and misunderstood what she read. This same person also believed that I was "stealing her cookies" just because I used javascript to change her name on the page to something else.

It's good to be cautious and informed, but a little information without any real understanding can cause a lot of people to be way too paranoid for their own good.

Back to the question that started this thread, my initial reply stands.

Last edited by Lesigner Girl, 10/28/2017, 6:27 am


10/28/2017, 6:25 am

Joxcenia (Global Administrator, Runboard staff member)
Re: TLS with Runboard?


Yes ... I remember that 'LookyLoo' trick you did. And I too have heard/read that viruses can be hidden within an image. I believe I've seen TV shows where information was hidden within an image as well. *shrugs*

I never researched to see how it was possible to do. I would think you'd have to be able to open up the image before any virus could get out ... and since most people probably hadn't even heard of that, they wouldn't even bother to crack the image open.

10/28/2017, 6:39 am