I can't take it anymore! Could everyone just chill out for two seconds before something CRAZY happens again?!
The nut who actually ground out many packs. The resident forum voice of reason (I HAZ FORUM REP! YAY!)
normal text = me speaking as fellow formite
colored text = mod mode
Much better! Kudos, coffee-powered Bacon-monster, Trendy.
[10:20] Your Lunge deals 4798 (2580) Physical Damage(Critical) to Tosk of Borg.
Star Trek Online Volunteer Community Moderator
"bIghojchugh DaneH, Dumev pagh. bIghojqangbe'chugh, DuQaHlaH pagh."
"Learn lots. Don't judge. Laugh for no reason. Be nice. Seek happiness." ~Day[9]
"Your fun isn't wrong." ~LaughingTrendy
These improvements combined with the vanilla enhance script make a world of difference. Nice one Trendy et al.
One thing though. Would it not make sense for the CMs, and whoever else is working on making Vanilla work, to communicate with the guys doing the enhancements? If you guys all pull in the same direction we could end up with a V.cool forum.
"A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." — Lazarus Long --->Get the Forums Enhancement Extension!
Wtf you talking about?? they just changed the colors lol. Yes it doesn't hurt the eyes so much now, but the rest of the "features" people wanted are still missing lol. There is no "fix" at all. Keep dreaming.
So it turns out some of the users that were complaining was only because of the colors?? nothing more??? u guys are incredible ^^
Quotes have a contrasting background now, a nav bar at the bottom!
By golly, these forums are better than the old ones now!
And what is this? Posts are boxed so it's not just a sea of black!
ETA and what is this! Edit marks aren't DANGER RED anymore!
And bigger avatars, and nice colors that are pleasing to the eye!
Good on Ya!
So good ah!
Ya while some things have improved a bit, there are other things that have not and are still a bad idea.
For example the need to run the program Arc.exe to be able to use the forums.
An error occurred during a connection to www.arcgames.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Thank you so much for improving the forums. I can see everything much better now!
Internet Explorer, like Chrome, will fall back to a vulnerable protocol if they can't negotiate a secure connection. Firefox rejects the insecure connection.
"A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." — Lazarus Long --->Get the Forums Enhancement Extension!
A method of communication between your browser and a remote server which is not secure and trivially eavesdropped on. For example, if someone wanted your password on this forum, they could obtain it without much effort. If you put money into your account via a credit card on arcgames.com, that information could be obtained as well.
Like I said, see the articles linked previously. This is a very serious problem. Then again, you are using Internet Explorer, so it's likely that you don't care about security at all.
You linked a 50 page wiki document without explaining which part was actually useful to read, TLDR. Another document about a specific encryption protocol (aRC4) without explaining its importance. A document about a specific type of attack, again without explaining its relevance. And a fourth document specifically about cracking RC4.... In other words, you want people to take your word for it. I'm not going to spend hours reading random articles trying to figure out the point you're trying to make.
See, what you described is what I would expect of a system with NO encryption at all. Trivial eavesdropping requires nothing more than copying a transmission and reading it. The types of attacks mentioned in those articles require a specialized software tool that is not trivial to acquire.
Now all they need to do is ditch vanillaforums.com and self host it, oh and fix the glaring security holes, but self hosting should make that a lot easier to fix anyway.
Comments
Couldn't resist. ^^
normal text = me speaking as fellow formite
colored text = mod mode
Please enable us to buy a token with Zen to faction change a 25th Century FED to a TOS FED.
normal text = me speaking as fellow formite
colored text = mod mode
One step for forum viewing.... one Giant leap----
My character Tsin'xing
I Support Disco | Disco is Love | Disco is Life
Star Trek Online Volunteer Community Moderator
"bIghojchugh DaneH, Dumev pagh. bIghojqangbe'chugh, DuQaHlaH pagh."
"Learn lots. Don't judge. Laugh for no reason. Be nice. Seek happiness." ~Day[9]
"Your fun isn't wrong." ~LaughingTrendy
Find me on Twitterverse - @jodarkrider
Ya while some things have improved a bit, there are other things that have not and are still a bad idea.
For example the need to run the program Arc.exe to be able to use the forums.
http://perfectworld.vanillaforums.com/categories/startrekonline
My character Tsin'xing
Yep... Text is definitely much easier to see and read,,
However... Please fix the cache.. I swear, If I open one topic, I have to click the "<---" Back arrow button at least 8 times to get out of the topic and clear the forums to get back to the First Forum window...
tyvm..
My character Tsin'xing
See these:
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://en.wikipedia.org/wiki/RC4
https://en.wikipedia.org/wiki/POODLE
https://threatpost.com/new-rc4-attack-dramatically-reduces-plaintext-recovery-time/113808
My character Tsin'xing
I don't think he wants you to take his word for it, but he wants you to spend the same amount of time as he did to learn what he knows. Unless you're going to read the primary research and personally verify the researchers' claims, you're going to have to take someone's word for it. And what's really important for these types of attacks is how hard they are for malicious hackers to perform; obviously, they are beyond the average user.
I will attempt to explain what I know about RC4. Bear in mind that I am not an expert on computer security, but I have done some reading on this particular issue, because I was investigating the SSL errors on arcgames.com. You don't have to take my word for it; you can search Google yourself. None of this information is difficult to find, but not all of it is easy reading. I, myself, don't understand the technical details of how the attacks work, but I have read enough to get an idea of the consensus within the security community.
Type www.arcgames.com or billing.arcgames.com into the tool below.
https://www.ssllabs.com/ssltest/
Scroll down to the "Cipher Suites" section. It will tell you that the only cipher suite supported by arcgames.com is TLS_RSA_WITH_RC4_128_SHA, which uses RC4 as its symmetric-key encryption scheme. The current consensus in the security community is that it is time to retire RC4, because of security weaknesses discovered since 2013. For reference, I have provided links to the web pages of the researchers, but I haven't read their papers.
http://home.hiroshima-u.ac.jp/ohigashi/rc4/
http://www.isg.rhul.ac.uk/tls/
http://www.isg.rhul.ac.uk/tls/RC4mustdie.html
https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness
http://www.rc4nomore.com/
You can read the opinions of two security experts in the links below.
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
Note that those blog posts were written in 2013, but attacks only get better with time.
Google, Mozilla, and Microsoft all agree that they should disable RC4, but no one wants to go first for fear of losing market share. They're afraid that average Joe user will only see that Chrome, Firefox, or IE is not working with their favorite website and not understand why. Chrome, Firefox, and IE all currently support RC4 as a fallback option only. See the links below. (Sorry, I could not find a primary source for Google Chrome.)
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
https://bugzilla.mozilla.org/show_bug.cgi?id=1088915
http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx
Currently, the RC4 fallback in Firefox is enabled for all sites, but Mozilla has made plans to restrict the fallback only to sites in a certain whitelist. As of July 6, 2015, these plans have been delayed indefinitely.
https://bugzilla.mozilla.org/show_bug.cgi?id=1124039
Interestingly, arcgames.com and www.arcgames.com are in the whitelist.
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/IntolerantFallbackList.inc
If you read the comments in the code, you'll see that arcgames.com and www.arcgames.com were added because of bug 1182932. If you look up bug 1182932, you'll find that someone (maybe, someone here?) has reported arcgames.com to Mozilla.
https://bugzilla.mozilla.org/show_bug.cgi?id=1182932
Note that billing.arcgames.com isn't included in the whitelist. I don't know if that means that billing.arcgames.com will stop working for Firefox users when Mozilla enables the whitelist restriction. In any case, it's clear that RC4 is on its way out. It's only a matter of time before all browsers disable it completely.
This error was reported by several people, including me.
http://perfectworld.vanillaforums.com/discussion/1190685/ssl-error-on-arcgames-com-ssl-error-no-cypher-overlap
The RC4 fallback in Firefox works most of the time, but this error appears intermittently. I couldn't find very much information on the issue. The closest is this thread:
http://forum.nginx.org/read.php?2,256373
For a more readable view of the same thread, see the link below.
https://www.ruby-forum.com/topic/6873127
Also, Firefox currently isn't accepting the SSL certificate from arcgames.com.
http://perfectworld.vanillaforums.com/discussion/1190682/firefox-isnt-accepting-ssl-certificate-from-arcgames-com
It may not be the certificate that's the problem. The error could be occurring because Firefox considers RC4 insecure, or it could be something else entirely. But if PWE were paying attention to the security of their website, they would have switched to another cipher suite already, or at least offer a more secure alternative.
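A simplified model of the negotiation the post above describes, added here as an example and not taken from the thread or from Firefox's code: an RC4-only server, a client that retries with RC4 only as a fallback, and a whitelist that limits that retry. The client suite lists, the function names and the assumption that a host outside the whitelist gets no RC4 retry are illustrative.

```python
# Added example (not from the thread): a simplified model of cipher-suite
# negotiation with an RC4 fallback limited to whitelisted hosts.
RC4 = "TLS_RSA_WITH_RC4_128_SHA"  # the only suite the post reports for arcgames.com

# Constructed client lists: preferred suites without RC4, and the fallback
# list that adds RC4 back as a last resort.
CLIENT_PRIMARY = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA"]
CLIENT_FALLBACK = CLIENT_PRIMARY + [RC4]

# Server side as described in the post: both hosts offer RC4 only.
SERVERS = {"www.arcgames.com": [RC4], "billing.arcgames.com": [RC4]}
# Whitelist membership as described in the post (billing is absent).
WHITELIST = {"arcgames.com", "www.arcgames.com"}
NO_OVERLAP = "ssl_error_no_cypher_overlap"


def negotiate(offered, supported):
    """Return the first offered suite the server supports, else None."""
    return next((s for s in offered if s in supported), None)


def connect(host, servers=SERVERS, enforce_whitelist=False):
    """Return (suite, used_fallback, error) for one connection attempt."""
    supported = servers[host]
    suite = negotiate(CLIENT_PRIMARY, supported)
    if suite:
        return suite, False, None
    # First handshake failed: retry with RC4 only if policy permits it.
    if enforce_whitelist and host not in WHITELIST:
        return None, False, NO_OVERLAP
    suite = negotiate(CLIENT_FALLBACK, supported)
    return (suite, True, None) if suite else (None, True, NO_OVERLAP)


def hosts_broken_by_enforcement(servers=SERVERS):
    """Hosts that connect today via fallback but fail once the whitelist applies."""
    broken = []
    for host in sorted(servers):
        now = connect(host, servers, enforce_whitelist=False)
        later = connect(host, servers, enforce_whitelist=True)
        if now[2] is None and later[2] is not None:
            broken.append(host)
    return broken


if __name__ == "__main__":
    for h in sorted(SERVERS):
        print(h, connect(h), connect(h, enforce_whitelist=True))
    print("break under enforcement:", hosts_broken_by_enforcement())
    # A server that adds one non-RC4 suite never needs the fallback at all.
    fixed = {"billing.arcgames.com": [RC4, "TLS_RSA_WITH_AES_128_CBC_SHA"]}
    print(connect("billing.arcgames.com", fixed, enforce_whitelist=True))
```

The last call shows the server-side fix the post asks for: once any non-RC4 suite is offered, the first handshake succeeds and the whitelist no longer matters for that host.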
You know what you know and if you won't read, that's all you'll know. Just don't be surprised if your poor security practices come back to bite you.