If anyone wants more info on the Board upgrades we did the other night...


WebmasterAlex
10-26-2009, 10:50 PM
I just posted an article on http://www.distechtalk.com/

safetymom
10-27-2009, 04:31 AM
Interesting info.

k5jmh
10-27-2009, 05:47 AM
Good stuff!! Way to Go, Alex!

elemusing
10-27-2009, 08:00 AM
Cool - I didn't know you guys had a blog. That is very interesting. (I'm a tech-geek wannabe). ha

Thanks for all you do!!

Angie

DisneyWorld Delight
10-27-2009, 10:10 AM
Awesome. Somehow I missed there was a DIS tech blog.

cocowum
10-27-2009, 12:50 PM
Great job Alex. :thumbsup2 I have no idea what it means but I think you're Awesome!!! :thumbsup2

insoin
10-27-2009, 01:07 PM
I just posted an article on http://www.distechtalk.com/

Alex, first off Hi, and thanks for all you must do for the boards. Second, really neat blog, even if I understand only about 10% of it.

Loved the one about the Tag Fairy, I never noticed they were different, but now that I think about it, they are. Neat little touch that you do...

dpuck1998
10-27-2009, 01:10 PM
I am man enough to admit that excited me a little! :banana::banana:

FireDancer
10-27-2009, 01:22 PM
I had no idea there was a DIS Tech blog...it's like Christmas came early. :banana:

I was wondering where the proper place would be to make a technical request for the boards. I'll post it here and if there is somewhere better I'll post it there.

Is there any way you guys can get an ssl certificate and mirror the login/landing page as an ssl page? I only ask because when I am at a hotel or another hotspot and don't have my laptop with VPN access I am reluctant to go to a page in the clear and enter my password.

Moxie Marlinspike's presentation (http://74.125.93.132/search?q=cache:FSy69O8LjU4J:www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf+moxie+marlinspike+ssl+attack&cd=1&hl=en&ct=clnk&gl=us) at the Black Hat conference exposed some weaknesses in collecting data on a non-ssl page and then passing it to the server through a form-initiated ssl connection.

If you could provide a login page located at https://disboards.com just for the log in and then redirect back to the http page it would make security conscious (some would say paranoid) people like me much happier. Even if it requires directly typing the entire url including the resource type so the default login is in the clear it would be a step up in security. This is how Facebook handles secure logins.

mainegal
10-27-2009, 01:36 PM
Cool stuff, thanks for sharing.

Gav N Becx
10-27-2009, 02:00 PM
Wow didn't even know this existed - cheers for the link Alex.

The article about the hardware you run on was a great read!
Verio has some serious high speed connections.

Frank - good idea about using a secure connection to login.
If the new Dis app has a built in Disboards browser and you login to that using an unsecured connection, would it also be subject to the same issue?

dpuck1998
10-27-2009, 02:10 PM
I had no idea there was a DIS Tech blog...it's like Christmas came early. :banana:

I was wondering where the proper place would be to make a technical request for the boards. I'll post it here and if there is somewhere better I'll post it there.

Is there any way you guys can get an ssl certificate and mirror the login/landing page as an ssl page? I only ask because when I am at a hotel or another hotspot and don't have my laptop with VPN access I am reluctant to go to a page in the clear and enter my password.

Moxie Marlinspike's presentation (http://74.125.93.132/search?q=cache:FSy69O8LjU4J:www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf+moxie+marlinspike+ssl+attack&cd=1&hl=en&ct=clnk&gl=us) at the Black Hat conference exposed some weaknesses in collecting data on a non-ssl page and then passing it to the server through a form-initiated ssl connection.

If you could provide a login page located at https://disboards.com just for the log in and then redirect back to the http page it would make security conscious (some would say paranoid) people like me much happier. Even if it requires directly typing the entire url including the resource type so the default login is in the clear it would be a step up in security. This is how Facebook handles secure logins.

:cough: nerd :cough: :rolleyes1

kafitty
10-27-2009, 02:22 PM
I had no idea there was a DIS Tech blog...it's like Christmas came early. :banana:


seriously i was pumped too!!

:cough: nerd :cough: :rolleyes1

...says the man on a Disney message board. :rolleyes1 :laughing:

FireDancer
10-27-2009, 02:23 PM
If the new Dis app has a built in Disboards browser and you login to that using an unsecured connection, would it also be subject to the same issue?

I imagine some of the same vulnerabilities would exist in an app but can't say for certain because I am not an app developer. It would be much easier to do on a WiFi connection than the cellular network, but considering the encryption of GSM has been broken for years even that isn't impossible. Without getting into ARP spoofing and how a man-in-the-middle can make themselves a proxy, I would say the safest bet security-wise is to make any login page a direct ssl connection to the server.

While in a perfect world all web surfing could be done via ssl it would mean nothing could be cached locally and that would make surfing impractical. A reasonable compromise I think is to use an ssl connection with a server for all login functionality and only stay ssl if you are an e-commerce or financial site. The majority of the web really has to be done in the open to make it work the way it is currently designed.

dpuck1998
10-27-2009, 03:01 PM
seriously i was pumped too!!



...says the man on a Disney message board. :rolleyes1 :laughing:

touche :teacher:

doconeill
10-27-2009, 03:18 PM
Oy, now I can geek out about how the DIS runs... :)

I like the CX4s in general. They perform pretty well. I hate losing 5 disks to the "vault" storage for the OS though. I wonder if they've fixed that...

Is it a single MySQL instance, or are you replicating?

FireDancer
10-27-2009, 03:28 PM
:cough: nerd :cough: :rolleyes1

I know you wanted to ask Don but were too shy.

zendisney
10-27-2009, 04:56 PM
I didn't know there was such a place... awesome.
Nice job, Alex!

kaligal
10-27-2009, 05:06 PM
Not reading it because I know from experience that I won't understand it, but am grateful for the hard work you do.

Now, can we talk about rearranging the smilies, please? ;)

WebmasterAlex
10-27-2009, 05:09 PM
Oy, now I can geek out about how the DIS runs... :)

I like the CX4s in general. They perform pretty well. I hate losing 5 disks to the "vault" storage for the OS though. I wonder if they've fixed that...

Is it a single MySQL instance, or are you replicating?

Just a single instance. I was replicating for a bit but there wasn't much advantage. We are tuned for speed, not transactional safety; we get a full backup every night, and if we lost a few hours of posts it would stink but it wouldn't be the end of the world.

I had no idea there was a DIS Tech blog...it's like Christmas came early. :banana:

I was wondering where the proper place would be to make a technical request for the boards. I'll post it here and if there is somewhere better I'll post it there.

Is there any way you guys can get an ssl certificate and mirror the login/landing page as an ssl page? I only ask because when I am at a hotel or another hotspot and don't have my laptop with VPN access I am reluctant to go to a page in the clear and enter my password.


Well there is a request I have never heard before! I can see the merit in the idea but I'll have to look into what would really be involved. It's a little more complicated because of the load balancer etc., but we do it on the static site.

I guess I should update the tech blog a bit more often :)

doconeill
10-27-2009, 05:58 PM
Well there is a request I have never heard before! I can see the merit in the idea but I'll have to look into what would really be involved. It's a little more complicated because of the load balancer etc., but we do it on the static site.

I guess I should update the tech blog a bit more often :)

Hey, I'm always curious about these things...I run systems like these myself (load balancing, replication, etc.)

Load balancing SSL is a big pain, especially with authenticated sessions. If it was only done for the authentication itself it may not be an issue, depending on what information is stored in the cookies.

But, since the cookies bear the authentication info after the initial password exchange, if you don't use SSL from login forward then your account is for the most part just as susceptible if you aren't careful.
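Doconeill's caveat above, and FireDancer's login-only ssl proposal, as an added example (not code from this thread or from vBulletin): given the Set-Cookie headers a login response sends, work out which session cookies a browser would still transmit over plain http after an https login redirects back to http pages, and which it would withhold because they carry the Secure attribute. The cookie names and values are constructed for illustration and are not vBulletin's real cookie names.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers a login response might send. Names are assumptions
# for illustration only, not the real cookie names of any forum software.
LOGIN_RESPONSE_SET_COOKIE = [
    "sessionhash=0123456789abcdef; Path=/; HttpOnly",
    "userid=4242; Path=/; Max-Age=31536000",
    "passhash=deadbeefcafef00d; Path=/; Max-Age=31536000; Secure; HttpOnly",
    "lastvisit=1256600000; Path=/",
]
# The cookies that, together, authenticate the user after the password exchange.
SESSION_COOKIES = {"sessionhash", "userid", "passhash"}


def parse_set_cookie(headers):
    """Map cookie name -> the attributes that decide where the browser sends it."""
    parsed = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Flag attributes are True when present, "" when absent.
            parsed[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return parsed


def cookies_sent_over(headers, scheme):
    """Names the browser attaches to a request on `scheme` ('http' or 'https').

    A cookie with the Secure attribute travels only on https, so on http it is
    neither exposed on the wire nor available to the server."""
    parsed = parse_set_cookie(headers)
    if scheme == "https":
        return sorted(parsed)
    return sorted(name for name, attrs in parsed.items() if not attrs["secure"])


def audit_login_only_ssl(headers, session_cookies):
    """After an https login redirects to http pages: which session cookies cross
    the wire in the clear (exposed), and which the browser withholds (so the
    session silently breaks)? Both outcomes show why mixing schemes is awkward."""
    on_http = set(cookies_sent_over(headers, "http"))
    return {
        "exposed_on_http": sorted(session_cookies & on_http),
        "withheld_on_http": sorted(session_cookies - on_http),
    }


if __name__ == "__main__":
    print(audit_login_only_ssl(LOGIN_RESPONSE_SET_COOKIE, SESSION_COOKIES))
```

With the sample headers, sessionhash and userid go out in the clear on every http page view, while passhash is protected but never reaches the server over http, which is the all-http-or-all-https constraint the thread runs into.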

k5jmh
10-27-2009, 05:59 PM
I guess I should update the tech blog a bit more often :)

Could you do a new article on the tag fairy and how a tag fairy is birthed?

WebmasterAlex
10-27-2009, 06:04 PM
Hey, I'm always curious about these things...I run systems like these myself (load balancing, replication, etc.)

Load balancing SSL is a big pain, especially with authenticated sessions. If it was only done for the authentication itself it may not be an issue, depending on what information is stored in the cookies.

But, since the cookies bear the authentication info after the initial password exchange, if you don't use SSL from login forward then your account is for the most part just as susceptible if you aren't careful.

Our load balancer does "sticky sessions" so it's not insurmountable. I did a bit of reading and the bigger issue is the vBulletin software; I have seen a few statements that it either has to be all http or all https.

doconeill
10-27-2009, 06:08 PM
Our load balancer does "sticky sessions" so it's not insurmountable. I did a bit of reading and the bigger issue is the vBulletin software; I have seen a few statements that it either has to be all http or all https.

That's what I figured would be the limitation.

Cyrano
10-27-2009, 06:23 PM
Great to see the work that you do Alex getting the appreciation it deserves :thumbsup2

FireDancer
10-27-2009, 06:32 PM
Our load balancer does "sticky sessions" so it's not insurmountable. I did a bit of reading and the bigger issue is the vBulletin software; I have seen a few statements that it either has to be all http or all https.

Huh, I never thought of the load balancing affecting the use of ssl. I have never had to deal with distributing an ssl session so you have me there.

I could see not having the login page default to ssl and forcing the manual typing of the address with the https:// manually appended. Maybe at that point the ptr record would direct to one of the sites and not the other replications. The software you use to replicate may have a way of forcing traffic to a specific site for ssl. I haven't looked into the logistics of that, it was more just thinking out loud. I imagine it would not be a highly used feature so I don't think the load balancing would be overly affected, but working in I.T. for a financial institution makes me think of these things.

I also see the merits of staying https if it were a site where financial information or other high value info was being passed back to the server. I am not concerned with my posts being sniffed as much as just the login credentials. I was thinking of the hotmail model where you can choose to use enhanced security to login and you are then presented with an ssl login page. After logging in the rest of the session is in the clear. This is probably a bad idea for email (and why I use gmail mostly), but would work for a forum. It isn't a big deal for me because I use a unique password for this site for this very reason. I was just throwing it out there as a suggestion.

WebmasterAlex
10-27-2009, 10:23 PM
Huh, I never thought of the load balancing affecting the use of ssl. I have never had to deal with distributing an ssl session so you have me there.

I could see not having the login page default to ssl and forcing the manual typing of the address with the https:// manually appended. Maybe at that point the ptr record would direct to one of the sites and not the other replications. The software you use to replicate may have a way of forcing traffic to a specific site for ssl. I haven't looked into the logistics of that, it was more just thinking out loud. I imagine it would not be a highly used feature so I don't think the load balancing would be overly affected, but working in I.T. for a financial institution makes me think of these things.

I also see the merits of staying https if it were a site where financial information or other high value info was being passed back to the server. I am not concerned with my posts being sniffed as much as just the login credentials. I was thinking of the hotmail model where you can choose to use enhanced security to login and you are then presented with an ssl login page. After logging in the rest of the session is in the clear. This is probably a bad idea for email (and why I use gmail mostly), but would work for a forum. It isn't a big deal for me because I use a unique password for this site for this very reason. I was just throwing it out there as a suggestion.

It wasn't a bad idea at all, and it appears that others have tried it with VB, not even load balanced, and have had issues. The devil is in the details!