https by hcs at 3:38 PM EST on December 2, 2015
I finally got a https certificate for the site. I've set all the forms (besides the search system) to submit over https, so you may see your session suddenly go over to https.

Currently, there's a big issue in switching over to https: the [img] tag. There may be warnings in old browsers if I'm serving the forum over HTTPS but the images are HTTP (as almost all in the forum currently are), and generally it makes things less secure. I may have to eventually only allow https img tags and convert those still in the db to links.

Also login tokens are currently going to be sent over http no matter what I do, unless I expire the old ones and set them as secure, which will break things unless I redirect all http to https (which I would do if not for the img issue above).

Also found a really old bug caused by my total misunderstanding of variable scoping in PHP: form actions for adding or editing a post were supposed to point to forum.php?whatever, but instead just did ?whatever, as I didn't import the global.

And Dreamhost is running with an old version of TLS. Thinking of moving servers. Also want to do a rewrite of the forum to address some major issues.

edited 3:27 PM EST December 2, 2015

But mostly I'm just happy about not sending passwords in the clear anymore.

edited 3:31 PM EST December 2, 2015

edited 3:32 PM EST December 2, 2015

edited 4:15 PM EST December 2, 2015
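The [img] problem above comes down to one rule: an HTTPS page may embed HTTPS images, but an HTTP image on it is mixed content. The following helper, an added example and not the forum's own code, applies exactly the fix described in the post: it leaves [img=https://...] tags alone and rewrites [img=http://...] tags (the BBCode syntax this forum uses) into [url=...] links. The function names, the hypothetical posts(id, body) table and the sample posts are assumptions.

```php
<?php
// Added example, not the forum's own code: demote insecure [img=URL] tags to
// links so that an HTTPS page no longer embeds HTTP images (mixed content).
// Function names, the posts(id, body) table and the sample posts below are
// assumptions for illustration.

function demoteInsecureImages(string $bbcode): string
{
    return preg_replace_callback(
        '/\[img=([^\]\s]+)\]/i',
        static function (array $m): string {
            $url    = $m[1];
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if ($scheme === 'https') {
                return $m[0];                 // secure origin: keep inline
            }
            // http://, protocol-relative or schemeless: show a link instead
            return '[url=' . $url . ']' . $url . '[/url]';
        },
        $bbcode
    );
}

// Dry run: how many post bodies would the rewrite touch?
function countAffectedPosts(array $bodies): int
{
    $n = 0;
    foreach ($bodies as $body) {
        if (demoteInsecureImages($body) !== $body) {
            $n++;
        }
    }
    return $n;
}

// Hypothetical one-off migration over a posts(id, body) table via PDO.
function migratePosts(PDO $db): int
{
    $select  = $db->query('SELECT id, body FROM posts');
    $update  = $db->prepare('UPDATE posts SET body = :body WHERE id = :id');
    $changed = 0;
    foreach ($select as $row) {
        $new = demoteInsecureImages($row['body']);
        if ($new !== $row['body']) {
            $update->execute([':body' => $new, ':id' => $row['id']]);
            $changed++;
        }
    }
    return $changed;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample posts, not real forum data.
    $samples = [
        'look: [img=http://example.com/pic.png] nice',
        'secure: [img=https://example.com/pic.png]',
        'no image here',
    ];
    foreach ($samples as $s) {
        echo demoteInsecureImages($s), "\n";
    }
    echo countAffectedPosts($samples), " post(s) would change\n";
}
```

Run the dry-run count against a database dump before the UPDATE loop; the rewrite is deliberately one-way, so the original post bodies should be backed up first. The demoted URL is passed through untouched because escaping belongs in the BBCode-to-HTML renderer, which must still escape every [url=...] value it outputs.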
by hcs at 5:37 PM EST on December 2, 2015
Ok, so I went ahead and made cookies secure; if you want to take advantage, log out and then back in. I also updated the token generator to do something more secure (just a 16 byte random number instead of the weird time based hash thing I was using before).

I made a big change over the last few hours and finally got password hashing implemented, all plaintext passwords are now gone from the database. Newer PHP things like password_hash and password_verify make it really easy to do the right thing.

Very little of this matters for a forum like this; it has been safe simply because it isn't worth attacking, but I did feel really bad about sitting on a big database of passwords that people might be reusing on other sites. I'll sleep easier now.

edited 8:02 PM EST December 2, 2015
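The two posts above describe three separate changes: secure cookies, a 16-byte random login token, and password_hash/password_verify replacing plaintext passwords. The code below is an added example, not the forum's own code, putting those three pieces together in PHP, including a one-off migration that hashes whatever plaintext is still in the table. The function names, the users(id, password) table layout and the sample credentials are assumptions.

```php
<?php
// Added example, not the forum's own code: password hashing, a random login
// token and an HTTPS-only cookie, as described in the thread. Function names,
// the users(id, password) table and the sample values are assumptions.

function hashPassword(string $plain): string
{
    // PASSWORD_DEFAULT picks a salt per password; salt and cost are stored
    // inside the returned string, so nothing else needs to be kept.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// True when the stored hash used an older algorithm or cost; rehash it on the
// next successful login, since that is the only time the plaintext is known.
function needsRehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT);
}

// 16 bytes (128 bits) from the CSPRNG, hex-encoded for the cookie value.
function newLoginToken(): string
{
    return bin2hex(random_bytes(16));
}

// Constant-time comparison so a token check does not leak timing information.
function tokenMatches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

function sendLoginCookie(string $token): void
{
    // Positional form works on PHP 5.x as well: secure=true means the browser
    // sends the cookie only over HTTPS; httponly=true hides it from scripts.
    setcookie('login_token', $token, time() + 30 * 24 * 3600, '/', '', true, true);
}

// One-off migration: replace every plaintext password in a hypothetical
// users(id, password) table with its hash. Values that are already hashes
// are recognised by password_get_info() and left alone.
function migratePlaintextPasswords(PDO $db): int
{
    $select = $db->query('SELECT id, password FROM users');
    $update = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $done   = 0;
    foreach ($select as $row) {
        if (password_get_info($row['password'])['algoName'] === 'unknown') {
            $update->execute([':hash' => hashPassword($row['password']), ':id' => $row['id']]);
            $done++;
        }
    }
    return $done;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample credential, not real forum data.
    $hash = hashPassword('correct horse');
    var_dump(checkPassword('correct horse', $hash));
    var_dump(checkPassword('wrong guess', $hash));
    var_dump(needsRehash($hash));
    $token = newLoginToken();
    var_dump(strlen($token) === 32 && tokenMatches($token, $token));
}
```

Once secure=true is set, a cookie issued before the change keeps being sent over plain HTTP until it expires, which is why the post asks people to log out and back in: the new token is issued with the flag, the old one is discarded. The migration should be run once, after a backup, and the login handler should then call checkPassword() and, on success, needsRehash() so cost upgrades happen transparently.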
by the_audio_ripper at 1:12 AM EST on January 7, 2016
You might consider using a free CDN service, such as CloudFlare.
by hcs at 7:42 AM EST on January 7, 2016
CDN for what? There really isn't any content here, just the forum db and PHP frontend.
by the_audio_ripper at 7:47 AM EST on January 7, 2016
For TLS 1.2, SPDY, HTTP/2, etc.
by hcs at 7:48 PM EST on January 7, 2016
I see. I don't think CloudFlare makes much sense for me at the moment, though; I don't want to introduce another layer if it isn't needed. I'm much more likely to just move to another host where I just have a VPS.

Even that is kind of unlikely to happen in the near term; since I made the changes I talked about in this thread, I'm less worried in general.
by Franpa at 6:28 AM EST on January 10, 2016
So wait, our passwords were transmitted to the server in plain, unsalted, unencrypted text any time we logged in? That's pretty atrocious security.

edited 6:28 AM EST January 10, 2016
by hcs at 11:55 AM EST on January 10, 2016
As it said on the create account page, "Please note that passwords are stored and transmitted unencrypted, so don't use anything sensitive."

That was absolutely atrocious security, and I feel bad about having had it in place for years.

Let this be a reminder to not use the same password on different sites, because some may be implemented by security-ignorant monkeys like me.

[edit]
Not harsh enough to call myself security-ignorant, I've known for years it was an issue (that same message was shown since at least 2006) but couldn't be bothered to fix it. Unknownfile made an attempt to implement password hashing that wiped out the db at one point...

edited 12:10 PM EST January 10, 2016
by Nisto at 12:00 PM EDT on April 27, 2016
I'm noticing you're using Startcom. Let's Encrypt would've seemed like the natural choice around the time you went HTTPS, so just thought I'd check if you knew of it? It's both free and automated so you don't have to renew certificates in the future. I've only heard good things of it.
by hcs at 12:57 PM EDT on April 27, 2016
I knew of it, it was still in closed beta at the time and I didn't want to wait any longer. Definitely will be using Let's Encrypt when this cert expires.

bold: [b]bold[/b]
italics: [i]italics[/i]
emphasis: [em]emphasis[/em]
underline: [u]underline[/u]
small: [small]small[/small]
Link: [url=http://www.google.com]Link[/url]

[img=https://www.hcs64.com/images/mm1.png]

HCS Forum Index
Halley's Comet Software