Author Topic: Forum upgrade?  (Read 2800 times)

TRon

  • Hero Member
  • *****
  • Posts: 3463
Re: Forum upgrade?
« Reply #45 on: September 09, 2024, 05:31:45 pm »
Quote
I don't know what old OS exists that still gets at least security updates (against OS exploits). Because any OS that doesn't, IMHO doesn't count when it comes to "should a website support it". Better if a website does not, as such OS should not be used for internet access. Even if the browser handles as much as it can outside the OS, things like the TCP/IP stack could still have exploitable vulnerabilities. Those machines may be good for certain offline work though.

What nonsense. From that I have to conclude that you buy into all those closed source systems per definition, which is fine but don't bother others with it. Since when has the tcp/ip stack had anything to do with the browser (other than being a transport layer)?

It is about all those shitty extensions and forced methods that seem dictated by factually one company and websites that are very happy to oblige. My motto: if you can't do it without javascript then a) you are a poor excuse of a website maintainer/developer and b) your website isn't worth it. About 99.99% out there exist because of convenience (read: laziness).

But hey let's keep bashing the retro-scene, because it is easy :)
« Last Edit: September 09, 2024, 05:33:31 pm by TRon »
This tagline is powered by AI

MarkMLl

  • Hero Member
  • *****
  • Posts: 7864
Re: Forum upgrade?
« Reply #46 on: September 09, 2024, 05:34:33 pm »
I read somewhere that other people had issues with GitLab, because they had certain browser feature disabled (by enabling some tracking protection or similar).

I'm not in a position to put time into this for at least a few hours, but a very quick experiment confirms that Firefox 115 with all Javascript etc. excluded presents an absolutely minimal frontpage (i.e. looks like there's a whole lot of frames that aren't being loaded) and hitting "Sign in" results in "Enable JavaScript and cookies to continue". This is obviously pretty much as expected.

Quote
Mantis: AFAIK No one wanted to do the maintenance work.

I can't remember but I think there were also issues related to the cost etc. of running our own system, including the expense of an impending hardware upgrade. Plus there was obviously a sentiment among the developers that they needed to migrate from Subversion to Git.

I'll try to take a bit more of a look at an older system which /might/ show up if it's an SSL/TLS issue, but one thing occurs to me: if the "1280px" issue that somebody pointed out earlier is a showstopper this will presumably be the size of the physical screen (i.e. rather than the application window). I think that the only way the server can find this out is by running Javascript (possibly loaded as a lot of analytics from those-nice-people-Google), which again takes us to the situation where it's /either/ a local scripting issue /or/ it's a server issue which requires local scripting to be triggered. I don't know whether there's any way of breaking in locally and fixing that sort of thing, but again any hack would be likely browser-specific...

Oh, and I'm sorry about my outburst earlier, but /honestly/.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

MarkMLl

  • Hero Member
  • *****
  • Posts: 7864
Re: Forum upgrade?
« Reply #47 on: September 09, 2024, 05:37:51 pm »
Quote
What nonsense. From that I have to conclude that you buy into all those closed source systems per definition, which is fine but don't bother others with it. Since when has the tcp/ip stack had anything to do with the browser (other than being a transport layer)?

Fair play there: the SSL/TLS library probably comes with the OS rather than with the browser.

I've got XP on the same system that I'm planning to try with a fairly-old copy of Debian at some point, but wouldn't have dreamed of connecting it to the Internet: there's quite simply too much risk of its 'phoning home to MS and being told to kill itself.

MarkMLl

ASBzone

  • Hero Member
  • *****
  • Posts: 714
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Forum upgrade?
« Reply #48 on: September 09, 2024, 05:44:28 pm »
Quote
I’d rather not discuss the details of my computer on a public forum.

Once you connect to the internet, your OS is already public information. All not providing it to people in a forum that you have chosen to visit does, is make it harder for you to get help.

Your OS, browser and other thumbprint info goes into the forum logs, so...
-ASB: https://www.BrainWaveCC.com/

Lazarus v3.5.0.0 (2216170cde) / FPC v3.2.3-1387-g3795cadbc8
(Windows 64-bit install w/Win32 and Linux/Arm cross-compiles via FpcUpDeluxe on both instances)

My Systems: Windows 10/11 Pro x64 (Current)

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10450
  • Debugger - SynEdit - and more
    • wiki
Re: Forum upgrade?
« Reply #49 on: September 09, 2024, 05:44:31 pm »
Quote
Since when has the tcp/ip stack had anything to do with the browser (other than being a transport layer)?

Maybe the context did get mixed up, maybe I missed something in your reply?

- I did not say, the tcp/ip layer was responsible for the faulty display.
- I did say, that if you use an old system, and if it does not get updates, then never mind how up to date your browser is, you should not have anything connecting to the internet from within that OS, since it will almost certainly expose layers of the (potentially vulnerable) OS to the internet.

So, then if your OS is that old, it does not matter (IMHO) if the page can be displayed with any software under that OS => it shouldn't be attempted in the first place.

Also note: I have not stated that Joanna's OS falls into that category. I don't know that.

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10450
  • Debugger - SynEdit - and more
    • wiki
Re: Forum upgrade?
« Reply #50 on: September 09, 2024, 05:48:20 pm »
Quote
Your OS, browser and other thumbprint info goes into the forum logs, so...

Actually, not the forum logs. I can't actually see them (there usually also is no need for me to see them).

Only the server admin can get them from the web server logs (at least I guess they are stored there for some short time). Not sure though how easy it would be to make the connection to a user account. The purpose of the webserver logs isn't user management.

ASBzone

  • Hero Member
  • *****
  • Posts: 714
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Forum upgrade?
« Reply #51 on: September 09, 2024, 05:49:34 pm »
Quote
Fair play there: the SSL/TLS library probably comes with the OS rather than with the browser.

Absolutely. It is the OS that provides the bulk of support for what encryption protocols will be available to the user. The browser can reduce support to a subset of what the OS provides, but it cannot handle what the OS does not.

TLS version support (1.0, 1.1, 1.2, 1.3) are going to be one factor (with 1.0 and 1.1 no longer supported), and also underlying cipher support for various encryption methods are going to be the other factor -- especially when talking about a site like a modern source control.

It is also possible, but less likely, for the device being used as a router or firewall on the network in question to also have problems due to encryption/cipher support.
-ASB: https://www.BrainWaveCC.com/


Joanna from IRC

  • Hero Member
  • *****
  • Posts: 1173
Re: Forum upgrade?
« Reply #52 on: September 09, 2024, 05:52:47 pm »
Quote
I’d rather not discuss the details of my computer on a public forum.

Once you connect to the internet, your OS is already public information. All not providing it to people in a forum that you have chosen to visit does, is make it harder for you to get help.

Your OS, browser and other thumbprint info goes into the forum logs, so...

I’m more concerned about the forum guests than the forum owners.
✨ 🙋🏻‍♀️ More Pascal enthusiasts are needed on IRC .. https://libera.chat/guides/ IRC.LIBERA.CHAT  Ports [6667 plaintext ] or [6697 secure] channel #fpc  #pascal Please private Message me if you have any questions or need assistance. 💁🏻‍♀️

ASBzone

  • Hero Member
  • *****
  • Posts: 714
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Forum upgrade?
« Reply #53 on: September 09, 2024, 05:53:07 pm »
Quote
Your OS, browser and other thumbprint info goes into the forum logs, so...
Actually, not the forum logs. I can't actually see them (there usually also is no need for me to see them).

Only the server admin can get them from the web server logs (at least I guess they are stored there for some short time). Not sure though how easy it would be to make the connection to a user account. The purpose of the webserver logs isn't user management.

Good point, Martin. For some forum solutions, it is available at that level, but not all. It will be in the webserver logs, though, depending on the verbosity of the logging, and how often the logs are rotated.

But it can be tricky to tie a username to an IP, depending on the application.
-ASB: https://www.BrainWaveCC.com/


ASBzone

  • Hero Member
  • *****
  • Posts: 714
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Forum upgrade?
« Reply #54 on: September 09, 2024, 05:57:02 pm »
Quote
I’m more concerned about the forum guests than the forum owners.

And they are not going to be able to do anything to you with that info.

Most attacks that you need to worry about will involve you getting tricked into clicking on something that an adversary controls.

And guess what...  They don't need to know your OS/Browser (or even IP address) details in advance.

Concealing that info adds no protection.
Disclosing it -- especially in the narrow context being discussed -- does not adversely impact your security in any way.

But that's your call. It will simply take more time to assist you, and less people may bother with doing so.



-ASB: https://www.BrainWaveCC.com/


MarkMLl

  • Hero Member
  • *****
  • Posts: 7864
Re: Forum upgrade?
« Reply #55 on: September 09, 2024, 05:57:28 pm »
Quote
Actually, not the forum logs. I can't actually see them (there usually also is no need for me to see them).

Only the server admin can get them from the web server logs (at least I guess they are stored there for some short time).

But the User Agent string in the server logs can be trivially spoofed by e.g. a browser plugin.

Much more detail than that can only be accessed via Javascript ** , either by out-of-band comms or by manipulating cookies ***

** or FWIW other scripting on /some/ platforms. I was musing yesterday evening on some Java facilities that worked on x86 but not on SPARC: and that was Sun's own Java.

*** IIRC a cookie can be read and set at both the HTTP and scripting levels.

MarkMLl

Joanna from IRC

  • Hero Member
  • *****
  • Posts: 1173
Re: Forum upgrade?
« Reply #56 on: September 09, 2024, 06:01:16 pm »
Quote
Most attacks that you need to worry about will involve you getting tricked into clicking on something that an adversary controls.

I worry about that too. I often wonder about suspicious accounts and their links. That’s kind of a flaw of web browsers letting malicious websites do things to your computer though...

ASBzone

  • Hero Member
  • *****
  • Posts: 714
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Forum upgrade?
« Reply #57 on: September 09, 2024, 06:06:47 pm »
Quote
But the User Agent string in the server logs can be trivially spoofed by e.g. a browser plugin.

Sure, but in this particular instance, that is not likely to be a huge concern. At the very least, it would be helpful info for someone on the backend, even if not accurate -- just as long as it is consistent.


Also, I notice that the IP logging to the forum is known to moderators, making it easier to map a specific user to the site.  (Still need access to both forum logs and webserver logs).
-ASB: https://www.BrainWaveCC.com/


Thaddy

  • Hero Member
  • *****
  • Posts: 15933
  • Censorship about opinions does not belong here.
Re: Forum upgrade?
« Reply #58 on: September 09, 2024, 06:07:57 pm »
Yes, the user agent string can be spoofed even from the browser itself.
What worries me more is what I always warned about: old OSes and browsers do not support the minimum tls 1.1 protocol, which will be soon tls 1.2. E.g. xp supports just ssl3 and tls 1 which are dropped from most https servers. So if you want to be pedantic start complaining to the browser makers, if you want to be humble read up on supported protocols for the different OSes and browsers.

Nobody except the experts listens:
start here
https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols
https://en.wikipedia.org/wiki/Version_history_for_TLS/SSL_support_in_web_browsers

Frankly, you are a moron if you demand support for older and insecure browser protocols.
If I smell bad code it usually is bad code and that includes my own code.
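
The two factors raised in replies #51 and #58 (protocol version and cipher suite support) can be seen in the ClientHello a client sends. The following is an added example, not part of any post in this thread: it parses a ClientHello body and reports what a server restricted to TLS 1.2/1.3 would do with it. The function names, the server policy and the sample ClientHello are constructed for illustration; record and handshake headers are omitted and the rule that TLS 1.3 suites only pair with TLS 1.3 is not modelled.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_client_hello(legacy_version, suites, versions=()):
    """Constructed sample input: a ClientHello body (no record/handshake header)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                                   # one compression method: null
    if versions:
        sv = struct.pack(f"!B{len(versions)}H", 2 * len(versions), *versions)
        ext = struct.pack("!HH", 43, len(sv)) + sv        # 43 = supported_versions
        body += struct.pack("!H", len(ext)) + ext
    return body

def parse_client_hello(body):
    """Return (offered_versions, cipher_suites) from a ClientHello body."""
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 34                                              # skip version + random
    pos += 1 + body[pos]                                  # session_id
    n = struct.unpack_from("!H", body, pos)[0]
    suites = list(struct.unpack_from(f"!{n // 2}H", body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                                  # compression methods
    versions = [v for v in NAMES if v <= legacy]          # older clients: anything up to legacy
    if pos + 2 <= len(body):                              # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 43:                            # explicit list overrides legacy field
                versions = list(struct.unpack_from(f"!{body[pos + 4] // 2}H", body, pos + 5))
            pos += 4 + ext_len
    return versions, suites

def negotiate(body, server_versions, server_suites):
    """Report what a server with this policy would do with the ClientHello."""
    versions, suites = parse_client_hello(body)
    common = set(versions) & set(server_versions)
    if not common:
        return "rejected: no common protocol version"
    shared = [s for s in suites if s in server_suites]
    if not shared:
        return "rejected: no shared cipher suite"
    return f"{NAMES[max(common)]} with suite 0x{shared[0]:04X}"

OLD_CLIENT = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F])  # constructed: TLS 1.0 max
print(negotiate(OLD_CLIENT, {0x0303, 0x0304}, {0x1301, 0xC02F}))
```

A client that offers TLS 1.2 but only RC4 or 3DES suites is rejected at the second check, which is the cipher-support case described in reply #51.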

MarkMLl

  • Hero Member
  • *****
  • Posts: 7864
Re: Forum upgrade?
« Reply #59 on: September 09, 2024, 06:13:23 pm »
Quote
Most attacks that you need to worry about will involve you getting tricked into clicking on something that an adversary controls.
I worry about that too. I often wonder about suspicious accounts and their links. That’s kind of a flaw of web browsers letting malicious websites do things to your computer though...

Yes, which is why I have multiple browser profiles as I've described earlier.

MarkMLl

 
