Protecting the website with TLS and Linux
C0rn3j
Advanced Cheater
Reputation: 0

Joined: 28 Aug 2012
Posts: 51
Location: Czech republic

Posted: Thu Apr 20, 2017 10:05 am    Post subject: Protecting the website with TLS and Linux

Hi, first of all, did you know that Let's Encrypt can give you a free TLS certificate for cheatengine.org and forum.cheatengine.org, and whatever other domains you need?

I'd love if the forums and the main page were properly secured. Feel free to PM/mail me if you need help.

Secondly, I'd like to talk about a native client for Linux - You've stated reasons why you think it is not needed - CE runs through wine (mostly fine) and it is used mostly for Windows games anyway, so WINE is needed.

Personally I use CE on Linux (sadly through wine) to access ceserver running on my Android phone, and it sucks to deal with WINE just for this purpose.

Would it be possible for you to port CE to Linux? Maybe with the help of a fundraiser if you're not willing, maybe you'll find out there's interest?

Thanks for the response, Dark Byte!
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7055
Location: 127.0.0.1

Posted: Thu Apr 20, 2017 11:59 am

The main site really does not need any type of TLS/SSL ticket. There is no point given there is no secure information being handled anywhere on it. It's a static page display of some basic info on CE. The forums would be the only ideal spot to have it due to logins being used. And even then it is not like this site is holding super secret banking info or similar. I'm not against it being added, I just personally see no point in it.
_________________
- Retired.
STN
I post too much
Reputation: 29

Joined: 09 Nov 2005
Posts: 2340

Posted: Thu Apr 20, 2017 12:30 pm

HTTPS can't save you from being hacked. In the recent past a lot of big sites have been hacked and sensitive data leaked that were using https.

That green icon is just an illusion of safety like antiviruses. I think some of this hysteria about https is spreading because Google is pushing it.

Look at Steam and a lot of other big sites, they're still not using https. If it was that unsecure, don't you think these forums and other sites would have been hacked ages ago?

Linux's permissions system makes it hard to make cheating applications like Cheat Engine, at least when I tried. Sure, it gives it a reputation for being "free" of viruses, but it makes it shitty as an OS for everyday use, sudo user and all that crap.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
http://fearlessrevolution.com
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7055
Location: 127.0.0.1

Posted: Thu Apr 20, 2017 7:45 pm

STN wrote:
That green icon is just an illusion of safety like antiviruses. I think some of this hysteria about https is spreading because Google is pushing it.


Mainly because it is not explained at all and not explained correctly. The enforcement of https:// from browsers is not for overall site security but instead to make public wifi users more aware that their data is more vulnerable to things such as man in the middle attacks while they are out and about at places like Starbucks or similar. Sadly, news outlets and other media sites poorly present this as a site being vulnerable to being hacked rather than just the transmission of data between the site and user being at risk.

But given how bad media/news sites are reaching for any actual stories these days, their reporting quality has gone completely out the window and instead they are just rushing stories to be the first to cover something then every other outlet just copies the same story within the same week.

_________________
- Retired.
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19629
Location: The netherlands

Posted: Fri Apr 21, 2017 1:26 am

what is so bad about using Wine in Linux? Last time I checked it even supports just executing .exe files from the command line and desktop shell without even noticing it's there.
if it's because you have to connect to ceserver then I don't understand why your problem is specifically with using it for an Android device, where you HAVE to use ceserver, even if I were to port it to Linux

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
C0rn3j
Advanced Cheater
Reputation: 0

Joined: 28 Aug 2012
Posts: 51
Location: Czech republic

Posted: Sat Apr 22, 2017 10:50 am

Quote:
there is no point given there is no secure information being handled anywhere on it.

... the site literally gives you links for executable downloads, I think that having secure executable downloads is a priority.

Not to mention the certificate is FREE.


Quote:
HTTPS can't save you from being hacked. In the recent past a lot of big sites have been hacked and sensitive data leaked that were using https.


Where am I saying that? HTTPS is used to secure communication between the client and the server.

Quote:

Look at Steam and a lot of other big sites, they're still not using https. If it was that unsecure, don't you think these forums and other sites would have been hacked ages ago?


I guess that stealing cookies via MitM and presenting fake steam site and stealing login info is not deemed as a problem in your eyes?

I guess that you can literally steal login info for CE forums with MitM without even presenting a fake website is not an issue?

Quote:
Linux's permissions system makes it hard to make cheating applications like Cheat Engine, at least when I tried.

Yet surprisingly we have ceserver for Linux and Android already (and for Android there's even a client!), which is the most important part, I'm just asking for a client?


Quote:
if it's because you have to connect to ceserver then i don't understand why your problem is


That's not a problem for me, you just used the fact that CE is only used to hack windows games as a reason to not port it to Linux.


Quote:

what is so bad about using Wine in linux?


I'd prefer not needing WINE at all. I tried opening some submenu in CE and it crashed. I'm not even sure whether to blame WINE or CE for that, it definitely complicates bug reports (didn't really report anything as I'm not sure whether the menu/feature should have worked in the first place).

Maybe in the next WINE there's going to be a regression yadda yadda yadda, I'd just really like not having another layer that can cause problems.

Moreover running WINE is an annoyance. I'd rather not have to deal with the command line (or think of some weird workaround) every time I want to open CE.

What do you think about my HTTPS suggestion?
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19629
Location: The netherlands

Posted: Sat Apr 22, 2017 11:54 am

the executable is already signed, so if someone were to intercept/edit that the signature would be wrong

as for the forum, sure mitm attacks can happen, but just create a new account after I ban the old one (because that's the worst that will happen)

also, none of these free certificates allow for wildcard domains, so things like darkbyte.forum.cheatengine.org and C0rn3jsforum.cheatengine.org won't work anymore

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
C0rn3j
Advanced Cheater
Reputation: 0

Joined: 28 Aug 2012
Posts: 51
Location: Czech republic

PostPosted: Sat Apr 22, 2017 3:00 pm    Post subject: Reply with quote

>the executable is already signed, so if someone were to intercept/edit that the signature would be wrong

How many people do you think check the signature before installing? I'd guess one out of 100 000 perhaps.

>also, none of these free certificates allow for wildcard domains, so things like darkbyte.forum.cheatengine.org and C0rn3jsforum.cheatengine.org won't work anymore


That's true, you can only request 100 domains per request. But do you for some reason use a bazillion of domains?
STN
I post too much
Reputation: 29

Joined: 09 Nov 2005
Posts: 2340

Posted: Sat Apr 22, 2017 3:45 pm

C0rn3j wrote:

Yet surprisingly we have ceserver for Linux and Android already (and for Android there's even a client!), which is the most important part, I'm just asking for a client?


I said hard, not impossible. Look at the condition of those tools and what we have available for Windows, there's no match for a lot of reasons that I don't want to go into.

Quote:
I guess that stealing cookies via MitM and presenting fake steam site and stealing login info is not deemed as a problem in your eyes?


And to the other things you said: nothing can save you from stupidity. The ironic thing I have seen consistently is that people who have more than one antivirus installed are the ones who have the worst kind of malware on their systems, and those AVs themselves act like malware, slowing the system down and doing nothing to help the situation.

It's the same deal with this https thing; "presenting fake steam site" and "fake ce download" are a bit extreme, don't you think? Someone has to go to a lot of lengths to do that with you, and you're fucked anyway if someone's this obsessed with you [Laughing]

I see you joined in 2012. Why didn't you push for https back then, or is it an issue now all of a sudden? The free certificate you are so happy about doesn't really prove anything; there is no authentication process you have to go through for that, but to get a "proper" cert with your name etc. costs a lot, and that's the only one you should trust. I don't think many people realize that.

Your point is justified, but for a site like Cheat Engine it doesn't matter. For PayPal and any other site that deals with my money, I wouldn't feel safe either without https.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
http://fearlessrevolution.com
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7055
Location: 127.0.0.1

Posted: Sat Apr 22, 2017 10:41 pm

C0rn3j wrote:
Quote:
there is no point given there is no secure information being handled anywhere on it.

... the site literally gives you links for executable downloads, I think that having secure executable downloads is a priority.

Not to mention the certificate is FREE.


If someone got onto the server to affect the downloads, having a certificate on the site is not going to do shit to protect anyone. They can just edit the site, claim the infected file is the real one, give the infected file's SHA/MD5 hashes and no one would even know until they were already infected. Again, ruling having the site run under https:// pointless.

C0rn3j wrote:
I guess that stealing cookies via MitM and presenting fake steam site and stealing login info is not deemed as a problem in your eyes?


You should see the number of people that speed click through the installer already and get all the adware that comes with it. You think people are going to check the browser url to ensure it's a legit link lol? You're funny.

C0rn3j wrote:
I guess that you can literally steal login info for CE forums with MitM without even presenting a fake website is not an issue?


You don't need a fake site to steal someone's login info using a MitM attack lol...

C0rn3j wrote:
How many people do you think check the signature before installing? I'd guess one out of 100 000 perhaps.


You are contradicting yourself here.. if people aren't checking the signature of the file, what difference does it make having an SSL cert on the site? If the file is infected, it's not going to make a difference lol.

_________________
- Retired.
Deine Mutter
Expert Cheater
Reputation: 1

Joined: 05 Apr 2006
Posts: 180

Posted: Mon Apr 24, 2017 6:01 am

Not using SSL because the website is static is not a valid excuse for reasons listed here for example. It is indisputable that you always improve the security and privacy of a website by deploying SSL on it - also for static websites. In the case of static websites the improved security and privacy is just less prominent than in the case of dynamic websites, but you still protect against MITM attacks because nobody can modify the traffic.

However, not using SSL because it is a pain in the ass to set up is a very valid excuse in my opinion. It is just a clusterfuck that nobody wants to deal with, which is perfectly understandable. But saying it is not needed is just not accurate.

_________________
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7055
Location: 127.0.0.1

Posted: Tue Apr 25, 2017 5:31 pm

Deine Mutter wrote:
Not using SSL because the website is static is not a valid excuse for reasons listed here for example. It is indisputable that you always improve the security and privacy of a website by deploying SSL on it - also for static websites. In the case of static websites the improved security and privacy is just less prominent than in the case of dynamic websites, but you still protect against MITM attacks because nobody can modify the traffic.

However, not using SSL because it is a pain in the ass to set up is a very valid excuse in my opinion. It is just a clusterfuck that nobody wants to deal with, which is perfectly understandable. But saying it is not needed is just not accurate.


The article you linked to is nothing more than mere opinion, much like everyone else's suggestions and views in this topic. It does not validate or invalidate the usage of SSL either way.

Points 1 and 2 are completely irrelevant to this topic.

Point 3 goes into the points I made already if the server was hacked it makes the entire purpose of the 'middle-man' attack point of view invalid. If the exe, which was the point of this topic, not injected ads and javascript, was modified on the server, having the SSL cert and https:// usage on the site would make no difference.

Point 4 I covered above already.

Point 5 is nothing but opinion on that link about 'having to have the best of the best'. The motto 'if it isn't broken, don't fix it' can be used here.

My points in my other post were specific to how the OP stated the exe being affected.

_________________
- Retired.
Deine Mutter
Expert Cheater
Reputation: 1

Joined: 05 Apr 2006
Posts: 180

Posted: Wed Apr 26, 2017 9:50 am

atom0s wrote:
Point 3 goes into the points I made already if the server was hacked it makes the entire purpose of the 'middle-man' attack point of view invalid. If the exe, which was the point of this topic, not injected ads and javascript, was modified on the server, having the SSL cert and https:// usage on the site would make no difference.

I don't really get your point here to be honest. Of course, if somebody hacked into the server, then you're fucked and SSL is not gonna do shit for you. But without SSL an attacker doesn't need to hack the server to tamper with the download of the executable file. In an untrusted network an attacker can intercept the communication between the victim and the cheatengine.org server and replace the body of the HTTP response packets of the download with the contents of his own malicious executable file in a totally transparent manner. This attack would not be possible with SSL. I'm not trying to say how likely or unlikely this scenario is, but this is definitely an attack which is currently possible and could be protected against with SSL. This is not an opinion, it's a fact.

_________________
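
Added example, not written by any poster in this thread: a constructed Python model of the integrity question debated above. It shows that a digest delivered over the same unauthenticated HTTP connection as the download still matches after the response is rewritten in transit, while a digest pinned from an authenticated source detects the change. All names and byte strings here are assumptions made up for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpResponse:
    """Constructed stand-in for a plain-HTTP download: the file body plus the
    digest that the download page advertises over the same connection."""
    body: bytes
    advertised_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(body: bytes) -> HttpResponse:
    """What the origin server sends."""
    return HttpResponse(body, sha256_hex(body))


def untrusted_network(resp: HttpResponse, replacement: bytes) -> HttpResponse:
    """Models an unauthenticated channel: every byte of the response is
    writable in transit, including the advertised digest."""
    return HttpResponse(replacement, sha256_hex(replacement))


def verify(body: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the body's digest with an expected value."""
    return hmac.compare_digest(sha256_hex(body), expected_sha256.lower())


def check_download(resp: HttpResponse, pinned_sha256=None):
    """Return (in_band_ok, pinned_ok). pinned_ok is None when the client has
    no digest from an authenticated source (HTTPS page, signed release file)."""
    in_band_ok = verify(resp.body, resp.advertised_sha256)
    pinned_ok = None if pinned_sha256 is None else verify(resp.body, pinned_sha256)
    return in_band_ok, pinned_ok


# Constructed sample data, not real installer bytes.
ORIGINAL = b"MZ constructed-installer v1"
ALTERED = b"MZ constructed-installer v1 + altered bytes"
PINNED = sha256_hex(ORIGINAL)  # assumed to come from an authenticated channel

if __name__ == "__main__":
    clean = publish(ORIGINAL)
    rewritten = untrusted_network(clean, ALTERED)
    print("clean    :", check_download(clean, PINNED))
    print("rewritten:", check_download(rewritten, PINNED))
    print("no pin   :", check_download(rewritten))
```

The in-band check passes in all three cases, so it tells the client nothing about the channel; only the pinned comparison separates the original from the rewritten response.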
STN
I post too much
Reputation: 29

Joined: 09 Nov 2005
Posts: 2340

Posted: Wed Apr 26, 2017 2:22 pm

Quote:
In an untrusted network an attacker can intercept the communication between the victim and the cheatengine.org server and replace the body of the HTTP response packets of the download with the contents of his own malicious executable file in a totally transparent manner.


Whoa... which movie is this from?

_________________
Cheat Requests/Tables- Fearless Cheat Engine
http://fearlessrevolution.com
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7055
Location: 127.0.0.1

Posted: Wed Apr 26, 2017 3:18 pm

STN wrote:
Quote:
In an untrusted network an attacker can intercept the communication between the victim and the cheatengine.org server and replace the body of the HTTP response packets of the download with the contents of his own malicious executable file in a totally transparent manner.


Whoa... which movie is this from?


It's common man-in-the-middle attack stuff, nothing new and nothing movie-esque.

Point is people should not be downloading binaries on public / untrusted networks. There are a ton of back and forth arguments that can be made on this subject, either way it is up to Dark Byte if he wants to add SSL, if he deems it has a purpose to begin with.

_________________
- Retired.
All times are GMT - 6 Hours
Page 1 of 2