Rontini Submarine BBS Homepage
Forum Home Forum Home > General > U.S. Submarine Related
  New Posts New Posts RSS Feed - USSVI Page
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

"The opinions posted here do not represent those of any company, organization, or group and are those only of the author of the respective post." - From Rontini

RontiniSubmarineBBS.com is proudly sponsored by Submarine Shop for Submariners. Your patronage helps support this BBS.

At Ron's direction, we have removed all forums that were not being actively posted to.


USSVI Page

 Post Reply Post Reply
Author
Message Reverse Sort Order
gerry View Drop Down
Admin Group
Admin Group
Avatar

Joined: 16 Dec 2015
Status: Offline
Points: 634
Post Options Post Options   Thanks (0) Thanks(0)   Quote gerry Quote  Post ReplyReply Direct Link To This Post Topic: USSVI Page
    Posted: 02 Dec 2020 at 6:05pm
You guys are all correct in that an unsecured (http) connection is higher risk than a secured (https) connection. I'm guessing USSVI's security certificate has either expired or is not configured correctly. 

What is the actual risk? Pretty low, in my opinion. Lacking the encrypted connection makes your data going back and forth from the site vulnerable to a "man in the middle" attack, which is still quite difficult to perform without malware.  If you are sending credit card numbers, SSNs or banking information, your risk is higher. If you use the same password on an unsecured site in other places, you are at higher risk. 

Mitigating your risk:
- Use a password manager (I use LastPass) so you have a different strong password for every site you need a password on. If a hacker does manage to get your password, the damage they can do is limited. 
- Understand that "man in the middle" attacks are one of the most rare forms of hacking and are predominantly carried out on financial connections. See Malware below.
- Subscribe to Have I Been Pwned (https://haveibeenpwned.com/) to see if you have been compromised i the past. The site will also tell you if your email address shows up in future hacks. 
- Make sure you are keeping up on Windows updates (or Mac or whatever you use) and that you are using some form of Anti-Malware and Anti-virus. 
- Malware on your computer can compromise ALL of your accounts. NEVER click on a link or open an attachment in email from someone you don't know of from someone you Do know if you are not expecting a link or attachment. This is called Phishing and can be very sophisticated in fooling people... but one click and you can be compromised.
- Keep your browser (Chrome/Firefox/Edge/etc) updated. Most of these self update.

Please note, this BBS is not using secure socket connections (no https) as we do not deal in financials and actual trusted certificates are rather expensive. Expense may also be a reason USSVI is not updated. Additionally, a REAL certificate is actually not only expensive but complex to obtain and configure. Certificate Authorities make you PROVE the domain is secure and the applicant is actually the owner or authorized to get the cert. Any of these reasons could be contributors to USSVI's situation - they may not know HOW to get a proper certificate. 

Source: a) This is what I do and b) I am a "Certified Ethical Hacker" (a fancy way of saying I have been trained like a bad guy but promised to use my powers only for Good, never for Evil).

Edit: So this made me curious, so I dug in and investigated. USSVI's certificate is valid, their server is not supporting TLS 1.2, the current protocols for encrypted connections. As Joe points out above, you get a warning, and if you click on the Learn More (or Advanced) button, you are allowed to proceed anyway. Note that your connection IS secured, just not with the most current protocols. In my opinion, this reduces your risk greatly, as in "better than nothing", but TLS 1.0 and 1.1 HAVE been hacked in the past.  Another problem I see is they are hosting on GoDaddy, who in my experience, is not exactly cutting-edge with security. Further, USSVI's Certificate was issued BY GoDaddy, who will provide one to anyone with an account and $50. GoDaddy is NOT a "real" Certificate Authority. Not supporting modern security protocols was one of the reasons I moved all my (and my client's) web sites off GoDaddy.

So what does all this geekery mean?

You can use USSVI without https for little risk. You can use USSVI *with* https (if you dismiss the warning) with even less (but non-zero) risk.
MT2/SS
USS Simon Bolivar - SSBN 641 (B)
USS Henry M. Jackson - SSBN 730 (B)
USSVI - Wyoming Base
Back to Top
Runner485 View Drop Down
BBS Supporter
BBS Supporter
Avatar

Joined: 16 Dec 2015
Location: Delaware
Status: Offline
Points: 3199
Post Options Post Options   Thanks (0) Thanks(0)   Quote Runner485 Quote  Post ReplyReply Direct Link To This Post Posted: 02 Dec 2020 at 10:58am
I get the same thing Dave. The url was always HTTPS...I think the site is being updated and is not allowing access.
================================================================

Secure Connection Failed

An error occurred during a connection to www.ussvi.org. Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Learn moreā€¦

This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.

TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.
DBF
Joe
SS485,CVA42
Holland Club
Mid-Atlantic Base
Back to Top
SaltiDawg View Drop Down
Rickover
Rickover
Avatar

Joined: 03 Jan 2016
Location: Rockville, MD
Status: Offline
Points: 2865
Post Options Post Options   Thanks (0) Thanks(0)   Quote SaltiDawg Quote  Post ReplyReply Direct Link To This Post Posted: 07 Nov 2020 at 7:06pm
Not a solution nor an answer
but if you remove the s in https and hit return you will see the page displayed.

I assume this may expose you to some security risk?
Back to Top
Dave595 View Drop Down
Old Salt
Old Salt
Avatar

Joined: 04 Jan 2016
Location: Beaverton, Oreg
Status: Offline
Points: 331
Post Options Post Options   Thanks (0) Thanks(0)   Quote Dave595 Quote  Post ReplyReply Direct Link To This Post Posted: 07 Nov 2020 at 6:58pm
I have had some people tell me they get this when they try to open the uSSVI page.  Any solution?  I don't have any problem with Windows 10 and firefox.

Your connection isn't secure

This site uses an outdated security configuration that might expose your personal information when it's sent to this site (for example, passwords, messages, or credit cards).

NET::ERR_SSL_OBSOLETE_VERSION

EM1(SS)
USS PLUNGER (SSN-595)
HOLLAND Club
USSVI LIFE Member
Blueback Base, Rogue-Umpqua Base, Olympic Peninsula Base
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 11.04
Copyright ©2001-2015 Web Wiz Ltd.

This page was generated in 0.078 seconds.