1. Forum
  2. DOVE-Net
  3. Synchronet Discussion

  • Security Question

    From HusTler@VERT/HAVENS to All on Sunday, October 18, 2020 14:47:14
    So for whatever reason I am unable to get https working on my bbs. My question is if someone logs on using ftelnet from the webpage which is using the webv4 interface, is the users name and password encrypted? What about if the user logs on using the web interface. Is that encrypted? How would I check this myself? Is that a whole new thing? Thanks


    ... Life is a sexually transmitted disease

    HusTler
    Havens BBS
    (havens.synchro.net:23)

    ---
    � Synchronet � Havens BBS havens.synchro.net
  • From Digital Man@VERT to HusTler on Sunday, October 18, 2020 17:10:42
    Re: Security Question
    By: HusTler to All on Sun Oct 18 2020 03:47 pm

    So for whatever reason I am unable to get https working on my bbs. My question is if someone logs on using ftelnet from the webpage which is using the webv4 interface, is the users name and password encrypted?

    ftelnet uses websockets, which are not encrypted by default. There is WSS (websockets-secure) support in exec/websocketservice.js, but I don't recall if ftelnet does/can use it.

    What about if
    the user logs on using the web interface. Is that encrypted?

    It depends. The legacy web UI uses http authentication, which is usually digest (not clear text). ecWeb uses his own login method would would be encrypted from the client when using HTTPS.

    How would I check this myself?

    Use a network sniffer, like Wireshark.



    digital man

    Synchronet/BBS Terminology Definition #15:
    CR = Carriage Return (ASCII 13, Ctrl-M)
    Norco, CA WX: 78.3�F, 54.0% humidity, 9 mph E wind, 0.00 inches rain/24hrs

    ---
    � Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net
  • From echicken@VERT/ECBBS to Digital Man on Sunday, October 18, 2020 21:43:31
    Re: Security Question
    By: Digital Man to HusTler on Sun Oct 18 2020 18:10:42

    ftelnet uses websockets, which are not encrypted by default. There is WSS (websockets-secure)
    support in exec/websocketservice.js, but I don't recall if ftelnet does/can use it.

    If the page is served via HTTPS, webv4 will try to configure ftelnet to use WSS. The sysop needs to have WSS configured in services.ini.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    � Synchronet � electronic chicken bbs - bbs.electronicchicken.com
  • From Tracker1@VERT/TRN to Digital Man on Monday, October 19, 2020 18:58:48
    On 10/18/2020 6:10 PM, Digital Man wrote:
    ftelnet uses websockets, which are not encrypted by default. There is WSS (websockets-secure) support in exec/websocketservice.js, but I don't recall if ftelnet does/can use it.

    ftelnet can use wss.

    --
    Michael J. Ryan
    tracker1 +o Roughneck BBS

    ---
    � Synchronet � Roughneck BBS - coming back 2/2/20