Don't mean to be a bother about this...



  • But, when I started poking around EZA Forums, I noticed that it shows you full IP/Browser/etc. details somewhere in the options... I dunno about you, but this seems like a security problem down the road. Ya know, like when users get hacked, and whatnot. This is a reality. It's nothing you should be shrugging off, because Steam, Epic, and other major forums were hacked. Now, don't get me wrong, I get that they were hacked because of various reasons; the Steam and Epic forums were vulnerable because the software they were using (vBulletin) had exploits.

    What I am saying, is that the details in there might be a problem tomorrow. It might not be today, but tomorrow, sure. I'm not familiar with the forum software being used, but either way it looks robust so far! :)



  • As far as I know, these are only visible to you and the admins, although I assume you're talking about the forum database being accessed and this information "leaking out". Although I don't really see this as a major security issue since any site you visit can track and log your IP address. One way to do it in say PHP is to use the following code:

    $your_ip = $_SERVER['REMOTE_ADDR'];
    

    So say I wanted to know your IP, I could paste a link here (like a link to some article), which would send you to my server, log your IP and immediately redirect you to some other site. In many cases you wouldn't even know (especially if I used a shortener like bit.ly). BTW, browser configuration is also a standard value that your browser sends out to all websites you visit.

    @UltimateBrent, is this totally correct? Did I miss something?

    What I am a bit concerned about and I believe it was already mentioned in a different thread is the fact that the forums aren't using an SSL certificate, which means passwords and usernames aren't being sent encrypted. As far as I know, @UltimateBrent already knows about this.


  • admin

    @marcel You're correct, you could do that to get an IP.

    And no, there's no SSL on the login. Use Google or Twitter auth if you're worried about that.



  • Knowing an IP of a random member of a forum isn't a security issue and as @marcel pointed out is easy to obtain through other means.

    I do agree about not using SSL for log in though. @UltimateBrent how come this hasn't been implemented? There are a lot of free options that are easy enough to set up.


  • admin

    @FallenBlade I will likely just make the whole forum SSL, rather than trying to mod the forum software to only do it for the login pages. Like I said though, it's secure if you do Google or Twitter auth. You have an option if you're worried about security.



  • @UltimateBrent Like you said. Better to just put up the whole site and all subdomains under SSL. A wildcard certificate for a domain and all subdomains can run for 100USD or less so this might be a worthwhile investment. Maybe this is something to discuss with Brandon :)


  • admin

    @marcel said in Don't mean to be a bother about this...:

    @UltimateBrent Like you said. Better to just put up the whole site and all subdomains under SSL. A wildcard certificate for a domain and all subdomains can run for 100USD or less so this might be a worthwhile investment. Maybe this is something to discuss with Brandon :)

    SSL is free nowadays with Let's Encrypt actually.



  • I have read all answers. But what I meant was: Once a user gets access to your account, they can also poke into settings and look at your IP address. I don't have a problem with an admin seeing my IP, because it IS only him seeing it. I dunno. I just thought it was a small detail that I noticed that was probably going to be a problem later.


  • admin

    @Carlos said in Don't mean to be a bother about this...:

    I have read all answers. But what I meant was: Once a user gets access to your account, they can also poke into settings and look at your IP address. I don't have a problem with an admin seeing my IP, because it IS only him seeing it. I dunno. I just thought it was a small detail that I noticed that was probably going to be a problem later.

    Where are you seeing IP addresses?



  • @Carlos AFAIK the IP and client details the site shows you are based on what you are viewing the site with. If someone gained access to your account they'd only end up seeing their own browser and IP details.



  • @UltimateBrent At the bottom of the Profile Settings there is a log of your last couple of log-ins. It keeps a record of your OS, browser, and IP.



  • @carlos Aren't most of these things part of the regular user agent that all websites use? They might not show you all of that info, but it is always used to determine how content is delivered, isn't it?

    Not to mention, you are seeing YOUR recent IPs, right? I haven't seen others' IPs show up for me anywhere on the site.



  • @Carlos I feel the same.