Silk Road forums
Support => Feature requests => Topic started by: NaN on June 18, 2011, 08:56 pm
-
Repost from "Business as usual"
Welcome back SR!
Just a quick suggestion about this new forum. I think using an open source solution like this is a VERY bad idea. One of the first things I was impressed by when I discovered SR was that everything was custom, secret, and locked down. This program has thousands of lines of code that make all these emoticons and whatnot work. While that looks nice and good, I can guarantee black hats have zero day exploits in their pockets for SMF and many other PHP projects. That is often how server security is breached and confidential info is leaked. For example, this forum is designed to log IPs by default...
Not really a warm fuzzy feeling when I saw that we had moved to this. Good call on separating it though!
-
If anything this makes it more secure. The only IP being logged is 127.0.0.1. This forum is on a completely different server so if it is hacked, the worst they are gonna do is post something under your name? Big deal. SR knows what he is doing people. All these security posts are made by people with no knowledge of how things operate.
-
I would be surprised if this is stock SMF dropped straight in, as there are mods available to harden security considerably with very little work.
There are pros and cons to a closed source, stripped down forum (as before) and there are pros and cons to an expansive open source solution, plug-ins etc (as we have now) too. Not sure why it's on SMF RC3 as the Gold version is out, but currently released exploits and vulnerabilities targeting < 2.0 final don't really seem viable in practice and rely on server misconfiguration or major security lapses on the admin's account rather than being vulnerable out of the box. The fact that this is a .onion site makes things slightly harder from an attacker's perspective, even if it's down to something as basic or small as the latency of TOR making certain attacks much less desirable in comparison to clearnet sites. As envious said, the IP 'logged' status isn't an issue on here.
Not to say there aren't 0days sitting there now or that there won't be attacks in the future, whether they come from bored script-kiddies or someone higher, but at least you have the advantage of this forum's source being freely available to analyze, broadly deployed and regularly patched in comparison to the 'security by obscurity' model before.
The fact that this forum is now isolated from your account and transaction stages is a huge step forward. Prior to this, if your account was compromised a malicious user had access to your personal mailbox, funds in wallet and reputation; if registration was down and your account was jacked there was pretty much nothing you could do. Assuming you are using separate credentials for the Silk Road market, an attacker has much less to go on, and you have a means to contact the admin or other members should one or the other go down.
-
But not all is custom made. Today an error message seen by others revealed that a certain PHP framework (not to mention which) was used, or it has the appearance thereof... not that that is necessarily bad, but it didn't look to me as if this was hand coded...