Solved https for kodi.tv website
#1
Hello,

You have http://kodi.tv/contribute/donate-by-wire-transfer/ and I think it's rather irresponsible behaviour to put account numbers on an insecure page. Wire transfers aren't "secure" in a sense that if you send your money to a fraudster, your chances of getting the money back are close to zero (unlike when paying with a credit card).

You (the people running the kodi.tv internals) probably can even get a certificate for free: https://www.globalsign.com/en/ssl/ssl-open-source/ so it's not a question of cost.

If you don't have experience on setting up https, and need help, I can help. I can come to irc or whatever at a suitable time to answer any question on regarding setting up https (also, if you want a quick audit on some basic stuff for running servers reasonably securely so you don't end up like Sony, I can also do that). I do stuff like that for a living, and although we don't use debian at work, I've been using debian and debian based distros on my personal computers for ages.

(P.S. security wise best practice is not to advertise what you're running. http://httpd.apache.org/docs/2.2/mod/cor...rvertokens )
#2
we're already trying to get a free certificate IIRC - at least kib mentioned some time ago to have a look at it. Thanks for bringing this topic up again.
#3
(2015-01-16, 13:43)da-anda Wrote: we're already trying to get a free certificate IIRC - at least kib mentioned some time ago to have a look at it. Thanks for bringing this topic up again.

Great, good to hear! Hopefully you can get it sorted out. Meanwhile, you can also get (short lived) free certificates instantly, e.g. https://www.comodo.com/landing/ssl-certi.../free-ssl/ .
#4
Am I missing something, because having https shouldn't have any impact on us publicly showing the account number or not.

EDIT: ah wait, I think I understand now. You're not talking about the transaction, but just making sure that is really our account. That's a pretty good point, in that case.
#5
(2015-01-17, 04:31)Ned Scott Wrote: Am I missing something, because having https shouldn't have any impact on us publicly showing the account number or not.

EDIT: ah wait, I think I understand now. You're not talking about the transaction, but just making sure that is really our account. That's a pretty good point, in that case.

Yep, it doesn't affect you directly, but indirectly if people donating send their monies to the fraudster instead of the xbmc foundation.

Not that it's likely that someone modifies the page on the fly to switch the account number, kodi is not THAT popular, but security by unpopularity is no security... At least with paypal you see who you are sending money to.

Although, I must say I'd click the paypal donate button with more confidence if the page the button is on was https.

Really, there's no excuse for not having https, just do it. If you can't for whatever reason, get help, e.g. from me. Make it a priority.

(P.S. http://www.httpvshttps.com/ )
#6
4 weeks and counting. I guess this is a rather low priority.
#7
Yes. Yes it is.
Understand that these things are costly, and getting them for free is a long process.
Add to that that I do actually have a very demanding day job and there you go.

Furthermore, actually having our 100 million redirections per day running, looking at updating the forum and wiki, procuring a new server, are all more important than adding HTTPS overhead to a server that is sometimes having trouble - hence the replacement.
#8
@Kib, thanks for an honest reply.
#9
Sorry if this is a very stupid suggestion, but surely a general and cheap certificate would be more than suitable. It could be enabled just for that page. A €15 SSL certificate isn't going to compare to one with wildcard support, but that doesn't appear to be what's required for this.

I use eight or none of these types of certificates for my websites.

If it is just a matter of making sure https:// is used for http://kodi.tv/contribute/donate-by-wire-transfer/ then with the current software the website is using it's 3 lines and a certificate installed and set up. What is the objection to a basic yet valid certificate?

Am I missing the point?
Please read the online manual (wiki) & FAQ (wiki) before posting.

Skins: Estuary | Xperience1080
Opinion: Never purchase HTC products
#10
We also want it on some other domains, so I'd rather spend a little bit more time to get a wildcard cert / cert with extra SANs added.
Having virtualhosts makes the situation a bit more complicated as well.

And the most important reason I highlighted is simply the lack of time combined with a lack of priority.
Whatever way you look at it, many other things are more important. See above.
#11
To keep you guys in the loop: we were approved by GlobalSign to get a free wildcard cert for a year.
But the code I got from the employee who created it did not work when I was ordering: "The code does not exist".

I have sent a followup mail to the guy that created the code for me and am awaiting his answer.
#12
(2015-02-15, 19:06)Kib Wrote: To keep you guys in the loop: we were approved by GlobalSign to get a free wildcard cert for a year.
But the code I got from the employee who created it did not work when I was ordering: "The code does not exist".

I have sent a followup mail to the guy that created the code for me and am awaiting his answer.

Excellent news :)
#13
Got the cert today and installed it.
As I imagined, the (old old) server that is running trac/wiki/main website could not handle all the kodi.tv traffic when it was forced over https.

I took the middle road and left the default of http active, but I changed the links on the website to point to

https://kodi.tv/contribute/donate/
as well as
https://kodi.tv/contribute/donate-by-wire-transfer/
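The "middle road" described in the post above (plain http stays the default, but the donation pages are always served over https) together with the ServerTokens point raised in the first post, as an added Apache 2.2 configuration example. This is not kodi.tv's actual configuration; the hostnames, document root and certificate file paths are assumptions.

```apache
# Added example, not the kodi.tv server's own configuration.
# Hostnames, DocumentRoot and certificate paths are assumed placeholders.

# Do not advertise the exact server version in the Server header or
# in error pages (the point made in the first post of the thread).
ServerTokens Prod
ServerSignature Off

<VirtualHost *:80>
    ServerName kodi.tv
    DocumentRoot /var/www/kodi.tv

    # Middle road: plain http keeps serving the bulk of the traffic, but any
    # request for the two donation pages is permanently redirected to https,
    # so the account number is only ever shown on an authenticated page.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/contribute/donate(-by-wire-transfer)?/?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName kodi.tv
    # Extra hostnames covered by the wildcard cert (assumed names).
    ServerAlias forum.kodi.tv wiki.kodi.tv
    DocumentRoot /var/www/kodi.tv

    SSLEngine on
    # Certificate, private key and the CA intermediate chain (assumed paths).
    SSLCertificateFile      /etc/ssl/certs/kodi.tv.crt
    SSLCertificateKeyFile   /etc/ssl/private/kodi.tv.key
    SSLCertificateChainFile /etc/ssl/certs/kodi.tv-chain.crt

    # Disable the legacy protocol versions and weak ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
```

The redirect is done in the port-80 virtual host rather than by changing links, so a visitor who types or bookmarks the http URL still ends up on the https version. Without SSLCertificateChainFile, browsers that do not already have the CA's intermediate certificate cached would show a trust warning even though the certificate itself is valid.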
#14
(2015-02-16, 17:15)Kib Wrote: Got the cert today and installed it.
As I imagined, the (old old) server that is running trac/wiki/main website could not handle all the kodi.tv traffic when it was forced over https.

I took the middle road and left the default of http active, but I changed the links on the website to point to

https://kodi.tv/contribute/donate/
as well as
https://kodi.tv/contribute/donate-by-wire-transfer/

Purely out of curiosity, what are the specifications of the hardware?
#15
I heard it was a dead rat attached to some hard drives.