TOPIC:

Secure Login Pages 9 years 11 months ago #52303

Kingu (Topic Author), New Member, Posts: 2, Thank you received: 0
Good day,

Our administrators recently informed us that the free hosting does not include a secure login.

Looking closely, it appears they are right? I have seen other threads that say this is not possible. Curiously, as a system administrator, why exactly is this not possible? You use the same TLD, and just change subdomains. A wildcard SSL cert would take care of this in about a half hour's worth of time.

Is this a possibility, if not, please explain why not.

Thanks :)
Club President
ROK the Talk #04456966
Mequon, WI 53092
The topic has been locked.

Secure Login Pages 9 years 11 months ago #52306

Brian, Administrator, Posts: 10494, Thank you received: 3870
The cost of a wildcard cert is about $900.00. If your company would like to donate the funds each year, we would be glad to accept the funds. FTH is not part of Toastmasters International. FTH is run by Toastmaster volunteers for Toastmasters Clubs; the server is donated by a fellow Toastmaster.

Secure Login Pages 9 years 11 months ago #52307

PeggyLeeHanson, New Member, Posts: 15, Thank you received: 2
So, on this same topic, as District 35 Webmaster, I've been notified that one of our corporate clubs has been banned from accessing their club website due to being an insecure site.

Are you suggesting that to be secured through FTH each club would have to come up with $900 to become a secured site?

What other ways can our FTH sites be secured and safe from hackers and phishing schemes?

If this is not possible, FTH will not last long, especially in the corporate environments.

Respectfully,

Peggy Lee Hanson
District 35 Webmaster
Respectfully and gratefully,
Peggy Lee Hanson
TM35 Leadership Club #1517456

Secure Login Pages 9 years 11 months ago #52309

SteveTheTechie, Administrator, Posts: 11526, Thank you received: 3795
Peggy,

FTH employs a number of security strategies. However, it really depends on what types of security are important to you...
  • Passwords are stored in our database with MD5 encryption. No one can access passwords, not even me.
  • Your email address is not required to be used for logins. An identifying number is used instead when you pick your name from the drop-down.
  • SpamAssassin is highly regarded for checking email... we use it. (We went through a lot of effort to fully implement it last year.) It is sophisticated and will catch most suspicious emails.
  • We block email with blind carbon copies, since those are frequently spam/phishing emails.
  • We allow blocking most publicly accessible email addresses to block spam/phishing emails.
  • We block emails to distribution lists from those who are not authorized to send to those lists. (we check list membership)
  • We provide a mechanism for clubs to black list email addresses.
However, some additional security strategies require an expenditure of money for a "security certificate" or similar. (https/SSL, DKIM signatures, etc.) As we are not supported by Toastmasters International, we are not a company, and we are an independent effort driven by volunteer Toastmasters labor and open source/free software only, we have no money for purchasing security certificates. (The fact that we have been able to accomplish as much as we have despite that is no small miracle.)

You should not infer that security is unimportant to us. However, the fundamental premise of FreeToastHost is that it is free for clubs and districts to use, so we cannot really absorb any expenses, because we have no funding.

Brian is really the go-to guy on this, and he has been an integral part of the FreeToastHost effort since 2004, and I defer to him and trust his instincts on this completely. I only chimed in here because I do not want people to think we don't care about security... We absolutely do care about security. However, we also have additional constraints that we adhere to.
Last edit: by SteveTheTechie.
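The password-storage point in the post above, worked through as an added example (this is not FreeToastHost code and does not describe how FTH stores passwords): what a stored verifier looks like when it is produced with a salted, iterated KDF, how a login attempt is checked against it without the password ever being stored, and, for contrast, that an unsalted digest of the password alone is identical for every member who chose the same password. PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count and the sample passwords are assumptions.

```python
"""Storing a password verifier with a salted, iterated KDF.

Added example (not FreeToastHost code). Nothing stored here lets anyone
recover the password; a login check re-derives the key from the candidate
password plus the stored salt and compares it in constant time.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count chosen so one derivation costs ~100 ms on the
# login server; raise it as hardware gets faster and re-hash at next login.
KDF_ITERATIONS = 600_000


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> str:
    """Return the string to store for this user: algorithm, cost, salt, key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Verify a login attempt against a stored verifier."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never "accept"
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: no early exit that leaks how much matched
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def unsalted_digest(password: str) -> str:
    """Digest of the password alone, for contrast: same input, same output,
    for every user who picks the same password, and no per-user cost."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # constructed sample: two members who happen to choose the same password
    alice = make_verifier("Correct Horse", iterations=50_000)
    bob = make_verifier("Correct Horse", iterations=50_000)
    print("salted verifiers differ:", alice != bob)
    print("unsalted digests match:",
          unsalted_digest("Correct Horse") == unsalted_digest("Correct Horse"))
    print("login ok:", check_password("Correct Horse", alice))
    print("wrong password rejected:", check_password("correct horse", alice))
```

The stored string carries its own algorithm and cost, so the iteration count can be raised later and old records re-hashed on the member's next successful login.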

Secure Login Pages 9 years 11 months ago #52312

PeggyLeeHanson, New Member, Posts: 15, Thank you received: 2
Steve,

Thank you for your lengthy explanation. My intention was not to be disrespectful nor to infer that security is not important to you or all who volunteer their time, resources, and brilliance to FTH. I sincerely apologize that my comment had that effect.

It is a concern, however, to me and the clubs in my district, that another choice could be made by those clubs to go another route other than FTH. I LOVE FTH and actively promote and support the program. But, I guess that would be their choice to make.

I will forward your explanation onto the district leaders, one of whose company has blocked access to his club; perhaps the explanation may be enough to allow club access to its members.

Please, once again, accept my deepest apology for the unintentional negative inference. But also please, accept my deepest gratitude for all you and your team do to make the job of webmaster easy.

In appreciation and with the utmost respect,
Peggy
Respectfully and gratefully,
Peggy Lee Hanson
TM35 Leadership Club #1517456

Secure Login Pages 9 years 11 months ago #52316

SteveTheTechie, Administrator, Posts: 11526, Thank you received: 3795
Peggy,

I was not offended. However, in an open forum like this, I want to make sure people viewing this thread do not get the wrong ideas. Keep in mind that this is essentially like us having a conversation in front of a large crowd. ;)

Secure Login Pages 9 years 11 months ago #52323

Brian, Administrator, Posts: 10494, Thank you received: 3870
Peggy, a secure certificate for ALL of the Toastmasters clubs that use the domain toastmastersclubs.org would be a wildcard certificate and would cost FTH $900 per year to support ALL clubs using our domain.

A club using a custom domain would cost $89 per year.

Secure Login Pages 9 years 11 months ago #52327

Kingu (Topic Author), New Member, Posts: 2, Thank you received: 0
I am a District 35 club also, and have been "banned" from accessing the site via work.

<sarcasm>Aren't you volunteers supposed to be cheap? LOL </sarcasm>

900 bucks?!? Where are you shopping?

www.namecheap.com/security/ssl-certificates/wildcard.aspx

Positive or Essential, $94 or $99 bucks. While 900 or 99 from zero is still zero, however, it is much more affordable than you might think. You just need to shop a reseller. I use these for several of my clients. They work great when they need to offer multiple services and need a bunch of sub-domains secured.

Think it's do-able? Let me know if I can help.
Club President
ROK the Talk #04456966
Mequon, WI 53092

Secure Login Pages 9 years 8 months ago #53799

kahelfrich, New Member, Posts: 2, Thank you received: 0
Our company did the same thing, and we really love FTH. The meeting scheduling part especially was awesome, designed specifically for Toastmasters! It just works. We moved to Sharepoint, and we're not going to be able to create the same kind of functionality.

I have to imagine that the IT people (not the word I was thinking in my head, btw) at a lot of company-based clubs are doing the same thing. Could the districts fund it, or could we crowdsource the funding? I'll pitch in. FTH is worth it.

Secure Login Pages 9 years 8 months ago #53800

Brian, Administrator, Posts: 10494, Thank you received: 3870
FTH has acquired a secure certificate but many things have to be done to force the content to be accessed via the secure certificate.

1517456.toastmastersclubs.org/ works securely as they are only using fth items.

Those who use outside scripts and content will not be able to access the site securely, or if they are accessing content with an absolute URL, the certificate will fail.

4456966.toastmastersclubs.org/ accesses the images with absolute URL
The following user(s) said Thank You: kahelfrich
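The absolute-URL problem Brian describes is what browsers call mixed content: a page loaded over https that pulls images, scripts or stylesheets from http:// URLs. The following is an added example, not FreeToastHost code, of how to find such references in a club page and what to change them to. It parses HTML with the standard library, flags http:// sub-resources, and separates active content (scripts, stylesheets, frames, form actions, which browsers block on an https page) from passive content (images, which only draw a warning). The sample HTML is constructed for illustration; the club hostname in it is taken from the post above, the other hosts are made up.

```python
"""Find insecure absolute URLs (mixed content) in a page meant to be served over https.

Added example (not FreeToastHost code). The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

URL_ATTRS = {"src", "href", "action", "data", "poster"}   # attributes that fetch or submit
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}

Finding = Tuple[str, str, str, str]   # (tag, attribute, url, "active" | "passive")


class MixedContentFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # navigation links are not sub-resources
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and urlsplit(value).scheme.lower() == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, name, value, kind))


def find_mixed_content(html: str) -> List[Finding]:
    """Return every http:// sub-resource reference in the page, in document order."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def suggest_fix(url: str, page_host: str) -> str:
    """Same-host references become root-relative paths, which then inherit the
    page's own scheme; third-party references are switched to https."""
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() == page_host.lower():
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return urlunsplit(("https",) + parts[1:])


# constructed sample page: two active and one passive mixed-content reference,
# plus a relative image, an https script and a plain link that are all fine
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://4456966.toastmastersclubs.org/css/club.css">
<script src="http://widgets.example.org/counter.js"></script>
<script src="https://widgets.example.org/ok.js"></script>
</head><body>
<img src="http://4456966.toastmastersclubs.org/images/banner.png">
<img src="/images/logo.png">
<a href="http://www.toastmasters.org/">Toastmasters International</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML):
        fix = suggest_fix(url, "4456966.toastmastersclubs.org")
        print(f"{kind:7} <{tag} {attr}> {url} -> {fix}")
```

Running the scanner against the page over http before the switch is the useful order: every active finding is a resource that will silently stop loading the moment the page is served over https.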

Secure Login Pages 9 years 6 months ago #54655

kahelfrich, New Member, Posts: 2, Thank you received: 0
Brian:

Thanks for the update. I asked our company IT to review the site again, because our club really wants to go back to FTH. They had 2 comments.
  1. The site now supports https, but does not force http traffic to https. If you access the site using http (3418923.toastmastersclubs.org/), then the login request also gets sent over http. The Apache configuration should be updated to automatically redirect all http requests to https so that the site can only be accessed via https.
  2. The SSL configuration on the site is vulnerable to the POODLE attack. The SSL configuration needs to be updated to disable the SSL 3 protocol. The following links contain more information.
    www.ssllabs.com/ssltest/analyze.html?d=3...s.org&hideResults=on
    community.qualys.com/blogs/securitylabs/...by-the-poodle-attack
Is there any chance that these changes are part of what you are contemplating?

Thanks

Kurt
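The two findings in Kurt's post can be checked from outside without any scanner service. Below is an added example, not FreeToastHost code, that does both: it asks the plain-http port for the front page and decides whether the reply is a redirect to https on the same host, and it sends a hand-built SSLv3 ClientHello to port 443 and reads whether the server answers with an SSLv3 ServerHello (POODLE needs SSLv3 with a CBC cipher suite, so only CBC suites are offered). The ClientHello is built on a raw socket because current Python/OpenSSL builds cannot speak SSLv3 themselves. The decision logic is kept in pure functions that take the raw bytes or the status and Location header, so it can be exercised on constructed input; the default hostname is the one from the post, and the timeouts are assumptions.

```python
"""Probe a host for a missing http -> https redirect and for SSLv3 (POODLE).

Added example (not FreeToastHost code). SSLv3 is probed with a hand-built
ClientHello because modern Python/OpenSSL builds refuse to negotiate it.
"""
import http.client
import os
import socket
import struct
import sys
from typing import Optional
from urllib.parse import urlsplit

SSL3_VERSION = b"\x03\x00"
# TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA: CBC suites,
# the ones the POODLE padding oracle applies to.
CBC_SUITES = b"\x00\x2f\x00\x0a"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_sslv3_client_hello(client_random: Optional[bytes] = None) -> bytes:
    """Return one SSLv3 record holding a minimal ClientHello."""
    client_random = os.urandom(32) if client_random is None else client_random
    body = (SSL3_VERSION + client_random
            + b"\x00"                                        # session id: empty
            + struct.pack("!H", len(CBC_SUITES)) + CBC_SUITES
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_reply(reply: bytes) -> str:
    """'sslv3-accepted' for a ServerHello at version 3.0, 'refused' for an alert
    or a closed connection, 'other' for anything unexpected."""
    if len(reply) < 5:
        return "refused"                   # closed or reset before answering
    if reply[0] == 0x15:
        return "refused"                   # alert record (typically protocol_version)
    if (reply[0] == 0x16 and len(reply) >= 11
            and reply[5] == 0x02 and reply[9:11] == SSL3_VERSION):
        return "sslv3-accepted"            # handshake record, ServerHello, version 3.0
    return "other"


def redirects_to_https(status: int, location: Optional[str], host: str) -> bool:
    """True only if the plain-http reply redirects to https on the same host."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    return target.scheme.lower() == "https" and (target.hostname or "").lower() == host.lower()


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_server_reply(reply)


def probe_http_redirect(host: str, path: str = "/", timeout: float = 5.0) -> bool:
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return redirects_to_https(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "3418923.toastmastersclubs.org"
    print(f"{target}: http -> https redirect: {probe_http_redirect(target)}")
    print(f"{target}: SSLv3 probe: {probe_sslv3(target)}")
```

On Apache httpd the corresponding fixes are `SSLProtocol all -SSLv3` in the TLS virtual host and a `Redirect permanent / https://<host>/` in the port-80 virtual host; after reloading, the probe should report `refused` and `True`.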

Secure Login Pages 9 years 6 months ago #54656

SteveTheTechie, Administrator, Posts: 11526, Thank you received: 3795
Kurt,

I am the principal system developer at this time. For the last two years, I have been the only person doing system development, and I work as a volunteer. FTH is independently developed and maintained strictly with volunteer labor (all volunteers are also Toastmasters) and we do not have any budget to hire people or farm out development work. We do have another person that has recently volunteered to assist with development, but since the system is very large and involved, it is going to take a bit to get them up to speed.

This https improvement is on my to-do list--I have not forgotten it. However, the main problem that I have to find a way to resolve is that while we can switch to using https on the main pages, the website spawns many other pages (e.g. reports) that also need to get addressed. It is *not* as simple as you may think. This is a system wide, global change that has wide ranging impacts.

So... while I actually did try to make the switch a few months ago, we ran into issues (w/ reports) that indicated that there was a good bit more work involved in this than I originally thought. :pinch: We also have to switch from https to http for clubs with a custom domain since our security certificate only addresses the toastmastersclubs.org domain.

Unfortunately, this is the fundamental conundrum with FTH being used for corporate clubs. We really do not have the means to quickly make changes that corporate clubs may be expecting. Also, while we certainly are interested in good security, if you look hard enough, you can probably find vulnerabilities. All I can promise is that we (me) will try to do the best we can to make improvements as my available spare time permits.
The following user(s) said Thank You: tedchuang
Last edit: by SteveTheTechie.

Secure Login Pages 8 years 6 months ago #60284

jasobel, New Member, Posts: 1, Thank you received: 0
Steve,

Thank you for the detailed information on the situation and challenges faced in remedying the site security issues. As it has been about a year since your post and the issue seems to still be present, I was wondering what progress has been made to resolve it.

If you need assistance with the work, I may be able to assist myself and/or recruit others for this effort. Contact me privately if this would be helpful.

Best Regards,

Jeff