Hi everyone.

You might have noticed it: Is-a-furry.org has a new set of certificates.

Since I use Let’s Encrypt, the certificates get changed every 3 months.

If you get a warning about a new certificate, you can compare it with the certificate used on the homepage.

Greetings

Arsimael

After some years, it finally happened.
I.got.fooled!

But let’s start from the beginning:

Last week, on the 21st of June, I got a ticket with a “lost password” topic.
I verified the rightful owner by asking him for 5 contacts out of his list and some details he entered when the account was created.
Sadly, there wasn’t an email address connected to this account.

I reset the password and wrote the new password into the ticket. – BAD MISTAKE.

I don’t know how, but the guy who requested the password was NOT the rightful owner. The real owner contacted me just a few hours later.
And he COULD authenticate and prove it was his account thanks to earlier tickets he had created. He named the right email address and so on.

I could give him his account back and learned a good lesson. But now I am in a bind.

I don’t want your personal information. IAF uses the principle of “as little data as possible, as much data as needed”.
You can use IAF.org completely anonymously, via Tor and so on.
But I need some information to validate your rightful ownership in cases like this.

So here’s a semi-good idea:

Add a valid email address to your profile. Use a spam address. One you don’t need every day. One that can float around on the net.

If you need a password reset or something similar, I will write to THIS address, the one attached to your Jabber account.

If someone tries to steal your account and can trick me into believing it’s his account, not yours, you might not be able to log in. But then you can be sure your new password is in YOUR mailbox and your account is still safe from others.

Nobody is perfect. I have a lot of security in place, but in the end I’m human. And if someone can answer all security questions and fool me into resetting a password, there is still this last step.

Hope you can understand what I’m trying to say.

  • Use different passwords for different services!
  • Use a password generator if you can’t come up with good passwords!
  • Suggestion: KeePass 2

Greetings
Arsimael

Related: How secure is IAF.org

Hi everyone.

Some of you might have noticed, some might not: Is-a-furry.org has a new set of SSL certificates.
And now the web and the XMPP server use the same set of certs.

Over the last years I used a lot of certificate providers: StartCom, GeoTrust, RapidSSL, Symantec, etc.
Now I’m trying a new provider: Let’s Encrypt.

Pros:
– It’s free (lower costs for me)
– It’s scriptable. That means I don’t have to update the certs by hand and restart all services; this can be done automatically
– I get a warning if my certs are about to expire
– Same cert for Webserver and Chatserver

Cons:
– They are only valid for three months. So there are four changes per year instead of one.

If you get a certificate warning when connecting to is-a-furry.org, check that you are seeing the right certificate.

Serial number:
03 3e 4b db ec 5f 92 ce 19 32 d9 71 e8 04 d3 22 8e 91

Fingerprint:
f5 d2 a6 20 41 6b 22 b8 4e f7 6f 22 f9 4e 6f 32 b3 27 61 38

Issuer:
Let’s Encrypt Authority X3

Valid until:
13.08.2016

Thanks for your patience
A.I.

Oh, by the way: xmpp.net score and SSL Labs A+ rating 😀

In the last few days I reworked the whole encryption/page security setup.

And I got my A+ rating on SSLLabs.com back :). Unfortunately, many old and outdated browsers and platforms are also no longer able to connect to the homepage of is-a-furry.org. You can have a look at the SSLLabs.com rating to see which devices are now unable to connect to iaf.org.

This does not affect the mail or Jabber server. They have their own set of encryption algorithms.

Sorry for the recent restarts, but I am still NOT DONE with those spamming cunts.

For all the new people here: In-band registration is now disabled. This means you can’t register an account via a Jabber client.

If you want to register an account on is-a-furry.org, you have to do this >>here<< (this has been available for months, but I just wanted to point it out again).

So what happened? In the last few days I got hundreds and hundreds of spammers and bots which tried to register (in total) 134,763 accounts on is-a-furry.org, im.it-native.de and jhml.de. They are stupid and didn’t know that it’s only possible to create an account every ten minutes from the same IP address, so I could block nearly 90% of their tries without lifting a finger. An additional 8% were blocked by my “servers are not allowed to register an account” rule. Meaning: servers on the net (those you can rent from hosting companies) are not allowed to register an XMPP account. (Don’t get me wrong, if you want to use your Jabber account on IRSSI or any other command-line messenger on Linux or Windows, feel free to do so, you just can’t REGISTER an account from there.) Anyways, I got sick of it. Then the real spamming started: Russian Jabber messages about “Quality Jabber Spam, 2 Million accounts! Just contact blahblah@spamm.fu”. So I took action.

Here are the latest changes:

  1. In-band registration is deactivated. That means you have to register an account via the website.
  2. Strangers can’t text you anymore. That means if you want to chat with somebody, you have to add them to your contact list first.
  3. You can still join MUCs (rooms) and chat with everyone, whisper to anyone and get whispers from anyone in the room.

I hope now the spamming stops. We’ll see.
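The two rules the post describes (at most one registration per source IP every ten minutes, and no registrations at all from rented-server address ranges), as an added Python model that is not Prosody’s code or the server’s actual configuration. It applies the throttle first and the hosting rule second, in the order the post reports their effect, and runs both over a constructed attempt log so you can see which rule catches what. The address ranges and the attempts are constructed stand-ins (documentation and private ranges), not real provider allocations or real log data.

```python
"""Registration abuse filter: per-IP throttle plus a hosting-range deny rule.

Added example, not Prosody's code or the server's real configuration. The
ranges and the attempt log are constructed stand-ins.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

TEN_MINUTES = 600  # seconds that must pass between registrations from one IP

# Constructed stand-ins for hosting-provider networks ("servers on the net").
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8::/32")]


@dataclass(frozen=True)
class Attempt:
    ts: int        # Unix time of the registration request
    ip: str        # source address of the request
    username: str  # requested account name


class RegistrationFilter:
    """Applies the throttle first, then the hosting rule, as the post describes."""

    def __init__(self, min_interval=TEN_MINUTES, hosting_ranges=HOSTING_RANGES):
        self.min_interval = min_interval
        self.hosting_ranges = hosting_ranges
        self.last_seen = {}   # ip -> time of the last attempt that passed the throttle
        self.counts = Counter()

    def decide(self, a: Attempt) -> str:
        """Return 'throttled', 'hosting' or 'accepted' for one attempt and tally it."""
        last = self.last_seen.get(a.ip)
        if last is not None and a.ts - last < self.min_interval:
            verdict = "throttled"
        else:
            # The window restarts even if the hosting rule rejects this attempt,
            # so a bot on a rented server cannot hammer the second rule either.
            self.last_seen[a.ip] = a.ts
            addr = ipaddress.ip_address(a.ip)
            in_hosting = any(addr in net for net in self.hosting_ranges)
            verdict = "hosting" if in_hosting else "accepted"
        self.counts[verdict] += 1
        return verdict


def run(attempts, **kwargs):
    """Filter a whole log; returns (tally per verdict, verdict per attempt)."""
    f = RegistrationFilter(**kwargs)
    verdicts = [f.decide(a) for a in attempts]
    return dict(f.counts), verdicts


def blocked_fraction(counts) -> float:
    """Share of attempts rejected by either rule."""
    total = sum(counts.values())
    return (total - counts.get("accepted", 0)) / total if total else 0.0


# Constructed attempt log: one legitimate user per address, bots retrying quickly.
CONSTRUCTED_ATTEMPTS = [
    Attempt(0,   "10.0.0.5",    "alice"),  # accepted
    Attempt(30,  "10.0.0.5",    "bot1"),   # throttled: 30 s after alice
    Attempt(120, "10.0.0.5",    "bot2"),   # throttled
    Attempt(200, "203.0.113.7", "bot3"),   # hosting range
    Attempt(300, "203.0.113.7", "bot4"),   # throttled: 100 s after bot3
    Attempt(400, "192.0.2.9",   "bob"),    # accepted
    Attempt(700, "10.0.0.5",    "carol"),  # accepted: 700 s since alice
    Attempt(800, "2001:db8::1", "bot5"),   # hosting range (IPv6)
]

if __name__ == "__main__":
    counts, verdicts = run(CONSTRUCTED_ATTEMPTS)
    for a, v in zip(CONSTRUCTED_ATTEMPTS, verdicts):
        print(f"{a.ts:4d} {a.ip:14} {a.username:6} -> {v}")
    print(counts, f"blocked {blocked_fraction(counts):.0%}")
```

On the constructed log the throttle alone rejects three of the five bad attempts and the hosting rule the other two, which is the same shape as the 90%/8% split the post reports: a per-IP interval stops retries cheaply, and a source-network rule is only needed for the first attempt from each rented machine.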

Sorry for the recent restarts, but I had to configure a new feature.

Over the last few days I got lots and lots of spam messages. Like “Contact someuser@spamdomain.ru for cheap but high quality Jabber/XMPP Spam”.

I tried to write to the server owners of these domains to make them have a look at what’s going on on their servers, but I never received any answer.

That’s why I added a new plugin to the server. It’s a bit more than just a plugin. I upgraded to the newest Prosody version (that’s the server software I use for the Jabber/XMPP server) and activated the blocklist module – with some extensions.

Now you are able to block users on your account. That means if you are bugged by someone, you can block them on the server and don’t have to do this on every single client you use. And I can also block whole domains from connecting to my server (in addition to the non-SSL-encrypted servers).

AND I will maintain a new list: a list of blocked domains and the reasons why they are blocked.

–> blocklist

stay tuned ~ a.i.

Is-a-furry.org is starting its fourth year of service now. And because of this, we got a new SSL certificate.

IF you get any errors, compare the fingerprints. The official SSL certificates have these fingerprints:

SHA-256:

84:9A:C8:67:17:0A:0D:53:30:4E:6C:73:F7:AC:49:2E:B9:80:13:09:2D:EB:57:4A:2E:42:9C:C2:49:D0:AA:19

8A:E1:F1:63:C8:9C:CD:02:FB:83:26:E0:1D:3E:DD:E7:12:75:06:17:D0:6D:7C:7F:0F:3E:BF:F4:12:C7:8A:6B

SHA1:

F1:CB:A5:3E:B1:F4:BB:C5:1B:33:FC:5A:A4:20:95:2D:49:DA:9B:BB

8F:75:1D:01:10:95:6A:95:43:2C:A2:EA:76:39:ED:B3:72:65:9E:0E

The certificates are verified by GeoTrust / StartCom Ltd. and are valid until May 2016.

This certificate is valid for the XMPP server and the homepage.
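The check both certificate announcements ask readers to perform (compare the fingerprint your client shows against the published one), as an added Python example that is not part of the original posts or of the server’s own tooling. It accepts fingerprints in either spelling used on this page (space-separated lowercase as in the Let’s Encrypt post, colon-separated uppercase as here, possibly wrapped over two lines), tells SHA-1 from SHA-256 by the length, and compares against the digest of the certificate’s DER bytes. The DER bytes and the “published” values inside the block are constructed stand-ins so it runs offline; the real fingerprints are the ones listed above. The network path (`ssl.get_server_certificate`) is shown but not exercised.

```python
"""Verify a server certificate against a published fingerprint.

Added example (not from the is-a-furry.org posts). The DER bytes and the
"published" fingerprints below are constructed stand-ins so the script runs
offline; substitute the real values from the announcement.
"""
import hashlib
import hmac
import re
import ssl


def normalize_fingerprint(text: str) -> str:
    """Reduce "f5 d2 a6 ..." or "84:9A:C8:..." (even line-wrapped) to bare lowercase hex."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def algorithm_for(fp_hex: str) -> str:
    """A 20-byte fingerprint is SHA-1, a 32-byte one is SHA-256; anything else is a typo."""
    try:
        return {40: "sha1", 64: "sha256"}[len(fp_hex)]
    except KeyError:
        raise ValueError(f"unexpected fingerprint length: {len(fp_hex)} hex digits") from None


def fingerprint(der: bytes, algo: str) -> str:
    """A certificate fingerprint is simply the digest of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def matches(der: bytes, published: str) -> bool:
    """True if the certificate's digest equals the published fingerprint."""
    want = normalize_fingerprint(published)
    got = fingerprint(der, algorithm_for(want))
    return hmac.compare_digest(got, want)  # constant-time comparison


def pem_to_der(pem: str) -> bytes:
    """PEM is just base64-wrapped DER; the ssl module does the unwrapping."""
    return ssl.PEM_cert_to_DER_cert(pem)


def check_live_server(host: str, published: str, port: int = 443) -> bool:
    """Network path: fetch the leaf certificate the server presents and compare.

    Not exercised here; it needs connectivity to the host.
    """
    pem = ssl.get_server_certificate((host, port))
    return matches(pem_to_der(pem), published)


# Constructed stand-ins: three bytes playing the role of a DER certificate,
# and the same bytes wrapped in PEM armour.
CONSTRUCTED_DER = b"abc"
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Digests of those constructed bytes, written in the two spellings used on this page.
PUBLISHED_SHA256 = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
PUBLISHED_SHA1 = "a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"

if __name__ == "__main__":
    print("sha256 matches:", matches(CONSTRUCTED_DER, PUBLISHED_SHA256))
    print("sha1 matches:  ", matches(pem_to_der(CONSTRUCTED_PEM), PUBLISHED_SHA1))
```

To use it against the real server, call `check_live_server("is-a-furry.org", "<fingerprint from the announcement>")`; for the XMPP port the certificate is only presented after STARTTLS, so there an XMPP client’s certificate view is the practical way to obtain the DER bytes.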

The list of good and stable Jabber clients is finished. If you don’t know which one to choose, or which one’s a good one, maybe this helps you a bit. You can find the list if you hover your mouse over “How to chat” – second line.

Candy got fine-tuned and should now also run on IE (rumors say down to version 7, but I really, really hope you are not using Windows XP anymore).

Jappix got its latest updates and a short maintenance. – But I still can’t figure out why Jappix needs AGES to send a message to the chat rooms.

Happy Chatting!

Oh, by the way: the TeamSpeak 3 server is up, and maybe I will add a Mumble server.

I worked a bit more on the different chat systems.

First of all: Jappix is available again. But it has no priority when it comes to errors.

Candy now connects to both rooms. “chat” and “bedroom” are now available.

Fixed some errors where images were not shown on this page.

I had to get rid of some old encryption algorithms. RC4 is now disabled, which brings me back the “A” rating on SSL Labs.

Changed the look and feel of the IAF homepage. There are no longer two different menus. You can find Jappix, Candy and all tutorials in the menu above.