Jump to content

Question

Posted

So reading a thread and came across this statement

"Even the neowin login page is not encrypted"

Now I thought to myself - that can not be true.. I know the page itself is not fully encrypted, but that is not an issue the sending of the username and password could be using a https post, etc.

So figured I would take a look see.... Oddly enough, the post for the login looks to be in the clear from the page source

[code]
<form action="http://www.neowin.net/forum/index.php?app=core&amp;module=global&amp;section=login&amp;do=process" method="post" id='login'>
[/code]

Now I said -- hmmm, I know a little bit about html, but maybe I am missing something and I am looking at it wrong or something. So I did what I know better and that is looking at network sniffs... So I took one while logging in..

And what you know - my password right there in the clear?? That is not a very safe practice... I know its only a forum and such, and I agree you sure don't have to encrypt the whole site - but not the sending of the username and password?? That needs to be corrected!!

Now my password is complex random - but I assure you it was in the clear.

[attachment=328758:passwordinclear.png]

Not sure what that auth part is there I highlighted, but hid it as well.

So am I correct in that everyone that is logging into neowin is sending username and password in clear??
9 people like this

Share this post


Link to post
Share on other sites

108 answers to this question

  • 0

Posted

Yes, the username and password on neowin are in pure clear text when sent to their servers. No SSL, no hashing, no encryption, just your name, your password.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

Yep. May be an IPB issue

Share this post


Link to post
Share on other sites
  • 0

Posted

This sort of thing really is more common than you'd think.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='trek' timestamp='1361863256' post='595544122']
Yep. May be an IPB issue
[/quote] I don't think so - I looked on their website, and their form shows it being posted via HTTPS

[code]
<form action="[url="view-source:https://www.invisionpower.com/clients/index.php?app=core&module=global&section=login&do=process"]https://www.invisionpower.com/clients/index.php?app=core&amp;module=global&amp;section=login&amp;do=process[/url]" method="[url=""]post[/url]" id='[url=""]login[/url]'>
[/code]

I am hoping someone just forgot the S there -- but that seems unlikely because you can not access neowin.net via https at all. So maybe they don't have a cert to use?

Share this post


Link to post
Share on other sites
  • 0

Posted

Most systems that "care" if their accounts could get hacked or not use an SSL connection for at least the login page. Honestly, what damage can really be done on this forum if someone hacks your account? HOPEFULLY people here are smart enough not to use the password on this site on any of their other more important web logins.

Share this post


Link to post
Share on other sites
  • 0

Posted

ah keep it as plain text, that way if I ever get drunk and go turbo on the forums I have a scape goat now.... :p

Share this post


Link to post
Share on other sites
  • 0

Posted

Expectation of the lack of password entropy isn't justification for a site not following best security practices..

Not to mention, password entropy is the biggest issue with authentication now days >.>

SO. Not good >.>

Share this post


Link to post
Share on other sites
  • 0

Posted

I hear yah - it is just a forum.. But personal info about the account could be gleaned form the users control panel. And yeah again great info the password you use here should not be the same as your other logins, etc. But it is still very bad practice, I can not believe it was done on purpose - it must be some oversite somewhere??
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

True, but VB's I frequent also md5 hash the passwords first even if the post action is not encrypted

Share this post


Link to post
Share on other sites
  • 0

Posted

I completely agree, hell, every login page that I've coded the password gets hashed and salted before ever even being submitted to the server, and that ALL gets sent across a SSL encrypted connection. Maybe the server admin doesn't want to pay for a cert? lol

Share this post


Link to post
Share on other sites
  • 0

Posted

I would imagine the option to use https on the login page is an option in the admin area of IPB. I can't can't find a manual though for IPB.
I can see what your saying but I use lots of sites and I would imagine well over half are not secure. Still, if IPB has a flick switch to enable it maybe it should be enabled. Certs are cheap enough these days. [url="https://www.startssl.com/?app=39"]Free[/url] is cheap right? :)

I use a different random password for every site I use, still there is information about me (email) that a normal user can't see without my password.

Will be interesting to see what the dev's say.

Share this post


Link to post
Share on other sites
  • 0

Posted

Did some research, by default IPB wants to use an SSL connection, and all of the passwords are hashed in MD5 in the database, but are sent in plain text in the hopes that the sysadmin used an SSL connection for the login page.

Share this post


Link to post
Share on other sites
  • 0

Posted

I imagine that now this has been brought to our attention that the developers will roll in higher security into the upcoming site-wide updates, because this kinda isn't okay
6 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

I have several pairs of password: 1 for emails; 1 for website which related to finance or may involve credit card purchase, and another 1 for anything else (I have no doubt on Neowin security :shifty: ).

Share this post


Link to post
Share on other sites
  • 0

Posted

Hrm, I think I have about 20ish passwords for my own uses, then a unique password for each of my 200+ clients servers ... Somedays I feel like bashing my head against a wall trying to remember one... but hey, its definitely more secure than some of the other options in the world.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

I suppose I'm more surprised it's taken 13 years to discover this (massive?) flaw, but I've alerted Redmak and DaveLegg to have a look.

Thanks BudMan.
5 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Neobond' timestamp='1361868326' post='595544222']
I suppose I'm more surprised it's taken 13 years to discover this (massive?) flaw, but I've alerted Redmak and DaveLegg to have a look.

Thanks BudMan.
[/quote]

I LOL'd at 13 years. What does that say about this "technically savvy" community? Haha :shifty:
2 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='nekkidtruth' timestamp='1361868684' post='595544226']
I LOL'd at 13 years. What does that say about this "technically savvy" community? Haha :shifty:
[/quote]

About as much as your "helpful" response I suppose.
10 people like this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Neobond' timestamp='1361869158' post='595544234']
About as much as your "helpful" response I suppose.
[/quote]

Touche. However, doesn't make it any less humorous. ;)

Share this post


Link to post
Share on other sites
  • 0

Posted

There was a previous discussion about this here: [url="http://www.neowin.net/forum/topic/499158-neowin-needs-https-login/"]http://www.neowin.net/forum/topic/499158-neowin-needs-https-login/[/url]

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='nekkidtruth' timestamp='1361869766' post='595544242']
Touche. However, doesn't make it any less humorous. ;)
[/quote]

It's humorous that you don't understand that this isn't actually a huge problem, and can only be resolved by purchasing an expensive SSL certificate for 3 servers, or have a free one cry about it being self signed (creating an unnecessary browser alert for my site).

Share this post


Link to post
Share on other sites
  • 0

Posted

Guess he doesn't really know how much SSL certs actually cost.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='alwaysonacoffebreak' timestamp='1361871242' post='595544274']
Guess he doesn't really know how much SSL certs actually cost.
[/quote]

Ones that are fully trusted, and don't create browser alerts yeah.. expensive.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='alwaysonacoffebreak' timestamp='1361871242' post='595544274']
Guess he doesn't really know how much SSL certs actually cost.
[/quote]

RapidSSL are knocking them out for US$49 :)

Share this post


Link to post
Share on other sites
  • 0

Posted

I was going to say. There's dozens of certified signing authorities that do SSL cert pricing for reasonable money O.o

Comodo will sign a multi-domain cert through namecheap for $91..

[url="http://www.namecheap.com/ssl-certificates/comodo.aspx"]http://www.namecheap.com/ssl-certificates/comodo.aspx[/url]

Share this post


Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.